clangtidy metrics not same in warnings ng plugin and sonarqube #2167

Closed
dsakilesh opened this issue May 25, 2021 · 14 comments · Fixed by #2168
@dsakilesh

dsakilesh commented May 25, 2021

Hi Team,

We have clangtidy.log file with below 6 warnings:

/var/jenkins/0/workspace/XXXX/XX/XXX/XXXX.cpp:53:33: warning: use of a signed integer operand with a binary bitwise operator [hicpp-signed-bitwise]
    output[outputPos++] = table[((input[inputPos + 1] & 0x0f) << 2) | (input[inputPos + 2] >> 6)];
                                ^
/var/jenkins/0/workspace/XXXX/XX/XXX/XXXX.cpp:53:34: warning: use of a signed integer operand with a binary bitwise operator [hicpp-signed-bitwise]
    output[outputPos++] = table[((input[inputPos + 1] & 0x0f) << 2) | (input[inputPos + 2] >> 6)];
                                 ^
/var/jenkins/0/workspace/XXXX/XX/XXX/XXXX.cpp:53:35: warning: use of a signed integer operand with a binary bitwise operator [hicpp-signed-bitwise]
    output[outputPos++] = table[((input[inputPos + 1] & 0x0f) << 2) | (input[inputPos + 2] >> 6)];
                                  ^
/var/jenkins/0/workspace/XXXX/XX/XXX/XXXX.cpp:53:57: warning: 0x0f is a magic number; consider replacing it with a named constant [cppcoreguidelines-avoid-magic-numbers,readability-magic-numbers]
    output[outputPos++] = table[((input[inputPos + 1] & 0x0f) << 2) | (input[inputPos + 2] >> 6)];
                                                        ^
/var/jenkins/0/workspace/XXXX/XX/XXX/XXXX.cpp:53:72: warning: use of a signed integer operand with a binary bitwise operator [hicpp-signed-bitwise]
    output[outputPos++] = table[((input[inputPos + 1] & 0x0f) << 2) | (input[inputPos + 2] >> 6)];
                                                                       ^
/var/jenkins/0/workspace/XXXX/XX/XXX/XXXX.cpp:53:95: warning: 6 is a magic number; consider replacing it with a named constant [cppcoreguidelines-avoid-magic-numbers,readability-magic-numbers]
    output[outputPos++] = table[((input[inputPos + 1] & 0x0f) << 2) | (input[inputPos + 2] >> 6)];
                                                                                              ^

Warnings NG plugin displays number of issues: 6, but the sonar is only picking 1 warning in sonarqube.

We understand that because line number 53 contains multiple duplicate warnings, sonar-cxx will consider them as a single warning:

warning: use of a signed integer operand with a binary bitwise operator [hicpp-signed-bitwise]

But why are the below warnings ignored completely by sonarqube?

/var/jenkins/0/workspace/XXXX/XX/XXX/XXXX:53:57: warning: 0x0f is a magic number; consider replacing it with a named constant [cppcoreguidelines-avoid-magic-numbers,readability-magic-numbers]
    output[outputPos++] = table[((input[inputPos + 1] & 0x0f) << 2) | (input[inputPos + 2] >> 6)];
                                                        ^
/var/jenkins/0/workspace/XXXX/XX/XXX/XXXX.cpp:53:95: warning: 6 is a magic number; consider replacing it with a named constant [cppcoreguidelines-avoid-magic-numbers,readability-magic-numbers]
    output[outputPos++] = table[((input[inputPos + 1] & 0x0f) << 2) | (input[inputPos + 2] >> 6)];
                                                                                              ^

Actual sonarqube clangtidy issue displayed in sonarqube: 1
Expected sonarqube metrics: 2 or 3 (ignoring the duplicates)

Is it because the warning is associated with multiple rules? [cppcoreguidelines-avoid-magic-numbers,readability-magic-numbers]

Please help us resolve the issue.

Thanks in advance!

Regards,
Akilesh D S

@guwirth
Collaborator

guwirth commented May 25, 2021

Hi @dsakilesh,

thanks for your feedback.

If an issue is not displayed, you should always check first whether the associated rule is activated in the Quality Profile used.

Duplicates of issues are filtered out by the cxx plugin. This is done by comparing the filename, rule id, line, column and issue text.

Base64.cpp:53:95: warning: 6 is a magic number; consider replacing it with a named constant [cppcoreguidelines-avoid-magic-numbers,readability-magic-numbers]

Issues always have only one ruleId. That an issue has multiple ruleIds is not supported so far (I have never seen it before). Is this new in Clang-Tidy?

The SQ API unfortunately does not support this, an issue with multiple ids. The question is also what the plugin should do here. Is this one issue or two?

Regards,

@dsakilesh
Author

dsakilesh commented May 25, 2021

Hi @guwirth

> The SQ API unfortunately does not support this, an issue with multiple ids. The question is also what the plugin should do here. Is this one issue or two?

We expect to pick 2 clangtidy issues/warnings here. (If the rule id for a warning was only one). We will check why there are 2 rule ids for a single warning.

> Duplicates of issues are filtered out by the cxx plugin. This is done by comparing the filename, rule id, line, column and issue text.

Since you have mentioned that filtering happens based on columns also, we then expect sonar to display 4 warnings for the below clangtidy log but it shows only 1 warning. Why?

/var/jenkins/0/workspace/XXXX/XX/XXX/XXXX.cpp:53:33: warning: use of a signed integer operand with a binary bitwise operator [hicpp-signed-bitwise]
    output[outputPos++] = table[((input[inputPos + 1] & 0x0f) << 2) | (input[inputPos + 2] >> 6)];
                                ^
/var/jenkins/0/workspace/XXXX/XX/XXX/XXXX.cpp:53:34: warning: use of a signed integer operand with a binary bitwise operator [hicpp-signed-bitwise]
    output[outputPos++] = table[((input[inputPos + 1] & 0x0f) << 2) | (input[inputPos + 2] >> 6)];
                                 ^
/var/jenkins/0/workspace/XXXX/XX/XXX/XXXX.cpp:53:35: warning: use of a signed integer operand with a binary bitwise operator [hicpp-signed-bitwise]
    output[outputPos++] = table[((input[inputPos + 1] & 0x0f) << 2) | (input[inputPos + 2] >> 6)];
                                  ^
/var/jenkins/0/workspace/XXXX/XX/XXX/XXXX.cpp:53:72: warning: use of a signed integer operand with a binary bitwise operator [hicpp-signed-bitwise]
    output[outputPos++] = table[((input[inputPos + 1] & 0x0f) << 2) | (input[inputPos + 2] >> 6)];

Regards,

@guwirth
Collaborator

guwirth commented May 25, 2021

Hi @dsakilesh,

> we expect then sonar to display 4 warnings for the below clangtidy log but it shows only 1 warning. Why?

Good question, I don't know why?

The code doing this is here, maybe you can also have a look:

    public void saveUniqueViolation(CxxReportIssue issue) {

By the way: Which version of the plugin are you using?

Regards,

@dsakilesh
Author

Hi @guwirth

We are using sonar-cxx 1.3 version.

@guwirth
Collaborator

guwirth commented May 25, 2021

Hi @dsakilesh,

I created an additional unit test with your use case and there it is working #2168?
Is there an additional hint in the LOG file?

Regards

@guwirth
Collaborator

guwirth commented May 25, 2021

Hi @dsakilesh,

I saw that 1.3 does not support column information, only 2.0.

Regards,

@guwirth
Collaborator

guwirth commented May 26, 2021

Hi @dsakilesh,

messages with multiple rule IDs seem to be new in Clang-Tidy 12:
https://github.com/llvm/llvm-project/blob/1202f559bdeebb62dbba29ee05ffafbfecd57d92/clang-tools-extra/clang-tidy/ClangTidy.cpp#L127

We will add the support to 2.0.x.

Regards,
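
The duplicate filter described earlier in this thread (filename, rule id, line, column and issue text) and the multi-rule-ID messages noted above, as an added Python example; it is not sonar-cxx code. The names `parse` and `unique`, the shortened path, and the `use_column` switch (modelling a reader without column information) are assumptions made for illustration.

```python
import re
from collections import namedtuple

# Constructed sample modelled on the six warnings quoted in this thread
# (path shortened; source-excerpt and caret lines kept for the first warning only).
_SIGNED = "use of a signed integer operand with a binary bitwise operator [hicpp-signed-bitwise]"
_MAGIC = ("is a magic number; consider replacing it with a named constant "
          "[cppcoreguidelines-avoid-magic-numbers,readability-magic-numbers]")
SAMPLE_LOG = "\n".join([
    f"src/XXXX.cpp:53:33: warning: {_SIGNED}",
    "    output[outputPos++] = table[((input[inputPos + 1] & 0x0f) << 2) | (input[inputPos + 2] >> 6)];",
    "                                ^",
    f"src/XXXX.cpp:53:34: warning: {_SIGNED}",
    f"src/XXXX.cpp:53:35: warning: {_SIGNED}",
    f"src/XXXX.cpp:53:57: warning: 0x0f {_MAGIC}",
    f"src/XXXX.cpp:53:72: warning: {_SIGNED}",
    f"src/XXXX.cpp:53:95: warning: 6 {_MAGIC}",
])

Issue = namedtuple("Issue", "file rule_id line column text")

# Shape of a clang-tidy warning header; the bracket may hold several comma-separated rule IDs.
WARNING_RE = re.compile(
    r"^(?P<file>.+?):(?P<line>\d+):(?P<col>\d+): warning: (?P<text>.*) \[(?P<ids>[^\]\s]+)\]$")

def parse(log, split_rule_ids=True):
    """Return one Issue per (warning, rule ID); unsplit keeps the raw ID list as a single ID."""
    issues = []
    for raw in log.splitlines():
        m = WARNING_RE.match(raw)
        if not m:
            continue  # source excerpt, caret marker, or other build output
        ids = m["ids"].split(",") if split_rule_ids else [m["ids"]]
        issues += [Issue(m["file"], rid, int(m["line"]), int(m["col"]), m["text"]) for rid in ids]
    return issues

def unique(issues, use_column=True):
    """Drop duplicates keyed on file, rule ID, line, column and text (column optional)."""
    seen = {}
    for i in issues:
        key = (i.file, i.rule_id, i.line, i.column if use_column else None, i.text)
        seen.setdefault(key, i)  # first occurrence wins
    return list(seen.values())

if __name__ == "__main__":
    for split in (False, True):
        found = parse(SAMPLE_LOG, split)
        print(split, len(found), len(unique(found)), len(unique(found, use_column=False)))
```

Comparing these counts against what the dashboard shows is a quick way to spot findings that were merged or dropped during report import.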

@dsakilesh
Author

Hi @guwirth

It seems that Clang-Tidy 11 also has the multiple rule IDs feature. I downgraded to Clang-Tidy 10 and do not have the issue.

Thanks for creating a feature/enhancement issue.

Regards,
Akilesh D S

@dsakilesh
Author

dsakilesh commented May 27, 2021

Hi @guwirth

We have upgraded the sonar-cxx plugin to latest version 2.0.2.

We still have got the same issue.

Content of the clang tidy log (4 warnings):

/var/jenkins/0/workspace/XXXX/XX/XXX/XXXX.cpp:66:36: warning: use of a signed integer operand with a binary bitwise operator [hicpp-signed-bitwise]
      output[outputPos++] = table[((input[inputPos + 1] & 0x0f) << 2)];
                                   ^
/var/jenkins/0/workspace/XXXX/XX/XXX/XXXX.cpp:66:37: warning: use of a signed integer operand with a binary bitwise operator [hicpp-signed-bitwise]
      output[outputPos++] = table[((input[inputPos + 1] & 0x0f) << 2)];
                                    ^
/var/jenkins/0/workspace/XXXX/XX/XXX/XXXX.cpp:66:59: warning: 0x0f is a magic number; consider replacing it with a named constant [cppcoreguidelines-avoid-magic-numbers]
      output[outputPos++] = table[((input[inputPos + 1] & 0x0f) << 2)];
                                                          ^
/var/jenkins/0/workspace/XXXX/XX/XXX/XXXX.cpp:66:59: warning: 0x0f is a magic number; consider replacing it with a named constant [readability-magic-numbers]

SonarQube shows only 3 warnings:

image

Even though the column number is different for the first 2 warnings, it seems to consider them as a single warning. Is it because the first 2 warnings have the same error text and rule id?
warning: use of a signed integer operand with a binary bitwise operator [hicpp-signed-bitwise]

Regards

@guwirth
Collaborator

guwirth commented May 27, 2021

Hi @dsakilesh,

I wrote a unit test that verifies exactly your case and it works. There must be still another problem? => #2168
Did you verify the LOG file with debug info on?

Regards,

@dsakilesh
Author

dsakilesh commented May 27, 2021

Hi @guwirth

Clangtidy analysis did not happen, hence clangtidy metrics are not populated post update from 1.3.2 to 2.0.2.

I updated the parameters according to the release notes.
https://github.com/SonarOpenCommunity/sonar-cxx/releases

PFB sonar properties before update:

# Project key, must be unique in a given SonarQube instance 
sonar.projectKey=XXXXXXXXXXXXX
# Project name and version displayed in the SonarQube UI 
sonar.projectName=XXXXXXXXXXX
sonar.scm.disabled=true
sonar.c.file.suffixes=.disable_sonarcfamily_c
sonar.cpp.file.suffixes=.disable_sonarcfamily_c
sonar.cxx.suffixes.headers=.hpp,.h
sonar.cxx.suffixes.sources=.cpp,.c
sonar.cxx.clangtidy.reportPath=${env.WORKSPACE}/XXXX/XX/XXX/XXXX/build.log
sonar.exclusions=./**/*.html

After we updated to 2.0.2, the clangTidy warnings are actually not displayed in SonarQube.
We replaced sonar.cxx.suffixes.sources and sonar.cxx.suffixes.headers with sonar.cxx.file.suffixes.

Also replaced sonar.cxx.clangtidy.reportPaths with sonar.cxx.clangtidy.reportPath but no luck

# Project key, must be unique in a given SonarQube instance 
sonar.projectKey=XXXXXXXXXXXXX
# Project name and version displayed in the SonarQube UI 
sonar.projectName=XXXXXXXXXXXXX
sonar.scm.disabled=true
sonar.c.file.suffixes=.disable_sonarcfamily_c
sonar.cpp.file.suffixes=.disable_sonarcfamily_c
sonar.cxx.file.suffixes=.cpp,.c,.hpp,.h,.cxx,.hxx
sonar.cxx.clangtidy.reportPaths=${env.WORKSPACE}/XXXXXXXXXXXXX/build.log
sonar.exclusions=./**/*.html

Please let me know if we are missing anything here.

Regards

@guwirth
Collaborator

guwirth commented May 27, 2021

Hi @dsakilesh,

the 2.0 cxx plugin provides a new sensor validating the scanner parameters. With debugging turned on, you should get messages about which obsolete settings are in your configuration.

What I see from the sample above:

  • sonar.cxx.suffixes.headers => use key sonar.cxx.file.suffixes instead
  • sonar.cxx.suffixes.sources => use key sonar.cxx.file.suffixes instead
  • sonar.cxx.clangtidy.reportPath => use sonar.cxx.clangtidy.reportPaths instead

Regards,

@guwirth
Collaborator

guwirth commented May 27, 2021

Hi @dsakilesh,

I also added an integration test (using scanner and SQ server) to 2168. It detects 4 issues in the same line.

Regards,

@guwirth
Collaborator

guwirth commented May 28, 2021

Hi @dsakilesh,

please close this issue if everything is working. For multiple id support we have #2170.

Regards,

@guwirth guwirth mentioned this issue May 28, 2021
@guwirth guwirth self-assigned this May 28, 2021
@guwirth guwirth added this to the 2.0.3 milestone May 28, 2021