Hey everyone!
It’s been another busy week in the Sonar Community! Like every week we want to spend some time saying thanks to everyone who prompted interesting discussions and gave us feedback on Sonar products that will help us continuously improve.
SonarQube:
- Shoutout to @pschwarzer-tt for raising awareness about an error message that occurs when we try to analyze your build.gradle.kts and settings.gradle.kts. We’ll investigate that with SONARKT-370.
- User sync with GitHub is failing entirely if a single user is causing an issue, preventing other users from being auto-provisioned. Thanks for letting us know @Bastian.Sieber, and we’ll fix that with SONAR-20924.
- @Deadstar2011 and @liuxl did a great job helping us track down a bug related to slow project creation on large instances. We’ll work on that with SONAR-20912.
SonarCloud:
- A few weeks ago we made a change on SonarCloud so that the scanner would only download the required analyzers, instead of every single one. This caused an issue with file indexing (and file exclusions) reported by @sodul. A fix is now deployed!
- @bherger, @ezrabrooks, and @william-keen-aptitud all faced an issue after a deployment of sonar-text started crashing analysis. The fix is now deployed to SonarCloud. Thanks for the quick reports, everybody!
- @Saurabh_Varma reported an issue when using NodeJS 14.17 (the minimum supported and deprecated version of NodeJS supported for analysis) because of a feature that only became available in NodeJS 14.18. Doh! SonarSource/SonarJS #4343 should make its way to production next week.
- @jessehwong very patiently helped us find a timeout problem in background task processing when a lot of large files are added in a single analysis. We’ve already deployed the fix.
- Our Jenkins extension properly sets sonar.token when you’re analyzing against SonarQube, but still uses sonar.login to pass the token value when you’re analyzing against SonarCloud. @mvillanueva’s pointing that out prompted SONARJNKNS-370.
SonarLint:
- @FrejSuomi reported that when using “phony” commands in his compile_commands.json, SonarLint wouldn’t analyze C and C++ code. We’ll start ignoring these entries with CPP-4779! Thanks!
- @Luca_Bottani reported an issue where the SonarQube icon in the Status Bar of Visual Studio is not being loaded correctly. Thanks for the report! You can track this at SonarSource/sonarlint-visualstudio #5004.
- Issues being raised by our secrets detection are being multiplied in the tooltip as @bonner-earle told us months ago. We finally have a ticket to work on this: SonarSource/sonarlint-visualstudio #5002!
Rule & Language Improvements:
- Thanks @daniel-almeida for pointing out a false-positive with python:S6735 (one of our new rules that targets the pandas framework). SONARPY-1536 is already merged!
- Our Vue parser has been dragging down analysis performance. @heybeckerj, @andre_s_ferreira, @Sirax, @Carl_G, and @JamesF helped us home in on that. We’ll address it with SonarSource/SonarJS#4352.
- Similarly, @msobeslavsky reported that the javabugs sensor slowed down significantly on SonarCloud at the beginning of October. Working from that report, we fixed a number of performance problems in the sensor, and they’re already live on SonarCloud.
- @shnitze joined the Community to report that using a value larger than the int32 max in appsettings.json causes csharpsquid:S2068 to error-out during analysis. We’ve opened SonarSource/sonar-dotnet#8310 for it.
- We already knew there were problems in typescript:S6606, and @gthb provided an additional case to address when we next work on the rule. Thanks!
- If you open a Java resource, you need to close it, as @zchandikaz pointed out. We had specified java:S3074 for that, but never gotten around to implementing it. This report was the nudge we needed: SONARJAVA-4689.
Scanners:
- We recently added sonar.gradle.skipCompile to allow SonarScanner for Gradle users who compile outside SonarQube analysis to not re-run compilation as part of analysis. @G00fY2, @JonatanPlesko, @markusheiden and @bostandyksoft pointed out that we’re reading the value from the System properties, which makes it impossible to set the property through Sonar configuration. We’ll fix that with SONARGRADL-134.
Once more, we extend our thanks to everyone mentioned here - and those we may have missed - for their efforts in strengthening this community and enhancing our Sonar products.
Please leave your own recognitions below – whether for another community member or a SonarSourcer who assisted you this week. If there’s someone you think should be acknowledged in next week’s roundup, don’t hesitate to let us know.
Colin, Ann and Leith