Hello,
it seems we got a false positive on C++ rule “Null pointers should not be dereferenced[cpp:S2259]”.
We are using SonarQube 10.0.0.68432.
This issue is raised on this code:
AFX_MANAGE_STATE(AfxGetStaticModuleState());
CString strKey;
strKey.Format(_T("%s"), bstrKey);
if (!m_pMapPairs)
    AfxThrowOleDispatchException(-1, _T("No map set for this CaptureBarcode object."));
CString strValue;
if (m_pMapPairs->Lookup(strKey, strValue))
    return TRUE;
else
    return FALSE;
The issue is reported for the access to m_pMapPairs, although this is already checked for null in:
if (!m_pMapPairs)
    AfxThrowOleDispatchException(-1, _T("No map set for this CaptureBarcode object."));
So when really null then this dereferencing code is never reached.
Is this a known issue? Would checking (m_pMapPairs == nullptr) instead of (!m_pMapPairs) fix this false positive? What further information can we provide?
Thanks!
Hi @Wolfgang_Gogg!
My guess is that AfxThrowOleDispatchException() is not marked noreturn, and because of that, we think the control can fall through on that branch (where m_pMapPairs is null), reaching the dereference.
I would recommend you generate a reproducer and send it to us on some channel to investigate your case(s).
To generate the reproducer file:
- Search in the analysis log for the full path of the source file for which you want to create a reproducer (for instance, a file that contains a false-positive). You will have to use exactly this name (same case, / or \…)
- Add the reproducer option to the scanner configuration:
sonar.cfamily.reproducer="Full path to the .cpp"
- Re-run the scanner to generate a file named sonar-cfamily.reproducer in the project folder.
- Please share this file. If you think this file contains private information, let us know, and we’ll send you a private message that will allow you to send it privately.
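The reply's explanation, illustrated as an added example that is not code from the original post or from SonarSource: a throwing helper declared `[[noreturn]]` tells a static analyzer that the null branch never continues, so the dereference after the guard is only reachable with a non-null pointer. The MFC types and AfxThrowOleDispatchException() are replaced by hypothetical stand-ins (`ThrowNoMap`, `CaptureBarcode`, std::map/std::string) so the code compiles without MFC; whether a given analyzer honours the attribute is assumed here, as the reply's guess implies.

```cpp
#include <map>
#include <stdexcept>
#include <string>

// Hypothetical stand-in for AfxThrowOleDispatchException(): it always throws.
// The [[noreturn]] attribute is the piece that lets an analyzer know the code
// after a call to it is unreachable; without it, the analyzer may assume the
// call can return and report the later dereference on the null path.
[[noreturn]] void ThrowNoMap(int code, const std::string& msg) {
    throw std::runtime_error(msg + " (code " + std::to_string(code) + ")");
}

// Hypothetical stand-in for the CaptureBarcode object in the post.
class CaptureBarcode {
public:
    explicit CaptureBarcode(const std::map<std::string, std::string>* pairs)
        : m_pMapPairs(pairs) {}

    // Mirrors the posted method: null guard, then dereference.
    bool LookupKey(const std::string& key, std::string& value) const {
        if (!m_pMapPairs)
            ThrowNoMap(-1, "No map set for this CaptureBarcode object.");
        // Reachable only when m_pMapPairs is non-null, because ThrowNoMap
        // is declared [[noreturn]].
        auto it = m_pMapPairs->find(key);
        if (it == m_pMapPairs->end())
            return false;
        value = it->second;
        return true;
    }

private:
    const std::map<std::string, std::string>* m_pMapPairs;
};

// Reports whether LookupKey threw for the given object, so the null-map path
// can be exercised without dereferencing anything.
bool LookupThrows(const CaptureBarcode& obj, const std::string& key) {
    std::string unused;
    try {
        obj.LookupKey(key, unused);
    } catch (const std::runtime_error&) {
        return true;
    }
    return false;
}
```

If the MFC function itself cannot be annotated, wrapping it in a local `[[noreturn]]` helper like `ThrowNoMap` and calling that from the guard is one way to give the analyzer the same information.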