False positive on cpp:S4423 and libcurl

Versions: sonar-scanner-cli 4.6.2.2472-linux with cfamily
Code:

CURL* curl = curl_easy_init();
if( curl ) {
   curl_easy_setopt( curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2 );
   // other code
}

I believe the code should not trigger the warning “Weak SSL/TLS protocols should not be used”.

The compliant solution on C static code analysis: Weak SSL/TLS protocols should not be used (quoted below) does not check return value of curl_easy_init(), I think it is inappropriate. Please check example code on CURLOPT_SSLVERSION .

CURL* curl;
curl = curl_easy_init();
curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);

Here is another version of code which triggers the warning too:

CURL* curl = curl_easy_init();
if( !curl ) {
   // throw an exception here
}
curl_easy_setopt( curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2 );
// other code

By the way, if possible please help delete my account ‘abit’ from the issue tracker (https://jira.sonarsource.com/browse/CPP) because I thought I should create this false positive report there but actually could do nothing after registered an account.

Thanks.

1 Like

Hi Abit, and welcome to our community!

Thank you very much for reporting the false positive and the missing nullptr check in the rule specification.

I opened a PR for the rule specification: Modify Rule S4423[cfamily]: add missing nullptr check for libcurl examples by arseniy-sonar · Pull Request #707 · SonarSource/rspec · GitHub,

and a ticket to fix the false positive: [CPP-3476] S4423: FP for good code that checks the curl_easy_init return value for nullptr - SonarSource

P.S. I’ll see if I can help you to remove your user.

1 Like