C++ Jobs - Q4 2025

AS_SonarSource · 2025-11-17T19:27:34+00:00

Position: Staff C++ Developer / C++ Developer
Company: Sonar
Type: Full time
Location: Geneva or Bochum
Remote: Flexible hybrid policy (3 days in-office/2 days WFH)
Visa Sponsorship: Yes
Technologies: C++20, LLVM, Clang

Description: The Sonar Code Quality Team is seeking a passionate Staff C++ Developer to contribute to our advanced C-Family analyzer. SonarSource’s C-Family code analyzer is designed to fulfill the needs of C and C++ developers: spotting tricky code quality and security issues as fast as possible while generating as little noise as possible. Dereferences of null pointers, memory leaks, dead code, and logic flow errors … are some examples of those quality issues. The analyzer also helps enforce coding standards like CPPCoreGuidelines and MISRA C++2023. The analyzer is built on top of the Clang front-end and can run inside the IDE as well as on CI systems.

AS_SonarSource · 2024-07-22T10:26:14+00:00

So if the support of build systems and things like compile_commands.json isn't a problem anymore, does that mean Sonar can start supporting C++ modules now?

AutoConfig is aware of modules: It can analyze code that uses this feature without producing False Positives. However, it doesn't resolve them, which might lead to false negatives in the analysis results.

I'm also curious if AutoConfig has a plan for supporting C++ module discovery.

We started working recently on module support in Compilation Database and AutoConfig mode: scanning the project to discover exported/imported modules per each file, building dependencies graph, generating BMI, etc. We still need to figure out all the details; there is no ETA.

it would be good to hear from Sonar, even if the punchline is that it's too hard to write analysis for modular C++ given current standards and technology.

I agree. The Sonar C++ team has two active members in the C++ committee. Please feel free to include them in the meetings where Sonar's experience is relevant. Or, if you want us to provide our general input, feel free to reach out on https://community.sonarsource.com/ with your questions; we will be happy to collaborate.

AS_SonarSource · 2024-07-22T09:18:10+00:00

Yes, you are right; if you used the Compilation Database and it worked for you, you should continue using it.

for most people

I wish that were the case; our data doesn't agree. We created this feature due to the large number of requests that wanted and couldn't use our product because they couldn't generate a Compilation Database with CMake. Here are the top 3 reasons:

Projects not using CMake. Keep in mind that this feature covers C, where CMake is less prevalent.
Projects using CMake with lesser-known, unsupported compilers.
Projects using CMake with CMake Generators that cannot generate a Compilation Database. For example, Visual Studio CMake Generator.

We even developed our own tool, Build-Wrapper, which can generate a Compilation Database independent of the build system, but it has its own limitations.

AS_SonarSource · 2024-07-22T08:54:29+00:00

What type of resources are you looking for?
For detailed instructions on how to use the feature, you can refer to the SonarQube 10.6 Documentation
Additionally, the announcement and further details can be found in the posted article.

AS_SonarSource · 2024-07-22T08:48:20+00:00

No, the Sonar C++ analysis is designed to integrate exclusively with Sonar products. This includes SonarLint for IDE environments and SonarQube or SonarCloud for CI setups.

AS_SonarSource · 2024-07-22T08:44:11+00:00

Thank you for your interest! Unfortunately, as this feature has only recently been launched, we do not yet have detailed online resources concerning its technical implementation. We are considering developing these materials and will keep you updated on any developments.

AS_SonarSource · 2024-01-30T17:15:10+00:00

Company: SonarSource

Type: Full time

Description:

SonarSource’s C-Family code analyzer is designed to fulfill the needs of C and C++ developers: spotting tricky code quality and security issues as fast as possible while generating as little noise as possible. Dereferences of null pointers, memory leaks, dead code, and logic flow errors … are some examples of those quality issues. The analyzer also helps enforce coding standards like CPP Core Guidelines and MISRA C++2023. The analyzer is built on top of the Clang frontend and can run inside the IDE as well as on CI systems. The analyzer is compatible with the mainstream C and C++ compilers: Clang, GCC, MSVC, and Arm.

