Hey everyone!
It’s another busy week in our Community, and we want to say thanks to everyone who prompted interesting discussions and gave us feedback on Sonar products that will help us continuously improve.
Rule Improvements:
- Kudos to @rsc for asking that we move some internal methods in SonarSource/sonar-java to our public API so that our users can benefit from them when writing custom rules. Great idea! This will become possible with SONARJAVA-4576.
- `java:S2755` makes sure that XML parsers are not vulnerable to XXE attacks. Last year @S0obi noticed a false negative when using a SchemaFactory and an Unmarshaller. We'll improve this rule with SONARJAVA-4577.
- It's amazing how long some issues on our analyzers go unreported: a trivial FP was reported on `java:S1318`, which makes sure 0 can't be a potential denominator. Thanks @Tamir_Adler, we'll fix that up. SONARJAVA-4592
- SonarLint offers Quick Fixes for a lot of rules (no or low-effort remediation with the click of a button). Thanks @Connor_Balin for reporting that the quick fix for `java:S1319` was misbehaving. SONARJAVA-4591
- @Conor_Balin also reported a false positive on the same rule! SONARJAVA-4590
- Thanks to @kordum for calling out a false positive with `php:S1144` when using new syntax from PHP 8.1. The fix is already on the way with SONARPHP-1440.
- Thanks @vincesp for reporting a false positive on `cpp:S3230`. It generated a lot of interesting discussion and ultimately a ticket to improve the rule. CPP-4631
- @golgor pointed out a false positive with one of our newer secrets detection rules (`secrets:S6652`) when using environment variables. We've created an internal ticket to resolve this behavior.
- @Thomas_Mauch reported that our compliant solution for `java:S2755` itself raised an issue. Looks like some of our XXE rules need updating. Thanks for the report!
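For readers wondering what the SchemaFactory/Unmarshaller case above looks like in practice, here is an added example (not code from the original post, and not SonarSource's own rule implementation or compliant solution) showing a SchemaFactory left at JDK defaults beside a hardened one, and an Unmarshaller fed a reader with DTD processing switched off. It assumes a JAXB implementation (`javax.xml.bind`) is on the classpath; the `Note` class and the inline XSD are constructed for the example.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;          // assumption: JAXB (javax.xml.bind) is on the classpath
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.bind.annotation.XmlValue;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamReader;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;

public class XxeSafeUnmarshal {

    // Constructed example schema: a single <note> element holding a string.
    private static final String XSD =
        "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
      + "<xs:element name=\"note\" type=\"xs:string\"/>"
      + "</xs:schema>";

    // Constructed JAXB type matching the schema above.
    @XmlRootElement(name = "note")
    public static class Note {
        @XmlValue
        public String text;
    }

    // Weak form: the factory keeps the JDK defaults, so schema compilation (and any
    // document validated through the resulting Schema) may still resolve external
    // DTDs and schema locations over the network or file system.
    static Schema weakSchema() throws Exception {
        SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        return factory.newSchema(new StreamSource(new StringReader(XSD)));
    }

    // Hardened form: external DTD and schema access are disabled on the factory
    // before any schema is compiled from it.
    static Schema hardenedSchema() throws Exception {
        SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return factory.newSchema(new StreamSource(new StringReader(XSD)));
    }

    // The Unmarshaller only uses the Schema for validation; the XML itself is parsed
    // by whatever reader it is handed. Building that reader from an XMLInputFactory
    // with DTD support and external entities disabled closes the second path.
    static Note unmarshalSafely(String xml) throws Exception {
        XMLInputFactory xif = XMLInputFactory.newFactory();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);                      // no DOCTYPE processing
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);  // no external entities
        XMLStreamReader reader = xif.createXMLStreamReader(new StringReader(xml));

        Unmarshaller unmarshaller = JAXBContext.newInstance(Note.class).createUnmarshaller();
        unmarshaller.setSchema(hardenedSchema());
        return (Note) unmarshaller.unmarshal(reader);
    }

    public static void main(String[] args) throws Exception {
        // Constructed input; a document carrying a DOCTYPE would be rejected by the
        // reader before JAXB ever sees it.
        Note note = unmarshalSafely("<note>hello</note>");
        System.out.println(note.text);
    }
}
```

The point worth remembering from the false-negative report is that hardening the SchemaFactory alone is not enough when an Unmarshaller is involved: the reader doing the actual parsing must be configured as well, which is why both `hardenedSchema()` and the XMLInputFactory settings appear together.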
SonarCloud
- This week SonarCloud faced an issue with coverage exclusions that were set in the SonarCloud UI (alongside multi-criteria exclusions). This was caused by the update of a library that needed to be reverted. Thanks to all the folks who reported an issue: @AllanAlmeida, @Andrii_Yefimov, @neeldip_barot, @maxx-nomad, @Marine_Dos, @Christo_Nel, @thientd87, @patrickvol and @Jan_Milants
- @janv8000 managed to notice that the text copied from a specific tutorial on SonarCloud didn't match the text displayed. This issue is now fixed! Thanks.
- `DEBUG` logging should only be turned on to troubleshoot issues, but those logs still need to be readable. Thanks @Saqwel for helping us discover an issue where the logs were being extra chatty. SONARTEXT-65
Help others by helping yourself
- @kislow gave comprehensive feedback on their experience setting up SAML and SCIM with Azure AD, along with advice for other users facing the same issues he did with claims and technical users.
- @Luci4nom faced an issue where SonarQube would crash when trying to create a new project. There was some database-level configuration that needed to be fixed (setting `is_read_committed_snapshot_on` to `true` on SQL Server). Thanks for following up and letting other users know what needed to be done!
Good Samaritans
Welcome to @mkon and @JonasR, who were both granted the Samaritan badge recently. The Samaritan badge is granted to users whose first posts in the community are attempts to help others.
- @mkon shared how he handled a problem with coverage import.
- And @JonasR shared how his organization worked around failing background tasks. That thread resulted in SONAR-20215 to address the underlying problem, so thanks also to the initial reporters, @roJa and @smanning.
Once more, we extend our thanks to everyone mentioned here - and those we may have missed - for their efforts in strengthening this community and enhancing our Sonar products.
Please leave your own recognitions below – whether for another community member or a SonarSourcer who assisted you this week. If there’s someone you think should be acknowledged in next week’s roundup, don’t hesitate to let us know.