SonarQube sonar-cxx doesn't find bugs and other issues


Because I want to use Sonar to check my C/C++ projects for bugs, vulnerabilities and other issues, I installed Sonar v5.6.3 and sonar-cxx v0.9.6. To evaluate Sonar I used the C example from the sonar examples and extended the main.c file:

#include <stdio.h> /* NOK, according to the MISRA C 2004 20.9 rule, stdio.h must not be used in embedded system's production code */
#include <mylib.h>

int main(void) {
  int   a;
  char  buffer[10];
  char  index           = 1;
  int   x               = ADD(40, 2);
  int   y               = fun(40, 2);

  buffer[10]    = 1;    /* Vulnerability:   Array index out of bounds                   */
  buffer[a]     = 'a';  /* Vulnerability:   Array index is used before limits check     */
  buffer[index] = '1';  /* Code smell:      'char' type used as array index             */
  if (1 == a)           /* Bug:             Access to an uninitialized value            */
  {
      printf("a = 1");
  }

  a = 0;
  if (x != 42)
  { /* NOK, empty code blocks generate violations */
  }

  x /= a;           /* Bug:             Division by zero */

  printf("40 + 2 = %d\n", x);
  printf("fun = %d\n", y);
}

int fun(int a, int b) {
  return a * b;
}

After looking up the results in my browser I see:

  • Bugs: 0

  • Vulnerabilities: 0

  • Code smells: 0

  • Debt: 0

  • Duplications: 0%

  • Duplicated blocks: 0

  • Lines of code: 24

This was unexpected. To check my installation I did a similar test with the Java example, and for that project I do see bugs and vulnerabilities.

Is sonar-cxx a special case? Do I have to start the checks manually? Can anyone help me solve the problem?

Thanks for your advice, Ralf Ebert

From the sonar-cxx wiki page on GitHub:

The C++ Community plugin neither runs a test runner, nor a coverage tracer, nor a static checker itself. All of this data has to be provided in the form of reports.

That page also links to several other pages that explain how to generate the reports sonar-cxx uses. For example, you can use cppcheck to run a static analysis of your code. Save its output to a directory in your project and set the sonar.cxx.cppcheck.reportPath property to point to that directory.
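Because sonar-cxx only imports what a report contains, a missing report yields the clean-looking "Bugs: 0" dashboard from the question (the scanner log's "Scanner found '0' report files" line is the only hint). As an added example, not code from the answer or from the sonar-cxx project, here is a small Python gate that parses cppcheck's XML v2 output from the directory that sonar.cxx.cppcheck.reportPath points at and fails before sonar-scanner runs when nothing was analysed; the sample report is constructed, and the function names and the `*.xml` naming are assumptions.

```python
import glob
import os
import xml.etree.ElementTree as ET

# Constructed sample of cppcheck XML v2 output (cppcheck --xml --xml-version=2 writes it to stderr), as it could look for the main.c in the question.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<results version="2">
  <cppcheck version="x.y"/>
  <errors>
    <error id="arrayIndexOutOfBounds" severity="error" msg="Array 'buffer[10]' accessed at index 10, which is out of bounds.">
      <location file="src/main.c" line="17"/>
    </error>
    <error id="uninitvar" severity="error" msg="Uninitialized variable: a">
      <location file="src/main.c" line="18"/>
    </error>
    <error id="zerodiv" severity="error" msg="Division by zero.">
      <location file="src/main.c" line="30"/>
    </error>
  </errors>
</results>
"""

def parse_report(xml_text):
    """Return (id, severity, file, line) for each <error> in one cppcheck XML v2 report."""
    findings = []
    for err in ET.fromstring(xml_text).iter("error"):
        loc = err.find("location")  # absent for a few global messages
        findings.append((err.get("id"), err.get("severity"),
                         None if loc is None else loc.get("file"),
                         None if loc is None else int(loc.get("line"))))
    return findings

def check_report_dir(report_dir):
    """Merge all *.xml reports in report_dir; fail loudly if there are none."""
    paths = sorted(glob.glob(os.path.join(report_dir, "*.xml")))
    if not paths:
        raise FileNotFoundError(f"no cppcheck report in {report_dir}; sonar-cxx would import 0 issues")
    findings = []
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            findings.extend(parse_report(fh.read()))
    return findings

def count_by_severity(findings):
    """e.g. {'error': 3}; zero 'error' entries on known-bad code means the scan is broken."""
    counts = {}
    for _id, severity, _file, _line in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts
```

Run it in the pipeline between the cppcheck step and sonar-scanner so an empty report directory fails the build instead of publishing a green dashboard.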

See the important note about the sonar-cxx plugin:

I am using the build-wrapper configuration for the C-family Sonar plugin on Sonarcloud.io.

Then you need to run the wrapper before sonar-scanner, to build your source code and get some meaningful results from the compiler output (you can also use cppcheck as described above).

The scanner will use that output once sonar.cfamily.build-wrapper-output is set:

sonar-scanner \
  -Dsonar.cfamily.build-wrapper-output=bw-output \
  ... your other options

See the documentation for details.

Is the code above C or C++? They are different languages. And `char` as an array index is fine, it is an integer type. Different languages have different semantics; you can't infer from Java or C++ whether something is wrong or right.

The code is C, but it should be parsed with the C++ parser. Before I started the evaluation I looked at the sonar-cxx rules and found the rule "'char' type used as array index". To be clear: the division by zero in x /= a; is a bug, and I would expect the parser to find it ...

That is a really bad approach! As I mentioned, they are different languages. The same syntax can have different semantics (e.g. the `const` qualifier, `auto`, ...). Never treat C code as C++! (I did not say there are no bugs in the code, but indexing with a `char` is no worse than indexing with any other integer. Actually it is converted to `int` before use, and a signed index is a "smell".) By the way, modern compilers like gcc find most of these bugs. The division by zero might be a problem, though.

Well, you are right - the approach is not good. Meanwhile I tested with the C++ example, but the result is the same - I see the number of lines, but all other values are zero:

Do you have any documentation explaining how to use this? Actually, the code in the question does not show any testability at all. Where are tests, coverage and result analysis tied to specific lines of code? (e.g. using LCOV or any other coverage format)
INFO: Scanner configuration file: D:\RnD_Tools\sonar-scanner-2.5\bin\..\conf\sonar-runner.properties
INFO: Project configuration file: C:\Users\ralfebert\Downloads\sonar-examples-master\projects\languages\c\c-sonar-runner\sonar-project.properties
INFO: SonarQube Scanner 2.5
INFO: Java 1.8.0_73 Oracle Corporation (64-bit)
INFO: Windows 7 6.1 amd64
INFO: User cache: C:\Users\ralfebert\.sonar\cache
INFO: Load global repositories
INFO: Load global repositories (done) | time=129ms
INFO: User cache: C:\Users\ralfebert\.sonar\cache
INFO: Load plugins index
INFO: Load plugins index (done) | time=5ms
INFO: Default locale: "de_DE", source code encoding: "UTF-8"
INFO: Process project properties
INFO: Load project repositories
INFO: Load project repositories (done) | time=193ms
INFO: Execute project builders
INFO: Execute project builders (done) | time=1ms
INFO: Load quality profiles
INFO: Load quality profiles (done) | time=118ms
INFO: Load active rules
INFO: Load active rules (done) | time=1528ms
INFO: SCM provider autodetection failed. No SCM provider claims to support this project. Please use sonar.scm.provider to define SCM of your project.
INFO: Publish mode
INFO: -------------  Scan C :: Simple Project :: SonarQube Scanner
INFO: Language is forced to c++
INFO: Load server rules
INFO: Load server rules (done) | time=250ms
INFO: Base dir: C:\Users\ralfebert\Downloads\sonar-examples-master\projects\languages\c\c-sonar-runner
INFO: Working dir: C:\Users\ralfebert\Downloads\sonar-examples-master\projects\languages\c\c-sonar-runner\.sonar
INFO: Source paths: src
INFO: Source encoding: UTF-8, default locale: de_DE
INFO: Index files
INFO: 1 files indexed
INFO: Quality profile for c++: Sonar way
INFO: JaCoCoSensor: JaCoCo report not found : C:\Users\ralfebert\Downloads\sonar-examples-master\projects\languages\c\c-sonar-runner\target\jacoco.exec
INFO: JaCoCoItSensor: JaCoCo IT report not found: C:\Users\ralfebert\Downloads\sonar-examples-master\projects\languages\c\c-sonar-runner\target\jacoco-it.exec
INFO: Sensor Lines Sensor
INFO: Sensor Lines Sensor (done) | time=10ms
INFO: Sensor CxxSquidSensor
INFO: Scanner found '0' report files
INFO: Cannot find a report for 'sonar.cxx.compiler.reportPath'
INFO: Project 'org.sonarqube:c-simple-sq-scanner' Cycles:0 Feedback cycles:0 Tangles:0 Weight:0.0
INFO: Sensor CxxSquidSensor (done) | time=178ms
INFO: Sensor CxxCoverageSensor
INFO: Sensor CxxCoverageSensor (done) | time=0ms
INFO: Sensor SCM Sensor
INFO: No SCM system was detected. You can use the 'sonar.scm.provider' property to explicitly specify it.
INFO: Sensor SCM Sensor (done) | time=0ms
INFO: Sensor Zero Coverage Sensor
INFO: Sensor Zero Coverage Sensor (done) | time=6ms
INFO: Sensor Code Colorizer Sensor
INFO: Sensor Code Colorizer Sensor (done) | time=22ms
INFO: Sensor CPD Block Indexer
INFO: DefaultCpdBlockIndexer is used for c++
INFO: Sensor CPD Block Indexer (done) | time=9ms
INFO: Calculating CPD for 1 files
INFO: CPD calculation finished
INFO: Analysis report generated in 50ms, dir size=31 KB
INFO: Analysis reports compressed in 7ms, zip size=11 KB
INFO: Analysis report uploaded in 141ms
INFO: ANALYSIS SUCCESSFUL, you can browse http://localhost:9000/dashboard/index/org.sonarqube:c-simple-sq-scanner
INFO: Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
INFO: More about the report processing at http://localhost:9000/api/ce/task?id=AVgF6GhDsPC8lDzvfGdL
INFO: ------------------------------------------------------------------------
INFO: EXECUTION SUCCESS
INFO: ------------------------------------------------------------------------
INFO: Total time: 7.584s
INFO: Final Memory: 49M/250M
INFO:  ------------------------------------------------------------------------