To get a trial key
fill out the form below
Team License (a basic version)
Enterprise License (extended version)
* By clicking this button you agree to our Privacy Policy statement

Request our prices
New License
License Renewal
--Select currency--
* By clicking this button you agree to our Privacy Policy statement

Free PVS-Studio license for Microsoft MVP specialists
* By clicking this button you agree to our Privacy Policy statement

To get the licence for your open-source project, please fill out this form
* By clicking this button you agree to our Privacy Policy statement

I am interested to try it on the platforms:
* By clicking this button you agree to our Privacy Policy statement

Message submitted.

Your message has been sent. We will email you at

If you haven't received our response, please do the following:
check your Spam/Junk folder and click the "Not Spam" button for our message.
This way, you won't miss messages from our team in the future.

Just for fun: PVS-Studio team came up w…

Just for fun: PVS-Studio team came up with monitoring quality of some open source projects

Feb 11 2021

Static code analysis is a crucial component of all modern projects. Its proper application is even more important. We decided to set up a regular check of some open source projects to see the effect of the analyzer's frequent running. We use the PVS-Studio analyzer to check projects. As for viewing the outcome, the choice fell on SonarQube. As a result, our subscribers will learn about new interesting bugs in the newly written code. We hope you'll have fun.


After all, why is it necessary to check projects regularly? If you rarely run static analysis, for example, just before the release, you may be snowed under with a great number of warnings. Looking through them all, you can miss the very significant analyzer triggerings that indicate serious errors. If you run the analysis regularly, for example, every day, then there won't be so many of those. Thus, you can easily identify crucial problems. Another reason is the cost of an error: the sooner the problem is detected, the less costly it is to fix it. For example, if you run static analysis just before the release, then by that time most of the bugs will have been found and fixed by the testing department. However, such fixes cost more. That is, the only right way to use static analysis is regular analysis.

As you probably know, our team often publishes articles about open source projects checks. Such articles are certainly curious to read. They bring some benefits to checked projects themselves. We always report on suspicious places to developers. However, such isolated checks have the same disadvantages as the scenario described above with an irregular code check only before the release. It's difficult to perceive a large report. Many errors end up being fixed at other levels of quality control (for example, using tests) instead of being found and fixed immediately after they hit the code.

Therefore, we decided to try a new work format with open source projects. That is a regular, daily code review of one (for a start) project. In this case, the check will be set up in a way that we'd have to view analyzer warnings covering only changed code or newly written code. It's faster than viewing the full analyzer report, and most importantly, it will allow discovering a potential error very quickly. When we find something really exciting, we'll make short notes or even write a post on Twitter.

We hope that this format will allow us to better promote more correct practices of static analysis regular use and will bring additional benefits to the open-source community.

We decided to choose the Blender project as the first project to analyze. You can tell us what additional projects you'd like us to analyze. Also, we'll describe the errors found in them.

Regular analysis configuration

For our task, we consider the joint effort of PVS-Studio – SonarQube tools to be the best solution for regular analysis. Further, we'll talk about the configuration of the selected tools: how to run and configure SonarQube; we'll describe how to analyze the project and how to upload the results to be displayed.

Why we chose SonarQube

PVS-Studio can do a lot: analyze, send out notifications about warnings, and filter them. Moreover, it can also integrate into different systems to display warnings. Not only to get the check results but also to additionally test more PVS-Studio operating modes, we decided to try to configure the display of results for our task in SonarQube.

You can find more information about this application here. Now let's proceed to the deployment. SonarQube stores all the data in the database. You can use different databases, but the recommended one is PostgreSQL. Let's set it up first.

Configuring PostgreSQL

Download the latest version here. Install it and create a database for SonarQube. To do this, first, create a user named sonar. Run the following command in the psql command line:


You can also use pgAdmin for this and other operations. Now we need to create the database named sonarqube using the CREATE DATABASE command. It looks like this in our case:

CREATE DATABASE sonarqube OWNER sonar;

The database is ready, let's start configuring SonarQube.

SonarQube configuration

Download and install SonarQube. You can get the latest version here. The distribution itself is an archive. We need to unpack the archive to the C directory:\sonarqube\sonarqube-

Then, edit the file C:\sonarqube\sonarqube-\conf\ We'll add there the following info on our created database:


SonarQube will see the database that we created and will start working with it. Next, you'll need to install the plugin for PVS-Studio. The plugin is in the directory where PVS-Studio is installed. It is C:\Program Files (x86)\PVS-Studio by default. We need a sonar-pvs-studio-plugin.jar file. Copy it to the directory with SonarQube C:\sonarqube\sonarqube-\extensions\plugins. You also need to download the sonar-cxx-plugin, click here to do it. At the time of writing, this is sonar-cxx-plugin- We need to copy this plugin to the C:\sonarqube\sonarqube-\extensions\plugins directory.

Now you can run SonarQube. To do this, run C:\sonarqube\sonarqube-\bin\windows-x86-64\StartSonar.bat.

Let's start setting up via the web interface. Go to the browser at sonarServer:9000. Here sonarServer is the name of the machine where SonarQube is installed.

Quality Profile configuration

The quality profile is a key component of SonarQube, which defines a set of rules for the codebase. The PVS-Studio plugin provides a set of rules that correspond to the analyzer warnings. We can add all of them to the quality profile or disable any rules if necessary. According to the configured quality profile, SonarQube will display or not display warnings after analyzing our code.

