> For the complete documentation index, see [llms.txt](https://docs.sonarsource.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.sonarsource.com/sonarqube-cloud/analyzing-source-code/languages/c-family/customizing-the-analysis.md).

# Customizing the analysis

### Language-specific properties <a href="#language-specific-properties" id="language-specific-properties"></a>

Discover and update the C/C++/Objective-C specific properties in the project settings. Go to *Your project* > **Administration** > **General Settings** > **Languages** > **C/C++/Objective-C**.

### Analyzing test files <a href="#analyzing-test-files" id="analyzing-test-files"></a>

The scanner property `sonar.tests` is used to pinpoint the directories that contain test source files. Recognizing these test files aids the analyzers in adjusting their rules accordingly. For instance, analyzers can activate rules specific to tests and deactivate those not applicable in a testing context.

Currently, the CFamily analyzer treats main and test source files identically. As a result, the `sonar.tests` scanner property is not supported at this time and is disregarded by the analyzer.

To analyze test source files, they should be incorporated into the `sonar.sources` scanner property. In that case, please note that the test code is considered part of the overall code and counts toward the license usage.

### Quality profiles <a href="#quality-profiles" id="quality-profiles"></a>

* Like all other languages supported by SonarQube Server, C, C++, and Objective-C come with the **Sonar way** profile. This is Sonar’s recommended quality profile, designed to fit most projects. To learn more, see the Understanding quality profiles page.
* The **Sonar MISRA C++: 2023 Compliance** quality profile checks your code against a set of software development guidelines for the C++ programming language used in safety and mission-critical systems. MISRA guidelines are published by the [MISRA](https://misra.org.uk/) (Motor Industry Software Reliability Association) consortium. The quality profile helps you make your code compliant with the standard, which facilitates code safety, security, portability, and reliability. Read [The intelligent approach to achieve MISRA C++:2023 compliance](https://www.sonarsource.com/blog/achieve-misra-c-2023-compliant-source-code/) blog post on the Sonar website for more information. This quality profile is available for the [Enterprise](https://www.sonarsource.com/plans-and-pricing/sonarcloud/) plan.\
  MISRA and MISRA C are the registered trade marks of [The MISRA Consortium Limited](https://misra.org.uk/).
* The **Mission critical** legacy quality profile is maintained for backward compatibility.

### Targeted C++ standard <a href="#targeted-cpp-standard" id="targeted-cpp-standard"></a>

The analyzer targets a specific version of the C++ language to tune the rules in the activated quality profile. This reporting standard is used to:

* Suppress rules that cannot be applied, such as rules that suggest using C++20 features while compiling the code with C++17.
* Adjust rules’ messages to suggest the proper fix according to the used standard. For example, a rule that suggests using `std::ranges::any_of` with C++20 will be tuned to suggest using `std::any_of` with an older standard.

In compilation database mode, the reporting standard defaults to the version used to compile the code. This is ideal for most projects. However, there are some edge cases where there is a need to use a reporting standard different from the compilation standard. For this reason, we provide the following scanner property to adjust the reporting standard:

```properties
sonar.cfamily.reportingCppStandardOverride=c++98|c++11|c++14|c++17|c++20|c++23
```

This property is only recommended for use in cases where a project has to comply with a standard older than the one it is compiled with. This can happen if:

* The compiler doesn’t allow setting a specific standard. For example, MSVC doesn’t allow specifying a standard older than C++14.
* The project wants to be compiled with the latest standard while still complying with an older one.

In Automatic Analysis and AutoConfig modes, the reporting standard defaults to the latest version. In this case, we recommend setting the property if the project needs to comply with an older standard.

### C++20 Modules <a href="#cpp-20-modules" id="cpp-20-modules"></a>

Support for C++20 modules is currently experimental and not enabled by default.

