SonarQube does not catch cpp:S872 as an issue

  • Version info:
    1.) SonarQube - 8.7.1.42226
    2.) SonarScanner for Azure DevOps 4.21.0
    3.) Build wrapper - {SonarQube URL}/static/cpp/build-wrapper-win-x86.zip
    Instructions followed @: C/C++/Objective-C | SonarQube Docs
    We have mix of C# and C++ projects.

We are trying to list all the violations of C++ rule S872 : “bool” expressions should not be used as operands to built-in operators other than =, &&, ||, !, ==, !=, unary &, and the conditional operator
Tagged as: Code Smell, Major

We did the below changes to drill down the issue:
1.) Created a Quality profile, tagging only the cpp:S872.
2.) Linked this profile to the project for C++ language category.
3.) Executed analysis. Ensured the file under test is part of analysis - Success
4.) Ensured the specific profile is picked during analysis - Success
5.) We created a sample code same as in the non-compliant section in the rule.

Observed behavior:
SonarQube fails to recognize it. No issues are reported.

Note: I installed SonarLint from VS2019 as an extension and linked the SonarQube server. SonarLint fails to report it as well.

Any help appreciated.

Thanks,
Nitya

Hi Nitya,

Welcome to the community!

First, your version is past EOL. You should upgrade to either the latest version or the current LTS at your earliest convenience. Your upgrade path is:

8.7.1 → 8.9.1 → 9.0 (last step optional)

Regarding your actual question, it’s possible that your upgrade will change the behavior here, but can you provide a reproducer?

Ann

Hi Ann,

I upgraded the SonarQube version to 8.9.1.44547 and I still see that the code lines violating rule cpp:S872 are not caught during analysis.
How can I provide a reproducer? Is there a log file that you would like me to share?

Thanks,
Nitya

Hi Nitya,

Thanks for coming back. An ideal reproducer is the smallest possible set of code that will (compile and) reproduce the error. Is it possible to boil this down to 20 lines or so?

Ann

Hi Ann,
An example would be this snippet:
bool b1 = true;
bool b2 = false;
if (b1 & b2)
{
    // Do Something
}

Line #3 should ideally be flagged as an error by SonarQube based on the cpp:S872 rule which requires the bool condition to be:
bool b1 = true;
bool b2 = false;
if (b1 && b2)
{
    // Do Something
}

&& would be the correct check that is required in our project. We want to list such violations.
Unfortunately, this is not happening.

Thanks,
Nitya
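The snippet above shows the shape of a cpp:S872 finding but not why the rule exists. The following added example (not code from the thread or from SonarSource) makes the difference observable: a bitwise `&` on two bool operands always evaluates both sides, while `&&` short-circuits. The names `EvalCounter`, `rightOperand`, `bitwiseAnd`, `logicalAnd`, `Buffer` and `hasData` are all assumed for the illustration.

```cpp
#include <cstddef>
#include <iostream>

// Hypothetical helper: records how many times the right-hand operand of an
// expression was evaluated, so the evaluation order becomes observable.
struct EvalCounter {
    int right_evals = 0;
};

// Right-hand operand with a visible side effect (incrementing the counter).
static bool rightOperand(EvalCounter& counter) {
    ++counter.right_evals;
    return true;
}

// Non-compliant form under cpp:S872: bitwise '&' applied to bool operands.
// Both operands are always evaluated, so the side effect happens even when
// 'left' is false. (The bool operands are promoted to int and the int result
// is converted back to bool on return.)
bool bitwiseAnd(bool left, EvalCounter& counter) {
    return left & rightOperand(counter);
}

// Compliant form: logical '&&' short-circuits, so rightOperand() runs only
// when 'left' is true.
bool logicalAnd(bool left, EvalCounter& counter) {
    return left && rightOperand(counter);
}

// Why it matters for safety: a guard such as "p != nullptr && p->len > 0" is
// only correct because '&&' stops before dereferencing a null pointer. The
// '&' spelling of the same guard is deliberately not shown, since with a null
// pointer it would be undefined behaviour.
struct Buffer {
    std::size_t len;
};

bool hasData(const Buffer* p) {
    return p != nullptr && p->len > 0;
}

int main() {
    EvalCounter c1, c2;
    bitwiseAnd(false, c1);   // right side evaluated anyway
    logicalAnd(false, c2);   // right side skipped
    std::cout << "'&' evaluated the right operand " << c1.right_evals
              << " time(s), '&&' evaluated it " << c2.right_evals
              << " time(s)\n";
    std::cout << "hasData(nullptr) = " << hasData(nullptr) << '\n';
    return 0;
}
```

Compiling this with `-Wall` and running it prints one evaluation for the `&` form and zero for the `&&` form. Which of the two you want is a design decision, but the rule flags `&` because the non-short-circuiting behaviour is almost never intended when the operands are booleans.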

Hi Nitya,

Thanks for the code. When the language experts show up to look at this, I’m sure they’ll find it helpful.

Ann

Hello @Nitya,

This is weird, I took the sample code you provided and issues were raised:

void test() {
  bool b1 = true;
  bool b2 = false;
  if (b1 & b2) // Two issues: "S872:Reconsider this operator for 'bool' operand." and "S867:"&" left operand should not have type 'bool'."
  {
    // Do Something
  }
}

To understand why there is no issue, could you provide me a reproducer file please?
To generate a reproducer file in SonarQube:

  • Add the reproducer option to the scanner configuration:
    sonar.cfamily.reproducer= "Full path to the .cpp file that has or include the file that has the false-negative"
  • Re-running the scanner should generate a file named sonar-cfamily.reproducer in the project folder.
  • Please share this file (I can send you a PM if you want to share it privately)

Thank you

Hi Amelie,
Can you send me a PM? I would like to share the file privately.
Thank you,
Nitya

Hello @Nitya,

Thanks to the log file you provided us, it’s possible to understand what is the issue you encountered.

Our tools analyse C++ code, but the file that you tried to analyze was not a C++ file, but a C++/CLI file. This is an extension to C++, developed by Microsoft, and that we do not support. As you can see in your log file, there are messages such as:

2021-08-19T18:41:27.3849065Z 11:41:27.383 WARN: Microsoft extension activated by "/ZW:nostdlib" compiler option is not supported, skip analysis of files: [C:/agent/file1.cpp, C:/agent/file2.cpp, C:/agent/file3.cpp...

This means that those files are not analyzed at all, and of course no issue can be raised.

There are usually two ways to make progress in that situation:

  • Sometimes, files that only contain pure C++ code are compiled in C++/CLI mode, for no good reason. In that case, modifying your project so that those files are compiled in pure C++ mode would solve the issue.
  • Sometimes, the files really contain C++/CLI features, which means they cannot be analyzed. However, C++/CLI is designed to be a glue between C++ and C#, and it’s usually a good idea to restrict the use of C++/CLI to a thin communication layer between those languages, and have the rest of the source code be pure C++ and pure C#. If you reorganize your code that way, the communication layer won’t be analyzed, but the rest of your C++ code (which should be most of it) can be.

Hope this helps,

Hello @JolyLoic,
Some of our projects are in UWP. That would be the reason for C++/CLI compiled code. We will be refactoring such projects to move to a different framework. Thank you for the support and finding the root cause.
Request to close this thread.

Much appreciated,
Thank you.
