Without using the build-wrapper it's by definition impossible to get a fully error-free and accurate analysis. That's why we must enforce the use of the build-wrapper and make it explicit that not using the build-wrapper leads to switch to a "at best" mode which can increase both the number of false-negatives and false-positives.
Making the use of the build-wrapper mandatory is not yet possible due to the following limitations :
- The build-wrapper "only" supports the Clang, GCC and Visual C++ compilers
- Even when using those compilers some corner cases are not supported, ex:
So by default, the analysis should fail when the property 'sonar.cfamily.build-wrapper-output' is not defined or when the value of this property doesn't provide the path to a directory containing the output of a build-wrapper execution. It must remain possible to switch back to a manual configuration by setting the new property sonar.cfamily.build-wrapper-output.bypass to true.
When the property sonar.cfamily.build-wrapper-output is not defined, the error message must be :
The only way to get an accurate analysis of your C/C++/Objective-C project is by using the SonarQube build-wrapper. If for any reason, the use of the build-wrapper is not possible on your project, you can bypass it with the help of the "sonar.cfamily.build-wrapper-output.bypass=true" property. By using that property, you'll switch to an "at best" mode that could result in false-positives and false-negatives.
When the property sonar.cfamily.build-wrapper-output.bypass is set to true, the following warning message should be logged:
build-wrapper output is not used to analyse this project. This may result in false-positives and false-negatives.