sonar-cxx

Is the cxx plugin still needed?

Open guwirth opened this issue 1 year ago • 16 comments

SonarQube was originally an open platform for measuring technical debt. SonarSource realized relatively quickly that there was no money in it, so they started selling static code analysis.

Many programming languages were initially not or only very rudimentarily supported, including C++. From the initially unsatisfactory C++ support, the cxx plugin was born.

The cxx plugin has always taken a different approach than SonarSource's built-in C++ analysis. The idea was to use tools available in the C++ context and integrate their output into SonarQube. SonarSource was probably also motivated by the cxx plugin to create its own open interfaces (Generic issue import format, Generic test execution report format, Generic test coverage report format, ...).

How many users the cxx plugin (still) has is difficult to find out. Mostly the plugin is downloaded and installed by a few administrators, but eventually used by many.

Can you please give feedback:

  • Do you use the cxx plugin?
  • Which parts and functionalities do you use?

Thank you very much for your input.

guwirth, May 25 '23 09:05

At my workplace the other team uses the CXX plugin and my team has been using the builtin, but we are now looking at the pros and cons when comparing the two. From what I learnt, the two alternatives work differently, so I've done two analyses to compare the two. Here are some of my findings: The builtin will not work with Apple Silicon, so it needs custom fixing anyway for that platform. I need to provision the environment with cppcheck and run cppcheck for the cxx plugin, whereas the builtin uses the build-wrapper which requires compilation (I think) which is more than static analysis.

montao, Jun 02 '23 03:06

> whereas the builtin uses the build-wrapper which requires compilation (I think) which is more than static analysis.

@montao thanks for your feedback.

Both plugins have to parse the source code and generate an abstract syntax tree (AST). The AST is used to generate the metrics and, in the case of the commercial plugin, also to check the rules. The commercial plugin internally uses the Clang frontend for this, the community plugin SSLR. Since C++ by now gets an update every three years, maintaining the grammar takes substantial effort.

guwirth, Jun 02 '23 06:06

I'm currently importing data from:

  • cppcheck
  • VS2019 static analysis
  • BullseyeCoverage

I've also tried to import the MSBuild log file for includes/compile definitions but it's too slow to be usable. Probably because of third parties like Boost. Maybe in the future I'll also try to import warnings from the GCC build, but I'm not sure that it will work even if I do text replacements from Linux to Windows paths.

Nekto89, Jun 06 '23 21:06

@Nekto89 thanks for your feedback.

> I've also tried to import the MSBuild log file for includes/compile definitions but it's too slow to be usable.

Feature #2279 could be useful here; maybe we can add it in one of the next versions.

> Maybe in the future I'll also try to import warnings from the GCC build, but I'm not sure that it will work even if I do text replacements from Linux to Windows paths.

Should work, we are also doing it. Hints on paths: https://github.com/SonarOpenCommunity/sonar-cxx/wiki/Troubleshooting-Reports#file-path-issues

guwirth, Jun 08 '23 05:06

We also heavily use the plugin for all our C++ development. cppcheck and coverage, mostly. Thanks.

rglarix, Jul 28 '23 10:07

We are also using CXX plugin for our embedded C development with cppcheck and gcov coverage. Thank you very much for this plugin.

JuPrgn, Aug 21 '23 11:08

We use the plugin for our C/C++ libraries. The tools we use are Cppcheck, Clang-tidy and Cpplint on Linux, Mac Intel, Mac ARM and Windows; Gcov on Linux, Mac Intel, Mac ARM; DrCov and DrMemory on Windows; Valgrind on Linux.

I would be interested to know if SonarSource's built-in C++ analysis is as complete.

In any case we highly appreciate your plugin. Thank you so much.

gndl, Aug 22 '23 18:08

We use it for PCLint reports.

rendevor, Oct 06 '23 22:10

We use this plugin for all our C++ projects with logs from clang-tidy, Visual Studio code analysis, cppcheck and rats. Thank you for your work!

consulion, Oct 25 '23 11:10

We are evaluating it for cppcheck and gcc compiler warnings for multiple projects... still first POC phase

jenspopp, Oct 27 '23 13:10

I work at Inria (research institute for applied mathematics and computer science in France) and we are using the plugin for our instance of SonarQube.

I can't speak for all the projects that use the cxx plugin on that instance, but for my part I really appreciate getting in one place the diagnostics provided by many C++ checking tools; thanks for your work on it!

srpgilles, Jan 19 '24 12:01

I work at Inria too with @srpgilles and we completely depend on this plugin to import analysis reports for C++ in our SonarQube instance (community edition). There are something like several dozen projects analyzed.

We use it to import in the same place reports of GCC/Clang warnings, clang-sa, cppcheck, valgrind, unit test coverage, and of course what is analyzed by SonarQube itself: size of code, duplication, complexity, etc. We like being able to get a view of the code quality in a single place and being able to access it through the web API to get measures and badges elsewhere (e.g. in a GitLab). Here is an example of what we do in a simple example:

  • https://gitlab.inria.fr/gitlabci_gallery/pipelines/complete_cpp_example
  • https://gitlab.inria.fr/gitlabci_gallery/pipelines/complete_cpp_example/-/blob/main/.gitlab/lint.sh?ref_type=heads

We also like to manage the rules/issues (quality profile) that are enabled/disabled on each project. We do not use it to import custom reports or metrics.

fpruvost, Jan 19 '24 12:01

Our company's projects all use this plugin and cppcheck and gcov coverage as long as they are written in C++.

I appreciated your time and effort.

mikeqoo1, May 28 '24 01:05

In the same situation as @mikeqoo1: we are using this plugin for nearly all of our projects, we were quite happy with it, and we appreciate all the work done. Recently, we're facing an issue with the CxxUnitTestResultsAggregator class raising ClassNotFoundException. Our CI configuration uses GitLab runners, and sonarscanner runs in a sonarsource/sonar-scanner-cli:latest container. Is there an official or community image currently supporting CxxUnitTestResultsAggregator?

qathy, Jun 25 '24 11:06

I'm also a happy user of this plugin at work. C++ is a niche category in development there, so a free solution is much preferred over an expensive commercial alternative...

So far only cppcheck is integrated but clang output shall be added as well.

amai2012, Jul 11 '24 15:07

We're using it here as well; integrating the output of many tools into SonarQube (coverage, clang-tidy, you-name-it).

opajonk, Aug 08 '24 14:08