Questions on MISRA Rules

We have recently started using SonarQube at work, and so far we like what we see. However, we are now looking to be compliant with MISRA 2023 for C and C++.

SonarQube has several rule categories relating to MISRA:

  • based-on-misra (336)
  • misra-advisory (37)
  • misra-c++2008 (79)
  • misra-c++2023 (116)
  • misra-c2004 (43)
  • misra-c2012 (32)
  • misra-mandatory (3)
  • misra-required (76)

This hotch-potch is a bit frustrating. I can disregard the 2004, 2008 and 2012 categories. This leaves nothing obvious for MISRA C 2023. To which MISRA standard do misra-advisory, misra-required and misra-mandatory relate?

How do the based-on-misra rules actually relate to MISRA rules? Which standards are they based on?

I feel that SonarSource do not understand the purpose of a standard like MISRA. We can follow the rules, but unless we can show an auditor that we have a method of checking compliance, we cannot call ourselves MISRA-compliant, and we cannot use this metric to assure clients.

Can SonarSource please provide compliance tables for MISRA 2023, detailing which SonarQube rules correspond to which MISRA rules, and, in the case of the “based-on” rules, how they deviate from the MISRA standard?

Hi,

I appreciate your frustration.

Plainly stated, SonarQube, SonarCloud and SonarLint are not compliance tools, and we do not have the tables you’re asking for.

What I can say is that the rules with the misra-c[++](year) tags are strict implementations, and according to the relevant Product Manager,

But we don’t have a timeline on that.

 
Ann

Hi @JWRWSEU,

I can provide additional information to what @ganncamp said:

The tags misra-advisory, misra-mandatory and misra-required should only appear on rules that are also tagged misra-c++2023. They directly reflect the category of the rule in the MISRA document.

We do not currently target MISRA C 2023, but I expect it to be very close to MISRA C 2012.


Is there any news re MISRA C/C++ 2023, or due dates?
Thank you

Hello @Roy

Thanks for reaching out.
We have been working on high-priority topics lately, and the implementation of the MISRA C++2023 has been stopped.
Unfortunately, I cannot give you more details about the future, specifically about specific coverage of MISRA C++2023 and timelines. Still, I expect the topic to be clarified and communicated in the next quarter.

Can you please confirm whether MISRA C 2012 is completely supported? Is CERT C also supported?

Hi @VarunP,

Welcome to the community!

There is some support for MISRA C 2012 and for CERT C, but neither is “completely” supported.

 
HTH,
Ann

Thank you for the prompt response.
Can you please let me know which rules of MISRA C 2012 & CERT C are supported by the tool?

As they said in the original reply, although some MISRA rules are covered, SonarQube is not a MISRA-compliance tool. I do like SonarQube, but if you want to be certifiably MISRA-compliant, you need to get another tool.

As they also said in the original response, they do not have tables of which MISRA rules are covered.
