can Sonar be extended to include tools such as clang or cpp-check?

Jeffrey Wright
I like the overall look and feel of Sonar, but right now it seems pretty
useless to me and the developers I work with; it appears to be mainly a
fancy number-of-lines checker that complains loudly about trivial things
like if-else statements must use braces, or commenting out sections of
code.  (Those are blockers?  Really?)  I do like the complexity
analyzer, it is true.  But Sonar misses very important things that
simple open-source tools like clang (scan-build) and cpp-analyzer
find...things like dereferencing null pointers, malloc/realloc
discrepancies, etc.

Is there some way to bring those tools into Sonar?  I would very much
like to use Sonar, because it has excellent tracking and graphing
capabilities...but I need to be able to track and graph meaningful
things, not just LOCs.

Regards,

Jeff

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email


Dinesh Bolkensteyn-2
Hi Jeffrey,
 
Thanks for your input.
 
Clearly, null pointer dereferencing or invalid memory reads/writes are good examples of valuable bugs that Sonar should ultimately be able to catch.
However, it's not that easy to implement them with decent accuracy.
 
From your email, I guess that you are talking about the support of C / C++ in Sonar.
Compared to Sonar's support for Java, the C / C++ one is still fairly new.
 
Both our C freeware and C++ commercial plugins now start offering more and more MISRA rules.
 
One thing to keep in mind is that the goal of Sonar is not only to find actual bugs (as in "you may get unexpected results at runtime"),
but also to monitor the general quality and maintainability of your code base.
 
For instance, having variables that do not follow the naming convention of your organization will not have any impact at runtime,
but will reduce the maintainability of your program as other developers looking at the code may have a hard time understanding what this variable does.
(for instance if they were named "a", "b", "c", etc.)
 
The same applies to the complexity rules, it's really about quality and maintainability and not about bugs.
 
CppCheck is already currently supported by the commercial C++ plugin and will shortly be supported also by the C freeware one.
clang's support is not yet planned.
 
On the one hand, we could add support of dozens of external tools to make the plugins more valuable, but on the other hand we should keep the dependencies
on external tools small to still have something easy to use, that does not require a lot of configuration.
 
There is a possibility to create additional custom plugins to support any tool though.
 
Regarding commented code, we indeed feel like this is a blocker issue.
It is fine to comment it out on your own box while you develop a feature, but we do not expect commented code to be committed.
In the C / C++ world, conditional compilation can be used to activate portions of code only in debug mode for instance, so the need for commented code should be even lower.
But if your opinion is that this is a very minor issue, you are free to change the severity of this rule in your quality profile and set it to INFO or MINOR, or perhaps even disable this rule altogether.
 
So long story short:
 
 1) CppCheck is already supported for C++ and will soon be for C
 2) Sonar is not only about bugs but also about quality and maintainability
 3) For sure we will add more and more bug checks such as null pointer dereferencing and invalid memory access ASAP, but it will take some time as it is not trivial
 
Kind regards,
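To make concrete the two points raised so far, the "malloc/realloc discrepancies" and null-pointer dereferences Jeffrey expects a checker such as scan-build or cppcheck to flag, and Dinesh's suggestion of conditional compilation instead of commented-out code, here is an added C example; it is not code from the thread, from Sonar or from any of its plugins. The `buf_t` type, the `realloc_fn` allocator hook and `realloc_limited` are constructed for the example so the out-of-memory path can be exercised.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growable byte buffer, constructed for this example. */
typedef struct { unsigned char *data; size_t len, cap; } buf_t;

/* Allocator hook (an assumption of this example, not a Sonar or cppcheck API)
 * so the out-of-memory path can be exercised without exhausting real memory. */
typedef void *(*realloc_fn)(void *, size_t);

/* The "malloc/realloc discrepancy" a checker flags: on failure realloc returns
 * NULL but leaves the old block allocated; overwriting the only pointer to it
 * leaks that block, and the following memcpy then dereferences NULL. */
int buf_append_unsafe(buf_t *b, const void *src, size_t n, realloc_fn rf) {
    if (b->len + n > b->cap) {
        b->cap = (b->len + n) * 2;
        b->data = rf(b->data, b->cap);   /* old block lost if this is NULL */
    }
    memcpy(b->data + b->len, src, n);    /* NULL dereference after failure */
    b->len += n;
    return 0;
}

/* Hardened form: grow through a temporary, check it, and leave the caller's
 * buffer untouched on failure. Returns 0 on success, -1 on failure. */
int buf_append(buf_t *b, const void *src, size_t n, realloc_fn rf) {
    if (n > SIZE_MAX - b->len) return -1;            /* size overflow guard */
    size_t need = b->len + n;
    if (need > b->cap) {
        size_t new_cap = need > SIZE_MAX / 2 ? need : need * 2;
        unsigned char *tmp = rf(b->data, new_cap);
        if (tmp == NULL) return -1;                  /* b->data still valid */
        b->data = tmp;
        b->cap = new_cap;
    }
    memcpy(b->data + b->len, src, n);
    b->len += n;
#ifdef DEBUG
    /* Conditional compilation instead of commented-out tracing code. */
    fprintf(stderr, "buf_append: len=%zu cap=%zu\n", b->len, b->cap);
#endif
    return 0;
}

/* Constructed allocator that refuses requests above 64 bytes to simulate OOM. */
void *realloc_limited(void *p, size_t size) {
    return size > 64 ? NULL : realloc(p, size);
}
```

Running `scan-build` or `cppcheck` over `buf_append_unsafe` is the kind of finding the thread is asking Sonar to surface; `buf_append` is the form that keeps the old block on failure.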



Waleri Enns
In reply to this post by Jeffrey Wright
Hi Jeffrey,

I need some more context to give you a more accurate answer. What
programming language and what sonar plugin do you use?

Cheers,
--
Waleri




Jeffrey Wright
Hi Waleri,

Currently we write our code in C, C++, with a little Perl and Python
scattered around.

The plugins I have loaded:

Sonar Plugins
C    1.6
C++    1.0
Motion Chart    1.4
PDF Report    1.3
Python    1.1
Quality Index    1.1.3
SIG Maintainability Model    1.0.1
Sonar C++ Plugin    0.1
Technical Debt    1.2.1
Timeline    1.3

-- Jeff




Jeffrey Wright
In reply to this post by Dinesh Bolkensteyn-2
Hi Dinesh,

Thank you for your response.  I'll reply to a couple of things, and I have a couple other questions.

As I replied to Waleri, we mostly use C and C++.  We have a bit of Python and Perl.

I understand and appreciate your points re: tracking quality over time, and increasing maintainability.  I agree that those are important things, and the trackability issue ("Timelines" in Sonar) is one thing I really like.

I am also happy to see that the quality profile can be used to change the reported severity level of the violations.  This makes it much more usable to us.  We have several well-seasoned developers who have very good reasons for coding things a certain way, and if I can squelch the noise on those violations after they are well-understood, I think it would go a long way toward easing adoption of Sonar as a legitimate tool.

Is it possible to just use the source code from other open-source programs (like cpp-check, clang, even valgrind) - I know that this is a development/integration issue, but it seems like they are already doing things that Sonar wants to do, so why not re-use their code?  Perhaps it is a license issue?  A technical issue?  Just not enough people to do the work?  I'd offer to do it myself, only I'm not much of a developer.  I'm just a QA manager with a programming background.  :-)

Alternatively, it might be possible to extend Sonar so that it can remotely call other executables and then report the results.  That way, any time someone finds a cool tool that gives them something they want, it can be brought into the Sonar environment and hopefully display results.

Regards,

Jeff
