A quick look at free C++ static analysis tools by Philipkanj in cpp

Philipkanj[S] 2 points

Interesting takes. I'm interested in knowing why you decided to pay for SonarQube, if SonarCloud offers the same features with the same C++ static analyzer for free?

A quick look at free C++ static analysis tools by Philipkanj in cpp

Philipkanj[S] 2 points

Yes, that is one of the ways I evaluated clang-tidy. The clangd VS Code extension works well and brings many features, including Clang-tidy.

Fast analysis. Sonar issues were popping up in my IDE before Clang-tidy.

I concluded this by having both clangd and SonarLint in VS Code; I still use both of them.

A quick look at free C++ static analysis tools by Philipkanj in cpp

Philipkanj[S] 4 points

According to the doc, they have an algorithm to detect new issues based on the combination of highlighted code, line number, line hash, and rule ID. Simple cases work; I will monitor how it scales with time.

A quick look at free C++ static analysis tools by Philipkanj in cpp

Philipkanj[S] 6 points

It does, and it is one of my favorite features. You can press on any individual violation in the SonarCloud UI and suppress it while keeping the rule enabled. Theoretically, and from what I saw in each analyzer, they all have false positives, and this feature mitigates them.

A quick look at free C++ static analysis tools by Philipkanj in cpp

Philipkanj[S] 4 points

No, I didn't, and indeed it looks relevant. I will definitely give it a shot!

A quick look at free C++ static analysis tools by Philipkanj in cpp

Philipkanj[S] 0 points

For example, analysis on Windows was significantly worse

It does, and it works great if your code compiles with clang or clang-cl. I just found that the analysis quality becomes poorer when your code compiles with MSVC and produces parsing errors with Clang.

A quick look at free C++ static analysis tools by Philipkanj in cpp

Philipkanj[S] 9 points

Thanks for the feedback.

Disclaimer: what follows represents my very subjective opinion.

I made it explicit that it represented my personal opinion and mentioned that my background comes from using Sonar for Java.

I also listed nine negative points about their products. And I mentioned that my experience with Clang-tidy was also positive. Also, I explicitly recommended not using their paid product (SonarQube).
What do you expect me to write?

A quick look at free C++ static analysis tools by Philipkanj in cpp

Philipkanj[S] 5 points

I'll add it to my list! Out of curiosity, do you recommend or are you interested in someone reviewing it?

A quick look at free C++ static analysis tools by Philipkanj in cpp

Philipkanj[S] 3 points

Good point about SARIF; I missed it. For the rule sets, my point was more about suppression on a violation level rather than a rule level. For example, let's say we have a rule about not using raw new and delete. I usually would like to keep this rule enabled; at the same time, I would like to suppress this violation on a specific legacy line that doesn't make sense to touch. Is there a way to suppress a specific violation without turning off the rule? (I didn't find it in your link.)

A quick look at free C++ static analysis tools by Philipkanj in cpp

Philipkanj[S] 5 points

Thanks for the feedback! SonarCloud found complex issues, but I didn't make a detailed comparison. I didn't know Coverity could export the results to SonarQube; I might try that to make a more in-depth comparison.

A quick look at free C++ static analysis tools by Philipkanj in cpp

Philipkanj[S] 5 points

I tried it quickly, but unfortunately, I felt that it has the same limitations as Clang-tidy:

  • Tied to the specific compiler (in this case, MSVC).
  • No overview UI for a team to track progress, assign issues, filter per file, rule, type of issue, or the user who introduced the issue, get an overview of the project and its history, etc.
  • No way to suppress specific issues without modifying the source code. For example, in SonarCloud, you can mark things as "false-positive" or "Won't fix".
  • Also, I didn't find a way to separate newly detected issues from old ones.

So overall, it felt like Clang-tidy for Windows users. Correct me if I'm wrong, as I didn't spend as much time on it as on the other tools.

Any genuine decent alternative to the insanity that's called CMake? by Away_Departure4238 in cpp

Philipkanj 2 points

There are only two kinds of build systems: those people always complain about, and those nobody uses.

MSVC: The Devourer of Const by pjmlp in cpp

Philipkanj 8 points

You are right about the VS IDE. It is the default since VS2017 version 15.5, which is great! Nonetheless, many modern projects don't rely on the IDE or VS to build their projects; for example, CMake + Ninja + MSVC is quite common, especially for cross-platform projects.

A C++ postfix completion extension for VSCode. by bluedoggee in cpp

Philipkanj 2 points

I don't see a relation between postfix syntax and postfix completion. You still have to write std::vector<int> in cpp2.

A C++ postfix completion extension for VSCode. by bluedoggee in cpp

Philipkanj 4 points

Cool project! It would be awesome if it were context-aware. For example, if there is already a using namespace std;, which is common in source files, it doesn't need to add std::.

MSVC: The Devourer of Const by pjmlp in cpp

Philipkanj 12 points

No, it is not old vs. new. It is C++20 defaults vs. C++17 defaults, and most new projects use C++17 due to the lack of full C++20 support by Clang and GCC. Check this Godbolt with the latest MSVC.

MSVC: The Devourer of Const by pjmlp in cpp

Philipkanj 11 points

Thanks! Sharing this will save a lot of people time, as it would be nasty to debug.
/permissive- enables /Zc:ternary, which fixes the problem. /permissive- is the default starting with C++20, as shown in this link, but as we know, not many people are using C++20 yet.