Missing Rules in SonarCFamily

Hello everyone,

While trying to evaluate whether SonarQube satisfies our requirements when analysing C code, I was missing a few rules from comparable static code analysis tools. To name a few examples:

  • Attempt to cast away const/volatile from a pointer or reference
  • Impermissible cast of composite expression
  • A specific argument to an operator is certain to be 0

I tried to identify equivalent rules in the list of C rules but could not find any. Did I miss some rules or are these aspects not covered by SonarQube?

Kind regards,
Julian Frattini

Hello @JulianFrattini,

> Attempt to cast away const/volatile from a pointer or reference

We currently have this rule in our C++ analyzer, and we plan to enable it for the C analyzer in the next release, by the end of the month. You can follow the ticket here.

> Impermissible cast of composite expression

For casts, we have more than one rule, for modularity purposes:

  • Pointer conversions should be restricted to a safe subset.
  • Pointers should not be cast to integral types.
  • The value of a complex expression should only be cast to a type that is narrower and of the same signedness as the underlying type of the expression.
  • Function pointers should not be converted to any other type

If you have a specific case that is not covered by these rules let us know and we will be more than happy to extend the list.

> A specific argument to an operator is certain to be 0

We don’t currently have this rule. We agree with you that it is a valuable one. We will work on adding it to our C analyzer, but we currently have no ETA.

Thanks,
Abbas
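The "composite expression" rule listed above is easy to misread as pure style, so here is an added illustration (my own example, not SonarSource's code and not taken from the rule's documentation) of why it matters: the cast is applied to the *result* of the expression, after the arithmetic has already been carried out at the operands' width and signedness, so casting to a wider or differently signed type cannot recover what was lost. The function names and the input values are mine; each "flagged" function is paired with the form the rule permits, where the conversion is applied to an operand before the operation.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Flagged: the multiplication is evaluated as uint32_t and wraps modulo 2^32
 * before the cast to uint64_t is applied, so the cast cannot widen the result.
 */
uint64_t widen_after_multiply(uint32_t a, uint32_t b)
{
    return (uint64_t)(a * b);
}

/* Permitted form: convert one operand first, so the multiplication is 64-bit. */
uint64_t widen_before_multiply(uint32_t a, uint32_t b)
{
    return (uint64_t)a * b;
}

/*
 * Flagged: int32_t + uint32_t is computed as unsigned int (usual arithmetic
 * conversions), so a negative intermediate becomes a large positive value and
 * the cast to int64_t merely preserves that wrong value.
 */
int64_t mixed_sign_after(int32_t a, uint32_t b)
{
    return (int64_t)(a + b);
}

/* Permitted form: widen the signed operand first; b is then converted to int64_t. */
int64_t mixed_sign_before(int32_t a, uint32_t b)
{
    return (int64_t)a + b;
}

int main(void)
{
    /* Constructed inputs chosen to expose both failure modes. */
    uint32_t big = 0xFFFFFFFFu;
    int32_t neg = -2;

    printf("cast after multiply : 0x%llx\n",
           (unsigned long long)widen_after_multiply(big, 2u));
    printf("cast before multiply: 0x%llx\n",
           (unsigned long long)widen_before_multiply(big, 2u));
    printf("cast after add      : %lld\n", (long long)mixed_sign_after(neg, 1u));
    printf("cast before add     : %lld\n", (long long)mixed_sign_before(neg, 1u));
    return 0;
}
```

The numbers printed differ by exactly the bits the analyzer rule is guarding: the "after" forms return 0xFFFFFFFE and 4294967295, the "before" forms return 0x1FFFFFFFE and -1. A narrowing cast of a composite expression, by contrast, is allowed by that rule because it can only make an intended truncation explicit, not silently change the computed value.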

Hello Abbas,

Thank you for the elaborate answer. Is there any insight into the feature schedule of SonarQube in the sense of when to expect certain features?

Kind regards,
Julian Frattini

Hello @JulianFrattini,

If your question is about features in SonarQube as a platform, you can check this.
If your question is specifically about our C analyzer, we currently don’t have a public roadmap.

Thanks,
Abbas