I am using Cppcheck in combination with the Cxx SonarQube plugin to do C/C++ code analysis. After executing Cppcheck I get the report in XML format and send it to SonarQube so I can review all the issues in my code in a graphical interface.
After checking the results I see that Cppcheck does not differentiate between Bugs, Vulnerabilities or Security Hotspots as SonarQube does; there are only Bugs.
This is the Cppcheck report file of my code:
<?xml version="1.0" encoding="UTF-8"?>
<results version="2">
    <cppcheck version="2.7"/>
    <errors>
        <error id="memleakOnRealloc" severity="error" msg="Common realloc mistake: 'buf' nulled but not freed upon failure" verbose="Common realloc mistake: 'buf' nulled but not freed upon failure" cwe="401" file0="src/C.c">
            <location file="src/C.c" line="391" column="12"/>
            <symbol>buf</symbol>
        </error>
        <error id="deallocuse" severity="error" msg="Dereferencing 'ip' after it is deallocated / released" verbose="Dereferencing 'ip' after it is deallocated / released" cwe="416" file0="src/component1.cc">
            <location file="src/component1.cc" line="37" column="14"/>
            <symbol>ip</symbol>
        </error>
        <error id="deallocuse" severity="error" msg="Dereferencing 'ip' after it is deallocated / released" verbose="Dereferencing 'ip' after it is deallocated / released" cwe="416" file0="src/component1.cc">
            <location file="src/component1.cc" line="42" column="6"/>
            <symbol>ip</symbol>
        </error>
        <error id="doubleFree" severity="error" msg="Memory pointed to by 'ip' is freed twice." verbose="Memory pointed to by 'ip' is freed twice." cwe="415" file0="src/component1.cc">
            <location file="src/component1.cc" line="47" column="12"/>
            <location file="src/component1.cc" line="46" column="5"/>
            <symbol>ip</symbol>
        </error>
        <error id="mismatchAllocDealloc" severity="error" msg="Mismatching allocation and deallocation: ip" verbose="Mismatching allocation and deallocation: ip" cwe="762" file0="src/component1.cc">
            <location file="src/component1.cc" line="51" column="15"/>
            <location file="src/component1.cc" line="50" column="10"/>
            <symbol>ip</symbol>
        </error>
        <error id="uninitvar" severity="error" msg="Uninitialized variable: a" verbose="Uninitialized variable: a" cwe="457" file0="src/component1.cc">
            <location file="src/component1.cc" line="32" column="8"/>
            <symbol>a</symbol>
        </error>
        <error id="deallocuse" severity="error" msg="Dereferencing 'ip' after it is deallocated / released" verbose="Dereferencing 'ip' after it is deallocated / released" cwe="416" file0="src/component2.cc">
            <location file="src/component2.cc" line="36" column="14"/>
            <symbol>ip</symbol>
        </error>
        <error id="deallocuse" severity="error" msg="Dereferencing 'ip' after it is deallocated / released" verbose="Dereferencing 'ip' after it is deallocated / released" cwe="416" file0="src/component2.cc">
            <location file="src/component2.cc" line="41" column="6"/>
            <symbol>ip</symbol>
        </error>
        <error id="doubleFree" severity="error" msg="Memory pointed to by 'ip' is freed twice." verbose="Memory pointed to by 'ip' is freed twice." cwe="415" file0="src/component2.cc">
            <location file="src/component2.cc" line="46" column="12"/>
            <location file="src/component2.cc" line="45" column="5"/>
            <symbol>ip</symbol>
        </error>
        <error id="mismatchAllocDealloc" severity="error" msg="Mismatching allocation and deallocation: ip" verbose="Mismatching allocation and deallocation: ip" cwe="762" file0="src/component2.cc">
            <location file="src/component2.cc" line="50" column="15"/>
            <location file="src/component2.cc" line="49" column="10"/>
            <symbol>ip</symbol>
        </error>
        <error id="uninitvar" severity="error" msg="Uninitialized variable: a" verbose="Uninitialized variable: a" cwe="457" file0="src/component2.cc">
            <location file="src/component2.cc" line="31" column="8"/>
            <symbol>a</symbol>
        </error>
        <error id="zerodiv" severity="error" msg="Division by zero." verbose="Division by zero." cwe="369" file0="src/main.cc">
            <location file="src/main.cc" line="9" column="15" info="Division by zero"/>
            <location file="src/main.cc" line="8" column="13" info="Assignment 'x=0', assigned value is 0"/>
        </error>
    </errors>
</results>
I see only errors and I think SonarQube takes them all as Bugs. I don't know if there is something that I'm missing or what.
Thanks in advance!
Last edit: Felipe 2022-05-06
If I use --enable=style I get the following results:
<?xml version="1.0" encoding="UTF-8"?>
<results version="2">
    <cppcheck version="2.7"/>
    <errors>
        <error id="memleakOnRealloc" severity="error" msg="Common realloc mistake: 'buf' nulled but not freed upon failure" verbose="Common realloc mistake: 'buf' nulled but not freed upon failure" cwe="401" file0="src/C.c">
            <location file="src/C.c" line="391" column="12"/>
            <symbol>buf</symbol>
        </error>
        <error id="variableScope" severity="style" msg="The scope of the variable 'e' can be reduced." verbose="The scope of the variable 'e' can be reduced. Warning: Be careful when fixing this message, especially when there are inner loops. Here is an example where cppcheck will write that the scope for 'i' can be reduced:\012void f(int x)\012{\012 int i = 0;\012 if (x) {\012 // it's safe to move 'int i = 0;' here\012 for (int n = 0; n < 10; ++n) {\012 // it is possible but not safe to move 'int i = 0;' here\012 do_something(&amp;i);\012 }\012 }\012}\012When you see this message it is always safe to reduce the variable scope 1 level." cwe="398" file0="src/C.c">
            <location file="src/C.c" line="247" column="18"/>
            <symbol>e</symbol>
        </error>
        <error id="variableScope" severity="style" msg="The scope of the variable 'filename' can be reduced." verbose="The scope of the variable 'filename' can be reduced. Warning: Be careful when fixing this message, especially when there are inner loops. Here is an example where cppcheck will write that the scope for 'i' can be reduced:\012void f(int x)\012{\012 int i = 0;\012 if (x) {\012 // it's safe to move 'int i = 0;' here\012 for (int n = 0; n < 10; ++n) {\012 // it is possible but not safe to move 'int i = 0;' here\012 do_something(&amp;i);\012 }\012 }\012}\012When you see this message it is always safe to reduce the variable scope 1 level." cwe="398" file0="src/C.c">
            <location file="src/C.c" line="248" column="44"/>
            <symbol>filename</symbol>
        </error>
        <error id="variableScope" severity="style" msg="The scope of the variable 'oldest_mtime' can be reduced." verbose="The scope of the variable 'oldest_mtime' can be reduced. Warning: Be careful when fixing this message, especially when there are inner loops. Here is an example where cppcheck will write that the scope for 'i' can be reduced:\012void f(int x)\012{\012 int i = 0;\012 if (x) {\012 // it's safe to move 'int i = 0;' here\012 for (int n = 0; n < 10; ++n) {\012 // it is possible but not safe to move 'int i = 0;' here\012 do_something(&amp;i);\012 }\012 }\012}\012When you see this message it is always safe to reduce the variable scope 1 level." cwe="398" file0="src/C.c">
            <location file="src/C.c" line="249" column="10"/>
            <symbol>oldest_mtime</symbol>
        </error>
        <error id="variableScope" severity="style" msg="The scope of the variable 'num_files' can be reduced." verbose="The scope of the variable 'num_files' can be reduced. Warning: Be careful when fixing this message, especially when there are inner loops. Here is an example where cppcheck will write that the scope for 'i' can be reduced:\012void f(int x)\012{\012 int i = 0;\012 if (x) {\012 // it's safe to move 'int i = 0;' here\012 for (int n = 0; n < 10; ++n) {\012 // it is possible but not safe to move 'int i = 0;' here\012 do_something(&amp;i);\012 }\012 }\012}\012When you see this message it is always safe to reduce the variable scope 1 level." cwe="398" file0="src/C.c">
            <location file="src/C.c" line="250" column="7"/>
            <symbol>num_files</symbol>
        </error>
        <error id="variableScope" severity="style" msg="The scope of the variable 'comp_spec' can be reduced." verbose="The scope of the variable 'comp_spec' can be reduced. Warning: Be careful when fixing this message, especially when there are inner loops. Here is an example where cppcheck will write that the scope for 'i' can be reduced:\012void f(int x)\012{\012 int i = 0;\012 if (x) {\012 // it's safe to move 'int i = 0;' here\012 for (int n = 0; n < 10; ++n) {\012 // it is possible but not safe to move 'int i = 0;' here\012 do_something(&amp;i);\012 }\012 }\012}\012When you see this message it is always safe to reduce the variable scope 1 level." cwe="398" file0="src/C.c">
            <location file="src/C.c" line="294" column="8"/>
            <symbol>comp_spec</symbol>
        </error>
        <error id="variableScope" severity="style" msg="The scope of the variable 'buf' can be reduced." verbose="The scope of the variable 'buf' can be reduced. Warning: Be careful when fixing this message, especially when there are inner loops. Here is an example where cppcheck will write that the scope for 'i' can be reduced:\012void f(int x)\012{\012 int i = 0;\012 if (x) {\012 // it's safe to move 'int i = 0;' here\012 for (int n = 0; n < 10; ++n) {\012 // it is possible but not safe to move 'int i = 0;' here\012 do_something(&amp;i);\012 }\012 }\012}\012When you see this message it is always safe to reduce the variable scope 1 level." cwe="398" file0="src/C.c">
            <location file="src/C.c" line="503" column="18"/>
            <symbol>buf</symbol>
        </error>
        <error id="deallocuse" severity="error" msg="Dereferencing 'ip' after it is deallocated / released" verbose="Dereferencing 'ip' after it is deallocated / released" cwe="416" file0="src/component1.cc">
            <location file="src/component1.cc" line="37" column="14"/>
            <symbol>ip</symbol>
        </error>
        <error id="deallocuse" severity="error" msg="Dereferencing 'ip' after it is deallocated / released" verbose="Dereferencing 'ip' after it is deallocated / released" cwe="416" file0="src/component1.cc">
            <location file="src/component1.cc" line="42" column="6"/>
            <symbol>ip</symbol>
        </error>
        <error id="doubleFree" severity="error" msg="Memory pointed to by 'ip' is freed twice." verbose="Memory pointed to by 'ip' is freed twice." cwe="415" file0="src/component1.cc">
            <location file="src/component1.cc" line="47" column="12"/>
            <location file="src/component1.cc" line="46" column="5"/>
            <symbol>ip</symbol>
        </error>
        <error id="mismatchAllocDealloc" severity="error" msg="Mismatching allocation and deallocation: ip" verbose="Mismatching allocation and deallocation: ip" cwe="762" file0="src/component1.cc">
            <location file="src/component1.cc" line="51" column="15"/>
            <location file="src/component1.cc" line="50" column="10"/>
            <symbol>ip</symbol>
        </error>
        <error id="uninitvar" severity="error" msg="Uninitialized variable: a" verbose="Uninitialized variable: a" cwe="457" file0="src/component1.cc">
            <location file="src/component1.cc" line="32" column="8"/>
            <symbol>a</symbol>
        </error>
        <error id="unusedVariable" severity="style" msg="Unused variable: x" verbose="Unused variable: x" cwe="563" file0="src/component1.cc">
            <location file="src/component1.cc" line="17" column="18"/>
            <symbol>x</symbol>
        </error>
        <error id="unreadVariable" severity="style" msg="Variable 'i' is assigned a value that is never used." verbose="Variable 'i' is assigned a value that is never used." cwe="563" file0="src/component1.cc">
            <location file="src/component1.cc" line="37" column="11"/>
            <symbol>i</symbol>
        </error>
        <error id="deallocuse" severity="error" msg="Dereferencing 'ip' after it is deallocated / released" verbose="Dereferencing 'ip' after it is deallocated / released" cwe="416" file0="src/component2.cc">
            <location file="src/component2.cc" line="36" column="14"/>
            <symbol>ip</symbol>
        </error>
        <error id="deallocuse" severity="error" msg="Dereferencing 'ip' after it is deallocated / released" verbose="Dereferencing 'ip' after it is deallocated / released" cwe="416" file0="src/component2.cc">
            <location file="src/component2.cc" line="41" column="6"/>
            <symbol>ip</symbol>
        </error>
        <error id="doubleFree" severity="error" msg="Memory pointed to by 'ip' is freed twice." verbose="Memory pointed to by 'ip' is freed twice." cwe="415" file0="src/component2.cc">
            <location file="src/component2.cc" line="46" column="12"/>
            <location file="src/component2.cc" line="45" column="5"/>
            <symbol>ip</symbol>
        </error>
        <error id="mismatchAllocDealloc" severity="error" msg="Mismatching allocation and deallocation: ip" verbose="Mismatching allocation and deallocation: ip" cwe="762" file0="src/component2.cc">
            <location file="src/component2.cc" line="50" column="15"/>
            <location file="src/component2.cc" line="49" column="10"/>
            <symbol>ip</symbol>
        </error>
        <error id="uninitvar" severity="error" msg="Uninitialized variable: a" verbose="Uninitialized variable: a" cwe="457" file0="src/component2.cc">
            <location file="src/component2.cc" line="31" column="8"/>
            <symbol>a</symbol>
        </error>
        <error id="unusedVariable" severity="style" msg="Unused variable: x" verbose="Unused variable: x" cwe="563" file0="src/component2.cc">
            <location file="src/component2.cc" line="16" column="18"/>
            <symbol>x</symbol>
        </error>
        <error id="unreadVariable" severity="style" msg="Variable 'i' is assigned a value that is never used." verbose="Variable 'i' is assigned a value that is never used." cwe="563" file0="src/component2.cc">
            <location file="src/component2.cc" line="36" column="11"/>
            <symbol>i</symbol>
        </error>
        <error id="zerodiv" severity="error" msg="Division by zero." verbose="Division by zero." cwe="369" file0="src/main.cc">
            <location file="src/main.cc" line="9" column="15" info="Division by zero"/>
            <location file="src/main.cc" line="8" column="13" info="Assignment 'x=0', assigned value is 0"/>
        </error>
        <error id="unreadVariable" severity="style" msg="Variable 'y' is assigned a value that is never used." verbose="Variable 'y' is assigned a value that is never used." cwe="563" file0="src/main.cc">
            <location file="src/main.cc" line="9" column="11"/>
            <symbol>y</symbol>
        </error>
    </errors>
</results>
It is true that there are two types of error severities, Error and Style, but that does not seem to correspond to the SonarQube types (Bugs, New Vulnerabilities and New Security Hotspots).
if you use --enable=style you should see other severities also.
Hi again @danielmarjamaki,
Maybe I'm wrong: the generated report is fine, and Sonar is the one that has to classify the errors from the given report.
Yes
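The thread ends on the point that the Cppcheck report only carries a severity (error, warning, style, performance, portability, information) and, for most checks, a CWE number, and that the Bug / Vulnerability / Security Hotspot classification is done by whatever consumes the report. As an added example (not code from the thread, from Cppcheck or from the sonar-cxx plugin), here is a Python script that parses a Cppcheck version-2 XML report and applies a consumer-side classification. SAMPLE_REPORT is a constructed subset of the report posted above with the long verbose texts shortened; CWE_TYPE is an assumed mapping chosen for illustration, not the plugin's rule mapping.

```python
"""Parse a Cppcheck XML (version 2) report and classify findings consumer-side.

Added example; not code from the thread, Cppcheck or the sonar-cxx plugin.
Cppcheck emits a `severity` and, for many checks, a `cwe` attribute; the
Bug / Vulnerability / Code Smell type is assigned by the consumer, so the
CWE_TYPE table below is an assumption used only to illustrate that step.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: a subset of the report posted in the thread.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<results version="2">
    <cppcheck version="2.7"/>
    <errors>
        <error id="deallocuse" severity="error" msg="Dereferencing 'ip' after it is deallocated / released" verbose="..." cwe="416" file0="src/component1.cc">
            <location file="src/component1.cc" line="37" column="14"/>
            <symbol>ip</symbol>
        </error>
        <error id="doubleFree" severity="error" msg="Memory pointed to by 'ip' is freed twice." verbose="..." cwe="415" file0="src/component1.cc">
            <location file="src/component1.cc" line="47" column="12"/>
            <location file="src/component1.cc" line="46" column="5"/>
            <symbol>ip</symbol>
        </error>
        <error id="zerodiv" severity="error" msg="Division by zero." verbose="..." cwe="369" file0="src/main.cc">
            <location file="src/main.cc" line="9" column="15" info="Division by zero"/>
            <location file="src/main.cc" line="8" column="13" info="Assignment 'x=0', assigned value is 0"/>
        </error>
        <error id="unreadVariable" severity="style" msg="Variable 'y' is assigned a value that is never used." verbose="..." cwe="563" file0="src/main.cc">
            <location file="src/main.cc" line="9" column="11"/>
            <symbol>y</symbol>
        </error>
    </errors>
</results>
"""

# Assumed classification table (illustration, not the plugin's rule mapping):
# memory-safety CWEs from the report are treated as Vulnerability.
CWE_TYPE = {
    401: "Vulnerability",  # memory leak
    415: "Vulnerability",  # double free
    416: "Vulnerability",  # use after free
    457: "Vulnerability",  # use of uninitialised variable
    762: "Vulnerability",  # mismatched allocation / deallocation
    369: "Bug",            # division by zero
    398: "Code Smell",     # variableScope
    563: "Code Smell",     # unused / unread variable
}


def parse_report(xml_text):
    """Return one dict per <error>; the first <location> is the reported site."""
    root = ET.fromstring(xml_text)
    if root.tag != "results" or root.get("version") != "2":
        raise ValueError('expected a Cppcheck <results version="2"> document')
    findings = []
    for err in root.iter("error"):
        cwe = err.get("cwe")
        locs = [(loc.get("file"), int(loc.get("line"))) for loc in err.findall("location")]
        findings.append({
            "id": err.get("id"),
            "severity": err.get("severity"),
            "cwe": int(cwe) if cwe else None,
            "msg": err.get("msg"),
            "primary": locs[0] if locs else None,
        })
    return findings


def classify(finding, table=CWE_TYPE):
    """Assumed SonarQube-style type: CWE first, Cppcheck severity as fallback."""
    if finding["cwe"] in table:
        return table[finding["cwe"]]
    # Cppcheck's severity describes the kind of finding (error = defect, style =
    # cleanliness), not whether it is security-relevant, so without a CWE only
    # "error" is promoted to Bug.
    return "Bug" if finding["severity"] == "error" else "Code Smell"


def summarise(xml_text):
    """Counts by Cppcheck severity and by assumed type, to compare the two axes."""
    findings = parse_report(xml_text)
    return (Counter(f["severity"] for f in findings),
            Counter(classify(f) for f in findings))


if __name__ == "__main__":
    by_severity, by_type = summarise(SAMPLE_REPORT)
    print("by Cppcheck severity:", dict(by_severity))
    print("by assumed type:", dict(by_type))
    for f in parse_report(SAMPLE_REPORT):
        path, line = f["primary"]
        print(f"{path}:{line} {f['id']} severity={f['severity']} CWE-{f['cwe']} -> {classify(f)}")
```

The two tallies show the mismatch the thread is about: the report groups these findings as three "error" and one "style", while the assumed table groups the same findings as two Vulnerability, one Bug and one Code Smell. In a SonarQube setup the type shown for each issue comes from the rule definition on the SonarQube side, so if every Cppcheck finding shows up as a Bug the place to look is the importing plugin's rule metadata, not the Cppcheck report.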