Marketplace disabled in non-Community versions?

I just upgraded to v8.9.0 LTS Developer.

Looked through the release notes for this and the past few versions and didn’t see anything about the Marketplace going away for paying customers.

Needless to say, plugin developers seem to be similarly surprised (the main plugins I use have open issues around binary release availability, build dependencies for local compile, etc.).

With the Marketplace disabled to the point of not even notifying about plugin updates, it really limits the value in licensing/paying for SonarQube.

Is there any guidance on this from SonarSource around how this should be handled? Are those of us with paid versions just out of luck and we should start researching alternative platforms?


Hey there.

The Marketplace still exists in non-Community editions, but plugin installation/updates are manual (adding the plugin to your extensions/plugins directory of your SonarQube instance). The Marketplace still serves as a place to let users know about available plugins and updates to existing plugins installed on your instance.

Why the change? We know that the ability to extend SonarQube with plugins is an important feature, but these plugins are by definition not written by SonarSource and they can be a potential vector of vulnerability for SonarQube instances. To be clear, plugins are not vetted at each release by SonarSource for their security.

We want users to take it seriously and weigh potential impacts when they install/update a plugin, especially in a commercial setting.

Can you point to some of these issues? The changes should not have had an impact on them building/releasing their plugins.

Checkstyle, Code Smells, Dependency-Check, Shell Check Analyzer and YAML Analyzer to name a few.

From a “Tech Support” perspective, I get it.

From an End-User perspective, this came as a surprise. There was no announcement, nothing I spotted here or on other boards that this might be coming, etc.

And while manual install isn’t horrible (well, presuming that projects release build guides and/or binaries), disabling the update/compatibility view is a terrible choice (e.g. the “Updates Only” tab) since it removes a centralized, relatively easy way to spot when a plugin needs to be updated manually.

Despite your screenshot, the plugins above have updated, are not flagged in my console and are failing to compile on my local system with cascading dependency issues (no released documentation).

The alleged Compatibility Matrix is nearly unusable in its current form, so that’s not a workable alternative either.

If SonarSource could have found another, even more annoying, way to drive existing/paying customers to other platforms, I can’t think of it…

I don’t see any issues on their GitHub repository about having trouble compiling. If you have trouble compiling them yourself, I would suggest raising an issue on their GitHub repository.

Honestly, I have no disagreement here. To be transparent, it happened fairly last-minute.

Maybe something should have been added to the Upgrade Notes (beyond the change of requiring risk consent). I’ll take a note internally and see if there’s something that could be done here.

The Marketplace relies on the fact that binaries are published somewhere (they have to be, usually tied to a GitHub release).

I think maybe some wires are crossed (some metadata not updated, your instance not connecting to the marketplace) – because the goal is absolutely that plugin updates are still visible. Can you share a screenshot of your Installed tab (where plugins you expect to show an update are visible) as well as the Updates Only of the Marketplace?

Thank you for the transparency. It already “smelled like that” to me, tbh.

That was my trigger for asking the following question on May 6th (sadly - ann somehow found no words to address it :smiling_imp: :innocent: )

Reading her answer’s last sentence there triggers me to continue that thread now :sweat_smile: :dash: