The latest release does not include signatures which keeps this plugin locked out from Gradle Dependency Verification workflow. Almost all living projects are signed nowadays, Sonar ought to be as well.
https://docs.gradle.org/current/userguide/dependency_verification.html
https://plugins.gradle.org/m2/org/sonarqube/org.sonarqube.gradle.plugin/6.0.0.5145/
This means that users of Sonar are required to update the checksum in verification-metadata.xml every single update instead of just accepting a dependabot PR that passes CI execution. Please fix.