False positive on cpp:S4423 and libcurl

Versions: sonar-scanner-cli 4.6.2.2472-linux with cfamily
Code:

CURL* curl = curl_easy_init();
if( curl ) {
   curl_easy_setopt( curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2 );
   // other code
}

I believe the code should not trigger the warning “Weak SSL/TLS protocols should not be used”.

The compliant solution on C static code analysis: Weak SSL/TLS protocols should not be used (quoted below) does not check return value of curl_easy_init(), I think it is inappropriate. Please check example code on CURLOPT_SSLVERSION .

CURL* curl;
curl = curl_easy_init();
curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);

Here is another version of code which triggers the warning too:

CURL* curl = curl_easy_init();
if( !curl ) {
   // throw an exception here
}
curl_easy_setopt( curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2 );
// other code

By the way, if possible please help delete my account ‘abit’ from the issue tracker (https://jira.sonarsource.com/browse/CPP) because I thought I should create this false positive report there but actually could do nothing after registered an account.

Thanks.

Hi Abit, and welcome to our community!

Thank you very much for reporting the false positive and the missing nullptr check in the rule specification.

I opened a PR for the rule specification: Modify Rule S4423[cfamily]: add missing nullptr check for libcurl examples by arseniy-sonar · Pull Request #707 · SonarSource/rspec · GitHub,

and a ticket to fix the false positive: [CPP-3476] S4423: FP for good code that checks the curl_easy_init return value for nullptr - SonarSource

P.S. I’ll see if I can help you to remove your user.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.