* Since the analyzer is based on Clang 20, not all features of C++20 modules are supported. For more information, see the [official documentation for Clang](https://releases.llvm.org/20.1.0/tools/clang/docs/StandardCPlusPlusModules.html).
* Header units are not currently supported.
* The CFamily analyzer needs to know where to find the module units and how to build their corresponding Binary Module Interfaces (BMI). Hence, the compilation database must contain the necessary compiler calls for a complete clean build. This is also true for import std. Module units do not need to be indexed by Sonar unless you want them to be analyzed.
* Support for this feature is only available through the Sonar Community; commercial support is not currently available.
* When modules are involved, there may be some False Positives or Negatives. If you find any, [please report them via the Sonar Community](https://community.sonarsource.com/t/how-to-report-a-false-positive-false-negative/37022/1) or mark "*Share* *comment with Sonar to help improve our analyzers*" when flagging an issue as a False Positive in SonarQube Cloud.

Use the following scanner property to enable C++20 module support:

```properties
sonar.cfamily.enableModules=true
```

There are some aspects to keep in mind when analyzing code with C++20 modules:

* The property above will enable module support only for source files compiled with C++20 or later.
* Using modules requires building intermediate *BMIs*, which, by default, will be put under the directory configured by **`sonar.working.directory`** (usually, `.sonarscanner` under the project root directory). You must account for some extra space to store these files, which SonarScanner will remove at the end of the analysis.
* Analysis results and module dependencies are cached, but the intermediate BMIs are not. Hence, when re-analyzing a file, the analyzer will have to build its full tree of dependencies.

### AutoConfig and Automatic Analysis properties <a href="#autoconfig-and-automatic-analysis-properties" id="autoconfig-and-automatic-analysis-properties"></a>

While Automatic Analysis and AutoConfig modes automatically deduce the low-level configurations, optionally tuning some high-level configurations can be beneficial to force the analysis of specific project variants and improve the analysis quality. Those high-level configurations fall into four categories: custom preprocessor, custom analysis target, custom includes directories *(AutoConfig only)*, and C++ standard override.

* Set a custom preprocessor to tune which parts of the code are analyzed and which features macros are enabled or disabled.
* Set custom targets to tune the size of types and inform the analyzer about the environment the project aims to run on. This can be especially useful for embedded projects with custom architecture.
* Set custom includes directories to inform the analyzer about private dependencies installed in your build environment that are not part of the project directory. This can improve the quality of the analysis. By default, the analyzer can simulate dependencies that are part of the analyzed project codebase and popular public dependencies.
* Override the default C++ language standard if the project needs to comply with a standard other than the latest.

{% hint style="info" %}
Custom includes directories are only available in AutoConfig mode.
{% endhint %}

You can find more on those settings and how to set them in the project administration settings. Go to *Your project* > **Project Settings** > **General Settings** > **Languages** > **C/C++/Objective-C** > **AutoConfig and Automatic Analysis Settings**.

While it is recommended and easier to set these properties from the UI, they can also be set from the scanner side:

* For Automatic Analysis mode, add them to your repository’s `.sonarcloud.properties` file. See the #additional-analysis-configuration section on the automatic-analysis.md page.
* For AutoConfig mode, add them to `sonar-project.properties` in your CI configuration.

For example:

```properties
# Set a multiline custom preprocessor to disable C++ exceptions and define a `custom_macro` to 1
sonar.cfamily.customPreprocessor=#undef __cpp_exceptions\n#define custom_macro 1\n

# Set custom targets, possible values are listed in the UI
# This is equivalent to Clang command line argument: "-target aarch64-pc-linux-gnu"
sonar.cfamily.customTargetArch=aarch64
sonar.cfamily.customTargetVendor=pc
sonar.cfamily.customTargetSystem=linux
sonar.cfamily.customTargetEnv=gnu

# AutoConfig only: set comma-separated relative or absolute custom includes directories for C and C++
sonar.cfamily.customCIncludes="/absolutePath/Cdir1","relativePath/Cdir2"
sonar.cfamily.customCppIncludes="/absolutePath/CPPdir1","relativePath/CPPdir2"

# Override the default C++ language standard with c++14
sonar.cfamily.reportingCppStandardOverride=c++14
```

Note that you don’t need to worry about these properties by default. UI warnings are raised when the analysis quality is considered too low, suggesting providing the relevant properties or moving to compilation database mode. In AutoConfig mode, an analysis quality score is additionally computed and printed in the analysis log, representing the percentage of the analysis scope the analyzer understood.

