Rule cpp:S5008 false positive for overridden functions

  • What language is this for?
    C++

  • Which rule?
    cpp:S5008

  • Why do you believe it’s a false-positive/false-negative?
    We do not have access to change function signatures of external libraries.

  • SonarQube Server / Community Build - which version?
    Developer Edition v10.5.1

  • How can we reproduce the problem?

class handler: public apache::thrift::TProcessorEventHandler {
    ...
    void* getContext(const char* fn_name, void* serverContext) final {}
};

# Replace this use of "void *" with a more meaningful type

This is 100% a duplicate of this report: Rule cpp:S4998 false positive for overriden functions - Clean Code / Report False-positive / False-negative… - Sonar Community
Looking at the issue mentioned: [CPP-5365] S1238,S6188,S4998: Fix FPs with functions whose signature is not user-controlled - Jira
I don’t see cpp:S5008 mentioned, thus decided to make this report. It does not seem like I can comment or watch that issue. Also the trello board linked appears to be private.


Related is also the return type, triggering cpp:S5025

void* getContext(const char* fn_name, void* serverContext) final
{
    return new ...;
}

Since the signature can’t be changed, there is no realistic option for using an “operation that automatically manages the memory”

Hi @CarelC, thanks for reporting these.
S5008 has indeed been identified in our Trello board as a rule where the problem of external constraints on signatures creates false positives.
Regarding S5025, it is more subtle as it depends on whether the ownership of the pointer is transferred as part of the API or not. I’ll write it down and we’ll do our best to come up with a reasonable solution.
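
An added example, not part of the thread and not Sonar's or Thrift's code: when the `void*` signature is fixed by an external base class and ownership does cross the API, the raw pointer can be confined to the two boundary functions while everything else stays typed and RAII-managed. `ExternalEventHandler`, its `freeContext` release hook, `CallContext` and `live_after_round_trip` are hypothetical names assumed for the illustration.

```cpp
#include <memory>
#include <string>

// Stand-in for an external base class whose signatures cannot be changed
// (hypothetical; modelled on the getContext override shown in the thread).
struct ExternalEventHandler {
    virtual ~ExternalEventHandler() = default;
    virtual void* getContext(const char* fn_name, void* serverContext) = 0;
    virtual void freeContext(void* ctx, const char* fn_name) = 0;  // assumed release hook
};

// Typed per-call state; the only thing ever stored behind the void*.
struct CallContext {
    std::string fn_name;
    static int live;  // instance counter so a leak is observable
    explicit CallContext(const char* n) : fn_name(n ? n : "") { ++live; }
    ~CallContext() { --live; }
    CallContext(const CallContext&) = delete;
    CallContext& operator=(const CallContext&) = delete;
};
int CallContext::live = 0;

class Handler final : public ExternalEventHandler {
public:
    void* getContext(const char* fn_name, void*) override {
        // Build under RAII so an exception before the return cannot leak,
        // then hand ownership to the caller at the API boundary.
        auto ctx = std::make_unique<CallContext>(fn_name);
        return ctx.release();
    }
    void freeContext(void* ctx, const char*) override {
        // Re-adopt ownership immediately; the destructor frees the object.
        std::unique_ptr<CallContext> owned(static_cast<CallContext*>(ctx));
    }
};

// Simulates the framework side: obtain a context, then hand it back.
int live_after_round_trip() {
    Handler h;
    ExternalEventHandler& base = h;
    void* ctx = base.getContext("ping", nullptr);
    int during = CallContext::live;          // 1 while the framework holds it
    base.freeContext(ctx, "ping");
    return during * 10 + CallContext::live;  // 10: one live, then none
}
```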