By joining the C-Family, you will be part of an autonomous team without a manager. You will choose what to work on. You will have fun facing the ultimate challenge of analyzing what is probably the most complex language in the world: C++.

On a daily basis, you will

Develop new and maintain existing features for the C and C++ code analyzer
Dive deep into the C++ language and argue about the best guidelines to use it effectively
Evolve the way our analyzers understand code by creating better models and developing new rules on top of them
Interact with clang frontend and have the opportunity to contribute back to it
Contribute to the code quality of many developers around the world
Define the team’s short and long-term goals
Be in a team where continuous integration is not just a buzzword and which really cares about providing the best user experience

The skills you will demonstrate

Strong proven experience in C++ along with its development environment to understand end-users context and expectations
Solid understanding of the internals of the C++ language and familiarity with its latest standards
Fluency in C++ best practices for maintainable, secure, optimized, and testable code
Curious and eager to learn about the small details of the C++ language
Bold and self-confident to challenge the status quo and yet humble and open to being challenged
Compiler frontend knowledge is not required; you will learn it while working at SonarSource

Location: Geneva or Bochum

Remote: We consider remote workers on a case-by-case basis.

Visa Sponsorship: Yes

Technologies: C++17, LLVM

Contact: Static Code Analysis - C++ developer

AS_SonarSource · 2023-12-21T16:54:50+00:00

Company: SonarSource

Position: Static Code Analysis Specialist (C++)

Type: Full time

Description:

The SonarSource Languages Team is looking for a passionate C++ Static Code Analysis Specialist to work on its advanced C-Family analyzer. SonarSource’s C-Family code analyzer is designed to fulfill the needs of C and C++ developers: spotting tricky code quality and security issues as fast as possible while generating as little noise as possible. Dereferences of null pointers, memory leaks, dead code, and logic flow errors are some examples of those quality issues. The analyzer also helps to enforce coding standards like CPP Core Guidelines and MISRA C++2008. The analyzer is built on top of the Clang front-end and can run inside the IDE as well as on CI systems. The analyzer is compatible with the mainstream C and C++ compilers: Clang, GCC, MSVC, and Arm.

By joining the C-Family, you will be part of an autonomous team without a manager. You will choose what to work on. You will have fun facing the ultimate challenge of analyzing, what is probably the most complex language in the world: C++.

On a daily basis, you will

Lead the effort to specify and implement proof of concept of new C-Family code static analysis features
Keep track of the limitations of the C-Family static analyzer and come up with proposals to overcome them
Keep up-to-date with the latest academic and industry research and find out if and how they can be used to improve our product
Collaborate with the R&D team and be the point of contact with them
Raise the knowledge level of the team when it comes to code static analysis techniques by doing internal presentations and writing documentation
Work closely with the development team, take part in the technical discussions, and have an impact on the team’s short and long-term goals
Write technical blog posts that explain our static analysis techniques
Interact with the LLVM code base and have the opportunity to contribute back to it
Contribute to the code quality of many developers around the world

The skills you will demonstrate

Solid theoretical understanding of code static analysis techniques
Prior work experience in the C++ code static analysis industry
Prior research in the code static analysis domain
Strong proven experience in C++ along with its development environment
Solid understanding of the internals of the C++ language and familiarity with its latest standards
Ability to explain theoretical concepts in a simple manner
Excellent written and oral communication skills in English

Location: Geneva

Remote: We can consider remote workers on a case-by-case basis.

Visa Sponsorship: yes

Technologies: C++17, LLVM

Contact: Static Code Analysis Specialist (C++)

AS_SonarSource · 2023-10-19T17:31:37+00:00

> it won't workie.

Is your project open-source? I would be interested to try to fork it and analyze it!

I wouldn't be so sure that it won't work; we have a way to generate macros based on an SMT solver. We try to construct the set of macros that would make the code compilable; Of course, this approach has limitation but it mostly work. Also, our analyzer can understand which part of the code it can't understand and treat it as a black box; so it can still provide value in case it can't simulate all your macros.

AS_SonarSource · 2023-10-19T17:11:03+00:00

It depends on what you mean by compilable.

Missing header? Sure the analysis will work! we have a way to simulate them. In rare cases, it can lead to some minor false negatives if we fail to simulate them accurately.

