Boost Code Quality with CppDepend's SonarQube Plugin Integration

Enhance Your C/C++ Development with CppDepend's SonarQube Plugin


This documentation pertains to the complete C/C++ SonarQube integration, eliminating the need to install any SonarQube C++ plugins for source code parsing. If you are using a different C/C++ SonarQube plugin and only wish to import CppDepend issues, please consult the documentation for the SonarQube Light Integration.

To operate CppDepend on a machine, you must first activate your professional DevOps license or evaluation period. Once the CppDepend files are unzipped on the machine, run VisualCppDepend.exe once. If the machine is connected to the internet, a brief activation process will occur.

If the machine is offline, an alternative offline activation procedure will be provided, which must be completed to use the SonarQube CppDepend plugin.

The CppDepend SonarQube plugin is compatible with SonarQube version 5.6 and above.

Introduction: CppDepend and SonarQube rule-sets are complimentary

Both CppDepend and SonarQube are static analyzers that offer a rule-based system to detect problems in C/C++ code. However the CppDepend default Rules-Set has very few overlap with the SonarQube rules

Basically the SonarQube rules are good at analyzing what is happening inside a method, the code flow while the CppDepend code model, on which the CppDepend rules are based, is optimized for a 360 view of particular higher-scale areas including OOP, dependencies, metrics, breaking changes, mutability, naming...

Concretely SonarQube rules can warn about problems like a reference that doesn't need to be tested for nullity because in the actual scope it cannot be null, while CppDepend can warn you about too complex classes or components, and offer advices about how to refactor to make the code cleaner and more maintainable.

Another point that makes the CppDepend ruling system unique is how easy it makes to write custom rules. With CppDepend a rule is a LINQ query, that queries a code model dedicated to code quality, edited live in Visual Studio, compiled and executed live at edition time.
Concretely, this piece of code below is a fully functional rule, could it be simpler?

// <Name>Classes must start with an I</Name>
warnif count > 0 
Application.Types.Where(t => t.IsClass && !t.SimpleName.StartsWith("C"))

When defining a custom rule with CppDepend, the user doesn't need to create a Visual Studio project, create a source file, step into the edit/compile/debug cycle, maintain a binary dll that requires effort to be shared, versioned and integrated.
With CppDepend custom rules are raw texts, embedded as XML CDATA into the CppDepend project or rule files. Also, the documentation and how-to-fix guidelines can be embedded in the rule source code as comments.

Editing Code Query

Also each CppDepend rule can present its issues with extra data that will help understanding the problem and fix it.
Moreover each rule can embed two C# formulas that attempt to estimate both the cost to fix the issue and the annual cost to let the issue unfixed, also called the technical-debt and the annual interest of the issue. Since these formulas rely on what really matter at fix time, this makes the debt estimations smart.

Architecture Rule with CppDepend

Finally, with CppDepend each rule is run in a few milli-seconds even on a large code base. As a consequence all rules can be passed in a few seconds (typically 2 or 3 seconds on a real-world code base), both in Visual Studio and in the Continuous-Integration system.
As a benefit, after each compilation and also at check-in time, the developer instantly knows about the new and fixed issues since the baseline, and the impact in terms of technical debt fixed or created.

Now let's explain how to integrate CppDepend rule results into the SonarQube system to cumulate the strength of both products.

Getting Started Video

C/C++ Plugin Prerequisites

  • Install SonarQube.
  • Install SonarQube Scanner or the old Sonar Runner.
  • Add the SonarQube Scanner or the SonarRunner bin directory to the PATH environment variable.

Plugin installation and configuration

  • Copy the sonar-cxx-plugin-cppdepend-1.0 from $CppDependInstallDir$/SonarPlugin to the $SonarQubeInstallDir$\extensions\plugins directory and restart SonarQube.
  • The default CppDepend rules are loaded to the SonarQube rules repository. However, if you need to customize these rules you can define your own custom rules using the .cdproj file path located under the SonarQube Administration Tab.

    CppDepend rules in SonarQube
  • You have to log in as an admin and activate the CppDepend rules in the profile you want.

    Activating the CppDepend rules
  • Run Sonar-Scanner

  • Here is the SonarQube documentation concerning runnig Sonar-Scanner from the command line argument.

    The cppdepend project file parameter is mandatory -D sonar.cpp.cppdepend.projectPath={the path of cdproj}.

    >sonar-scanner  -D sonar.cpp.cppdepend.projectPath={the path of cdproj}

    Don't use any environment variable in paths and if the path contains a space character, surround it with double quotes -D sonar.cpp.cppdepend.projectPath="C:\work with space\project.cdproj"

Plugin features

  • Multi Module analysis: a CppDepend project could contain many C/C++ projects.
    After the analysis, CppDepend does not put all the code in the same SonarQube module. However, it creates a multi module sonarqube project to isolate each project into a separate module which makes the code navigation very easy.

    Multi Module sonarqube analysis

  • Issues: CppDepend provides by default more than 250 rules, which you can easily customize completely.
    CppDepend provides a powerful way to compute the technical debt of the issues. The CppDepend technical debt and the issue severity are given to SonarQube.

    CppDepend issues in SonarQube
  • Standard metrics: the plugin calculates all the standard SonarQube metrics.

    Standard Metrics in SonarQube
  • Code duplication: The duplications are detected by the CPD tool embedded in SonarQube.

    Code Duplication in SonarQube
  • Coverage: The plugin loads the coverage result from Cobertura and Microsoft Visual Studio XML result files.
    However, you have to set the path where the xml coverage files exist.
    Code Coverage Configuration

    Code Coverage in SonarQube

CppDepend offers a wide range of features. It is often described as a Swiss Army Knife for C and C++ developers.

Start Free Trial