MISRA C++ 2008 support is on its way

by alexandre gigleux|

Hello C++ Developers,

We’re making some changes to how SonarQube implements and supports MISRA standards in our C++ language analyzer. In the blog post, we’ll give you an update on our plans.

At the end of 2018, the refactoring of our C++ analyzer (based on CLANG) was completed and the associated 377 rules were rewritten in C++.

On this solid foundation, we asked ourselves what could be the next step to enhance our C++ analyzer. We looked at what our community was requesting and supporting MISRA standards seemed a natural fit.

MISRA stands for “Motor Industry Software Reliability Association”. This collaborative group of professionals produce multiple C and C++ safety standards for embedded systems. They are ubiquitous in the automotive industry and widely considered the de facto standard for embedded C programming in the majority of safety-related industries.

If you have followed us for years, you may ask: “Wait, don’t you already have MISRA support?”. The answer is “not really”. While it’s true we added a ‘misra’ tag to some of our rules, we weren’t strictly adhering to the standard. In reality, it’s more accurate to say that these rules were based on MISRA standards.

We want you to know that we’re changing all that. From now on, a given rule will be:

  • either fully following one or several of the MISRA standards
  • or based on a MISRA rule, but implemented with significant differences, to better target generic programs (MISRA can be quite demanding on the way to write code)
  • or not related to MISRA at all.

SonarQube changes to guide you on the MISRA specifics?

When a rule is fully compliant with a MISRA standard, it will have one of these tags:

  • “misra-c++2008”
  • “misra-c2004”
  • “misra-c2012”

When a rule is inspired by MISRA, it will have the tag “based-on-misra”. The sloppy “misra” tag will then disappear.

How can the  MISRA standards improve my projects?

MISRA rules are not the best fit for every project. If you are not working on safety-critical systems, full compliance with MISRA standards is likely overkill. For this reason, many rules tagged with one MISRA standard will be disabled by default.

On the other hand, if your project demands MISRA-level compliance, then scanning your projects with the appropriate quality profile can help ensure you meet the necessary safety standards.

We will provide 3 quality profiles to help you:

  • “Sonar way”: as of today, it represents a set of rules we recommend at SonarSource for general-purpose projects
  • “MISRA C++ 2008”: only contains rules fully compliant with MISRA
  • “MISRA C++ 2008 recommended”: same as “MISRA C++ 2008” plus “Sonar way” rules. While MISRA focuses only on safety, “Sonar way” also covers other aspects of code quality (readability, maintainability…), and the two complement each other nicely to provide a good starting profile for safety-critical projects.

When Can I Expect This Functionality?

We have already started the effort to support MISRA C++ 2008 standard! In the coming months, we will incrementally deliver rules fully compliant with this standard with the goal to fully cover rules that can be automated.

You can expect a version of the C++ analyzer bringing a first set of 30+ rules compliant with MISRA C++ 2008 standard in June 2019.

We trust that you’ll find these product evolutions useful and that they’ll make it easier for you to check if your code is compliant with MISRA C++ 2008.

As always, our goal at SonarSource is providing products that help you write consistently better code. Please give us your feedback and share your thoughts on our Community Forum. Thanks for reading!