One of the original plans for the Linux Foundation infrastructure was to use Sonar to run the SonarQube C++ plug-in. We have run into a few problems using the commercial plug-in; however, there are several community plug-ins for C/C++ code:
* vera++ (for checking style)
* cppcheck (static analysis checking for buffer overflows, memory, and other problems)
* RATS (checking for security problems, including buffer overflows)

We could enable these checks to run through Jenkins during verification builds. The idea would be that the static analysis checkers could point out potential problems and be an aid to code reviewers. The tools are all open source, so contributors could run them locally, too.

The implementation plan would be to first make the static analysis information available, but not have it give a +1 or -1. After some period (and tweaking of rules), if the community thinks it is helpful, Sonar could give a -1 when certain checks fail, based on the observed track record.

Before implementing this, we would like to know if there is community support for it. Is this something people would find useful? Are there any objections to just making the analysis available (without automatic +/-1)?

Thanks,
Bill.
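As an added illustration of the two-phase plan above (report findings first, gate on them later), here is a small verification-build script that is not part of the original post or of the Linux Foundation infrastructure. It runs cppcheck with its `--template` option so each finding is one `file:line:severity:id:message` line, counts findings by severity, and returns a pass/fail verdict that depends on the mode: `advisory` always passes (the information is merely published for reviewers), while `gate` fails the build on any error-severity finding (the future -1). The sample findings embedded below are constructed for the example, and the script falls back to them when no source directory is given, so it runs without a checkout.

```shell
#!/bin/sh
# Constructed cppcheck-style findings (sample data, not from any real build),
# in the format produced by
#   cppcheck --template='{file}:{line}:{severity}:{id}:{message}'
SAMPLE_FINDINGS='src/parse.c:42:error:bufferAccessOutOfBounds:Array index out of bounds
src/parse.c:58:warning:uninitvar:Uninitialized variable: len
src/util.c:10:style:unusedVariable:Unused variable: tmp
src/net.c:77:error:memleak:Memory leak: buf'

# Run cppcheck on the given source directory with the template above.
# With no directory argument, print the constructed sample instead.
run_cppcheck() {
    if [ -n "$1" ] && command -v cppcheck >/dev/null 2>&1; then
        cppcheck --quiet --enable=warning,style \
            --template='{file}:{line}:{severity}:{id}:{message}' "$1" 2>&1
    else
        printf '%s\n' "$SAMPLE_FINDINGS"
    fi
}

# Count findings of one severity (error, warning, style, ...) read from stdin.
# Severity is always the third colon-separated field, even if the message
# itself contains colons.
count_severity() {
    awk -F: -v sev="$1" '$3 == sev { n++ } END { print n + 0 }'
}

# Verification verdict. "advisory": findings are only reported, exit 0 (no -1).
# "gate": any error-severity finding fails the build, exit 1 (a -1 in review).
verdict() {
    mode="$1"; errors="$2"
    if [ "$mode" = "gate" ] && [ "$errors" -gt 0 ]; then
        return 1
    fi
    return 0
}

# Usage: ./static-check.sh [advisory|gate] [source-dir]
main() {
    mode="${1:-advisory}"; src="${2:-}"
    findings=$(run_cppcheck "$src")
    errors=$(printf '%s\n' "$findings" | count_severity error)
    warnings=$(printf '%s\n' "$findings" | count_severity warning)
    printf '%s\n' "$findings"
    echo "cppcheck: $errors error(s), $warnings warning(s) [mode=$mode]"
    verdict "$mode" "$errors"
}

main "$@"
```

Flipping the first argument from `advisory` to `gate` is the only change needed when the community decides the checks have earned a -1; the reporting half stays the same, so reviewers see identical output in both phases.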
