Currently, we are using a static scanner that runs on our C/C++ codebase. We are experimenting with the SonarCloud product. We created a trial account and ran a static scan. We are quite impressed with the results.
However, we have noticed a couple of items:
- The number of memory-leak-related issues reported is lower. We went further and added code containing a memory leak, and the scanner did not flag that code snippet as a memory leak.
- Type mismatch (e.g. converting int to unsigned) is not flagged.
Is there any difference between using SonarQube and SonarCloud?
Please let us know if a separate rule needs to be added. Except for these two issues we are quite pleased, but this may be a deal-breaker for us.