[Webinar] Write cleaner, safer modern C++ with SonarQube

What: How SonarQube analysis can help you write better modern C++
When: Sept. 2 10:00 a.m. CDT / 17:00 CEST (time zone conversion)
Presenters: G. Ann Campbell (me!), Loic Joly

In a live, 30 minute webinar Loic and I will talk about the benefits of SonarQube static analysis specifically for C++ developers. You’ll learn about:

  • Code Quality & Security for the individual: in-IDE and in PRs
  • Code Quality & Security for the team: in SonarQube
  • What types of issues you can find on your C++ code: Bugs, Vulnerabilities, Security Hotspots, and Code Smells.
  • How easy it is to get started - including a demo of SonarQube!

Intended audience: C++ developers new to SonarSource

Register now to reserve your seat.

See you then!


Hi again,

I left out the speaker bios in my first post. I want to fix that here because I’m excited that Loic will be joining me for this webinar:

Loïc is a C++ coder, speaker, teacher and expert. He represents France on the ISO C++ standardization committee and is also a member of the committee drafting the next version of the MISRA C++ standard for critical systems. In addition to developing in C++, he has a special interest in teaching it and spreading good practices across the community. He is a frequent speaker at meetups and conferences and teaches at Telecom SudParis.
Since he joined SonarSource in 2018, he has worked on static analysis for C++, both specifying rules to help other developers and having the fun of implementing them.

And FWIW, here’s my speaker bio:

Ann coded JavaScript for early browsers (think Netscape 3, IE 4), plus Perl, C, and Java. She became a vocal member of the SonarQube community in 2010 and joined SonarSource in 2013, after co-authoring SonarQube in Action. Her software career has spanned support, documentation, coding, and product management. Through the SonarQube community, she has helped hundreds of people understand how to make the most of SonarQube to write Clean and Secure Code.



Hi all,

If you couldn’t make the scheduled time, you can still watch the webinar on YouTube:

As usual, here are the questions participants asked:


Is my gcc-linaro-6.5.0 compiler supported by SonarQube?
Compilers based wholly on GCC, including Linaro GCC are supported. You can see the full list of supported compilers at https://www.sonarqube.org/cpp/.

Is it possible to use the build-wrapper with compiler caches like ccache or buildcache?
build-wrapper works with ccache.

Are Conan-packages supported? Can I simply wrap conan build…?
We haven’t tested this, but theoretically it should work. If you find that it doesn’t, please start a new thread here in the community.

How can I select the coding standard (C++XX)?
It is automatically detected from the build command data build-wrapper gathers.

Which unit test code coverage tools do you support?
The documentation includes the full list of coverage tools across all languages.

Is there a sample project to refer to for build setup for analysis?
Yes! Here you go :smiley:: https://github.com/SonarSource/sonar-scanning-examples/tree/master/sonarqube-scanner-build-wrapper-linux

Should I use SonarScanner for MSBuild or SonarScanner CLI for static analysis for VisualStudio?
If your project is a mix of C++ and C#, you should use SonarScanner for MSBuild. It’s the only scanner that properly handles C# code. Otherwise, you should default to SonarScanner CLI. In both cases you must also use the build-wrapper to gather your C++ configuration data.

What if you don’t support my specific compiler or its syntax? What about integrating the build-wrapper for easier Azure DevOps analysis?
We periodically expand our compiler/build support. Please create a new ‘New features’ thread with your specific request so others can vote for it. We use these threads to help us prioritize new features.

What are the options if you’re using a homegrown build and source control system, not Git or another standard SCM?
The use of an SCM is a programming best practice but not strictly required for analysis. We use SCM data to identify which lines and issues are “new”, and to correctly assign issues. Without SCM data, we identify new lines and issues on a best-effort basis.

Is pull request analysis supported only for C++ or for other languages as well?
Analysis is always fully multi-language. Pull request analysis is supported equally for all languages across the supported ALMs: GitHub, GitLab, Azure DevOps, and BitBucket Server.


Do you support AUTOSAR?
AUTOSAR was developed because MISRA C++ had not progressed since 2008. Now that the MISRA standard is being updated, AUTOSAR & MISRA have announced that they’ve merged.

As a consequence, we have no plan to address AUTOSAR. We’ll be focusing instead on the next version of the MISRA standard.

Do you support all MISRA rules?
Currently we don’t cover all of them, but we are continuously improving our MISRA coverage

Can I write my own rules and have them run by SonarQube?
Sorry, we don’t support custom rules for C++.


Are there limitations in the free C++ SonarLint plugin for VStudio?
Security Hotspots are not raised in SonarLint. Additionally, a few rules that require a view on the full project to make sense (for instance detecting unused functions) are also excluded, because SonarLint works on a file-by-file basis. All other issues raised by SonarQube will be raised in SonarLint as well, without restriction.

My IDE doesn’t seem to be supported. When will you add it?
It’s in our plans to support C++ in VSCode. If there’s another IDE you’d like to see us support, please create a new ‘New features’ thread with your specific request so others can vote for it. We use these threads to help us prioritize new features.

Getting started

SonarCloud is free for open-source C++ projects, right?
Yes. :smiley:

What edition do I use to analyze C++ code on-prem?
C++ analysis is fully supported in SonarQube Developer Edition.

How big a server do I need for a typical installation?
This really depends on your volume of code and analyses, but we do provide some recommendations for server requirements here and here in the documentation.

Additionally, you’ll want to make sure your CI agent is robust enough to deliver analysis results in a timely manner. Additionally, you may want to make sure you have the resources to configure multi-threaded analysis.

Could you expand on how the licensing by lines of code works?
Our commercial editions are priced per instance per year and based on your lines of code (LOC). LOCs are computed by summing up the main/program LOCs of each project analyzed. The LOCs used for a project are the LOCs found during the most recent analysis of this project. If you start using the branch analysis feature, then the counted LOCs of a project will be the ones of the biggest branch of that project.

As an example, if you have a 100-LOC project, and you analyze it once a day for 100 days, for licensing purposes that’s a total of 100 LOC.

For more detail on the pricing tiers for Developer Edition, please see: https://www.sonarqube.org/trial-request/developer-edition/

I’m ready to get started! Now what?
Request a free, 14-day trial license for Developer Edition.


Still have questions?
If you have general questions about product features, open a new thread here the community. We’ll be glad to see you!

For questions about commercial editions, including pricing or trial licenses, try one of these:

For other commercial questions, contact us here.