Sensor to read reports from the RATS tool. RATS is a rough auditing tool for security. It is a tool for scanning C, C++, Perl, PHP, Python and Ruby source code and flagging common security related programming errors such as buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions. As its name implies, the tool performs only a rough analysis of source code. It will not find every error and will also find things that are not errors. Manual inspection of your code is still necessary, but greatly aided with this tool.

Note: The cxx plugin itself does not run the tool, you have to do that yourself beforehand. The sensor only reads the report generated by the tool!

• Link to the tool page: https://github.com/andrew-d/rough-auditing-tool-for-security
• The sensor supports rules from RATS with version 2.4.

In order to run RATS and generate a fitting report, make sure:

• to call it from the projects root directory, so that the paths in the report fit
• that the parameter matches the sonar.sources list in sonar-project.properties

Sample command lines:

Tell RATS to create XML output and redirect the stdout into a file:

rats -w 3 --xml <sources> > rats.xml

If the tool was executed successfully, a report like the example below should be generated:

<?xml version="1.0"?><rats_output>
<stats>
<dbcount lang="c">1</dbcount>
</stats>
<analyzed>sources//utils/code_chunks.cpp</analyzed>
<vulnerability>
  <severity>High</severity>
  <type>fixed size global buffer</type>
  <message>
    Extra care should be taken to ensure that character arrays that are
    allocated on the stack are used safely. They are prime targets for
    buffer overflow attacks.
  </message>
  <file>
    <name>sources//utils/code_chunks.cpp</name>
    <line>19</line>
  </file>
</vulnerability>
<timing>
<total_lines>125</total_lines>
<total_time>0.009917</total_time>
<lines_per_second>12604</lines_per_second>
</timing>
</rats_output>

1. First check if the file extensions read in by the cxx plugin are set (sonar.cxx.file.suffixes).
2. The rules for which you want to generate issue must be activated in the Quality Profile of your project. You can find instructions on how to do this under Manage Quality Profiles.
3. Set the analysis parameter sonar.cxx.rats.reportPaths in the configuration file sonar-project.properties of your project. The Report Paths link describes the configuration options.
4. Execute the SonarScanner to transfer the project with the report to the SonarQube Server.

Sample for sonar-project.properties:

sonar.cxx.rats.reportPaths=rats.xml

• If no results are displayed after a successful scan, check Manage Quality Profiles first.
• If scanning is failing, check items listed under Troubleshooting Configuration.
• If no issues are displayed for your source code in SonarQube, check the items listed under Troubleshooting Reports.
• In the case of incomplete scans, Detect and fix parsing errors gives advice on how to fix this.