Fortify C rules aren't visible in sonar for C language quality profile

As of now, we are on SonarQube 4.5.7 and are using the plugin below for C files.

C (Community) [cxx] 0.9.2

Recently we integrated Fortify functionality with Sonar, and all the relevant Fortify XMLs were read by Sonar. We can now see the Fortify repository when we search in the Rules tab. However, it was noticed that the Fortify C repository wasn't added, although the core_cpp.xml and extended_cpp.xml files were present in the relevant Fortify folder.

While trying various alternatives, I changed language="cpp" to language="c" in both core_cpp.xml and extended_cpp.xml. I then restarted the Sonar server, and the Fortify C repository was available with 460 Blocker rules.

Please advise whether this workaround is correct, or whether I am missing something in this case?

  • Hi Prashant, 

    I'm a bit confused as to what you're trying to accomplish. When you say you've integrated Fortify functionality with Sonar, and the relevant XMLs were read by Sonar, what specifically do you mean? What Sonar plugin are you using for that, and what's your goal?

  • Hi Fish,

    What I understand is that for Sonar to identify the Fortify violations in generated FPR files and then show them in the dashboard, it needs two things:

    One is the plugin for Sonar (we are using sonar-fortify-plugin-2.0.jar).

    Secondly, the rules XMLs for each language (these we generated after unzipping the HP bin files).

    For me the problem is that the rules for all languages except C (like Java, Objective-C, JavaScript) got imported, and I can see a "Fortify - <language>" repository in the Rules tab of Sonar for each of them except C.

    Not sure why Sonar is not picking up the C Fortify XML. Please correct me in case I am missing something here.