Does SonarQube supports MISRA Standard?

does SonarQube supports MISRA Standard?

Hello @hari123

Thanks for contacting us.

SonarQube support partially MISRA C 2004, MISRA C++ 2008 and MISRA C 2012.
The rules that are implemented strctly following misra for these standards can be found at:
https://rules.sonarsource.com/cpp/tag/misra-c2004/
https://rules.sonarsource.com/cpp/tag/misra-c++2008/
https://rules.sonarsource.com/cpp/tag/misra-c2012/

I hope it helps

1 Like

Hi Geoffray,

Thanks for the information.
I have one more query, does SonarQube gives a MISRA complaint report?

Regards,
Harish

Hi Harish

I guess you meant MISRA compliance report?
If that’s the case, no, SonarQube does not issue such reports.

Best,

Geoffray

Hi Geoffray,

Thanks for the details. Do you have any plan to include MISRA compliance(complete) in SonarQube , If yes , what would be the probable time frame MISRA compliance be available on SonarQube?

Regards,
Harish

Hi Harish.

Adding complete MISRA compliance and compliance report is not in our current roadmap.

Best,
Geoffray

Hi @hari123,

I’m no sure exactly what you mean by “MISRA compliance report”, MISRA in itself does not define the notion of a compliance report, and to claim MISRA compliance for your product, you anyways need more that what a tool can give you. For instance, for each deviation to a rule, you need a documented reason why you deviate, and prove that you followed the deviation procedure that you put in place.

If all you need is to know how good you are related to MISRA rules, you can just:

  • Make sure your analysis profile contains all MISRA rules (some of them are disabled in SonarWay, because they would be too noisy for general purpose software)
  • Filter your analysis results based on the rule tag:
    image

If you really need a written report (in PDF for instance), you can also use a web API to fetch the analysis results.

1 Like

@JolyLoic,

On the below link it says these rules are available in SonarLint, SonarCloud and SonarQube Developer Edition.

Which means they are not available and cannot be used in SonarQube Community Edition ? Or is there a way to set these up in CE as well ?

Thanks.

We don’t provide C++ analysis at all in SonarQube Community Edition, so yes you’ll need at least Developer edition to have C++ & MISRA analysis.

It was not on your roadmap in 2020 but did you reconsider adding support for the complete rule-set for MISRA 2004 standard ?
I am sure that i am not the only user waiting for this feature.

Sincerely,
Gaspard

We currently don’t have any plans for full support of MISRA 2004. According to MISRA rules themselves, all C projects started after 2012 shall use MISRA C 2012, therefore we do not really see the purpose in fully implementing MISRA C 2004…

Hi,
I am checking the rules tagged as MISRA rule. For example, for “C” language I found the following tags:

  1. MISRA-C2004 (14 rules): https://rules.sonarsource.com/cpp/tag/misra-c2004
  2. MISRA-C2012 (10 rules): https://rules.sonarsource.com/cpp/tag/misra-c2012
  3. Based-on-misra “C” (109 rules): https://sonarqube-developer.kinovaapps.com/coding_rules?languages=c&tags=based-on-misra

My problem is that I was expecting the rules count in 3 be the sum of tag 1 and 2.
Can you please explain how the misra tags work?
Thanks

Hello @Mohamed_Chibani,

The meaning of those tags is in the documentation.

A rule cannot have both the misra-c**** and the based-on-misra tag, they are mutually exclusive. A rule based-on-misra is usually a rule that started its life as a MISRA rule, but when we executed it on generic-purpose projects, we discovered that it raised a lot in situations that we did not consider as being that problematic. We then decided to relax the rule, to make sure that the places it gets reported are very relevant. And since doing that moves us away from MISRA, we changed the tag.

More recently, when faced with this issue, we tend to use a slightly different approach: We clone the rule, one version being fully conforming to MISRA, relevant for safety-critical software, one version becoming based-on-misra, relevant for generic purpose software.

Is this clearer now?

Hi Loïc,
First, thanks for the prompt reply.
Yes, it’s clear now.