A false positive related to variable type occurs when the declaration and usage locations are in different files. The issue reported is “An integral type is too small to hold a pointer value.”
Example:
A.h
+ (void)SSLInit;
+ (BOOL)setOSSLFIPSMode;
B.m
#import "A.h"
...
int mode = [irisSingleStream setOpenSSLFIPSMode]; // This will be flagged as an issue.
Recommendation:
We recommend enhancing the scanner to be more intelligent in recognizing that the variable is not a pointer.
This would help reduce the noise caused by this false positive issue.
The code snippets presented are incomplete, as there are no definitions for SSLInit, setOSSLFIPSMode, irisSingleStream, and BOOL. This makes it impossible for us to reproduce and triage the issue.
Could you please provide a complete code example or create a reproducer file for the issue, with information on which file and line the issue that you consider a false positive is reported?
To generate the reproducer file:
Search in the analysis log for the full path of the source file for which you want to create a reproducer (for instance, a file that contains a false-positive). You will have to use exactly this name (same case, / or \…)
Add the reproducer option to the scanner configuration:
sonar.cfamily.reproducer="Full path to the .source file"
Re-run the scanner to generate a file named sonar-cfamily-reproducer.zip in the project folder.
Please share this file. If you think it contains private information, let us know, and we’ll send you a private message allowing you to send it privately.
I’ve investigated the issue you reported and was able to reproduce the problem. The sample project was particularly useful, so thank you! I can confirm we have a fix ready for the next release of SonarQube, 10.7. It’s also available in SonarCloud right now.
Essentially, the analyzer couldn’t find the definition of BOOL and considered that setOpenSSLFIPSMode returned an id. We’ve fixed that and similar problems with [CPP-5446] - Jira.
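A complete version of the reported snippet, added here as an illustration and not taken from the reporter's project or from SonarSource: with Foundation imported, BOOL resolves to an integral type, so the assignment is an ordinary integer conversion rather than a pointer being narrowed, which is what the corrected analyzer sees. The class name IrisSingleStream is assumed; the report declares class methods, so the call is made on the class rather than on an instance.

```objective-c
// A.h (constructed reproducer; class name IrisSingleStream is assumed)
#import <Foundation/Foundation.h>   // defines BOOL, so the return type can be resolved

@interface IrisSingleStream : NSObject
+ (void)SSLInit;
+ (BOOL)setOSSLFIPSMode;
@end

// A.m
#import "A.h"

@implementation IrisSingleStream
+ (void)SSLInit {
    // stand-in for the real initialisation; intentionally empty
}
+ (BOOL)setOSSLFIPSMode {
    return YES;   // a BOOL: an integral type (signed char or bool), never a pointer
}
@end

// B.m
#import "A.h"

int main(void) {
    [IrisSingleStream SSLInit];
    // BOOL -> int is a widening integer conversion. Only when BOOL is
    // unresolved and the method is assumed to return id does this look
    // like a pointer being stored in an int, which was the false positive.
    int mode = [IrisSingleStream setOSSLFIPSMode];
    return mode == YES ? 0 : 1;
}
```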