Microsoft C++ Code Analysis is a powerful static analysis tool integrated into Visual Studio that helps you identify and fix potential issues in your C++ code. Large projects require effective management of analysis warnings to maintain code quality and you sometimes need to suppress warnings, but must do so in a clear and auditable way.
To that end, we are excited to announce significant updates to the warning suppression mechanisms in Microsoft C++ Code Analysis. These enhancements provide better tracking, justification, and overall management of warning suppressions, leading to a more maintainable and robust codebase.
What’s New in the SARIF Output?
We enhanced the Static Analysis Results Interchange Format (SARIF) output to include detailed information about warning suppressions, most notably the justification provided by you. This allows teams to easily review why a specific warning was silenced.
To generate a SARIF file, use the /analyze:log:format:sarif compiler option. To ensure
that details about suppressed warnings (including their justifications) are included in
this SARIF log, you must also use the /analyze:log:includesuppressed option.
What’s New in gsl::suppress?
We have updated our support for gsl::suppress to align with the latest C++ Core
Guidelines syntax. Warnings can now be suppressed by using the gsl::suppress attribute
in the following way:
[[gsl::suppress( "<warning_id>", justification: "<justification>" )]]Where <warning_id> is the ID of the warning you want to suppress, and the optional
<justification> is a string that provides a justification for the suppression.
For now, [[gsl::suppress]] is only available for C++ codebases. For C codebases, you
must use the #pragma warning(suppress) syntax.
Example:
// CoreCheckExample.cpp
// Add CppCoreCheck package and enable code analysis in build for warnings.
int main()
{
int arr[10]; // warning C26494
int* p = arr; // warning C26485
[[gsl::suppress("bounds.1", justification : "This attribute suppresses Bounds rules #1")]]
{
int* q = p + 1; // warning C26481 (suppressed)
p = q++; // warning C26481 (suppressed)
}
return 0;
}What’s New in #pragma warning?
We have extended #pragma warning to support the justification field. Here is how
you can use it starting in Visual Studio 2022 version 17.14:
#pragma warning(suppress : <warning_id>, justification : "<justification>")Where <warning_id> is the ID of the warning you want to suppress, and the optional
<justification> is a string that provides a justification for the suppression.
Choosing Between #pragma warning and gsl::suppress
Both #pragma warning(suppress) and [[gsl::suppress]] offer fine-grained control over
warning suppression.
#pragma warning(suppress)is a general MSVC mechanism that can be used for any compiler warning. It’s particularly useful when you need to suppress a warning in a specific code block without altering the code’s structure significantly.[[gsl::suppress]]will only suppress warnings emitted by Microsoft C++ Code Analysis. It is intended for use with the C++ Core Guidelines checks and can be applied to a scope or a specific declaration.
Whenever possible, we recommend using [[gsl::suppress]] for suppressing Microsoft C++
Code Analysis warnings.
Why These Updates Matter
These enhancements to warning suppression offer several key benefits:
- Improved Auditability and Review: With justifications recorded directly in the code and optionally in SARIF logs, code reviews become more effective. Team members can quickly understand the rationale behind a suppression without needing to consult external documentation or the original author.
- Enhanced Code Maintainability: Clear justifications prevent accidental re-introduction of issues when code is refactored or suppressions are reviewed. They provide a history of why certain warnings were deemed acceptable at a particular point.
- Better Management of Technical Debt: Suppressed warnings can be a form of technical debt. Justifications help in tracking and prioritizing which suppressions should be revisited and potentially fixed.
- Consistency Across Suppression Mechanisms: By adding justification support to both
#pragma warningandgsl::suppress, we provide a consistent experience for you. This allows old code to use#pragma warningwhile new code can use[[gsl::suppress]], all while maintaining the ability to provide justifications.
Impact on Existing Workflows
These new features are additive. Existing suppression mechanisms (without
justifications) will continue to work as before. However, we encourage you to
start using the justification attribute for new suppressions and to gradually update
existing ones where clarity is beneficial. There is no automatic migration, but the
process of adding justifications is straightforward.
Availability
These enhancements are available in the MSVC compiler toolset shipping with Visual Studio 2022 version 17.14 and newer, and will be part of future Visual Studio releases. Ensure your Visual Studio is updated to leverage these improvements.
Try It Out
// example.cpp
// Compile with: cl /analyze:only /analyze:plugin EspxEngine.dll /analyze:log:format:sarif /analyze:log:includesuppressed example.cpp
int main()
{
int arr[10]; // warning C26494
int* p = arr; // warning C26485
[[gsl::suppress("bounds.1", justification : "This attribute suppresses Bounds rules #1")]]
{
int* q = p + 1; // warning C26481 (suppressed)
p = q++; // warning C26481 (suppressed)
}
return 0;
}You can run the above code with the following options:
/analyze /analyze:log:format:sarif /analyze:log:includesuppressed to generate a SARIF
file that includes the suppression details.
(Note: EspxEngine.dll is the plugin that enables C++ Core Guidelines checks, which are
the target of gsl::suppress.)
> cl /analyze:only /analyze:plugin EspxEngine.dll /analyze:log:format:sarif /analyze:log:includesuppressed .\example.cpp
Microsoft (R) C/C++ Optimizing Compiler Version 19.50.35305.95 for x64
Copyright (C) Microsoft Corporation. All rights reserved.
example.cpp
D:\tmp\example.cpp(7) : warning C26485: Expression 'arr': No array to pointer decay (bounds.3).
D:\tmp\example.cpp(6) : warning C26494: Variable 'arr' is uninitialized. Always initialize an object (type.5).You will also find a file named example.nativecodeanalysis.sarif, you can open it with
VSCode (don’t forget to install the latest version of the
SARIF Viewer extension).
After filtering to include suppressed warnings, you will see the warning details which
include the suppression information. Here is an example of what you will see:
Feedback
We would love to hear your thoughts on the new changes to warning suppressions! Please share your feedback and suggestions in the comments below. If you run into any issues, please let us know by filing a feedback ticket on Visual Studio Developer Community.
0 comments
Be the first to start the discussion.