Questions on MISRA Rules

We have recently started using SonarQube at work, and so far we like what we see, however, we are now looking to be compliant with MISRA 2023 for C and C++.

SonarQube has several rule categories relating to MISRA:

  • based-on-misra (336)
  • misra-advisory (37)
  • misra-c++2008 (79)
  • misra-c++2023 (116)
  • misra-c2004 (43)
  • misra-c2012 (32)
  • misra-mandatory (3)
  • misra-required (76)

This hotch-potch is a bit frustrating. I can disregard the 2004, 2008 and 2012 categories. This leaves nothing obvious for MISRA C 2023. To which MISRA standard do misra-advisory, misra-required and misra-mandatory relate?

How do the based-on-misra rules actually relate to MISRA rules? Which standards are they based on?

I feel that SonarSource do not understand the purpose of a standard like MISRA. We can follow the rules, but unless we can show an auditor that we have a method of checking compliance, we cannot call ourselves MISRA-compliant, and we cannot use this metric to assure clients.

Can SonarSource please provide compliance tables for MISRA 2023, detailing which SonarQube rules correspond to which MISRA rules, and, in the case of the “based-on” rules, how they deviate from the MISRA standard?


I appreciate your frustration.

Plainly stated, SonarQube, SonarCloud and SonarLint are not compliance tools, and we do not have the tables you’re asking for.

What I can say is that the rules with the misra-c[++](year) tags are strict implementations, and according to the relevant Product Manager,

But we don’t have a timeline on that.



I can provide additional information to what @ganncamp said:

The tags misra-advisory, misra-mandatory and misra-required should only appear on rules that are also tagged misra-c++2023. They directly reflect the category of the rule in the MISRA document.

We do not currently target MISRA C 2023, but I expect it to be very close to MISRA C 2012.