Does the CFamily analyzer have these rules?

Sorry to bother you again. I am doing a comparison between SonarQube and other static analysis tools, and now I want to know whether SonarQube has similar rules to scan for these issues:

  1. `res = WideCharToMultiByte(CP_ACP, 0, src, -1, 0, 3, 0, 0);` // buffer overflow
  2. `wchar_t *foo = L"abc"; BSTR bar = (BSTR)foo;` // it's best not to use BSTR in new designs.
  3. Does the rule "Insecure functions should not be used" only check `strlcpy`, `strncpy`, `strlcat`, `strncat`, `snprintf`, `fgets` and `getpwuid`? I want to know this because there are many more insecure functions such as `_iota`/`_itow`/`_splitpath`…; can this rule check for these?
  4. When an application loads an external library, it's important for the code to use a fully qualified path.

I don't know how to reply to this topic on the web site, so I edited the post. Our code is legacy code, so there is a lot of code in our project that is outside the C++ standard, but it is not secure and needs to be addressed, so I want to figure out that part. As you said, we can specify our own rules, which is great; how do we do that?

Hello @judy,
I moved your reply here because it is always better to keep one subject per post.

There are some rules related to functions that should not be used. You can have a look at S1911, S982, S2393 … None of them contains the functions you specified.
`_iota`/`_itow`/`_splitpath`… are not standard C++; that is why you wouldn't find a rule for them.
I think it is a good idea to let users configure this rule to append their own list of unsafe functions that they want to detect. You can watch this ticket to be notified when this feature is added to the analyzer.

`WideCharToMultiByte` and `BSTR` are not standard C++, so we don't have specific rules for them.

I'm not sure I understood this point. Do you mean the include path shouldn't be relative?

Thanks,
Abbas
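Added example (not SonarQube's rule and not code from either poster): while the configurable "unsafe functions" list discussed above does not exist yet, the check judy asks for can be run as a stand-alone script. It takes a project-supplied blocklist of function names, blanks out comments and string literals first so that a name merely mentioned there is not reported, and then reports every real call with its line number. The blocklist, the sample C source and the reading of `_iota` in the post as `_itoa` are all assumptions made for this demonstration.

```python
"""Blocklist scanner for calls to functions a project considers unsafe.

Stand-alone stop-gap, not the CFamily analyzer: the list of names is
supplied by the project, so non-standard helpers such as the MSVC CRT
functions from the thread can be covered.  Comments and string/char
literals are blanked out before matching so that a function name in a
comment or a message string is not reported as a call.
"""
import re
import sys
from dataclasses import dataclass

# Assumed project blocklist (not a SonarQube list): the MSVC CRT helpers
# named in the thread, with _iota read as _itoa, plus a few classic C
# functions.  Any identifier can be added, including Win32 APIs whose
# every call the team wants reviewed.
DEFAULT_UNSAFE = frozenset({
    "_itoa", "_itow", "_splitpath", "_makepath",
    "strcpy", "strcat", "sprintf", "gets",
})

# Comments and literals, tried in this order at each position.
_NOISE = re.compile(
    r'//[^\n]*'                      # line comment
    r'|/\*.*?\*/'                    # block comment, may span lines
    r'|"(?:\\.|[^"\\\n])*"'          # string literal
    r"|'(?:\\.|[^'\\\n])*'",         # char literal
    re.DOTALL,
)
# An identifier followed by '(' is treated as a call; \b stops
# "mystrcpy(" from being read as a call to strcpy.
_CALL = re.compile(r'\b([A-Za-z_]\w*)\s*\(')


@dataclass(frozen=True)
class Finding:
    line: int        # 1-based line number in the scanned source
    function: str    # blocklisted name that was called
    code: str        # the offending source line, stripped


def blank_noise(src: str) -> str:
    """Replace comments and literals with spaces of the same length,
    keeping newlines so offsets and line numbers stay valid."""
    return _NOISE.sub(
        lambda m: "".join(c if c == "\n" else " " for c in m.group(0)), src)


def scan(src: str, unsafe=DEFAULT_UNSAFE):
    """Return every call to a blocklisted function, in source order."""
    masked = blank_noise(src)
    lines = src.splitlines()
    findings = []
    for m in _CALL.finditer(masked):
        name = m.group(1)
        if name not in unsafe:
            continue
        line_no = masked.count("\n", 0, m.start()) + 1
        findings.append(Finding(line_no, name, lines[line_no - 1].strip()))
    return findings


# Constructed sample, modelled on the snippets in the thread.
SAMPLE_SOURCE = r'''#include <string.h>
#include <stdio.h>
/* Legacy note: strcpy(buf, src) used to live here; a comment, not a call. */
char buf[16];
void legacy(const char *src, int value, const wchar_t *wsrc) {
    strcpy(buf, src);                     /* real call: report */
    char num[8];
    _itoa(value, num, 10);                /* real call: report */
    printf("_splitpath(%s) is banned\n", src);   /* inside a literal: ignore */
    strncpy_s(buf, sizeof buf, src, 15);  /* not on the list: ignore */
    int res = WideCharToMultiByte(0, 0, wsrc, -1, 0, 3, 0, 0);
}
'''


def main(argv):
    """Scan the files named on the command line, or the built-in sample.
    Exit status 1 when anything was reported, so it can gate a build."""
    sources = []
    for path in argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            sources.append((path, fh.read()))
    if not sources:
        sources.append(("<sample>", SAMPLE_SOURCE))
    total = 0
    for path, src in sources:
        for f in scan(src):
            print(f"{path}:{f.line}: call to {f.function}: {f.code}")
            total += 1
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the two findings in the sample (the `strcpy` and `_itoa` calls; the names inside the comment and the string literal are skipped), or pass `.c`/`.cpp` files to scan the legacy tree. Passing `DEFAULT_UNSAFE | {"WideCharToMultiByte"}` to `scan` also reports the conversion call on line 11, which is how a team would pull a Win32 API into review. Because the match is purely lexical, a project-defined function that happens to share a blocklisted name (for example a local `strcpy` wrapper) is reported too; that is the intended behaviour of a blocklist and is cheap to triage.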