I have been getting "Out of bound memory access" and "Potential memory leak" recommendations often while scanning C++ code. I am wondering if newer operating systems take care of these problems, and that these might be false positives? Any insights on this would be helpful.
P.S. I am using SonarQube 8.2 Developer edition
The operating system does not take care of those issues. A buffer overflow is always something that can crash your program, or be a vulnerability that attackers can exploit. A potential memory leak can be less of an issue for a short-lived program (because the OS will reclaim the memory at the end of the execution), but in general, while it runs, the program might eat up more and more memory until the computer becomes really slow (I still remember old versions of Firefox that suffered from that… This is why I switched to Chrome…).
Now, both issues can be very hard to detect, and these rules can raise false positives (even if we try to reduce them). In fact, having a program capable of detecting that kind of bug perfectly would be like having a program capable of solving the halting problem…
If you have a small example of code where you believe we raise such an issue erroneously, you may want to share it with us, so that we understand what happens.
Moreover, there are techniques in C++ that greatly reduce the risk of those errors happening (for instance, std::unique_ptr is the kryptonite of memory leaks; if you don't use it, I suggest you have a look at it).
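The two patterns named in the answer, as an added example that is not part of the original thread: a raw-owning function whose early return leaks (instrumented with a live-object counter so the leak is measurable) beside the same logic written with std::unique_ptr and bounds-checked std::array::at(). The Buffer type and the read_raw / read_safe names are assumptions of this example.

```cpp
#include <array>
#include <cstddef>
#include <memory>
#include <stdexcept>

constexpr std::size_t kSize = 8;

// Instrumented buffer: counts live instances so a leak becomes observable.
struct Buffer {
    static int live;                      // Buffers currently allocated
    std::array<int, kSize> data{};
    Buffer() {
        ++live;
        for (std::size_t i = 0; i < kSize; ++i) data[i] = static_cast<int>(i * i);
    }
    ~Buffer() { --live; }
};
int Buffer::live = 0;

// Raw-owning version (the shape a scanner flags): the early return skips
// delete, so every rejected index leaks one Buffer. Without the guard,
// buf->data[index] would also read past the array.
int read_raw(std::size_t index) {
    Buffer* buf = new Buffer();
    if (index >= kSize) return -1;        // leak: buf is never deleted on this path
    int value = buf->data[index];
    delete buf;
    return value;
}

// Hardened version: std::unique_ptr releases the Buffer on every exit path,
// including exception unwinding, and std::array::at() throws
// std::out_of_range instead of reading out of bounds.
int read_safe(std::size_t index) {
    auto buf = std::make_unique<Buffer>();
    return buf->data.at(index);           // throws on index >= kSize; buf still freed
}

// Same contract as read_raw (sentinel on a bad index) but without the leak.
int read_safe_or_sentinel(std::size_t index) {
    try {
        return read_safe(index);
    } catch (const std::out_of_range&) {
        return -1;
    }
}
```

Running both with an out-of-range index shows Buffer::live stuck at 1 after read_raw and unchanged after read_safe_or_sentinel.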