Does SonarQube support the MISRA Standard?

Does SonarQube support the MISRA Standard?

Hello @hari123

Thanks for contacting us.

SonarQube partially supports MISRA C 2004, MISRA C++ 2008 and MISRA C 2012.
The rules that are implemented strictly following MISRA for these standards can be found at:
https://rules.sonarsource.com/cpp/tag/misra-c2004/
https://rules.sonarsource.com/cpp/tag/misra-c++2008/
https://rules.sonarsource.com/cpp/tag/misra-c2012/

I hope it helps

1 Like

Hi Geoffray,

Thanks for the information.
I have one more query: does SonarQube give a MISRA complaint report?

Regards,
Harish

Hi Harish

I guess you meant MISRA compliance report?
If that’s the case, no, SonarQube does not issue such reports.

Best,

Geoffray

Hi Geoffray,

Thanks for the details. Do you have any plan to include MISRA compliance (complete) in SonarQube? If yes, what would be the probable time frame for MISRA compliance to be available in SonarQube?

Regards,
Harish

Hi Harish.

Adding complete MISRA compliance and compliance report is not in our current roadmap.

Best,
Geoffray

Hi @hari123,

I’m not sure exactly what you mean by “MISRA compliance report”. MISRA in itself does not define the notion of a compliance report, and to claim MISRA compliance for your product, you anyways need more than what a tool can give you. For instance, for each deviation from a rule, you need a documented reason why you deviate, and to prove that you followed the deviation procedure that you put in place.

If all you need is to know how good you are related to MISRA rules, you can just:

  • Make sure your analysis profile contains all MISRA rules (some of them are disabled in SonarWay, because they would be too noisy for general purpose software)
  • Filter your analysis results based on the rule tag.

If you really need a written report (in PDF for instance), you can also use a web API to fetch the analysis results.

1 Like
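The web API route mentioned in the post above, as an added example that is not part of the original thread and not SonarSource code: it builds a tag-filtered `api/issues/search` request and turns the paged JSON into a per-rule findings list. It assumes the `componentKeys`, `tags`, `resolved`, `p` and `ps` parameters and the `paging`/`issues` response shape; the host, project key, rule keys and sample responses are constructed placeholders.

```python
import json
from collections import Counter
from urllib.parse import urlencode

# Rule tags named in this thread.
MISRA_TAGS = ("misra-c2004", "misra-c++2008", "misra-c2012")

def search_url(base_url, project_key, tag, page=1, page_size=500):
    """URL for one page of open issues carrying `tag` (api/issues/search)."""
    query = urlencode({"componentKeys": project_key, "tags": tag,
                       "resolved": "false", "p": page, "ps": page_size})
    return f"{base_url.rstrip('/')}/api/issues/search?{query}"

def summarize(pages):
    """Count issues per rule key over all pages; refuse a truncated result set."""
    per_rule, total = Counter(), 0
    for page in pages:
        total = page["paging"]["total"]
        per_rule.update(issue["rule"] for issue in page["issues"])
    if sum(per_rule.values()) != total:
        raise ValueError(f"fetched {sum(per_rule.values())} of {total} issues")
    return dict(per_rule)

def render(tag, per_rule):
    """Plain-text findings list for one tag, most frequent rule first."""
    lines = [f"Open issues tagged {tag}: {sum(per_rule.values())}"]
    for rule, count in sorted(per_rule.items(), key=lambda kv: (-kv[1], kv[0])):
        lines.append(f"  {rule}: {count}")
    return "\n".join(lines)

# Constructed sample responses (two pages); rule keys and file names are placeholders.
SAMPLE_PAGES = [json.loads(p) for p in (
    '{"paging": {"pageIndex": 1, "pageSize": 2, "total": 3}, "issues": ['
    '{"rule": "c:EXAMPLE_RULE_A", "component": "demo:src/a.c", "line": 10},'
    '{"rule": "c:EXAMPLE_RULE_B", "component": "demo:src/a.c", "line": 42}]}',
    '{"paging": {"pageIndex": 2, "pageSize": 2, "total": 3}, "issues": ['
    '{"rule": "c:EXAMPLE_RULE_A", "component": "demo:src/b.c", "line": 7}]}',
)]

if __name__ == "__main__":
    print(search_url("https://sonarqube.example.com", "demo", "misra-c2012"))
    print(render("misra-c2012", summarize(SAMPLE_PAGES)))
```

The output is a list of findings per tag; the deviation records described in the post above still have to be kept separately.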

@JolyLoic,

On the below link it says these rules are available in SonarLint, SonarCloud and SonarQube Developer Edition.

Which means they are not available and cannot be used in SonarQube Community Edition? Or is there a way to set these up in CE as well?

Thanks.

We don’t provide C++ analysis at all in SonarQube Community Edition, so yes you’ll need at least Developer edition to have C++ & MISRA analysis.

It was not on your roadmap in 2020, but did you reconsider adding support for the complete rule-set for MISRA 2004 standard?
I am sure that I am not the only user waiting for this feature.

Sincerely,
Gaspard

We currently don’t have any plans for full support of MISRA 2004. According to MISRA rules themselves, all C projects started after 2012 shall use MISRA C 2012, therefore we do not really see the purpose in fully implementing MISRA C 2004…

Hi,
I am checking the rules tagged as MISRA rules. For example, for “C” language I found the following tags:

  1. MISRA-C2004 (14 rules): https://rules.sonarsource.com/cpp/tag/misra-c2004
  2. MISRA-C2012 (10 rules): https://rules.sonarsource.com/cpp/tag/misra-c2012
  3. Based-on-misra “C” (109 rules): https://sonarqube-developer.kinovaapps.com/coding_rules?languages=c&tags=based-on-misra

My problem is that I was expecting the rules count in 3 to be the sum of tags 1 and 2.
Can you please explain how the misra tags work?
Thanks

Hello @Mohamed_Chibani,

The meaning of those tags is in the documentation.

A rule cannot have both the misra-c**** and the based-on-misra tag, they are mutually exclusive. A rule based-on-misra is usually a rule that started its life as a MISRA rule, but when we executed it on generic-purpose projects, we discovered that it raised a lot in situations that we did not consider as being that problematic. We then decided to relax the rule, to make sure that the places it gets reported are very relevant. And since doing that moves us away from MISRA, we changed the tag.

More recently, when faced with this issue, we tend to use a slightly different approach: We clone the rule, one version being fully conforming to MISRA, relevant for safety-critical software, one version becoming based-on-misra, relevant for generic purpose software.

Is this clearer now?

Hi Loïc,
First, thanks for the prompt reply.
Yes, it’s clear now.