Now, we need to configure the Quality Profile. To do so go to the Quality Profiles tab and click Create as shown in the picture below.


In the appeared window enter a profile name (it can be random). In our case, the name is PVS-Studio Way. Then, select the language. C++ is relevant for us now. After that, click Create.


Then go to the Rules tab, select the Repository category, and select PVS-Studio C++. Next, click Bulk Change and Activate In, in the appeared window select our created profile, that is, PVS-Studio Way.


SonarQube is set up and ready to go.


Then, we'll configure the project analysis directly using the PVS-Studio analyzer.

Download the source code with the following command:

git clone

generate the project files:

make.bat full nobuild

generate the necessary additional files, compile the build_windows_Full_x64_vc15_Release\INSTALL.vcxproj project for that.

Run the analysis with the following command

"c:\\Program Files (x86)\\PVS-Studio\\PVS-Studio_Cmd.exe" \
 -t build_windows_Full_x64_vc15_Release\\Blender.sln \
 -o blender.plog --sonarqubedata -r

So, we have the files blender.plog and, and we can push the results of our analysis to SonarQube. Use the sonar-scanner utility to do this.

Sonar scanner

You can download the utility here. Download the archive by the link, unzip it. For example, in our case, it is placed in the directory D:\sonar\sonar-scanner- Edit the D:\sonar\sonar-scanner-\conf\ file by adding the following line to it:

Where sonarServer is the name of the machine where SonarQube is installed.

Run the following command:

D:\sonar\sonar-scanner-\sonar-scanner.bat \
-Dsonar.projectKey=blender -Dsonar.projectName=blender \
-Dsonar.projectVersion=1.0 \

Note that the command is called from the directory with the analysis results (blender.plog and

To run the analysis on a project regularly, all above commands can be easily automated using a Continuous Integration server, such as Jenkins.


Regular projects analysis allows you to eliminate errors at the earliest stage when the cost of such a correction is minimal. We hope that this new format of checking open source projects and the article about it will be interesting to our readers and will diversify the "usual" articles about checking, as well as benefit the open source community. Let me remind you once again that we accept requests for the inclusion of additional projects in our regular review. We can't guarantee that we'll add a project, but we will definitely consider all your suggestions.

Popular related articles
PVS-Studio for Java

Date: Jan 17 2019

Author: Andrey Karpov

In the seventh version of the PVS-Studio static analyzer, we added support of the Java language. It's time for a brief story of how we've started making support of the Java language, how far we've co…
How PVS-Studio Proved to Be More Attentive Than Three and a Half Programmers

Date: Oct 22 2018

Author: Andrey Karpov

Just like other static analyzers, PVS-Studio often produces false positives. What you are about to read is a short story where I'll tell you how PVS-Studio proved, just one more time, to be more atte…
Static analysis as part of the development process in Unreal Engine

Date: Jun 27 2017

Author: Andrey Karpov

Unreal Engine continues to develop as new code is added and previously written code is changed. What is the inevitable consequence of ongoing development in a project? The emergence of new bugs in th…
Technologies used in the PVS-Studio code analyzer for finding bugs and potential vulnerabilities

Date: Nov 21 2018

Author: Andrey Karpov

A brief description of technologies used in the PVS-Studio tool, which let us effectively detect a large number of error patterns and potential vulnerabilities. The article describes the implementati…
The Evil within the Comparison Functions

Date: May 19 2017

Author: Andrey Karpov

Perhaps, readers remember my article titled "Last line effect". It describes a pattern I've once noticed: in most cases programmers make an error in the last line of similar text blocks. Now I want t…
The Last Line Effect

Date: May 31 2014

Author: Andrey Karpov

I have studied many errors caused by the use of the Copy-Paste method, and can assure you that programmers most often tend to make mistakes in the last fragment of a homogeneous code block. I have ne…
The Ultimate Question of Programming, Refactoring, and Everything

Date: Apr 14 2016

Author: Andrey Karpov

Yes, you've guessed correctly - the answer is "42". In this article you will find 42 recommendations about coding in C++ that can help a programmer avoid a lot of errors, save time and effort. The au…
PVS-Studio ROI

Date: Jan 30 2019

Author: Andrey Karpov

Occasionally, we're asked a question, what monetary value the company will receive from using PVS-Studio. We decided to draw up a response in the form of an article and provide tables, which will sho…
Appreciate Static Code Analysis!

Date: Oct 16 2017

Author: Andrey Karpov

I am really astonished by the capabilities of static code analysis even though I am one of the developers of PVS-Studio analyzer myself. The tool surprised me the other day as it turned out to be sma…
Characteristics of PVS-Studio Analyzer by the Example of EFL Core Libraries, 10-15% of False Positives

Date: Jul 31 2017

Author: Andrey Karpov

After I wrote quite a big article about the analysis of the Tizen OS code, I received a large number of questions concerning the percentage of false positives and the density of errors (how many erro…

Comments (0)

Next comments
This website uses cookies and other technology to provide you a more personalized experience. By continuing the view of our web-pages you accept the terms of using these files. If you don't want your personal data to be processed, please, leave this site.
Learn More →