Articles about C++

Compilation database: An alternative way to configure your C or C++ analysis

Analyzing your C or C++ code requires, in addition to the source code, the configuration that is used to build the code. Historically we have provided a tool to automate the extraction of this information, called the build wrapper. Recently we introduced another way to configure your analysis, the compilation database. Learn more about the pros and cons of each option.
By loic joly | August 24, 2021
Supercharge your C++ analysis with SonarLint for CLion

This article talks about the powerful capabilities of the C++ analyzer with SonarLint and highlights some unique and interesting quality and security rules you might find useful. Through that lens, we demonstrate how you can leverage these rules to elevate your CLion built-in static analysis capabilities for your C++ projects.
By phil nash-and-geoffray-adde | September 28, 2021
Getting timely, accurate feedback on your C++ from the SonarQube ecosystem

Late feedback is a pain in the butt. Regardless of how it comes, hearing "that thing you did two weeks ago was wrong" is unwelcome at best. Good feedback is immediate, actionable and at least dispassionate, if not compassionate. That's why we help you integrate C++ static analysis throughout your workflow, so you and your team get the feedback you need when and where it's most useful.
By g. ann-campbell | September 08, 2020
False positives are our enemies, but may still be your friends

When writing a rule for static analysis, it’s possible that in some cases, the rule does not give the results that were expected. Unfortunately, naming a false positive is often far easier than fixing it. In this post, I’ll discuss how the different types of rules give rise to different types of false positives, which ones are easier to fix than others, and how you can help. I’ll end with insight into how issues that are false positives can still be true indicators that the code needs to change.
By loic joly | September 15, 2020
Lay a strong foundation by writing secure C and C++ utilities

By g. ann-campbell | October 14, 2020
Winning the race against TOCTOU vulnerabilities in C & C++

Security is an eternal race between the techniques and technologies of attackers and those of the defenders. Today, I'm proud to announce a step forward for defenders with a new rule to detect a literal race condition: TOCTOU (or TOCTTOU) vulnerabilities, known in long-form as Time Of Check (to) Time Of Use.
By g. ann-campbell | October 07, 2020
MISRA C++ 2008 support is on its way

By alexandre gigleux | May 27, 2019
Detect C++ buffer overflows in POSIX functions

By g. ann-campbell | May 20, 2020
Security Hotspots bring a new approach to C++ SAST

A lot of people associate Static Application Security Testing (SAST) with false positives, but it doesn't have to be that way. The fact is that there are really three classes of SAST issues: true positives, false positives, and what we call Security Hotspots - security-sensitive pieces of code that need human review. We feel that introducing the distinction between Vulnerabilities and Security Hotspots is the SAST innovation developers have sorely needed to face analysis results with clear expectations about what they'll get and how to deal with it.
By g. ann-campbell | July 30, 2020
The NeverEnding Story of writing a rule for argument passing in C++

Here is a story of a rule, from concept to production. While the selected rule is for C++, this story contains interesting insight on the craft of rule development, no matter the target language.
By loic joly | May 15, 2019
Continuously Improving Analysis of C/C++/Objective-C Code

Today we have improved the functionality of SonarCloud centered around the analysis of C/C++/Objective-C code. It’s an important change and we’d like to take a moment to provide you with the reason behind our decision.
By nicolas bontoux | November 12, 2018

Sign up today & never miss an update from SonarSource

We have received your subscription request. Please click on the confirmation link that was sent to your email. If you don’t see an email, check your spam/junk folder. Thank you!

We respect your privacy.

In-IDE

IDE extension that lets you fix coding issues before they exist!

Discover SonarLint

In-Cloud

Setup is effortless and analysis is automatic for most languages

Discover SonarCloud

On-premise

Fast, accurate Code Quality and Code Security analysis for most languages

Discover SonarQube

SonarSource blog delivered directly to your inbox!

We respect your privacy.

We have received your subscription request. Please click on the confirmation link that was sent to your email. If you don’t see an email, check your spam/junk folder. Thank you!

© 2008-2021, SonarSource S.A., Switzerland. All content is copyright protected. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, and SONARCLOUD are trademarks of SonarSource SA.
All other trademarks and copyrights are the property of their respective owners. All rights are expressly reserved.
Privacy Policy Terms and Conditions