Customizing the analysis

How to customize your CFamily code analysis.

Language-specific properties

Discover and update the C/C++/Objective-C specific properties in Administration > Configuration > General Settings > Languages > C/C++/Objective-C.

Analyzing test files

The scanner property sonar.tests is utilized to pinpoint the directories that contain test source files. Recognizing these test files aids the analyzers in adjusting their rules accordingly. For instance, analyzers can activate rules specific to tests and deactivate those not applicable in a testing context.

There are no specific rules for tests and no specific support for the analysis of tests, so files specified in sonar.tests are ignored by the C/C++/Objective-C analyzer. If you wish to analyze test files, you should include them in sonar.sources, so that normal rules will be applied to them.

To analyze test source files, you should incorporate them into the sonar.sources scanner property. In that case, please note that the test code is considered part of the overall code and counts toward the license usage.​​

Quality profiles

  • Like all other languages supported by SonarQube Server, C, C++, and Objective-C come with the "Sonar way" profile. This is Sonar’s recommended quality profiles, designed to fit most projects.

  • We also provide the "Mission critical" quality profile for C++. It is our recommendation for modern C++ development (C++17 and beyond) for mission-critical software. It is based on MISRA C++ 2023 and trades more constraints on your code for more code safety.

Targeted C++ standard

The analyzer targets a specific version of the C++ language to tune the rules in the activated quality profile. This reporting standard is used to:

  • Suppress rules that cannot be applied. For example, the rules that suggest using C++20 features while compiling the code with C++17.

  • Adjust rules’ messages to suggest the proper fix according to the used standard. For example, a rule that suggests using std::ranges::any_of with C++20 will be tuned to suggest using std::any_of with an older standard.

In Compilation Database mode, the reporting standard defaults to the version used to compile the code. This is ideal for most projects. However, there are some edge cases where there is a need to use a reporting standard different from the compilation standard. For this reason, we provide the following scanner property to adjust the reporting standard:

sonar.cfamily.reportingCppStandardOverride=c++98|c++11|c++14|c++17|c++20|c++23

This property is only recommended for use in cases where a project has to comply with a standard older than the one it is compiled with. This can happen if:

  • The compiler doesn’t allow setting a specific standard. For example, MSVC doesn’t allow specifying a standard older than C++14.

  • The project wants to be compiled with the latest standard while still complying with an older one.

In AutoConfig mode, the reporting standard defaults to the latest version. In this case, we recommend setting the property if the project needs to comply with an older standard.

C++20 Modules

Support for C++20 modules is currently experimental and not enabled by default.

  • Since the analyzer is based on Clang 19, not all features of C++20 modules are supported. For more information, see the official documentation for Clang.

  • Header units are not currently supported.

  • The CFamily analyzer needs to know where to find the module units and how to build their corresponding Binary Module Interfaces (BMI). Hence, the Compilation Database must contain the necessary compiler calls for a complete clean build. This is also true for import std. Module units do not need to be indexed by Sonar unless you want them to be analyzed.

  • Support for this feature is only available through the Sonar Community; professional support is unavailable.

To enable C++20 modules support, add the following to your sonar-project.properties file at the root of your project:

sonar.cfamily.enableModules=true

There are some aspects to keep in mind when analyzing code with C++20 modules:

  • The property above will enable module support only for source files compiled with C++20 or later.

  • Using modules requires building intermediate BMIs, which, by default, will be put under the directory configured by sonar.working.directory (usually, .sonarscanner under the project root directory). You must account for some extra space to store these files, which SonarScanner will remove at the end of the analysis.

  • Analysis results and module dependencies are cached, but the intermediate BMIs are not. Hence, when re-analyzing a file, the analyzer will have to build its full tree of dependencies.

AutoConfig-specific properties

While AutoConfig mode automatically deduces the low-level configurations, optionally tuning some high-level configurations can be beneficial to force the analysis of specific project variants and improve its analysis quality. Those high-level configurations can be tuned through settings AutoConfig-specific properties that fall into four categories: custom preprocessor, custom analysis target, custom includes directories, and forcing a C++ language standard.

  • Set a custom preprocessor to tune which parts of the code are analyzed and which features macros are enabled or disabled.

  • Set custom targets to tune the size of types and inform the analyzer about the environment the project aims to run on. This can be especially useful for embedded projects with custom architecture.

  • Set custom includes directories to inform the analyzer about the project’s private dependencies that are not part of the project directory. This can improve the quality of the analysis. By default, AutoConfig can simulate dependencies that are part of the analyzed project codebase and popular public dependencies. Note that the analysis logs contain the list of top missing dependencies.

  • Override the default C++ language standard if the project needs to comply with a standard other than the latest.

If you’re interested in understanding the context in which your project is analyzed, you can activate a feature that generates a JSON file. This JSON file groups the computed analysis configuration for each analyzed C and C++ file in the project.

You can find more on those settings and how to set them in the project administration settings. From the project homepage, go to Project Settings > General Settings > Languages > C/C++/Objective-C > AutoConfig Analysis Settings.

