Sonar Community Highlights, July 15 - July 21

Hi all,

@Colin is in Prague this week for EuroPython. So I’m on my own this week for compiling the list of shout-outs. If I don’t mention you here, it’s not because we don’t value your contributions. We absolutely do!

And this week, we’d like to explicitly thank:

Rule feedback:

  • @leine for reporting a nicely detailed false positive on java:S2259, which flags null pointer dereferences. We created SONARJAVA-4554 to address it.

  • @andrzej-talare for reporting a false positive in kotlin:S6624, which we’ll fix with SONARKT-351.

  • @Lutti1988 let us know of a false positive he found in csharpsquid:S3900, which overlooks the use of the null-coalescing assignment operator, ??=, before a dereference. We logged a ticket to fix it.

  • In the broader community, Marco Carvalho started a discussion in GitHub Issues about why csharpsquid:S3247 is tagged with performance, and about the expanded descriptions we’ve implemented for some rules (more to come!). Knowing that the expanded descriptions really do give developers a deeper understanding of our rules is very helpful for us, and validates both the assumptions we’ve been making and the work we’ve been doing.

Clean as You Code Quality Gate
We release frequently in order to get feedback about our changes. So the ongoing feedback on the changes in recent versions around Clean as You Code is very valuable to us. In particular, I’d like to call out @BardMorgan, @Rebse, @josemaria.oca and @TinaF for their thoughtful, reasoned discussion this week on the Clean as You Code Quality Gate topic. There’s much more to come in this area, and user feedback is very valuable to us in understanding the impacts of our changes, and calibrating future plans.


  • @chris.forbes.tindeco reported a problem with a shared library being double-counted, license-LOC-wise, because it was analyzed as part of two different projects. And then he came back to document for posterity his fix to the problem.

  • @v587zzy got the Samaritan badge retroactively this week. We grant the badge when a user’s first post in the community is made to help another user. In this case, it was to help someone understand an error they were seeing in Azure DevOps.

  • @Rebse for his report that while you can increase the timeout value, SonarScanner doesn’t actually honor it when it’s downloading the plugins at the beginning of analysis. It still uses the default timeout, which can be problematic if you have “helpful” intermediaries on your network. We created SONAR-19994 to fix that and allow a custom timeout to be defined for plugin download. And while you’re waiting for the fix, you can use the workaround @Rebse thoughtfully included in his initial report.

  • Of course @Rebse also deserves a general shout-out for all the help he gives other users - and has given over the years - here in the community. :tada:

Again, thanks to everyone we’ve listed here - and to everyone we’ve forgotten :flushed: - for helping make this community and Sonar products great.

Feel free to leave your own kudos below – whether it’s another community member or SonarSourcer who helped you out this week. And if there’s someone you’d like to see us mention next week, feel free to ping us.

@ganncamp & @Colin