"Memory copy function overflows destination buffer" - cpp:S3519 false positive?

Andreas_Mandel · October 30, 2020, 8:10pm

I’m coming from the Java area and I’m used that SonarQube is mostly correct with such kind of findings. Now I’m confronted with a small c/c++ project where SonarQube flags code that was originally found in the net as Memory copy function overflows destination buffer I can not not see the point - can you see who is right? I hope it is not all to obvious?

https://sonarcloud.io/project/issues?id=Friends-of-OpenBikeSensor_OpenBikeSensorFirmware&issues=AXVSCjrR3HHzkZhCc1vE&open=AXVSCjrR3HHzkZhCc1vE - I’ve already reduced the severity from blocker to critical.

Is this a bug in my or SonarQubes logic?

The full project is at https://github.com/Friends-of-OpenBikeSensor/OpenBikeSensorFirmware and the Github action at https://github.com/Friends-of-OpenBikeSensor/OpenBikeSensorFirmware/actions

BTW: I’ve to mention that I’m impressed by the SonarCloud offering, thanks!

Geoffray · November 2, 2020, 2:47pm

Hello @Andreas_Mandel and welcome to the Sonarsource community!

We are glad you appreciate our products for C and C++.

As for your problem, it seems like a real false-positive. Thank you for reporting.
For now, it seems related to the issue in this ticket.

To speed up further investigations, would you mind generating a reproducer and sending it back to us?Steps are as follow:

Add the reproducer option to the scanner configuration:
sonar.cfamily.reproducer= “Full path to the .cpp file that has or include the file that has the false-positive”
Re-unning the scanner should generate a file named sonar-cfamily.reproducer in the project folder.
Please share this file. if you think this file contains private information we can send it privately.

Thanks,

Andreas_Mandel · November 2, 2020, 9:44pm

Hello @Geoffray,

thanks for looking into this. I’ve added the requested options to the scanner call. Since all is OSS there should be no private data included. sonar-cfamily.zip (685.2 KB)

The culprit file is https://github.com/Friends-of-OpenBikeSensor/OpenBikeSensorFirmware/blob/master/OpenBikeSensorFirmware/vector.h but I assume that is now all part of the attached file.

Kind regards,
Andreas.

Geoffray · November 3, 2020, 8:42am

Thanks Andreas. It should indeed include all the necessary material.

system · February 23, 2022, 4:23pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
C/C++ Sonarqube False Positive Report False-positive / False-negative... sonarqube , scanner , cfamily	2	800	August 11, 2022
"Memory set function overflows the destination buffer" problem Report False-positive / False-negative... sonarqube , cfamily	4	915	June 2, 2022
SonarQube Error with no code mistakes Report False-positive / False-negative... cfamily	2	513	November 18, 2020
SonarQube does not catch issues in C++ code SonarQube Server / Community Build sonarqube , scanner , cfamily	1	1114	May 29, 2020
About data out of bounds SonarQube Server / Community Build cfamily	5	1318	January 23, 2019

"Memory copy function overflows destination buffer" - cpp:S3519 false positive?

Related topics