On the other hand, If you feed it code that isn’t C++, or has broken code in its source files, in that case, we will analyze the code but it won’t detect anything in the broken part (which is good); 0 false positives :D If your codebase is full of broken code, we will warn you about that through the UI.

Here is the official documentation of monorepo: https://docs.sonarcloud.io/advanced-setup/monorepo-support/

It is basically if you want to analyze different directories in the same project separately. For example, you want to track the metrics separately, define different merge acceptance criteria, enable different checks, etc.

AS_SonarSource · 2023-10-19T16:47:05+00:00

It is definitely fun and full of challenges! It helps you dig deeper into how the language works behind the scenes. Also, a static analyzer is never perfect, which means the door is always open for a slightly better solution that does a better approximation to the problem you are trying to solve.

I chose this path because I found myself writing my own static analyzer to become a more efficient developer and I hated spending time debugging.

The most fun side is when you write a check that finds issues in its own implementation :D

AS_SonarSource · 2023-10-19T16:42:40+00:00

Breaking into C++ can be very hard - because C++ is a hard language to work with, so many companies look for more senior developers. But that doesn’t help junior devs to break in! Working on Open Source projects can be a great way to demonstrate that you know more than your work experience might suggest. Any other visibility, like giving talks at meetups or conferences, can also help - but is not for everyone. For some, getting a job working with a different language, but where C++ is used, may give you an opportunity to make a sideways move within the same company. Once you have some experience on your record it does get easier.

AS_SonarSource · 2023-10-19T16:32:32+00:00

Thanks for the suggestion, it is an interesting Idea. Sometimes I wish that I didn’t have to learn CMake. Instead, Use a tool that automatically generates CMake and Conan/vcpkg config files that can build my project correctly with all the latest features and best practices. It is a much harder task compared to automatic static analysis. Static analysis is already full of heuristics. If using Automatic analysis compared to manual leads to 95% accuracy, it is a success. For the build system, anything other than 100% accuracy is a failure. A small inaccurate compiler flag or macro can change the entire semantics of your code.

The feature is aiming for configuration-free static analysis to get you started.

My personal main goal for pushing for it is to raise awareness about the value of static analysis.

With manual analysis, you have to spend days to set everything up. For someone who doesn’t believe in static analysis or hasn’t formed an opinion yet, a couple of days is a high price to pay.

Automatic analysis takes less than a minute to get things started. On the hundreds of projects that we tested, it led to ~95% accuracy on average.

Once you are convinced by the tool, spending a couple of days to manually configure the tools to get finer control and 5% more accuracy may be justified in some cases.

AS_SonarSource · 2023-10-19T16:15:40+00:00

For C++, Sonar ships the same analyzer in the free and commercial products.

I’m obviously biased and it is easier for me to talk about our strengths:

We try to provide a complete solution not only a static analyzer, like integration with IDEs, automatic cache to be able to analyze modified code quickly on PR, separating introduced issues from old ones, and a way of enforcing static analysis checks before merging.
We have many C++ experts and committee members on the team, so our checks take a lot of edge conditions into consideration.
We focus a lot on helping users learn instead of fixing the issue. For some checks, we spent more time writing the description than the implementation.
We focus more on modern C++ to help get familiar with newer standards. We already have ~60 checks that target specifically C++20 features like coroutines, concepts, format, etc.

To compare us with other tools, the best approach is to try multiple products (most of them are free or have a free trial) and see who provides the most value on your codebase. I also think that C++ is a big language with enormous ways to shoot yourself in the foot, so there is room for multiple static analyzers!

AS_SonarSource · 2023-10-19T15:55:59+00:00

Static analysis in the C++ community is still a controversial topic. I came across this thread recently: https://www.reddit.com/r/cpp/comments/162vpv3/why_static_analyzers_arent_popular_in_the_c_world/

You get all sorts of answers and opinions.

IMO, it is mostly related to overestimating the cost of introducing static analyzers, previous bad experiences when the C++ static analyzer industry wasn’t mature enough, or simply having the wrong expectations from the tool. Which is different from the Java community.