While it is recommended and easier to set these properties from the UI, they can be set from the scanner side. For example, in sonar-project.properties:

# Set a multiline custom preprocessor to disable C++ exceptions and define a `custom_macro` to 1
sonar.cfamily.customPreprocessor=#undef __cpp_exceptions\n#define custom_macro 1\n

# Set custom targets, possible values are listed in the UI
# This is equivalent to Clang command line argument: "-target aarch64-pc-linux-gnu"
sonar.cfamily.customTargetArch=aarch64
sonar.cfamily.customTargetVendor=pc
sonar.cfamily.customTargetSystem=linux
sonar.cfamily.customTargetEnv=gnu

# Set comma-seperated relative or absolute custom includes directories for C and C++
sonar.cfamily.customCIncludes="/absolutePath/Cdir1","relativePath/Cdir2"
sonar.cfamily.customCppIncludes="/absolutePath/CPPdir1","relativePath/CPPdir2"

# Override the default C++ language standard with c++14
sonar.cfamily.reportingCppStandardOverride=c++14

Note that you don’t need to worry about these properties by default. An analysis quality score is computed and printed as part of the analysis log. The score represents the percentage of the Analysis scope that the analyzer understood. A UI warning is raised when the quality score is considered too low, suggesting providing the AutoConfig-specific properties or moving from AutoConfig to Compilation Database mode.

Analysis Cache

The C/C++/Objective-C analyzer uses the analysis cache mechanism to perform incremental analysis.

Incremental analysis is activated by default and uses server cache storage. It’s possible to change the cache storage to the local file system.

You should consider changing the cache storage to the local filesystem when:

  • The server cache size becomes a concern.

  • You want to optimize the cache lifecycle based on your project workflow. In particular, if you have long-living pull request branches, you may want to persist the cache for each pull request analysis.

With the filesystem cache, you define a path to the cache. The analyzer loads the cache provided in this directory at the beginning of the analysis and overwrites it at the end. Persisting this directory at the end of the analysis, and loading the cache of the most relevant analysis at the beginning becomes the responsibility of the CI configuration. For example, for the first analysis of a pull request branch, a good option is usually to load the target branch cache to the location of the pull request branch analysis cache.

To configure the filesystem cache:

  1. Set the sonar.cfamily.analysisCache.mode property to fs (filesystem) on your CI/CD host (the default value is server for server-side cache). See the corresponding SonarScanner section for more information about the setup methods.

  2. To set the path to the cache, use the sonar.cfamily.analysisCache.path property in your CI process configuration.

Incremental symbolic execution

The analyzer provides an experimental incremental analysis mode that incrementally updates the analysis results computed for the rules with a a symbolic-execution tag (see the Understanding the analysis > Implementation-related rule tags section). It may be used to shorten the analysis.

Incremental symbolic execution is deactivated by default. It acts as an additional layer on top of the analysis cache and uses the same storage to maintain the required information as selected for the analysis cache (server cache or local file system). For more details on analysis cache, see the section above.

In contrast to the analysis cache, incremental symbolic execution detects code changes on an intra-file level rather than treating a file and its dependencies as a whole. This allows it to skip parts of the analysis or to reuse parts of the previous analysis results that are still valid even in cases where a file or its dependencies did undergo edits.

To enable the incremental symbolic execution mode, configure the property sonar.cfamily.experimental.symbolicExecution.useIncrementalMode=true at the scanner level.

Note that this is an experimental feature:

  • Enabling incremental symbolic execution mode might increase the hardware requirements on RAM.

  • Incremental symbolic execution mode cannot be used when analyzing several code variants yet (see the "Analyzing several code variants" section below).

Feedback on this experimental feature is highly appreciated and can be provided in the Sonar Community.

Parallel code scan

By default, the analyzer tries to parallelize the analysis of compilation units; it spawns as many jobs as the machine’s logical CPUs allow.

If required, the number of scheduled parallel jobs can be customized by configuring the property sonar.cfamily.threads=n at the scanner level, where n is an integer indicating the maximum number of parallel jobs.

You should consider setting the sonar.cfamily.threads property only when the desired number of logical CPUs cannot be detected automatically. A typical example is when the analysis should not consume all the available computing resources to leave room for other tasks running in parallel on the same machine.

When setting the sonar.cfamily.threads property, you should set it to a value less or equal to the number of logical CPUs available. Over-committing doesn’t accelerate the analysis and can even slow it down.

Analyzing several code variants

In Compilation Database mode, you can analyze different variants of the very same version of your code (different target architectures, different build options, etc) and see aggregated results on the server. All variants are analyzed in the same environment and during the same analysis. We do not support analyzing two variants requiring the code to be built on two different machines.

You should define two properties:

  • sonar.cfamily.variants.names, which contains a comma-separated list of the names of all the variants that need to be analyzed.

  • sonar.cfamily.variants.dir, which contains a path to a folder with one subfolder per variant. Each subfolder should contain a compile_commands.json file.

These properties are mutually exclusive with sonar.cfamily.compile-commands.

The following example defines three variants:

sonar.projectKey=myFirstProject
sonar.projectName=My First C++ Project
sonar.projectVersion=1.0
sonar.sources=src
sonar.cfamily.variants.names=Linux x64,Linux ARM,Linux ARM64
sonar.cfamily.variants.dir=compilation-databases
sonar.sourceEncoding=UTF-8
sonar.host.url=YourSonarQubeURL

And the folder structure should look like this:

Project root

|- compilation-databases

|  |- Linux ARM

|  |  |- compile_commands.json

|  |- Linux ARM64

|  |  |- compile_commands.json

|  |- Linux x64

|  |  |- compile_commands.json

...

Data from all variants will usually be aggregated when analyzing code for several variants. For instance, a particular issue was present in the previous configuration in Linux ARM and Linux ARM64 but not in Linux x64.

Last updated

Was this helpful?