If a null value is initialized to a variable, is it possible to get it as a bug in SonarQube or not?

For example: in the code below, if we haven’t initialized any value to variable a, then SonarQube detects it as a bug.

int function(int flag, int b) {
  int a;
  if (flag) {
    a = b;
  }
  return a; // Noncompliant - "a" has not been initialized in all paths
}

But when we initialize a with some function and that function doesn’t return any value, then SonarQube doesn’t detect it as a bug. For example:

int a = getCmtFileFormat();
printf("hello %d\n", a);

Here we have initialized a with a function, and that function is not returning any value or is returning null; in this case it’s not detected as a bug by SonarQube.

Hey there.

What version of SonarQube are you using?

We are using SQ version 8.9.6 LTS.

Hi @amit.saurabh ,

If I understand your question correctly, the function getCmtFileFormat() is declared as returning an int but does not have a return statement. In that case, the problem is with getCmtFileFormat, because not having a return statement for a non-void function is undefined behavior. Your compiler should emit a warning on the function and SonarQube should detect S935 “non-void function does not return a value”.

Hi @Fred_Tingaud

Our function getCmtFileFormat() has a return statement, “return m_cmtFileFormat;”. It would not compile if it did not have a return, as we treat that warning as an error in our project compiler options.

Regards,
Amit

Hi @amit.saurabh,
In that case, I’m sorry but I don’t understand what you mean by

we initialize a with some function and that function doesn’t return any value

Could you share some minimal example of code that would have such a problem? Perhaps through a link to godbolt.org?

Hi @Fred_Tingaud,

Please find below the scenario from our code:

int m_cmtFileFormat; // declared this variable as an integer with no initial value

int DrepDataStorage::getCmtFileFormat(void) { return m_cmtFileFormat; } // our getCmtFileFormat function returns m_cmtFileFormat with no initial value

int a = getCmtFileFormat(); // then we are just trying to initialize variable "a" with the result of this function
printf("hello %d\n", a);    // then trying to print the variable "a"

Here we assume SonarQube should report the bug “Variables should be initialized before use”,
because “Variables should be initialized before their use to avoid unexpected behaviors due to garbage values”.

Regards,
Amit

Hello @amit.saurabh,

I cannot reproduce the issue. I tried with this simple example:

class UninitClass {
public:
  int getI() const { return i; }  // S836 is raised here.
private:
  int i;
};

int main(void) {
  UninitClass s;
  int z = s.getI();
  return z;
}

So it must be something special in your example. You can try the simple example and see if it detects it.
Otherwise, the best way to move forward if you want us to investigate the issue is to provide a reproducer file. To generate the reproducer file:

  • Search in the analysis log for the full path of the source file for which you want to create a reproducer (for instance, a file that contains a false-positive). You will have to use exactly this name (same case, / or \…)
  • Add the reproducer option to the scanner configuration:
    sonar.cfamily.reproducer="Full path to the .cpp"
  • Re-run the scanner to generate a file named sonar-cfamily.reproducer in the project folder.
  • Please share this file. If you think this file contains private information, let us know, we’ll send you a private message that will allow you to send it privately.
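The pattern discussed in this thread, written out as an added example (not code from the thread, from the poster's project or from SonarSource): the uninitialized-member class that S836 flags at the getter's read, beside a hardened form that gives the member a default initializer and makes "not yet set" explicit to callers. The names DrepDataStorageBefore, DrepDataStorageAfter, kUnknownFormat, hasCmtFileFormat and formatIfSet are assumed for the example.

```cpp
#include <cstdio>
#include <optional>

// "Before": the member has no initializer and no constructor sets it, so the
// getter reads an indeterminate value. The analyzer reports the read inside
// the getter (return m_cmtFileFormat), not the call site `int a = get...()`.
// Kept here only to show the pattern; it is never instantiated below.
class DrepDataStorageBefore {
public:
  int getCmtFileFormat() const { return m_cmtFileFormat; }  // reads garbage
private:
  int m_cmtFileFormat;  // indeterminate until something assigns it
};

// "After": a default member initializer guarantees every path reads a defined
// value, and a sentinel (assumed value, -1) lets callers tell "unset" apart
// from a real format instead of silently printing whatever was in memory.
class DrepDataStorageAfter {
public:
  static constexpr int kUnknownFormat = -1;
  DrepDataStorageAfter() = default;                        // format == -1
  explicit DrepDataStorageAfter(int fmt) : m_cmtFileFormat(fmt) {}
  void setCmtFileFormat(int fmt) { m_cmtFileFormat = fmt; }
  int getCmtFileFormat() const { return m_cmtFileFormat; }
  bool hasCmtFileFormat() const { return m_cmtFileFormat != kUnknownFormat; }
private:
  int m_cmtFileFormat = kUnknownFormat;  // default member initializer
};

// Caller that refuses to use an unset format; returns nullopt instead of a
// garbage (or sentinel) integer that a printf would happily format.
std::optional<int> formatIfSet(const DrepDataStorageAfter& s) {
  if (!s.hasCmtFileFormat()) return std::nullopt;
  return s.getCmtFileFormat();
}

int main() {
  DrepDataStorageAfter s;  // constructed, nothing set yet
  std::printf("set before assignment? %d\n", s.hasCmtFileFormat());
  s.setCmtFileFormat(3);
  if (auto fmt = formatIfSet(s)) std::printf("hello %d\n", *fmt);
  return 0;
}
```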

Hi @amit.saurabh,

Any update on this?

Thanks,