It seems we got a false negative in C++, or at least we wonder if that rule might be added to SonarQube in the future. We are using SonarQube 10.0.0.68432.
We realized this code caused our application to crash in some conditions, and it became obvious that using the same/own CString as input for the CString::Format call leads to unpredictable behaviour in any case, as the string passed into Format (the memory it points to) is cleared during this operation. Depending on when that memory is finally reused/overwritten it might work fine or crash, so it is pretty hard to detect.
```cpp
CString sqlCond = L"something";
sqlCond.Format(L"(c.Security = 2) OR (%s)", sqlCond.GetString());
```
Is this something that could be added as a rule to SQ?
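Below is an added, self-contained example (not code from the post above and not MFC/ATL code) that reproduces the aliasing problem deterministically on any platform. The `FormatBuffer` class, and the `formatAliased` / `formatWithCopy` helpers, are constructed for this illustration: `FormatBuffer::Format` models only the ordering the post describes (the target's old contents are discarded before the format arguments are rendered), so the aliased call shows up as a truncated result instead of the use-after-free style garbage or crash the real `CString::Format` can produce. The same hazard exists in the C standard library, where `snprintf` with an argument that overlaps the destination is undefined behaviour.

```cpp
#include <cassert>
#include <cstdarg>
#include <cstdio>
#include <cstring>
#include <string>

// Stand-in for the part of CString::Format that matters here: the target's
// old contents are discarded before the format arguments are rendered, so a
// pointer obtained from the same object no longer refers to the text it was
// taken from. Constructed for this example; not MFC/ATL code.
class FormatBuffer {
public:
    explicit FormatBuffer(const char* s) {
        std::snprintf(m_buf, sizeof m_buf, "%s", s);
    }

    const char* GetString() const { return m_buf; }

    void Format(const char* fmt, ...) {
        // 1. The target gives up its old contents (CString takes the buffer
        //    and overwrites it). Modelled as truncation so the outcome is
        //    deterministic; the real implementation may also free the storage.
        m_buf[0] = '\0';

        // 2. Only now are the arguments consumed. If one of them points at
        //    m_buf, it is read as "" rather than as the original text.
        // Rendering into a separate buffer keeps this example free of the
        // overlapping-object undefined behaviour that snprintf itself has.
        char out[sizeof m_buf];
        va_list ap;
        va_start(ap, fmt);
        std::vsnprintf(out, sizeof out, fmt, ap);
        va_end(ap);
        std::memcpy(m_buf, out, sizeof m_buf);
    }

private:
    char m_buf[256];
};

// The pattern from the post: the %s argument aliases the Format target.
std::string formatAliased(const char* initial) {
    FormatBuffer sqlCond(initial);
    sqlCond.Format("(c.Security = 2) OR (%s)", sqlCond.GetString());
    return sqlCond.GetString();
}

// Fix: snapshot the old value before calling Format, so the argument points
// at storage that Format never touches.
std::string formatWithCopy(const char* initial) {
    FormatBuffer sqlCond(initial);
    const std::string previous = sqlCond.GetString();   // independent copy
    sqlCond.Format("(c.Security = 2) OR (%s)", previous.c_str());
    return sqlCond.GetString();
}

int main() {
    std::printf("aliased  : %s\n", formatAliased("something").c_str());
    std::printf("with copy: %s\n", formatWithCopy("something").c_str());
    return 0;
}
```

Translated back to MFC, the fix is the same shape: take `CString previous(sqlCond);` first and pass `previous.GetString()` to `Format`, or avoid `Format` here altogether and build the condition with `operator+`, which reads the operands before assigning the result.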