Static code analysis tools for your C++

We gather the information required for analysis by unobtrusively monitoring your build, so analysis is compatible with:

• Code compiled on Windows, Linux (x86_64 and AArch64), macOS (x86_64 and arm64)
• Any build system
• Incremental code analysis
• Parallel code analysis

We provide support for most popular compilers: (check here for full list)

• Clang, GCC, MSVC, ARM, QNX compilers
• Intel compilers for Linux, macOS
• Compilers based wholly on GCC, for instance: Linaro GCC
• Wind River Diab and GCC
• IAR compilers for 8051, ARM, AVR32, AVR, Renesas RL78, Renesas RX, Renesas V850, Renesas H8, and Texas Instruments MSP430
• Texas Instruments compilers on Windows and macOS for ARM, C2000, C6000, C7000, MSP430, PRU

C++03, C++ 11, C++14, C++17, C++20, C++23

GNU extensions

CPP Core Guidelines

MISRA C++:2023

SonarQube C++ static code analysis is an automated process that examines C and C++ source code to identify bugs, vulnerabilities, code smells, and maintainability issues before the code is run. By analyzing code without executing it, Sonar tools help developers detect potential problems early in the development lifecycle, reducing the risk of defects making it to production.

Using SonarQube, SonarQube Cloud, or SonarQube for IDE, teams can continuously monitor their codebase for quality issues and enforce coding standards. This proactive approach supports the creation of quality code, improves maintainability, and helps ensure that new code meets high standards from the start, aligning with the principle of quality at the source.

Integrating SonarQube C++ analysis with your build system or CI/CD pipeline typically involves configuring your project to use SonarQube or SonarQube Cloud scanners. These scanners can be invoked as part of your build process, such as with CMake, Make, or other build tools, and can be automated within popular CI/CD platforms like Jenkins, GitHub Actions, GitLab CI, and Azure DevOps.

By embedding static analysis into your pipeline, you ensure that every code change is automatically checked for quality issues. This integration supports a focus on new code quality, allowing teams to catch and address problems as soon as they are introduced, rather than after they accumulate.

SonarQube C++ analysis can detect a wide range of issues, including bugs, security vulnerabilities, code smells, and maintainability concerns. It covers common pitfalls such as memory leaks, buffer overflows, null pointer dereferences, and improper use of language features, as well as adherence to coding standards like MISRA and CERT.

In addition to these technical issues, Sonar tools also highlight areas where code could be simplified or made more readable, supporting the development of quality code. This comprehensive coverage helps teams maintain high standards and reduce technical debt over time.

SonarQube Server is a self-hosted platform that provides in-depth static code analysis for C++ and other languages, suitable for organizations that want full control over their environment. SonarQube Cloud offers similar capabilities as a managed, cloud-based service, reducing the need for infrastructure management and enabling easier scaling.

SonarQube for IDE is an extension that brings real-time static analysis directly into popular development environments like Visual Studio, CLion, and VS Code. This allows developers to receive instant feedback on code quality as they write, supporting quality at the source and helping prevent issues before code is committed.

SonarQube C++ analysis emphasizes the importance of focusing on new code quality, meaning that every new change or addition to the codebase is analyzed for issues before it is merged. This approach, often referred to as quality at the source, ensures that problems are addressed immediately, preventing the accumulation of technical debt.

By integrating SonarQube tools into your workflow, you can set quality gates that block merges or deployments if new code does not meet predefined standards. This helps teams maintain a consistently high level of code quality and reduces the effort required for future maintenance.

C++ analysis requires SonarQube Server Developer Edition or higher (on prem) or a paid SonarQube Cloud plan (Team or Enterprise) For advanced security rules, MISRA compliance, and full taint analysis, the commercial editions are required.

Regardless of the edition, SonarQube tools help teams of all sizes improve code quality, enforce coding standards, and reduce the risk of introducing defects into their projects.

SonarQube C++ analysis supports a variety of industry-recognized coding standards, including MISRA C/C++, CERT C/C++, and others. These standards are crucial for industries like automotive, aerospace, and finance, where code reliability and safety are paramount.

By automatically checking code against these standards, Sonar tools help ensure compliance and reduce the likelihood of critical errors. This not only improves code quality but also streamlines audits and certification processes for regulated industries.

SonarQube C++ analysis includes rules specifically designed to detect security vulnerabilities such as buffer overflows, injection flaws, and improper error handling. By identifying these issues early, developers can address them before they become exploitable in production environments.

The security-focused analysis provided by SonarQube tools is regularly updated to reflect the latest threats and best practices, helping organizations maintain a strong security posture and protect their applications from potential attacks.

SonarQube C++ analysis supports a wide range of compilers and platforms, including GCC, Clang, and Microsoft Visual C++. The specific system requirements depend on the version of SonarQube or SonarQube Cloud being used, as well as the size and complexity of the codebase.

To ensure optimal performance, it is recommended to review the official documentation for the latest compatibility information and hardware recommendations. This helps teams set up their analysis environment efficiently and avoid potential integration issues.

To get started with SonarQube C++ static code analysis, you can sign up for SonarQube Cloud (Team plan or above) or set up SonarQube Server with a Developer Edition license. C++ analysis is bundled in SonarQube Server Developer Edition with no separate plugin installation required.

Once configured, you can run your first analysis and review the results in the SonarQube or SonarQube Cloud dashboard. For real-time feedback during development, consider installing SonarQube for IDE in your preferred editor, enabling you to address quality issues as you code.