Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Is the cxx plugin still needed? #2533

Open
guwirth opened this issue May 25, 2023 · 16 comments
Open

Is the cxx plugin still needed? #2533

guwirth opened this issue May 25, 2023 · 16 comments
Assignees
@guwirth
Labels
discussion

Comments

@guwirth
Copy link
Collaborator

guwirth commented May 25, 2023

SonarQube was originally an open platform for measuring technical debt. SonarSource realized relatively quickly that there was no money in it so they started selling static code analysis.

Many programming languages were initially not or only very rudimentarily supported, including C++. From the initially unsatisfactory C++ support, the cxx plugin was born.

The cxx plugin has always taken a different approach than SonarSource's built-in C++ analysis. The idea was to use tools available in the C++ context and integrate their output into SonarQube. Probably also by the cxx plugin SonarSource was motivated to create own open interfaces (Generic issue import format, Generic test execution report format, Generic test coverage report format, ...).

How many users the cxx plugin (still) has is difficult to find out. Mostly the plugin is downloaded and installed by a few administrators, but eventually used by many.

Can you please give feedback:

  • Do you use the cxx plugin?
  • Which parts and functionalities do you use?

Thank you very much for your input.
@guwirth guwirth self-assigned this May 25, 2023
@guwirth guwirth pinned this issue May 25, 2023
@montao
Copy link

montao commented Jun 2, 2023

At my workplace the other team uses the CXX plugin and my team has been using the builtin but now looking at the pros and cons when comparing the two. From what I learnt, the two alternatives work different so I've done two analyses to compare the two. Here are some of my findings: The builtin will not work with Apple Silicon so it needs custom fixing anyway for that platform. I need to provision the environment with cppchceck and ran cppcheck for cxx plugin, whereas the builtin uses the build-wrapper which requires compilation (I think) which is more than static analysis.

@guwirth
Copy link
Collaborator Author

guwirth commented Jun 2, 2023

whereas the builtin uses the build-wrapper which requires compilation (I think) which is more than static analysis.

@montao thanks for your feedback.

Both plugins have to parse the source code and generate an abstract syntax tree (AST). The AST is used to generate the metrics and, in the case of the commercial plugin, also to check the rules. The comercial plugin uses for this internally the Clang frontend, the community plugin SSLR. Since C++ brings out in the meantime every three years an update, the care of the grammar produces a substantial expenditure.

@Nekto89
Copy link
Contributor

Nekto89 commented Jun 6, 2023

I'm currently importing data from:

  • cppcheck
  • VS2019 static analysis
  • BullseyeCoverage

I've also tried to import MSBuild log file for includes/compile definitions but it's too slow to be usable. Probably because of thirdparties like Boost. Maybe in future I'll also try to import warnings from GCC build, but I'm not sure that it will work even if I'll do text replacements from Linux to Windows paths.

@guwirth
Copy link
Collaborator Author

guwirth commented Jun 8, 2023

@Nekto89 thanks for your feedback.

I've also tried to import MSBuild log file for includes/compile definitions but it's too slow to be usable.

Here this feature #2279 could be useful, maybe we can add it in one of the next versions.

Maybe in future I'll also try to import warnings from GCC build, but I'm not sure that it will work even if I'll do text replacements from Linux to Windows paths.

Should work, we are also doing it. Hints to paths: https://github.com/SonarOpenCommunity/sonar-cxx/wiki/Troubleshooting-Reports#file-path-issues

@rglarix
Copy link

rglarix commented Jul 28, 2023

We also use heavily the plugin for all our C++ development. cppcheck and coverage, mostly
thanks

@JuPrgn
Copy link
Contributor

JuPrgn commented Aug 21, 2023

We are also using CXX plugin for our embedded C development with cppcheck and gcov coverage.
Thank you very much for this plugin.

@gndl
Copy link

gndl commented Aug 22, 2023

We use the plugin for our C/C++ libraries.
The tools we use are Cppcheck, Clang-tidy and Cpplint on Linux, Mac Intel, Mac ARM and Windows;
Gcov on Linux, Mac Intel, Mac ARM;
DrCov and DrMemory on Windows;
Valgrind on Linux.

I would be interested to know if SonarSource's built-in C++ analysis is as complete.

in any case we highly appreciate your plugin. Thank you so much.

@rendevor
Copy link

rendevor commented Oct 6, 2023

We use it for PCLint reports.

@consulion
Copy link

We use this plugin for all our C++ projects with logs from clang-tidy, Visual Studio code analysis, cppcheck and rats.
Thank you for your work!

@jenspopp
Copy link
Contributor

We are evaluating it for cppcheck and gcc compiler warnings for multiple projects... still first POC phase

@srpgilles
Copy link

I work at Inria (research institute for applied mathematics and computer science in France) and we are using the plugin for our instance of Sonarqube.

I can't speak for all the projects that use the cxx plugin on that instance, but for my part I really appreciate to get in one place the diagnostics provided by many C++ checking tools; thanks for your work in it!

@fpruvost
Copy link

I work at Inria too with @srpgilles and we completely depend on this plugin to import analysis report for C++ in our sonarqube instance (community edition). There are something like several dozens of projects analyzed.

We use it with to import in the same place reports of GCC/Clang warnings, clang-sa, cppcheck, valgrind, unitary tests coverage, and of course what is analyzed by sonarqube itself: size of code, duplication, complexity, etc.
We like being able to get a view of the code quality in a single place and being able to access it through the web api to get measures and badges elsewhere (e.g. in a gitlab). Here an example of what we do in a simple example:

We also like to manage the rules/issues (quality profile) that are enabled/disabled on each project.
We do not use it to import custom reports or metrics.

@mikeqoo1
Copy link

Our company's projects all use this plugin and cppcheck and gcov coverage as long as they are written in C++.

I appreciated your time and effort.

@qathy
Copy link

qathy commented Jun 25, 2024

In the same situation as @mikeqoo1: we are using this plugin for nearly all of our projects, we were quite happy with it, and we appreciate all the work done.
Recently, we're facing an issue with CxxUnitTestResultsAggregator class raising ClassNotFoundException.
Our CI configuration uses GitLab runners, and sonarscanner runs into a sonarsource/sonar-scanner-cli:latest container.
Is there an official or community image currently supporting CxxUnitTestResultsAggregator ?

@amai2012
Copy link

I'm also a happy user of this plugin at work. C++ is a niche category in development there, so a free solution is much preferred over an expensive commercial alternative...

So far only cppcheck is integrated but clang output shall be added as well.

@opajonk
Copy link

opajonk commented Aug 8, 2024

We're using it here as well; integrating the output of many tools into SonarQube (coverage, clang-tidy, you-name-it).

@guwirth guwirth unpinned this issue Nov 20, 2024
@guwirth guwirth pinned this issue Nov 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@guwirth guwirth

Labels
discussion
Milestone
No milestone
Development

No branches or pull requests