### Analysis cache <a href="#analysis-cache" id="analysis-cache"></a>

The C/C++/Objective-C analyzer uses the Incremental analysis mechanisms to perform incremental analysis.

Incremental analysis is activated by default and uses server cache storage. It’s possible to change the cache storage to the local file system.

You should consider changing the cache storage to the local filesystem when:

* The server cache size becomes a concern.
* You want to optimize the cache lifecycle based on your project workflow.\
  In particular, if you have long-living pull request branches, you may want to persist the cache for each pull request analysis.

With the filesystem cache, you define a path to the cache. The analyzer loads the cache provided in this directory at the beginning of the analysis and overwrites it at the end. Persisting this directory at the end of the analysis, and loading the cache of the most relevant analysis at the beginning becomes the responsibility of the CI configuration. For example, for the first analysis of a pull request branch, a good option is usually to load the target branch cache to the location of the pull request branch analysis cache.

{% hint style="warning" %}
Be aware that the setup of a filesystem cache is complicated since you must implement the cache lifecycle management logic in your CI configuration.
{% endhint %}

To configure the filesystem cache:

1. Set the `sonar.cfamily.analysisCache.mode` property to `fs` (filesystem) on your CI/CD host (the default value is `server` for server-side cache). See the corresponding SonarScanner section for more information about the setup methods.
2. To set the path to the cache, use the `sonar.cfamily.analysisCache.path` property in your CI process configuration.

### Incremental symbolic execution <a href="#incremental-symbolic-execution" id="incremental-symbolic-execution"></a>

The analyzer provides an incremental symbolic execution mode that incrementally updates the analysis results computed for the rules with a symbolic-execution tag (see the Understanding the analysis article). It may be used to shorten the analysis.

Incremental symbolic execution is enabled by default. It acts as an additional layer on top of the analysis cache and uses the same storage to maintain the required information as selected for the analysis cache (server cache or local file system). For more information on the analysis cache, see the corresponding section above.

In contrast to the analysis cache, incremental symbolic execution detects code changes on an intra-file level rather than treating a file and its dependencies as a whole. This allows it to skip parts of the analysis or to reuse parts of the previous analysis results that are still valid even in cases where a file or its dependencies did undergo edits.

To toggle the incremental symbolic execution mode, set the property `sonar.cfamily.symbolicExecution.useIncrementalMode` to `true` or `false` at the scanner level.

### Parallel code scan <a href="#parallel-code-scan" id="parallel-code-scan"></a>

By default, the analyzer tries to parallelize the analysis of compilation units; it spawns as many jobs as the machine’s logical CPUs allow.

If required, in compilation database mode, the number of scheduled parallel jobs can be customized by configuring the property `sonar.cfamily.threads=n` at the scanner level, where `n` is an integer indicating the maximum number of parallel jobs.

You should consider setting the `sonar.cfamily.threads` property only when the desired number of logical CPUs cannot be detected automatically. A typical example is when the analysis should not consume all the available computing resources to leave room for other tasks running in parallel on the same machine.

When setting the `sonar.cfamily.threads` property, you should set it to a value less or equal to the number of logical CPUs available. Over-committing doesn’t accelerate the analysis and can even slow it down.

### Automatic shallow mode for advanced bug detection

For large files that take a long time to analyze, you can activate the automatic shallow mode, which trades a potentially lower bug detection rate for a faster analysis time.

To activate shallow mode on files with more than `N` entry points set the property `sonar.cfamily.symbolicExecution.automaticShallowModeThreshold=N`. An entry point is essentially a (member-) function declaration with a body. The analyzer begins its work at every function declared with a body, so a file containing many entry points will require a longer analysis time.

By default `sonar.cfamily.symbolicExecution.automaticShallowModeThreshold=0` which means this feature is disabled.

If you are willing to reduce the bug detection rate in order to reduce analysis time, we recommend setting it to 70 entry points. Choosing a lower, non-zero value for `N` will reduce analysis depth on more files and will make the analysis even faster. Choosing a higher value for `N` restricts shallow mode only to the largest files, minimizing the impact on small and medium files.

## In-line suppression of issues <a href="#in-line-suppression-of-issues" id="in-line-suppression-of-issues"></a>

Adding the `//NOSONAR` comment at the end of the line will suppress all issues on that line.

