Sonarqube is not covering the NULL pointer check

Hi,
we are using SonarQube 7.6 Community Edition.

In our product we have activated the NULL pointer check rules in Sonar. But still it is not detecting the NULL pointer check.
Where we are observing the issue, we are seeing a “Not covered by test” error instead of it being captured as an issue. Will you please help with how to handle this?

Attached is the screenshot of the error.

please help.

Hello @santothoughts,

You’re using too old a version of SonarQube for us to be able to really help you.
The C/C++ analyzer has improved a lot since SonarQube 7.6. The first thing to do would be to upgrade to SonarQube 7.9 LTS (at least) or SonarQube 8.5 (even better) to be on a supported version running the most up-to-date analyzer.
Once done, please come back to me and explain on which line you expect a null pointer issue to be detected (and, so that we see the code well, hide the tooltip about tests; this is a completely different feature and it’s not interesting for your case).

Olivier

I have installed 8.5.1.38104; still it is not detecting the NULL pointer check. Find the attached image and explanation for the same.

Hello SONARSOURCE,

Any comment on the issue highlighted by Nagi Reddy?

Hello @Nagi_Reddy,

I originally missed that in your initial post you mentioned using SonarQube Community Edition.
The C/C++ analyzer developed by SonarSource (plugin sonar-cpp) is only available in SonarQube Developer Edition and higher. See https://www.sonarsource.com/plans-and-pricing/
So:

  • If you confirm that you are using the Community Edition and you have C/C++ code analyzed, it means that you use a 3rd-party community analyzer (possibly sonar-cxx) and therefore we at SonarSource have absolutely no control over the quality or accuracy of the findings
  • If you use a Developer Edition or higher, then please send me a reproducer (i.e. the sample project) and the build script (since for C/C++ we require the code to be built (and wrapped with the build wrapper) to analyze it)

Olivier

Hello @santothoughts, @JanarthananRajendran and @Nagi_Reddy,

In addition to what @OlivierK mentioned, our static analyzer would only raise an issue if it is sure that fp_proc is a nullptr and is dereferenced. In the code snippet that you shared, the fp_proc value is not certainly a nullptr. So even if you are using the Developer Edition I don’t expect it to raise an issue. We don’t recommend/have a rule for a defensive check for nullptr.

Thanks,

Thanks Olivier, Sabra for the response. We are using Community Edition Version 8.5.1 (build 38104). Even with the null pointer initialization I have done the Sonar run. Find the attached results for the same. I have also opted for the Development version; once I have the free trial I will share the results.

Hello,

I am not quite sure what the above means. Anyhow, I think that I understand it means that you are using the Community Edition and therefore my post below is still valid:

Please come back to us when you have set up a Developer Edition and you use the SonarSource C/C++ analyzer. As per @Abbas’s post it does not mean it will raise an issue on the eventual null pointer but at least we’ll be able to investigate and explain why we don’t raise an issue if that’s the case.

Hi all,
as suggested I used the latest version, i.e. 8.5.1, of the Community version. Still it is not able to detect the NULL pointer check and it is giving “Not covered by the test”. Please suggest, do I need to use any other edition? Below is the sample code. I am expecting fp_thread and fp_proc should be identified by Sonar and it should say the NULL check is missed.

sprintf(proc_info,"/trace/processStats.%u",(resetNum));
sprintf(thread_info,"/trace/threadStats.%u",(resetNum));

FILE *fp_thread = NULL, *fp_proc = NULL;

/* fopen() returns NULL on failure; neither result is checked below */
fp_thread = fopen(thread_info,"ab+");
fp_proc = fopen(proc_info, "ab+");

time(&time_of_day);
/* if either fopen() failed, fwrite() dereferences a NULL FILE* here */
fwrite(&time_of_day,sizeof(time_t),1,fp_proc);
fwrite(&time_of_day,sizeof(time_t),1,fp_thread);

@Nagi_Reddy, I feel that you don’t read our feedback carefully enough:

  • As long as you use the Community Edition we can’t help you because the C++ analyser that you use (probably sonar-cxx) is not ours (sonar-cpp). Ours is only available in Developer Edition and higher
  • Even if you’d use our analyzer (i.e. Developer Edition), we raise a null pointer exception only if we’re sure that the pointer is null and is dereferenced, which is not the case in your snippet.

Hi Olivier Korach,
Thanks for your quick reply. I have the below 2 questions.

  1. We have the Enterprise version with licence; can it discover the issue?

FILE *fp_thread = NULL, *fp_proc = NULL;

fp_thread = fopen(thread_info,"ab+");
fp_proc = fopen(proc_info, "ab+");

time(&time_of_day);
fwrite(&time_of_day,sizeof(time_t),1,fp_proc);
fwrite(&time_of_day,sizeof(time_t),1,fp_thread);

  2. In the given snippet fp_thread and fp_proc are initialized to NULL, and in case the file open fails then the values of these variables are still NULL, and we try to write to the NULL file pointer variable, which leads to a crash. I hope this NULL pointer check should be caught in the Sonar check?

Can you please reply to my 2 queries so that I can proceed further?
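The crash path described in question 2 (a failed fopen() leaving fp_proc/fp_thread NULL, then fwrite() dereferencing them) is what a defensive check has to handle in code, regardless of what an analyzer reports. The following is an added example, not the poster's snippet nor any SonarSource code; the function names build_stats_paths and write_stats_timestamp are assumed here, and the path construction is done with snprintf instead of sprintf so the buffer sizes are respected too.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Same paths as the snippet, but built with snprintf so an oversized number
 * cannot overflow the buffers. Returns 0 if both fit, -1 if either was cut. */
static int build_stats_paths(unsigned resetNum, char *proc_info, size_t proc_len,
                             char *thread_info, size_t thread_len)
{
    int n1 = snprintf(proc_info, proc_len, "/trace/processStats.%u", resetNum);
    int n2 = snprintf(thread_info, thread_len, "/trace/threadStats.%u", resetNum);
    if (n1 < 0 || (size_t)n1 >= proc_len || n2 < 0 || (size_t)n2 >= thread_len)
        return -1;
    return 0;
}

/* Writes the timestamp to both stats files. Each fopen() result is checked
 * before fwrite() sees it: an unchecked NULL here is the crash described in
 * the thread. Returns 0 on success, -1 on any open, write or close failure. */
static int write_stats_timestamp(const char *proc_info, const char *thread_info)
{
    time_t time_of_day;
    FILE *fp_proc = fopen(proc_info, "ab+");
    if (fp_proc == NULL) {
        fprintf(stderr, "fopen(%s): %s\n", proc_info, strerror(errno));
        return -1;
    }
    FILE *fp_thread = fopen(thread_info, "ab+");
    if (fp_thread == NULL) {
        fprintf(stderr, "fopen(%s): %s\n", thread_info, strerror(errno));
        fclose(fp_proc);          /* do not leak the first handle */
        return -1;
    }
    time(&time_of_day);
    int ok = fwrite(&time_of_day, sizeof time_of_day, 1, fp_proc) == 1
          && fwrite(&time_of_day, sizeof time_of_day, 1, fp_thread) == 1;
    if (fclose(fp_proc) != 0) ok = 0;    /* fclose() can fail on flush */
    if (fclose(fp_thread) != 0) ok = 0;
    return ok ? 0 : -1;
}

int main(void)
{
    char proc_info[64], thread_info[64];
    if (build_stats_paths(1u, proc_info, sizeof proc_info, thread_info, sizeof thread_info))
        return 1;
    /* Without a writable /trace this reports the fopen() error and exits 1, no crash. */
    return write_stats_timestamp(proc_info, thread_info) == 0 ? 0 : 1;
}
```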

Can someone reply to my above 2 questions?