We have been using SonarQube on a variety of host tools with C/C++, Java, JavaScript and it has produced useful static analysis results. Thus, we have begun running some of our embedded C code through SonarQube, but the static analysis is not finding much. Of course, our code could be clean, I suppose, but based upon previous experience we expected more findings.
There are 18 deactivated bug rules in the Sonar way C quality profile. Could/should these be enabled to have a deeper analysis?
Is there an embedded C focused quality profile available from SonarSource or a third party?
The quality and the precision of our analysis depend on how your project is configured.
If you have any doubt about its configuration, do not hesitate to contact the commercial support that will be happy to help you.
Having said that:
First, no, there is no embedded C focused quality profile in SonarSource, but we’ve taken note of this need.
I don’t know if you’re aware, but we provide MISRA rules (see misra-c2012 rules and misra-c2004 rules). Maybe these will be of interest to you.
There are indeed 18 deactivated bug rules in the Sonar way C quality profile. If those rules make sense to you, do not hesitate to activate them. I’m not sure I understand what you mean by a “deeper” analysis, but if you believe that you can benefit from any of these rules, you definitely can activate them (not all rules are in Sonar way because some of them could be too noisy in certain use cases).
The static analysis won’t run properly if you have parsing errors (this can be easily checked with the rule Track parsing failures). If you don’t have any parsing errors and you notice a false negative (i.e. a bug that we do not detect) do not hesitate to share it with us, this kind of feedback is really helpful for us to improve our plugins.