Because I want to use Sonar to check my C/C++ projects for bugs, vulnerabilities and other issues, I have installed Sonar v5.6.3 and sonar-cxx v0.9.6. To evaluate Sonar for my purposes I took the C example from sonar-examples and extended the main.c file:
#include <stdio.h> /* NOK, according to the MISRA C 2004 20.9 rule, stdio.h must not be used in embedded system's production code */
#include <mylib.h> /* assumed to provide the ADD() macro used below */

int fun(int a, int b); /* prototype, so fun() is declared before its use in main() */

int main(void) {
    int a;
    char buffer[10];
    char index = 1;
    int x = ADD(40, 2);
    int y = fun(40, 2);
    buffer[10] = 1; /* Vulnerability: array index out of bounds */
    buffer[a] = 'a'; /* Vulnerability: array index is used before limits check */
    buffer[index] = '1'; /* Code smell: 'char' type used as array index */
    if (1 == a) /* Bug: access to an uninitialized value */
    {
        printf("a = 1");
    }
    a = 0;
    if (x != 42)
    { /* NOK, empty code blocks generate violations */
    }
    x /= a; /* Bug: division by zero */
    printf("40 + 2 = %d\n", x);
    printf("fun = %d\n", y);
}

int fun(int a, int b) {
    return a * b;
}
In addition, I changed the sonar-project.properties file so that sonar-cxx is used to parse the code:
# Required metadata
sonar.projectKey=org.sonarqube:c-simple-sq-scanner
sonar.projectName=C :: Simple Project :: SonarQube Scanner
sonar.projectVersion=1.0
# Comma-separated paths to directories with sources (required)
sonar.sources=src
sonar.cxx.includeDirectories=lib
# Language, needed for SonarQube < 4.2
sonar.language=c++
# The build-wrapper output dir
# sonar.cfamily.build-wrapper-output=/path/to/build-wrapper/output/dir
# Optional comma-separated list of additional libraries folders (such as /usr/include)
# sonar.cfamily.library.directories=lib
# Optional specific predefined macros
# sonar.cfamily.predefinedMacros=#define MY_MACRO(a) ((a)+1),#define DEBUG
# Encoding of the source files
sonar.sourceEncoding=UTF-8
When running sonar-runner (v2.5) I do not see any error messages:
INFO: Scanner configuration file: D:\RnD_Tools\sonar-scanner-2.5\bin\..\conf\sonar-runner.properties
INFO: Project configuration file: C:\Users\ralfebert\Downloads\sonar-examples-master\projects\languages\c\c-sonar-runner\sonar-project.properties
INFO: SonarQube Scanner 2.5
INFO: Java 1.8.0_73 Oracle Corporation (64-bit)
INFO: Windows 7 6.1 amd64
INFO: User cache: C:\Users\ralfebert\.sonar\cache
INFO: Load global repositories
INFO: Load global repositories (done) | time=129ms
INFO: User cache: C:\Users\ralfebert\.sonar\cache
INFO: Load plugins index
INFO: Load plugins index (done) | time=5ms
INFO: Default locale: "de_DE", source code encoding: "UTF-8"
INFO: Process project properties
INFO: Load project repositories
INFO: Load project repositories (done) | time=193ms
INFO: Execute project builders
INFO: Execute project builders (done) | time=1ms
INFO: Load quality profiles
INFO: Load quality profiles (done) | time=118ms
INFO: Load active rules
INFO: Load active rules (done) | time=1528ms
INFO: SCM provider autodetection failed. No SCM provider claims to support this project. Please use sonar.scm.provider to define SCM of your project.
INFO: Publish mode
INFO: ------------- Scan C :: Simple Project :: SonarQube Scanner
INFO: Language is forced to c++
INFO: Load server rules
INFO: Load server rules (done) | time=250ms
INFO: Base dir: C:\Users\ralfebert\Downloads\sonar-examples-master\projects\languages\c\c-sonar-runner
INFO: Working dir: C:\Users\ralfebert\Downloads\sonar-examples-master\projects\languages\c\c-sonar-runner\.sonar
INFO: Source paths: src
INFO: Source encoding: UTF-8, default locale: de_DE
INFO: Index files
INFO: 1 files indexed
INFO: Quality profile for c++: Sonar way
INFO: JaCoCoSensor: JaCoCo report not found : C:\Users\ralfebert\Downloads\sonar-examples-master\projects\languages\c\c-sonar-runner\target\jacoco.exec
INFO: JaCoCoItSensor: JaCoCo IT report not found: C:\Users\ralfebert\Downloads\sonar-examples-master\projects\languages\c\c-sonar-runner\target\jacoco-it.exec
INFO: Sensor Lines Sensor
INFO: Sensor Lines Sensor (done) | time=10ms
INFO: Sensor CxxSquidSensor
INFO: Scanner found '0' report files
INFO: Cannot find a report for 'sonar.cxx.compiler.reportPath'
INFO: Project 'org.sonarqube:c-simple-sq-scanner' Cycles:0 Feedback cycles:0 Tangles:0 Weight:0.0
INFO: Sensor CxxSquidSensor (done) | time=178ms
INFO: Sensor CxxCoverageSensor
INFO: Sensor CxxCoverageSensor (done) | time=0ms
INFO: Sensor SCM Sensor
INFO: No SCM system was detected. You can use the 'sonar.scm.provider' property to explicitly specify it.
INFO: Sensor SCM Sensor (done) | time=0ms
INFO: Sensor Zero Coverage Sensor
INFO: Sensor Zero Coverage Sensor (done) | time=6ms
INFO: Sensor Code Colorizer Sensor
INFO: Sensor Code Colorizer Sensor (done) | time=22ms
INFO: Sensor CPD Block Indexer
INFO: DefaultCpdBlockIndexer is used for c++
INFO: Sensor CPD Block Indexer (done) | time=9ms
INFO: Calculating CPD for 1 files
INFO: CPD calculation finished
INFO: Analysis report generated in 50ms, dir size=31 KB
INFO: Analysis reports compressed in 7ms, zip size=11 KB
INFO: Analysis report uploaded in 141ms
INFO: ANALYSIS SUCCESSFUL, you can browse http://localhost:9000/dashboard/index/org.sonarqube:c-simple-sq-scanner
INFO: Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
INFO: More about the report processing at http://localhost:9000/api/ce/task?id=AVgF6GhDsPC8lDzvfGdL
INFO: ------------------------------------------------------------------------
INFO: EXECUTION SUCCESS
INFO: ------------------------------------------------------------------------
INFO: Total time: 7.584s
INFO: Final Memory: 49M/250M
INFO: ------------------------------------------------------------------------
After looking at the results in my browser, I see:
Bugs: 0
Vulnerabilities: 0
Code Smells: 0
Debt: 0
Duplications: 0%
Duplicated Blocks: 0
Lines of Code: 24
Unexpected. To check my installation I did a similar test with the Java example, and for that project I saw bugs and vulnerabilities.
Is sonar-cxx a special case where I have to activate the checks manually? Can anyone help me with my problem?
Thanks for any suggestions, Ralf Ebert
Answer 0 (score: 1)
On the Running the Analysis page of the Sonar-cxx wiki on GitHub:
The C++ Community plugin itself does not run test runners, coverage trackers or static checkers. All such data has to be supplied in the form of reports.
That page also provides a link to the Running Tools page, which links to several other pages explaining how to generate the reports that Sonar-cxx consumes. For example, you can run Cppcheck to statically analyse the code, save its output to a directory inside the project and set the sonar.cxx.cppcheck.reportPath property (see here) to point to that directory.
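As an added example (not from the original post or the sonar-cxx project), a small pre-flight check to run on the Cppcheck XML report before invoking sonar-scanner: it parses the report, counts findings per severity and fails when the report is empty, which is the silent situation behind the "Scanner found '0' report files" line and the all-zero dashboard in the question. It assumes Cppcheck was run as `cppcheck --xml --xml-version=2 src 2> reports/cppcheck.xml`; the embedded report is constructed sample data, not real tool output.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of a cppcheck XML version 2 report for the main.c above
# (assumed content, written by hand for this example).
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<results version="2">
  <cppcheck version="2.x"/>
  <errors>
    <error id="arrayIndexOutOfBounds" severity="error"
           msg="Array 'buffer[10]' accessed at index 10, which is out of bounds." cwe="788">
      <location file="src/main.c" line="10" column="5"/>
    </error>
    <error id="uninitvar" severity="error" msg="Uninitialized variable: a" cwe="457">
      <location file="src/main.c" line="11" column="12"/>
    </error>
    <error id="zerodiv" severity="error" msg="Division by zero." cwe="369">
      <location file="src/main.c" line="21" column="7"/>
    </error>
  </errors>
</results>
"""

def parse_cppcheck_report(xml_text):
    """Return (id, severity, file, line) tuples from a cppcheck XML v2 report."""
    root = ET.fromstring(xml_text)
    if root.tag != "results" or root.get("version") != "2":
        raise ValueError("not a cppcheck XML v2 report; rerun cppcheck with --xml-version=2")
    findings = []
    for err in root.iter("error"):
        loc = err.find("location")  # first location only; secondary locations are ignored
        findings.append((err.get("id"), err.get("severity"),
                         loc.get("file") if loc is not None else None,
                         int(loc.get("line")) if loc is not None else None))
    return findings

def severity_counts(findings):
    """Count findings per cppcheck severity (error, warning, style, ...)."""
    return Counter(sev for _, sev, _, _ in findings)

def report_is_usable(xml_text):
    """True when the report parses and carries at least one finding; an empty
    or unparsable report is what leaves the SonarQube dashboard at 0 bugs."""
    try:
        return len(parse_cppcheck_report(xml_text)) > 0
    except (ET.ParseError, ValueError):
        return False

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_REPORT
    print(dict(severity_counts(parse_cppcheck_report(text))))
    sys.exit(0 if report_is_usable(text) else 1)
```

Run it as `python check_report.py reports/cppcheck.xml` in the same step that precedes sonar-scanner, so a missing or empty report stops the pipeline instead of producing a clean-looking dashboard.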
Answer 1 (score: 0)
Please see the important note about the sonar-cxx plugin:
https://github.com/SonarOpenCommunity/sonar-cxx/wiki/Running-tools
I am using the build-wrapper configuration on Sonarcloud.io for the C-family Sonar plugin.
You then need to run the wrapper before the sonar scanner, to make the sources and get some meaningful output from the compiler (you could also use cppcheck as mentioned above, etc.). Once the sonar.cfamily.build-wrapper-output path is set, the scanner uses that output.
sonar-scanner \
-Dsonar.cfamily.build-wrapper-output=bw-output \
... your other options
For details see https://docs.sonarqube.org/latest/analysis/languages/cfamily/.