Unreachable code not spotted

Tom_Isaacson2 · May 23, 2025, 7:47pm

SonarQube Server: Data Center Edition v2025.1.1 (104738)
how is SonarQube deployed: zip

We have a function that reads an HTTP response back from Curl. The code looks like this:

        if (response_code >= 200 && response_code <= 299) {
            // Do some stuff
        } else if (response_code == 203) {
            // Do some stuff
        } else if (response_code == 401) {
            // Do some stuff
        } else if (response_code == 404) {
            // Do some stuff
        } else {
            // Do some stuff
        }

The obvious bug here is that the if (response_code == 203) line is never reached because it’s caught by the earlier (response_code >= 200 && response_code < 299). But I’m surprised SonarQube doesn’t spot this. Is there no capability to notice unreachable code or is this just not being spotted?

necto · May 26, 2025, 7:23am

Hello, @Tom_Isaacson2

Indeed, at the moment we only detect trivially unreachable code with cpp:S1763, which does not cover your case.

We envision working on a more useful rule that would flag such invariant conditions as part of CPP-5167. We have no specific timeline for it.

Additionally, the next SonarQube Server release will provide a MISRA C++ 23 rule (0.0.2) “Controlling expressions should not be invariant” which should also detect such bugs. (Note that the rule is available to SonarQube Server users if you enable the additional setting for the preview of MISRA C++ 23 rules. We do not promise to keep these rules available for free once we have a more complete MISRA coverage).

Tom_Isaacson2 · May 26, 2025, 5:37pm

How do I enable the preview?

necto · May 27, 2025, 7:15am

To be more precise, the feature is called “Misra Compliance 2023 C++ Early Access”:

By default, when MISRA C++ 2023 rules are applied during analysis, a scanner warning informs developers that additional MISRA C++ 2023 Early Access rules can be enabled on their instance. As an instance administrator, you can activate or deactivate this warning by passing a scanner property at the instance level.
To do this, set the sonar.cfamily.misra.warnNewRules scanner property to true or false in your $<INSTALL_DIRECTORY>/conf/sonar-scanner.properties file.

Geoffray · May 27, 2025, 11:54am

Hello there.
Just bringing some additional information.
To enable the MISRA Early Access, you need to enable it at the instance level as explained here.
Note that it is available only in SonarQube Server 2025 Release 2 (one release after the version you run) and later, starting from Enterprise Edition (so, including Data Center Edition).
The rule that Arseniy mentioned will be shortly released in SonarQube Server 2025 Release 3.

Topic		Replies	Views
Bugs, Code Smell, Vulnerability are not detected for C/C++ language SonarQube Server / Community Build sonarqube , cfamily	1	842	April 20, 2020
SonarQube does not catch cpp:S872 as an issue SonarQube Server / Community Build sonarqube , cfamily	10	1137	August 24, 2021
No Code Scanned SonarQube Cloud cfamily , build-wrapper , coverage	14	1799	September 13, 2022
Misra rules seems bypassed for C code SonarQube Server / Community Build cfamily	3	561	April 8, 2021
SonarCloud reports incorrect "unreachable code" error on C# SonarQube Cloud csharp	2	343	September 26, 2023

Unreachable code not spotted

Related topics