How to Scan C / C++ Code with SonarQube | C-Family Analysis
A practical tutorial on configuring SonarQube to analyze C and C++ codebases, covering the build wrapper, compiler database setup, and interpreting analysis results for C-family projects.
SonarQube provides robust support for analyzing C and C++ codebases across a wide variety of language standards, compilers, and build tools. Whether developers are working with custom scripts, Make, or MSBuild, SonarQube offers the flexibility needed to integrate code quality analysis into existing build pipelines. Before beginning any analysis, teams should consult the official documentation to confirm that their specific project configuration is supported by SonarQube.
Two Methods for C/C++ Code Analysis
SonarQube offers two distinct approaches for scanning C-based languages: the SonarQube Build Wrapper and compilation databases. The Build Wrapper is the recommended method for C++ analysis and works as a prefix to any clean build command for supported compilers. However, teams may opt for the compilation database approach—a file containing build commands generated by tools like CMake or Ninja—if their build system doesn't support the Build Wrapper, if they prefer to avoid clean builds, or if the Build Wrapper lacks compatibility with their hardware architecture.
Using the SonarQube Build Wrapper Method
To implement the Build Wrapper approach, developers must first download the SonarQube Scanner executable and add it to their system path. Next, they download the Build Wrapper from their SonarQube instance by appending the provided URL path to their server URL. After unzipping the Build Wrapper and adding it to the path, developers prefix their clean build command with the wrapper and specify an output directory using the --out-dir parameter. The scanner then locates this output directory through the sonar.cfamily.build-wrapper-output property in the sonar-project.properties configuration file. Running sonar-scanner subsequently initiates the analysis. It is critical to note that the Build Wrapper must be executed on the same machine performing the scan, run before each build, and always used with a clean build.
Alternative Approach: Compilation Database
For teams working with build systems unsupported by the Build Wrapper, such as CMake on macOS with M-series chips, the compilation database method provides a viable alternative. Developers generate a compile_commands.json file by running CMake in a designated build directory, then execute their build tool (such as Make) to verify the generated commands function correctly. The SonarQube Scanner can then reference this compilation database by setting the sonar.cfamily.compile-commands property to point to the file path, either within the properties file or as part of the scan command.
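An added example, not from the original page or from SonarQube: a Python preflight check that a compile_commands.json is well formed and that every listed source file still exists before sonar.cfamily.compile-commands is pointed at it. The function names and the sample database are constructed for illustration; the entry fields (directory, file, command, arguments) follow the Clang JSON compilation database format.

```python
import json
import os
import tempfile

def check_compile_db(path):
    """Return a list of problems found in a compile_commands.json file."""
    problems = []
    try:
        with open(path, encoding="utf-8") as fh:
            entries = json.load(fh)
    except (OSError, json.JSONDecodeError) as exc:
        return [f"cannot read {path}: {exc}"]
    if not isinstance(entries, list) or not entries:
        return ["database must be a non-empty JSON array"]
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict):
            problems.append(f"entry {i}: not an object")
            continue
        missing = [k for k in ("directory", "file") if not isinstance(entry.get(k), str)]
        if missing:
            problems.append(f"entry {i}: missing {', '.join(missing)}")
            continue
        # Either 'command' (string) or 'arguments' (list) must describe the compiler call.
        if not (entry.get("command") or entry.get("arguments")):
            problems.append(f"entry {i}: no 'command' or 'arguments'")
        # 'file' may be relative to 'directory'; a missing file points to a stale database.
        src = os.path.join(entry["directory"], entry["file"])
        if not os.path.isfile(src):
            problems.append(f"entry {i}: source not found: {src}")
    return problems

def demo():
    """Build a constructed two-entry database in a temp dir and check it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "main.c"), "w") as fh:
            fh.write("int main(void) { return 0; }\n")
        db = [  # constructed sample entries; the second file is never created
            {"directory": root, "file": "main.c", "command": "cc -c main.c -o main.o"},
            {"directory": root, "file": "gone.c", "arguments": ["cc", "-c", "gone.c"]},
        ]
        db_path = os.path.join(root, "compile_commands.json")
        with open(db_path, "w") as fh:
            json.dump(db, fh)
        return check_compile_db(db_path)

if __name__ == "__main__":
    for line in demo():
        print(line)
```

An empty result means the database passed these checks; it does not replace running the build tool to confirm the commands compile.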
Setup and Troubleshooting Resources
SonarQube provides a Project Setup Wizard that guides teams through configuration across all supported operating systems, including analysis token generation and build wrapper downloads. When encountering issues during setup, developers should enable debug logging by setting the sonar.verbose parameter in their properties file. If problems persist, commercial support customers can submit help desk tickets through their support portal, while community users can create topics in the SonarQube forum, ensuring they include the appropriate tags and debug log files. Additionally, teams using commercial editions should explore the documentation for branch and pull request scanning capabilities, which leverage incremental analysis to expedite subsequent scans after the initial project analysis.
Key Takeaways
- SonarQube supports numerous C/C++ standards, compilers, and build tools through two primary scanning methods: the Build Wrapper (recommended) and compilation databases
- The Build Wrapper method requires the same machine for scanning, must precede each clean build, and should be downloaded before each automated analysis
- Compilation databases generated by CMake or Ninja provide an alternative for unsupported build systems or hardware incompatibilities
- The sonar-project.properties configuration file centralizes analysis parameters, including Build Wrapper output directories and compilation database paths
- Debug logging and community/commercial support resources are available to resolve configuration and scanning issues