We are using SonarSource Static Code Scan in JavaScript, Python, Go, and want to scale to C/C++ projects , we found the scan missing some trivial item so we would like to get feedback from the community , now we are using Klockwork for C/C++.
Must-share information (formatted with Markdown):
which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
We are using the latest version
what are you trying to achieve
Scan C/C++ projects
what have you tried so far to achieve this
Open a bug to support until PoC entitlement ended so before we commit to buy it we would like to verify it stand with our needs .
Hi,
We encountered with few trivial problems that the tool didn’t catch. Problems like fopen without fclose because of “return” statement under some condition in the middle of the flow. Usage of the wrong define value (our developer bug) in strcpy call that lead to memory corruption. Both were identified by pre-sale support as Sonar bugs. Here is my concern regarding tool maturity for C/C++ scan
Welcome to the community & thanks for sharing. My main goal in asking was to make sure we had an opportunity to address the deficits you found.
I did a little checking internally, and if we’ve matched up the right presales case, then one of the bugs you reported is already fixed in 8.8 (don’t know if you were already aware of that) and we’re still working on the other one.