Issue with Rule c:S2259 Not Triggering Across Files in SonarCloud

Hello,

When a function is called from another file, the rule c:S2259 doesn’t trigger.

Minimal code to reproduce:

main.c

#include "bar.h"
#include <stdio.h>
#include <stdlib.h>

static int foo(int *ptr);

int main(int argc, char *argv[]) {

  foo(NULL); // This leads to the foo c:S2259 warning
  bar_bar(NULL); // This leads to no warning

  return EXIT_SUCCESS;
}

static int foo(int *ptr) {

  printf("Pointer value: %p\n", (void *)ptr);
  return *ptr; // Warning: Dereference of null pointer (loaded from variable 'ptr')
}

bar.c

int bar_bar(int *a)
{
    return *a;  // No warning here, but I expected same warning as in foo
}

bar.h

int bar_bar(int *a);

I’m using CMake with Ninja to compile. My CI is in GitHub Actions and I use SonarSource/sonarqube-scan-action/install-build-wrapper@v5 to create the compile_commands.json and SonarSource/sonarqube-scan-action@v5.

Hi @MNicoletDJO,

Thanks for reaching out.

The explanation is simple: We currently do not offer C and C++ analysis in cross-translation mode just yet. When analyzing main.c, the analyzer cannot “see” the null dereference in bar.c. And to avoid false positives, the analyzer does not report until it can “prove” a bug.

Best,
Philipp
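An added example, not code from the thread or from SonarSource, showing what a defender can do while the analyzer only sees one translation unit at a time: give bar_bar an explicit null contract that fails closed, or keep the body visible to every caller's TU by defining it static inline in the header. Function names are assumed, and whether the inline form is then reported by the analyzer is an assumption, not something the thread confirms.

```c
/* Added example, not from the original post. Each translation unit is
 * analyzed on its own, so a NULL passed from main.c to a body in bar.c is
 * not connected by the tool; the code below makes that boundary safe. */
#include <errno.h>
#include <stddef.h>

/* Option 1: explicit contract at the file boundary. The callee validates
 * its own input and fails closed, so a NULL argument from any caller is a
 * checkable error code instead of a crash. Returns 0 on success. */
int bar_bar_checked(const int *a, int *out) {
    if (a == NULL || out == NULL) {
        return EINVAL;
    }
    *out = *a;
    return 0;
}

/* Option 2: keep the body in the header as static inline (simulated here
 * in one file). The dereference then belongs to every including TU; it is
 * an assumption that per-TU analysis reports it, the thread does not say. */
static inline int bar_bar_inline(const int *a) {
    return *a;
}

/* Constructed usage: the NULL path is rejected without dereferencing. */
int demo_null_argument(void) {
    int out = 0;
    return bar_bar_checked(NULL, &out);   /* EINVAL */
}

/* Constructed usage: a valid pointer is read through both variants. */
int demo_valid_argument(void) {
    int x = 42, out = 0;
    if (bar_bar_checked(&x, &out) != 0) {
        return -1;
    }
    return out + bar_bar_inline(&x);      /* 84 */
}
```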