Hello Sonar Community!
Happy (almost) Halloween! Ann has continued her “spooky” Slack handle escalation. Last week she was “Mother-Ann-Law” and this week she has been “We need to talk”. Leith, meanwhile, switched to “LEITHal”.
I remain unconvinced.
Some of you may have noticed new badges popping up on your profiles. We love it when users help each other, and we’re trying to be more intentional about acknowledging when it happens. There’s more to come on this topic, but know already how much we appreciate you!
It’s been yet another busy week in the Sonar Community! Like every week we want to spend some time saying thanks to everyone who prompted interesting discussions and gave us feedback on Sonar products that will help us continuously improve.
SonarCloud:
- @CuiMaldonado pointed out that SonarCloud is warning about a deprecated external issues report format that we haven’t published the successor to. That’s coming next week. Thanks for nudging us along.
SonarQube:
- There’s a bug in how ruff data are being imported into SonarQube. Thanks @tiangolo for the detailed report (it makes all the difference) that we’ll work on with SONARPY-1533.
- Several users, myself included, have faced issues with running analysis against .NET 8 projects on macOS. Thanks for the reports @Christopher_Stephan, @SimonB, @pkurzok, and @albanur. And thanks to SonarSourcer @antonio.aversa for investigating all week and posting a workaround until we have a fix.
- @ld_singh let us know about an issue when integrating with Bitbucket Cloud that was resolved by using a separate user from the integration than they were using with Jenkins. We’ll add this advice to the documentation! Thanks!
SonarLint:
- Thanks @StefanR for posting about a bug in SonarLint for IntelliJ where the new “Focus on new code” checkbox does not stay checked. We’ll fix this in the next release (coming next week) with SLI-1141.
- On the VSCode side, thanks to @abond for posting about this error, which is thrown when trying to access files that SonarLint doesn’t have access to. We’ll track it with SLLS-185.
- @Jose_Rodrigo_Moraes reported an exception in SonarLint for IntelliJ caused by a temporary inability to read a file. SLCORE-606 will address it.
Rule Improvements:
- Thanks @IRC for raising an issue with csharpsquid:S1264 where the rule description wasn’t matching the implementation. We’ll fix that with SonarSource/sonar-dotnet #8249.
- Thanks @traso56 for your kind words and also for contributing to an existing issue about csharpsquid:S2583, SonarSource/sonar-dotnet #8007.
- Kudos to @bers for challenging us on an issue raised by python:S5806 regarding the Ellipsis and the ellipsis type. This will get worked on with SONARPY-1530!
- A few months ago we started to spec out support for JSpecify in our rules that deal with Nullability. It’s great to see users like @jskov asking for it, as it helps us prioritize our work! You can track some of this work at SONARJAVA-4544.
- Thanks @avl for raising an issue (and putting a lot of effort into reproducing a false-positive) about java:S2118, where a false-positive was being raised when inspecting array access expressions. We’ll fix this with SONARJAVA-4686!
- A long time after @fxmi posted about a false-positive with java:S4684, we can share SONARJAVA-4680, which we’ll work on soon. Sorry for the delay!
- Output parameters allow you to return data to the caller, which would seem to require their being assigned to. @ArminPrieschl reported a T-SQL false positive on doing just that, which we’ll fix with SONARTSQL-324.
- Java’s S1149 urges you to use Deque instead of Stack, which is all well and good when you’re using Stack methods that also exist for Deque, but not so great when the methods are missing, as @mfroehlich pointed out. SONARJAVA-4687 will address it.
- After updating to 10.2, @DarioFlores started to see false positives in S2259 for C# when .Any() is used. We’ll fix it with SonarSource/sonar-dotnet#8266.
- Meanwhile @mfroehlich also reported a problem with S2259, this time for Java. We already had SONARJAVA-4439 in the backlog for a very similar problem with the rule.
- Our symbolic execution engine necessarily makes tradeoffs between thoroughness and analysis duration. @samyonr ran into one of those tradeoffs with a false positive in S2589. We’re hoping to improve the situation, but the path forward is still nebulous.
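To make the S1149 point above concrete: Stack inherits index-based methods from Vector and adds search(), none of which exist on Deque, so a mechanical swap to ArrayDeque does not compile when such methods are in use. The following is an added illustration written for this post, not code from Sonar or from the rule; the class name StackToDequeMigration and the helper searchFromTop are assumed names, and the helper reproduces Stack.search()’s 1-based distance-from-top contract on top of Deque iteration order.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Stack;

public class StackToDequeMigration {

    // Stack.search(o) returns the 1-based position of o counted from the top,
    // or -1 if it is absent. Deque has no equivalent, so a migration needs one.
    // ArrayDeque.push() is addFirst(), and iteration runs head-to-tail, i.e.
    // top-to-bottom, which is exactly the order search() counts in.
    static <T> int searchFromTop(Deque<T> deque, T target) {
        int position = 1;
        for (T element : deque) {
            if (target == null ? element == null : target.equals(element)) {
                return position;
            }
            position++;
        }
        return -1;
    }

    public static void main(String[] args) {
        Stack<String> legacy = new Stack<>();
        legacy.push("a");
        legacy.push("b");
        legacy.push("c");

        Deque<String> modern = new ArrayDeque<>();
        modern.push("a");
        modern.push("b");
        modern.push("c");

        // push/pop/peek/isEmpty have direct counterparts and behave the same.
        System.out.println("top: " + legacy.peek() + " vs " + modern.peek());

        // search() is Stack-only; the helper stands in for it on the Deque.
        System.out.println("search(a): " + legacy.search("a")
                + " vs " + searchFromTop(modern, "a"));

        // Vector's index-based access (get(0) is the bottom element) is also
        // Stack-only; on the Deque the bottom is the tail, so use peekLast().
        System.out.println("bottom: " + legacy.get(0) + " vs " + modern.peekLast());
    }
}
```

The missing-method cases the report describes are search() and the inherited Vector accessors (get, elementAt, indexOf); the two direct-counterpart rewrites shown here are searchFromTop() for search() and peekLast() for reading the bottom element, and each needs the reversed iteration order kept in mind.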
Language Improvements:
- Kudos to @galit who asked if we support the CCAC Compiler from MetaWare Development Toolkit for C and C++ analysis. Right now we don’t (though it might be very simple to add), but for now we’ll continue to track requests at CPP-4764.
Once more, we extend our thanks to everyone mentioned here - and those we may have missed - for their efforts in strengthening this community and enhancing our Sonar products.
Please leave your own recognitions below – whether for another community member or a SonarSourcer who assisted you this week. If there’s someone you think should be acknowledged in next week’s roundup, don’t hesitate to let us know.
Colin, Ann and Leith