LANG.COMM.CODE : Commented-out Code

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

CodeSonar^® 9.2p0

CONFIDENTIAL

CodeSecure Inc

C and C++

LANG.COMM.CODE : Commented-out Code

Summary

A comment appears to contain a lot of code.

Comment text is considered likely to be code if its proportion of operator characters (!#%^&*()+={}\[]:;<>/) is consistent with that typically seen in C and C++ source code. This heuristic can be thrown off by short comments, so warnings will not be issued for comments that contain only a small number of characters.

The various thresholds involved in this determination are controlled by configuration file parameters:

COMMENTED_OUT_CODE_SIZE_THRESHOLD specifies the minimum number of characters a comment must contain to be included in checks for this warning class.
COMMENTED_OUT_CODE_MIN_RATIO and COMMENTED_OUT_CODE_MAX_RATIO specify lower and upper bounds on the operator/non-operator character ratio that will be treated as indicating the presence of code.

See the linked individual parameter documentation for full details.

Properties

Class Name

Commented-out Code

Significance

style

Mnemonic

LANG.COMM.CODE

Categories

MisraC2025	MisraC2025:D.4.4	Sections of code should not be "commented out"
MisraC2023	MisraC2023:D.4.4	Sections of code should not be "commented out"
Misra2012	Misra2012:D.4.4	Sections of code should not be "commented out"
Misra2004	Misra2004:2.4	Sections of code should not be "commented out"
AUTOSARC++14	AUTOSARC++14:A2-7-2	Sections of code shall not be "commented out".
MisraC++2008	MisraC++2008:2-7-2	Sections of code shall not be "commented out" using C-style comments.
	MisraC++2008:2-7-3	Sections of code should not be "commented out" using C++ comments.
MisraC++2023	MisraC++2023:5.7.2	Sections of code should not be "commented out"
CWE	CWE:615	Inclusion of Sensitive Information in Source Code Comments
	CWE:1085	Invokable Control Element with Excessive Volume of Commented-out Code
JSF++	JSF++:127	Code that is not used (commented out) shall be deleted.
OWASP-2017	OWASP-2017:A5	Broken access control
OWASP-2021	OWASP-2021:A1	Broken access control
OWASP-2025	OWASP-2025:A01	Broken Access Control

Availability

Available for C and C++.

Enabling

Checks for this warning class are disabled by default. To enable them, add the following WARNING_FILTER rule to the project configuration file.

WARNING_FILTER += allow class="Commented-out Code"

Example

int f (int i){
                 /* 'Commented-out Code' warning issued for following comment block */
  
    /* int b;
     * int a = i;
     * a = i++;
     * b = g(a);
     */

    i++;
 
    /* this comment is ordinary text */                  /* does not contain source code */
    return i;
}

Relevant Configuration File Parameters

The following configuration file parameters affect checks for this warning class.

To report problems with this documentation, please visit https://support.codesecure.com/.