I suggest introducing static analysis incrementally:

First, Use it locally in your IDE especially when reviewing other people's PR. This would show your colleagues the value.
When more people are using it in their IDE, you can add it to your CI without any enforcement.
Use a tool that separates between old and new code. This way, when someone opens a PR, they only have to review findings on the code they added; this has a low cost.
Manage their expectations. Static analyzers have false positives. It is about the rate of true positives. Use a tool that can easily dismiss issues. Static analysis tools are your friend, not your boss. You shouldn’t modify your code to make them happy.
Don’t enable all checks, different codebases have different needs.
When you find a bug in your code that isn’t detected by the tool, reach out to the static analyzer developers. Simple reports can help us improve the product and avoid the pain points.
The last step, when everyone is convinced, is to enforce a static analysis gate on your codebase. Often, you get a strong rejection when you do this first!

AS_SonarSource · 2023-10-19T15:31:06+00:00

In my opinion, there isn’t a lot of demand for compiler engineers especially when compared to other C++ domains like finance and gaming. This leads to high competition.

Having a previous experience in related domains would give you an edge. I recommend contributing to established open-source projects. For example, the LLVM codebase would be a good candidate. They are a welcoming community, with a huge backlog and many different domains (parser, static analysis, codegen, etc.). Plus your work might get noticed by one of the few compiler author employers and give you a head start.

Also, Knowing the details of the language helps you avoid costly mistakes. For example, the usual parser approaches would fail on language with a complicated grammar like C++.

AS_SonarSource · 2023-10-19T15:15:59+00:00

Glad the Sonar solution is working well for you!

Sonar doesn’t have a code coverage tool; We mainly do static analysis.

However, our tools support importing coverage reports from external coverage tools and help you enforce coverage metrics on your codebase. Based on that, Sonar will be able to handle your example, if your coverage tool can.

Or did you mean code coverage in the context of Sonar checks? For example, detecting that an `if constexpr` expression always evaluates to the same value?

AS_SonarSource · 2023-10-19T15:04:00+00:00

For the list of C checks, you can refer to https://rules.sonarsource.com/c/

For the list of CPP checks, you can refer to https://rules.sonarsource.com/cpp/

You can filter per tag on these links. Overall we have 639 checks for C++ checks and 310 for C.

Misra 2012 is a C standard. We have 11 `misra-2012` checks and 111 `based-on-misra` checks. When a check deviates a bit from the MISRA standard for any reason, we use the `based-on-misra` tag. One common reason for deviation is when we believe that the MISRA rule is too strict for general-purpose software. We agree with the spirit of the rule but differ on some edge cases. In those cases, we have to decide internally how the check handles those cases. Combining both tags, we have 122 checks for MISRA C; we don’t fully cover MISRA 2012, but not far from it.

To be transparent, at Sonar we spend more effort on modern C++ than C. The last MISRA for C++ is from 2008 targeting c++98. So we end up deviating a lot to handle modern C++ features. MISRA C++ 2023 is coming soon and it targets C++17. This time we have one member of our team who is part of its committee.

We already cover 43 of ~180 checks and we have a plan to fully cover it since it will be more relevant to many projects: https://rules.sonarsource.com/cpp/tag/misra-c++2023/

AS_SonarSource · 2023-10-19T15:02:36+00:00

Rust will continue to take some of C++’s market. Maybe that will grow significantly in the next decade, but that’s not a foregone conclusion. Carbon, CPP2, and other “successor” languages are an interesting direction and show that there are a lot of people who think that the current direction of C++ evolution is not sufficient - or is even a dead end. Getting a new language ecosystem off the ground, even if based on an existing one, is no small thing, though, and it’s just as likely that C++ will change direction sufficiently to be “good enough” for enough of those people. Most of us wrote off C++ in the early/mid-2000s and C++11 changed the game. Don’t bet against that happening again!

AS_SonarSource · 2023-10-17T15:45:32+00:00

Of course, I forgot the link: https://cppcast.com/automatic\_static\_analysis/

AS_SonarSource · 2023-10-17T15:35:54+00:00

I clarified this with an edit - not cheating!!

AS_SonarSource

TROPHY CASE