I noticed from analyzing my C project with SonarQube Developer Edition, that it did not find all the same bugs that the Clang Static Analyzer did. Here are some tests I did of short programs where I expected SonarQube to find a bug, but it didn’t:
arrayindex.txt (218 Bytes): Expected to see “Variables should be initialized before use” and/or “Memory access should be explicitly bounded to prevent buffer overflows”
garbage_assert.txt (88 Bytes): Expected to see “Variables should be initialized before use”
unreachable.txt (219 Bytes): Expected to see “Conditionally executed blocks must be reachable”
(I had to make them .txt files in order to upload)
I am using SonarQube Developer Edition v. 7.2.1 and SonarScanner 4.3.0. I realize this is an older version of SonarQube, but my developer edition license is tied to that server ID so that is what I am currently using.
I was hoping the SonarQube team could look into this and see if these are real limitations that should be addressed?
For the first one, I checked and we detect exactly what you expect on our newer versions. You must be on an old version or you are not enabling the rule. Here what matters is the Cfamily plugin version. You didn’t share which version you are on. Check if there is a more recent one in your instance marketplace. Here is what you should see:
For the second one, I see that we detect the issue but we aren’t reporting it due to its bad location. This is related to the fact that the usage is inside an assert. If you do the check outside of it, you should see the issue. Nonetheless, we should improve the reporting here. I created this ticket that you can watch for updates.
For the third case, this rule is under construction. It is currently disabled and should be implemented soon. We already have a ticket for it and we will detect your case when delivered.
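The three patterns discussed in this thread, reconstructed as one constructed C file (an added example, not the poster’s attached .txt files or SonarSource code): the `bad_*` functions each carry the defect the named rule targets and exist only for an analyzer to inspect, while `safe_array_index` shows the explicitly bounded form and is the part that is actually called. Names, the contradictory condition and the sample buffer are assumptions made for this example.

```c
#include <assert.h>
#include <stddef.h>

#define BUF_LEN 8

/* Pattern 1 (arrayindex): idx is never assigned, and buf[idx] is not bounded.
   Targets "Variables should be initialized before use" and
   "Memory access should be explicitly bounded to prevent buffer overflows". */
int bad_array_index(void) {
    int buf[BUF_LEN];
    int idx;               /* uninitialized index */
    return buf[idx];       /* unbounded read through a garbage index */
}

/* Pattern 2 (garbage_assert): the uninitialized read sits inside assert().
   The reply above says the analyzer finds this but does not report it
   because the issue location falls inside the assert. */
void bad_garbage_assert(void) {
    int flag;
    assert(flag == 0);     /* reads uninitialized flag */
}

/* Pattern 3 (unreachable): the condition can never hold, so the block is dead.
   Targets "Conditionally executed blocks must be reachable". */
int bad_unreachable(int x) {
    if (x > 0 && x < 0) {  /* contradictory, never true */
        return 1;
    }
    return 0;
}

/* Hardened form of pattern 1: the index arrives as a parameter and is checked
   explicitly against the buffer length before the access. Returns 0 and
   stores the element in *out, or -1 when the index is out of range. */
int safe_array_index(const int *buf, size_t len, long idx, int *out) {
    if (buf == NULL || out == NULL || idx < 0 || (size_t)idx >= len) {
        return -1;
    }
    *out = buf[idx];
    return 0;
}

/* Constructed sample buffer for exercising safe_array_index. */
static const int SAMPLE[4] = {10, 20, 30, 40};
enum { SAMPLE_LEN = 4 };
```

Running this file through the analyzer with the three rules enabled is the quickest way to confirm whether a given Cfamily plugin version reports each pattern.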
Thanks for the response. For info, the Cfamily version I have is 5.1 build 10083. Looks like the latest one, 6.9.0 build 17076, would require a system update on my end.
@tlangley, There is a huge difference between 5.1 and 6.9. The result of the analysis will vary drastically.
Try to upgrade when possible and let us know if you have any feedback on the newer version.
Note: the latest available version on the latest SonarQube release is 6.11.