cppcheck

Analyze C/C++ code for defects

TLDR

Recursively check the current directory, showing progress on the screen and logging error messages to a file

$ cppcheck . 2> cppcheck.log

Recursively check a given directory, and don't print progress messages

$ cppcheck [[-q|--quiet]] [path/to/directory]

Check a given file, specifying which tests to perform (by default only errors are shown)

List available tests

$ cppcheck --errorlist

Check a given file, ignoring specific tests

$ cppcheck --suppress [test_id1] --suppress [test_id2] [path/to/file.cpp]

Check the current directory, providing paths for include files located outside it (e.g. external libraries)

$ cppcheck -I [include/directory_1] -I [include/directory_2] .

Check a Microsoft Visual Studio project (*.vcxproj) or solution (*.sln)

$ cppcheck --project [path/to/project.sln]

SYNOPSIS

cppcheck [OPTIONS] [FILES_OR_DIRECTORIES]

PARAMETERS

--enable=
Enables specific checks or categories. Common values: all, style, performance, portability, information, unusedFunction, missingInclude.

-I

or --include=
    Adds a directory to the include path. Useful for resolving header files.

-D or --define=
    Defines a preprocessor macro. Simulates compiler definitions.

-U or --undef=
    Undefines a preprocessor macro.

--std=
    Specifies the C/C++ standard. E.g., c++11, c99, c++20.

-j or --jobs=
    Number of concurrent analysis jobs. Speeds up analysis on multi-core systems.

--xml
    Outputs results in XML format. Facilitates integration with other tools.

--xml-version=
    Specifies the XML output version.

--check-config
    Checks project configuration and include paths. Helps debug setup issues.

--force
    Forces analysis even if include paths are missing. May lead to more false positives.

--suppress=
    Suppresses specific warnings by ID. Can be used multiple times.

--language=
    Forces analysis as C or C++. Values: c or c++.

-q or --quiet
    Suppresses progress messages. Only errors/warnings are printed.

-v or --verbose
    Prints verbose information. Includes progress and detailed analysis info.

--project=
    Analyzes a project defined in a build file. E.g., .sln, compile_commands.json.

--error-exitcode=
    Sets exit code when errors are found. Useful for CI.

--platform=
    Specifies platform-specific integer sizes. E.g., unix64, win32.

--template=
    Customizes the output message format.

DESCRIPTION

cppcheck is a static analysis tool for C and C++ code. It detects various types of errors and potential issues that compilers might miss, such as buffer overflows, memory leaks, resource leaks, uninitialized variables, unused code, and various style and performance problems.

Unlike compilers, cppcheck does not compile the code; instead, it parses it and applies a set of predefined rules and heuristics to identify problematic patterns. This allows it to find errors without requiring a complete build environment, making it suitable for integration into Continuous Integration (CI) pipelines or as a pre-commit hook. It aims to minimize false positives and provides customizable checks, enabling users to focus on specific categories of issues like portability or information-level warnings. It supports various C/C++ standards and can analyze entire projects or individual files.

CAVEATS

cppcheck performs static analysis and does not execute the code. Therefore, it cannot find all runtime errors. It might produce false positives (warnings about non-existent issues) or false negatives (miss real bugs) depending on code complexity and configuration. For optimal results, it often requires correct include paths and preprocessor definitions to be provided, similar to a compiler. It focuses on undefined behavior and dangerous coding constructs rather than logical errors or algorithmic flaws.

<I>INTEGRATION WITH BUILD SYSTEMS</I>

cppcheck can integrate with build systems like Make, CMake, and Visual Studio. For CMake projects, CMAKE_EXPORT_COMPILE_COMMANDS can generate a compile_commands.json file which cppcheck can use with --project. This simplifies providing include paths and defines.

<I>SUPPRESSION FILES</I>

For managing warnings, cppcheck supports suppression files (--suppress-file=<file>). These files list warnings to ignore, allowing teams to filter out noise or acknowledge known issues without modifying the code.

HISTORY

cppcheck was initially developed by Daniel Marjamäki in 2007. It was created with the goal of being a simple yet powerful tool to detect common errors in C/C++ code, emphasizing low false positive rates. Its development has been community-driven, with contributions from many developers, leading to continuous improvements in its analysis capabilities, performance, and support for newer C/C++ standards. It gained popularity due to its ease of use, open-source nature, and ability to be easily integrated into various development workflows, including CI/CD pipelines.