False negative on C++ CString Format code?

Wolfgang_Gogg · May 23, 2023, 11:54am

Hello,
it seems we got a false negative in C++ or at least we wonder if that rule might be added to SonarQube in the future. We are using SonarQube 10.0.0.68432.

We realized this code caused our application to crash in some conditons and it got obvious that using the same/own CString as import for CString.Format call leads to unpredictable behaviour in any case as the string passed into the Format (the memory it points to) is cleared during this operation. Depending on when the memory then is finally resused/overtwritten it might work fine or crash, so it is pretty hard to detect.

CString sqlCond = L"something";
sqlCond.Format(L"(c.Security = 2) OR (%s)", sqlCond.GetString());

Is this somthing that could be added as a rule to SQ?

Thanks!

Fred_Tingaud · May 29, 2023, 9:12am

Hi @Wolfgang_Gogg ,

Thanks for raising this point.

At the moment, we have no MFC specific rules. And because we don’t have access to the implementation of CString.Format, the symbolic execution cannot detect the problem either.

If an MFC specific set of rules is developed in the future, we’ll put it in it, but I can’t say if and when that will happen.

Fred

Topic		Replies	Views
False positive for cpp:S1116 Report False-positive / False-negative... sonarqube , cfamily	5	1427	March 1, 2022
False-positive cpp:S2260 with C++23 Report False-positive / False-negative... cfamily	4	302	February 19, 2024
cpp:S1081: false positive when using the {fmt} lib's fmt::sprintf Report False-positive / False-negative... cfamily	2	859	February 14, 2020
False positive for C++/MFC code Report False-positive / False-negative... cfamily	1	298	May 22, 2023
False-positive cpp:S109 with string literals and concatenation Report False-positive / False-negative... cfamily	2	193	February 28, 2024

False negative on C++ CString Format code?

Related topics