I noticed from analyzing my C project with SonarQube Developer Edition, that it did not find all the same bugs that the Clang Static Analyzer did. Here are some tests I did of short programs where I expected SonarQube to find a bug, but it didn’t:
arrayindex.txt (218 Bytes): Expected to see “Variables should be initialized before use” and/or “Memory access should be explicitly bounded to prevent buffer overflows”
garbage_assert.txt (88 Bytes): Expected to see “Variables should be initialized before use”
unreachable.txt (219 Bytes): Expected to see “Conditionally executed blocks must be reachable”
(I had to make them .txt files in order to upload)
I am using SonarQube Developer Edition v. 7.2.1 and SonarScanner 4.3.0. I realize this is an older version of SonarQube, but my developer edition license is tied to that server ID so that is what I am currently using.
I was hoping the SonarQube team could look into this and see if these are real limitations that should be addressed.
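For readers who want to reproduce this kind of comparison, the following is an added, constructed C file that is not the poster's attachments (those are not reproduced here) and not SonarSource code. It contains one minimal instance of each defect class named above (an uninitialized array index, an assert on an uninitialized value, and a conditional block that can never execute) next to a corrected version of each. The `*_buggy` functions are deliberately defective and only compiled, never called, because reading an uninitialized variable is undefined behaviour; the `*_fixed` functions return deterministic values. The buffer length `BUF_LEN` and the `-1` out-of-range sentinel are assumptions made for this example.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed reproducers for the three rule classes in the post.
 * Assumption: these are illustrative, not the poster's actual test files.
 * *_buggy functions carry the defect and are never executed (undefined
 * behaviour); *_fixed functions show the corrected pattern. */

#define BUF_LEN 4   /* assumed buffer size for the example */

/* 1. "Variables should be initialized before use" and
 *    "Memory access should be explicitly bounded": index never assigned. */
int array_index_buggy(void) {
    int buf[BUF_LEN] = {10, 20, 30, 40};
    int i;                 /* never initialized */
    return buf[i];         /* reads an indeterminate index, unbounded access */
}

/* Fixed: the index is a parameter and the access is explicitly bounded.
 * Returns -1 (assumed sentinel) instead of reading past the buffer. */
int array_index_fixed(size_t i) {
    int buf[BUF_LEN] = {10, 20, 30, 40};
    if (i >= BUF_LEN) {
        return -1;
    }
    return buf[i];
}

/* 2. "Variables should be initialized before use": assert on garbage. */
void garbage_assert_buggy(void) {
    int v;                 /* never initialized */
    assert(v == 0);        /* condition depends on an indeterminate value */
}

/* Fixed: value is initialized before the invariant is checked; returns 1
 * when the invariant holds so the result can be observed without aborting. */
int garbage_assert_fixed(void) {
    int v = 0;
    assert(v == 0);
    return v == 0;
}

/* 3. "Conditionally executed blocks must be reachable": the else-if branch
 *    is dead, because x > 5 implies x > 0, which the first branch already
 *    handled. This function is well-defined, it just never returns 2. */
int unreachable_buggy(int x) {
    if (x > 0) {
        return 1;
    } else if (x > 5) {    /* dead branch */
        return 2;
    }
    return 0;
}

/* Fixed: conditions ordered from most to least specific, every branch reachable. */
int unreachable_fixed(int x) {
    if (x > 5) {
        return 2;
    } else if (x > 0) {
        return 1;
    }
    return 0;
}

int main(void) {
    printf("array_index_fixed(2)   = %d\n", array_index_fixed(2));
    printf("array_index_fixed(9)   = %d\n", array_index_fixed(9));
    printf("garbage_assert_fixed() = %d\n", garbage_assert_fixed());
    printf("unreachable_buggy(7)   = %d\n", unreachable_buggy(7));
    printf("unreachable_fixed(7)   = %d\n", unreachable_fixed(7));
    return 0;
}
```

To compare analyzers on such a file, run it through the Clang Static Analyzer with `scan-build cc -c file.c` and through a SonarScanner build wrapper for the same project, then check which of the three defects each tool reports; the `*_buggy` functions are the ones a "variables should be initialized" or "unreachable block" rule is expected to flag.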