Options to address a single-type of warning in C code - memcmp() of structures

Must-share information (formatted with Markdown):
Using SonarQube 6.7LTS.

SonarQube has flagged an issue with some code very similar to this FreeBSD networking code. It complains of error code S5000 stating that:
“memcmp” should only be called with pointers to trivially copyable types with no padding

The structure in-question is an IPv6 address which is defined this way.

My goal is to have this SonarQube warning go away while retaining the possibility that other errors in the same line (now or in the future) might be reported.

In an ideal world, SonarQube would recognize that this sort of structure cannot have any padding in it on a practical level. Is there a way to so instrument the structure to indicate this? For example, would SonarQube intelligently recognize the “packed” attribute on the structure?

The next alternative would be to suppress this particular class of warnings on the particular lines. It appears that SonarQube supports @SuppressWarnings for Java code. Alas, I’m unable to find particular mechanisms to do so for C/C++ code. I know that many linters and Coverity do that, but can’t find documentation for SonarQube.

Marking the issue as “False Positive” seems to be the preferred option in the SonarQube documentation, but our internal SQ team reports that those annotations don’t get carried forward to future branches so everything needs to be reevaluated and redone again, making this unworkable.

Finally, there’s the //NOSONAR statement, but that disables all scanning for the particular line. I want to avoid that because it’s foreseeable that other issues (especially with pointers) might be introduced in the future and we don’t want to avoid being notified of them.

How can I best resolve this issue within the constraints listed?

Hey there.

SonarQube. v6.7 is very old at this point – and has been EOL for a long time. You should make your way to SonarQube v7.9 LTS and then v8.9 LTS. It’s possible our analyzer has gotten smarter since then, but you’ll need to upgrade and let us know if the issue is still reported.

When an issue marked as a false-positive in SonarQube, that issue status will be copied over to any branch created in the future (it has to be copied manually to existing branches). With this in mind, I think this is probably your most workable solution.