On June 15th, taint analysis for C and C++ will enter beta on SonarQube Cloud.
This is an important step forward for our C/C++ security analysis, bringing focused taint detection to SonarQube Cloud and strengthening the security of your C and C++ code.
These rules will be included in the Sonar way quality profile, reflecting their importance for C and C++ security analysis.
They are cross-project rules designed to help identify critical vulnerabilities.
We are adding them to Sonar way even though they are still in beta because they have already been deeply validated internally on many projects, and we do not expect significant issues in normal use. At the same time, detection with this level of impact should not be considered GA until it has been exposed to customers at scale and validated with real-world feedback.
These rules are not available with Automatic Analysis or AutoConfig. They are available only for projects configured with a compilation database, with or without build-wrapper.
You may notice a slight increase in analysis time and memory consumption. Given the importance of these rules, we believe this trade-off is justified.
Hi @BillHoover , sorry about that. The deployment was slightly delayed for operational reasons. We will update the thread when it is deployed. It should not be long.
I’ve noticed this in our pipelines now and it’s adding significant time to the tasks and failing at the end?
Is there any documentation for this, how to adjust it or turn it off?
##[error]14:29:40.999 ERROR Detected non-zero taint analysis exit code, a file named '/agent/_work/1/s/sonar-cfamily-taint-analysis-reproducer.tar.xz' will be automatically generated to help the investigation of the problem.
Please contact SonarSource support providing this file to help improving the analyzer.
14:29:40.999 ERROR Detected non-zero taint analysis exit code, a file named '/agent/_work/1/s/sonar-cfamily-taint-analysis-reproducer.tar.xz' will be automatically generated to help the investigation of the problem.
Please contact SonarSource support providing this file to help improving the analyzer.
14:38:23.221 INFO Taint analysis reproducer written to '/agent/_work/1/s/sonar-cfamily-taint-analysis-reproducer.tar.xz'
14:38:23.376 INFO Sensor CFamilyTaintAnalysis [cpp] (done) | time=839932ms
Thanks, I’ll turn it off for now and circle back to that file and the why next week.
For our product 10+ minutes on every gated build is a huge impact for this, but possibly something we can schedule nightly / weekly once it works on our codebase.
We got a similar issue, and the scan runs more than 2 hours, so we are disabling the taintAnalysis.
17:10:51.337 INFO Parsed LLVM IR file [1/1376]: 'C:\a\_work\1\s\.scannerwork\cfamily\taint-analysis\0003049C771B904A895EDD4791B94A81.bc' in 249ms
19:12:14.759 INFO Parsed LLVM IR file [1376/1376]: 'C:\a\_work\1\s\.scannerwork\cfamily\taint-analysis\FFC211E5C21A5AE032789D3453A55EFD.bc' in 9697ms
In that case, we would kindly ask you to disable taint analysis for the time being. We will let you know as soon as the taint analysis optimizations are available.