The check is case-insensitive, so variants like `//nosonar` also work. Block comments are not supported.

{% hint style="warning" %}
Rather than relying on this method, we suggest refining your analysis scope to avoid creating major gaps in your code review. Because the `NOSONAR` comment silences all current and future issues on a line without regard for their severity, it is an imprecise tool. Even if you only intend to hide a minor stylistic point, you could unintentionally obscure a serious security flaw.
{% endhint %}

{% hint style="info" %}
The rules `NoSonar` allows tracking in-line suppression comments in C, C++, or Objective-C code.
{% endhint %}

### Taint analysis (beta) <a href="#taint-analysis" id="taint-analysis"></a>

The analyzer provides a taint analysis implementation that aims at identifying security-related issues for common, critical CWE-classified vulnerabilities.

#### About the feature

Taint analysis tracks untrusted data (taint) from sources (user input, external APIs) to sensitive sinks (system calls, database queries, etc.) and reports an issue if it detects such an undesired flow. The analyzer tracks how data generated by a source flows through your code. It detects when data that is potentially manipulated by a malicious user reaches a sensitive piece of code where an attack might occur. This potentially malicious data is also called tainted data because it is tainted by user inputs.

**Taint analysis rules**

The rules used for taint analysis are tagged with a `taint-analysis` tag. Rule examples:

* S2076: OS commands should not be vulnerable to command injection attacks
* S2083: I/O function calls should not be vulnerable to path injection attacks

For more information, see Understanding the analysis.

**Default configuration**

Taint analysis is enabled by default. It runs automatically if your quality profile includes rules tagged with a `taint-analysis` tag.

Our analyzer comes with a comprehensive default configuration for commonly used sources and sinks. However, you can specify additional sources and sinks as well as sanitizers.

See [Specifying a custom configuration](#specifying-a-custom-configuration) below for more information.

**Taint analysis skips if quality index is low**

Running the taint analysis requires the project under analysis to compile successfully. The analyzer computes a quality index based on how much of the code it managed to compile. If this index is too low, the taint analysis will not run. A warning will be logged detailing the issue.

**Limitations**

The following features are currently incompatible with taint analysis and hence, may not be used when running taint analysis:

* Automatic configuration (AutoConfig) mode
* Analyzing several code variants
* C++20 modules
* SonarLint analysis

If taint analysis detects that any of the above features is enabled, it will automatically disable taint analysis.

Beyond these feature incompatibilities, there are additional constraints on what the taint analysis can process. First, taint analysis cannot process non-8-bit character targets such as the AVR target architecture because the compiler backend is unable to generate the required intermediate representation for such targets.

Second, taint analysis can only find taint flows in code that is available for analysis and compiles successfully. In particular, the analysis will not see files that are excluded from the analysis or other unavailable third-party code.

Finally, due to aliasing and pointer arithmetic, it may happen that our analyzer raises issues for rules tagged with `taint-analysis` -- even if you apply correct sanitization to a user-controlled, tainted value. In that case, ensure that sanitization is correct and complete, and then mark the issue as `False Positive`. We are continuously improving on our taint analysis' pointer analysis to mitigate these situations to the extent possible.

#### Disabling the taint analysis

To explicitly disable taint analysis, set the `sonar.cfamily.taintAnalysis` property to `false`.

#### Defining resource limits to avoid overtainting

Taint analysis can be resource-intensive because it operates on the whole program and builds a complex model of the code. When it runs into a situation that the literature describes as "over-tainting" or "taint explosion", the analysis will consume excessive resources (time and memory) while exploring only limited new parts of the program. To prevent the analysis from getting stuck, you can set resource limits using the following properties:

* `sonar.cfamily.taintAnalysis.timeout`: Sets a time limit in milliseconds. (Set to 0 or omit for no time limit.)
* `sonar.cfamily.taintAnalysis.dataflowMemoryLimit`: Sets a memory limit in bytes. (Set to 0 for the analyzer to automatically determine a suitable memory limit.)

Whenever a limit is reached, the taint analysis will be stopped early, but all of its findings up to that point will be reported. Still, the more resources given to the taint analysis, the deeper it can analyze the target program. Should explicit time and memory constraints not be defined, the analyzer will attempt to automatically determine appropriate limits.

