Why security hotspots are not reported in this case

Please provide

  • Operating system:windows 10
  • Visual Studio version: 1.85.1
  • SonarLint plugin version:4.2.2
  • Programming language you’re coding in: c
  • Is connected mode used: sonarqube 10.2
    • Connected to SonarCloud or SonarQube (and which version):

And a thorough description of the problem / question:
I’m confused as to why security hotspots are not reported on line 7.Lines 8 and 9 report security hotspots

char buf[10];
int main(void)  {
    char const *message="ptpf11111111";

    size_t buflen = snprintf(0, 0, "%s",message);
    char* buf1 = malloc(buflen + 1); // For the final 0
    return 0;

Hey there.

Help me out – which hotspot(s) are being reported on Lines 8 and 9?


It is reported by rule c:S6069

Hello @zhangjiuwang ,

This rule has an exception when snprintf may have been used to compute the buffer size. See the exception on the rule description.

However, this looks to me like a bug. The snprintf comes after the call to sprintf, so it can’t possibly be used to do the bound checks.

I have created a ticket to track this issue

Thanks a lot for the report!

1 Like

Hi @aalvarez
Thanks for your reply. After I tried to delete the code after line 10, line 7 was also reported this security hotspot;
Also, why does line 9 (sprintf(buf,"ptpf");) report this security hotspot? Looks like the size of buf is enough?

It is, you are right. But note that “security hotspot” does not mean there is a bug, only that it is worth double-checking that line to make sure there isn’t.

If the analyzer could prove there is an overflow, then you would get

  • S3519 Memory access should be explicitly bounded to prevent buffer overflows (Example)