CppDepend SonarQube Light Integration

Integrate CppDepend with SonarQube

  • This documentation concerns the light C/C++ SonarQube integration. In this case you need to install a SonarQube C++ plugin to parse your source code.
    In case you want a full C/C++ SonarQube plugin, please refer to the documentation of the full SonaQube integration.
  • To run CppDepend on a machine you need first to activate your pro BuildMachine licensing or your evaluation period.

    To do so, once CppDepend files unzipped on the machine, just run once VisualCppDepend.exe. You'll go through a few seconds activation procedure if the machine is connected to internet.

    If the machine is not connected to internet, an offline activation procedure will be proposed instead, and must be fulfilled in order to run the SonarQube CppDepend plugin.
  • The CppDepend SonarQube plugin supports SonarQube version 5.6 and higher.

Introduction: CppDepend and SonarQube rule-sets are complimentary

Both CppDepend and SonarQube are static analyzers that offer a rule-based system to detect problems in C/C++ code. However the CppDepend default Rules-Set has very few overlap with the SonarQube rules

Basically the SonarQube rules are good at analyzing what is happening inside a method, the code flow while the CppDepend code model, on which the CppDepend rules are based, is optimized for a 360 view of particular higher-scale areas including OOP, dependencies, metrics, breaking changes, mutability, naming...

Concretely SonarQube rules can warn about problems like a reference that doesn't need to be tested for nullity because in the actual scope it cannot be null, while CppDepend can warn you about too complex classes or components, and offer advices about how to refactor to make the code cleaner and more maintainable.

Another point that makes the CppDepend ruling system unique is how easy it makes to write custom rules. With CppDepend a rule is a LINQ query, that queries a code model dedicated to code quality, edited live in Visual Studio, compiled and executed live at edition time.
Concretely, this piece of code below is a fully functional rule, could it be simpler?

// <Name>Classes must start with an I</Name>
warnif count > 0 
Application.Types.Where(t => t.IsClass && !t.SimpleName.StartsWith("C"))

When defining a custom rule with CppDepend, the user doesn't need to create a Visual Studio project, create a source file, step into the edit/compile/debug cycle, maintain a binary dll that requires effort to be shared, versioned and integrated.
With CppDepend custom rules are raw texts, embedded as XML CDATA into the CppDepend project or rule files. Also, the documentation and how-to-fix guidelines can be embedded in the rule source code as comments.

Also each CppDepend rule can present its issues with extra data that will help understanding the problem and fix it.
Moreover each rule can embed two C# formulas that attempt to estimate both the cost to fix the issue and the annual cost to let the issue unfixed, also called the technical-debt and the annual interest of the issue. Since these formulas rely on what really matter at fix time, this makes the debt estimations smart.

Finally, with CppDepend each rule is run in a few milli-seconds even on a large code base. As a consequence all rules can be passed in a few seconds (typically 2 or 3 seconds on a real-world code base), both in Visual Studio and in the Continuous-Integration system.
As a benefit, after each compilation and also at check-in time, the developer instantly knows about the new and fixed issues since the baseline, and the impact in terms of technical debt fixed or created.

Now let's explain how to integrate CppDepend rule results into the SonarQube system to cumulate the strength of both products.

Plugin Prerequisites

Install the CppDepend Plugin

    Copy the sonar-cxx-cppdepend-lightplugin-VERSION.jar

    • from the $CppDependInstallDir$\SonarPlugin directory
    • to the $SonarQubeInstallDir$\extensions\plugins directory
    • Restart the SonarQube server for it to take account of the CppDepend plugin.


If you are not using the CppDepend plugin on SonarQube install, make sure to remove its sonar-cxx-cppdepend-lightplugin-VERSION.jar file from the $SonarQubeInstallDir$\extensions\plugins directory and then restart the SonarQube server.
Else the CppDepend plugin will check for certain pathes and parameters, and if not found, it will break the SonarQube analysis with an error.

Define the CppDepend Rules-set that will be configured into the Sonar server
  • In the SonarQube user interface, go to Administration. You need to be logged with the appropriate administrator privileges for that.

  • MANDATORY Specify the path to NDepend.SonarQube.RuleRunner.exe. This path is $CppDependInstallPath$\SonarPlugin\CppDepend.SonarQube.RuleRunner.exe. Don't prefix the path with an environnement variable path, write the entire absolute path (follow this advice for all paths writing you'll find in this documentation).
  • OPTIONAL Specify the CppDepend project file path (.ndproj extension) to fetch the rules from. If it's not specified the default CppDepend rule set will be used.
    If you specify the CppDepend project file path, the rules taken account are activated rules defined in:
    • The CppDepend project file,
    • Rules defined in the CppDepend Rules Files referenced by the CppDepend project file

Activate the CppDepend Rules in the Sonar server

The CppDepend rules are now loaded in the SonarQube repository but not activated yet.
To activate them, you have to:

  • Log as admin in the SonarQube UI:
  • Go to the Rules tab:
  • Choose Language C++ and Repository: CppDepend

  • Activate these rules in the profile you want by clicking on Bulk Change - Activate In:

  • Notice that the handle of a rule is the rule name with also the parent group(s) names and the rule source code. This remark is important in this situation when:
    - The NDepend project used for analysis contains a custom rule-set
    - The NDepend project specified in the SonarQube configuration to define the rules in the SonarQube system (parameter CppDepend rules from ndproj, see the previous section) is different from the NDepend project used for analysis.

    In such situation if the two rules-set don't correspond exactly, the rules won't be resolved in the SonarQube system and the issues won't be computed.
  • If some rules have been added or removed in your custom rule-set:
    1) Restart the SonarQube server to let it parse the NDepend project specified in the SonarQube configuration to define the rules
    2) go again in the Rules tab logged as administrator, to activate/deactivate these new/removed rules through eventually a Bulk Change action.

Run Sonar-Scanner

Here is the SonarQube documentation concerning runnig Sonar-Scanner from the command line argument.

To let the SonarQube Scanner also runs CppDepend analysis and rules, you need to append the mandatory parameter -D sonar.cpp.cppdepend.projectPath={the path of cdproj}.
By default the plugin load the latest analysis result done for the cdproj. And not launch the analysis of the project by CppDepend. In this case an anlysis must be done by CppDepend first.

If you want to launch the cppdepend analysis from the plugin the -D sonar.cpp.cppdepend.runAnalysis=true is required

Command without the CppDepend analysis from the plugin, In this case we will use an existing analyzed result:
>sonar-scanner  -D sonar.cpp.cppdepend.projectPath={the path of cdproj}

Command with the CppDepend analysis from the plugin:
>sonar-scanner  -D sonar.cpp.cppdepend.projectPath={the path of cdproj} -D  sonar.cpp.cppdepend.runAnalysis=true

Don't use any environment variable in paths and if the path contains a space character, surround it with double quotes -D sonar.cpp.cppdepend.projectPath="C:\work with space\project.cdproj"

Browse CppDepend Rules Issues in the SonarQube UI

    CppDepend Rules Issues are now reported as any issues in the SonarQube UI.

    You can browse it, go to source code declaration (in the UI), assign it, change its status...

  • If some issues are missing in the SonarQube UI:
    - Check that you followed all rules activation steps explained in this document.
    - Then double check that the concerned rule is indeed activated by checking if it emits at least one issue.
    - In such case, if some issues are missing, this is because the source file declaration of their parent types hasen't been found. Typically this happens with types and their members generated by the compiler.