which versions are you using
Sonarqube: 9.9.3.79811
CFamily plugin version: 6.41.1.62265
how is SonarQube deployed: zip, Docker, Helm
what are you trying to achieve: Get a warning about an uninitialized variable.
what have you tried so far to achieve this: analyzed the code using SQ.
I have code similar to this (names have been changed):
class Child : public Parent
{
public:
~child(){}
struct
{
bool b;
} sContainer;
};
There are no warnings regarding the uninitialized value of b neither when declared nor when used. The files are recognized as c++ as I get a warning regarding destructor which should use = default.
It seems like an obvious thing to be caught by SQ so why isn’t it?
To investigate your issue I will need more context. A naive attempt at reproducing the false negative fails. Our analyzer successfully detects the S836 violation in the below example (constructed based on your code snippet):
class Parent {};
class Child : public Parent
{
public:
~Child() = default;
int foo() {
if (sContainer.b) // S836 Branch condition evaluates to a garbage value
return 0;
return 1;
}
struct
{
bool b;
} sContainer;
};
int main() {
Child child;
return child.foo();
}
To generate the reproducer file:
Search in the analysis log for the full path of the source file for which you want to create a reproducer - the file that contains the false-positive. You will have to use exactly this name (same case, / or \…)
Add the reproducer option to the scanner configuration:
sonar.cfamily.reproducer=“Full path to the .cpp”
Re-run the scanner to generate a file named sonar-cfamily.reproducer in the project folder.
Share this file privately by replying to the private message I’ve sent you.
P.S. in case of an issue in a header file, you want to generate the reproducer of the source file that includes that header.
Hi Arseniy.
Thanks for trying my code.
I have changed my code around and by introducing a main as yours my compiler complains the member is not initialized and as such I have to trust that SonarQube will also find this.
I was expecting SonarQube to be able to detect the lack of initialization even though there is no main in the class, but it seems this is not possible at the moment?
Without the context, our analyzer does not dare to make assumptions about the use of this class. It might be that the developer intends to always initialize Child::sContainer::b after a Child object is allocated and before b field is used (not arguing that it is a nice design).
Whenever there is a possibility of correct execution of the given code, we prefer giving the developer the benefit of the doubt, to avoid annoying false positives.