Hey everyone!
We decided to take last week off from posting our weekly Sonar Community Highlights since the whole team took a break for Thanksgiving. If you were celebrating, we hope you had a Happy Thanksgiving! If you weren’t, we hope the absence of Americans wasn’t too jarring.
Now that we’re back, like every week we want to spend some time saying thanks to everyone who prompted interesting discussions and gave us feedback on Sonar products that will help us continuously improve.
SonarQube:
- @wsmelton, in the context of changing passwords on a SonarQube instance deployed via Helm, was having the password changed to unexpected values because the query parameter inputs aren’t being encoded. We’ll work on that with SONAR-21136!
- Thanks @anon67236913 for reporting a bug (SONARJNKNS-369) with v2.16 of the Jenkins extension for SonarQube and its HttpClient throwing a java.lang.UnsupportedOperationException.
- @kunal-mazumdar reported an issue with GET api/authentication/validate when validating user tokens. Thanks for the report! SONAR-21116
- @zhangjiuwang reported that information from the default branch of a project was being shown when refreshing a page in SonarQube that showed measures from another branch. Yikes! SONAR-21056 will resolve this in SonarQube v10.4.
- @garlicbread reported that project links can’t be deleted in newly created projects (but it works fine in old projects). SONAR-21109 will address this. Thanks!
- SonarQube uses HTML encoding on the subject line of e-mail notifications, which breaks when using non-Latin characters as reported by @AlexPC. We’ve created SONAR-21059 to improve this.
- .NET 8 support is very fresh, and thanks to @steve123 and @marcinavionworx, we have our first bug to fix! SonarSource/sonar-dotnet #8417
- Thanks @jswartwood for extensively documenting how you worked around an issue with Bamboo and SonarQube’s Git integration.
SonarCloud:
- Thanks @Joao_Victor_Dias for reporting a crash when analyzing .sass files. The issue is with a specific rule, and we’ll fix that with SonarSource/SonarJS #4449.
- The latest version of the SonarScanner for Gradle is causing longer analysis times in some cases, as reported by @Nikolay_Metchev. Two bug tickets have been created after the investigation: SONARKT-377 and SONARKT-378.
SonarLint:
- Shoutout to @viuginov.nickolay for reporting a bug where SonarLint for IntelliJ is holding references to multiple disposed projects and leading to a memory leak. A fix is on the way with SLI-1187!
- Thanks @rooby for pointing out some memory-related settings that could be made clear in our documentation. The docs have been updated!
- @OddMathisenNOV let us know that the auto-save-vs-extension is conflicting with SonarLint for Visual Studio. Thanks! SonarSource/sonarlint-visualstudio #5065
Rule Improvements:
- @youngroman was kind enough to point to some missing configuration for our advanced injection vulnerability rules, specifically related to the Apache Commons Fileupload package. We think we’ll be able to merge that configuration update before the end of the year!
- Thanks @Valentijn for reporting two false-positives with csharpsquid:S2583, and another on csharpsquid:S4158. Two of these limitations are already known (SonarSource/sonar-dotnet #7871 and SonarSource/sonar-dotnet #8028) and another has been added to our backlog (SonarSource/sonar-dotnet #8428)!
- Same rule, different language. Thanks @zasmazka for the false-positive report on java:S2583 when using Lombok’s slf4j logger. SONARJAVA-4718
- Does a week go by without @Jos_Abrahams reporting an issue with our support for AcuCobol? Here’s another one! And another one! Thanks for the reports – we’ll work on these with SONARCOBOL-1690 and SONARCOBOL-1691.
- Thanks @mfroehlich for reporting an issue with java:S1612 where the error message could be made much clearer. SONARJAVA-4720
- After a heads-up from @Khrystyna_Turok, we’ll improve our support of javax packages migrated to Jakarta, specifically in the context of java:S107. Thanks! SONARJAVA-4640
- Hats off to @bers for reporting that python:S6542 should not raise an issue on overrides and overloads. SONARPY-1568
- Kudos to @jgh713 for reporting a false-positive with typescript:S4782 when TypeScript’s compiler option exactOptionalPropertyTypes is enabled. SonarSource/SonarJS #4415
New Rules:
- Thanks @mfroehlich for suggesting a new rule for Java developers to use String.strip() instead of String.trim()! SONARJAVA-4704
Once more, we extend our thanks to everyone mentioned here - and those we may have missed - for their efforts in strengthening this community and enhancing our Sonar products.
Please leave your own recognitions below – whether for another community member or a SonarSourcer who assisted you this week. If there’s someone you think should be acknowledged in next week’s roundup, don’t hesitate to let us know.
Colin, Ann and Leith