#### Specifying a custom configuration

The CFamily analyzer allows you to customize the taint configuration by allowing you to add your own sources, sinks, sanitizers.

To customize the taint analysis performed by the CFamily analyzer:

1. Provide a custom taint analysis configuration file in JSON format. See below.
2. Set the path (relative to the project base dir or absolute) to this JSON configuration file through the `sonar.cfamily.taintAnalysis.taintConfig` property.

**About the customization**

The analyzer already knows a lot of APIs that are potential sources or targets of an attack. While we do our best to identify publicly available APIs, we cannot know everything about your homemade frameworks particularly when it comes to sanitizing your data. A sanitizer is a function whose invocation sanitizes ("un-taints") data. After a piece of data has been sanitized it will no longer be tracked by the analysis and can be safely passed to a sensitive sink function.

For example, you may wish to:

* Add a source to add support for a framework that our analyzer does not cover out of the box.
* Use a custom sanitizer to tell the analysis that all data going through that sanitizer shall be considered safe. This allows you to remove false positives and tailor the taint analysis to your company's needs.

**Custom taint analysis configuration file**

Through customization, you add an element (source, sink, or sanitizer):

* To a specific rule or to all rules.
* For one or several methodIds.

**Element**

You can add the following elements to your custom configuration:

* Source (key: `sources`): Where you get user data. You should always consider user data tainted and vulnerable to injection attacks.\
  Example: Calling `scanf` will generate tainted content.
* Sink (key: `sinks`): A piece of code that can perform a security-sensitive task. Data should not contain any malicious content once it reaches a sink.\
  Example: Calling `execl` with unchecked user data.
* Sanitizer (key: `sanitizers`): Finds and removes malicious content from one or more potentially tainted arguments.

**Rule**

A rule is identified by its number, for example `S2076`. Use the special rule key `common` to apply the given configuration to all rules.

**MethodId**

All custom configurations rely on the accuracy of the provided methodId. You can either specify a full methodId as a string or use a regular expression, which may be useful for specifying class or function templates as well as overload sets in C++.

**File example**

An exemplary configuration is shown in the following to help you understand the expected format.

```json
{
"common": {
"sources": [
{
"methodId": "getPassword",
"args": [
-1
]
},
{
"methodId": "getPassword()",
"args": [
-1
]
}
]
},
"S2076": {
"sinks": [
{
"methodId": "executeCommand",
"args": [
0
]
},
{
"methodId": "execute\\(.*\\)",
"isRegex": true,
"interval": {
"fromIndex": 0
}
},
{
"methodId": "logMessage(char const*)",
"args": [
0
]
}
],
"sanitizers": [
{
"methodId": "verifyCommand",
"args": [
0
]
}
]
}
}
```

This configuration tells the analyzer that the `getPassword` and `getPassword()` functions' return values shall be considered tainted across all taint-based rules. To identify a function in the C programming language, use its symbol name (`getPassword`). To identify a function in C++, a function's name and its parameter list must be specified to disambiguate static function overloads (`getPassword()`).

The C function `executeCommand` and the C++ functions whose name matches the regular expression `execute\\(.*\\)` as well as the C++ `logMessage(char const*)` function shall be considered sinks for rule S2076. When specifying methodIds using regular expressions (`"isRegex": true`), metacharacters need to be escaped with two backslashes (`\\`). If the analysis discovers that a tainted value is passed as the first parameter to executeCommand, it will report a security issue. If any of its potentially many parameters receives tainted data, any function matching `execute\\(.*\\)` will be considered a security leak, and an issue will be reported. Note that C++'s parameter lists use "east const" and `&` and `*` are not space-separated, e.g. `logMessage(char const*)`.

The configuration also specifies the C function `verifyCommand` to be a sanitizer that sanitizes – or "un-taints" – its first parameter, which tells the analyzer that a tainted piece of data that is passed as the first parameter will no longer be tracked as it is considered safe to use after sanitization.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.sonarsource.com/sonarqube-cloud/analyzing-source-code/languages/c-family/customizing-the-analysis.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
