Sonar Community Highlights, October 7 - October 13

Hi all,

I hope this spooky October, Friday the 13th is finding you well. At Sonar we have a tradition of changing our Slack handles to something Halloween-related in October. Last week I was “bANNshee”. I’m currently masquerading as “frAnnKenstein”, and hope to get scarier as the month progresses. Colin, who was out this week, is too cool for that, but Leith jumped onboard with “Leith DRACULA”. Do you do anything for Halloween at work?

And now, on to the highlights! It’s been yet another busy week in the Sonar Community! Like every week we want to spend some time saying thanks to everyone who prompted interesting discussions and gave us feedback on Sonar products that will help us continuously improve.

SonarQube

• @Carsten_HB, @yevhenhnes and @romanb52 reported problems with issue status [1] [2] and Security Hotspot resolution flickering back and forth from Open to Closed with each subsequent analysis, and @sheilemann earned the Samaritan badge chiming in to help! This is actually a long-standing but elusive problem. Thanks to these reports, we’ve now created SONAR-20695 to gather details and hopefully, eventually track this down and fix it. If you’ve seen these behaviors yourself, please don’t hesitate to chime in!

• We’ve made significant efforts over the last few years to make our products more accessible, but there are still things we miss. @kirkpabk was kind enough to raise the fact that the announcement message doesn’t quite hit the mark, resulting in SONAR-20692.

• @nkojuharov found a bug in the license usage reporting after manual deletion of branches. SONAR-20733 will fix it.

• Thanks to @Adrian_Garcia_Gonzal for noticing that if you use sonar.web.context in SonarQube 10.2, images don’t load in the Marketplace. SONAR-20728 is slated for a 10.3 fix.

• @andrew-garland reported that when you “Test Configuration” for GitHub integration, it will come back as correctly configured even if your secret key is wrong. SONAR-20741 will fix it.

SonarCloud

• Some of our users with a lot of projects were experiencing timeouts when adding monorepo projects in SonarCloud. @Marcus_Soo helped us find that, and we’re working on a fix.

• While we have partial support for Git submodules in SonarQube, @ealmeida brought it to our attention that there isn’t any for SonarCloud, so we’ve added a ticket to the backlog for that.

SonarLint

• We’ve put a lot of effort into our rule descriptions and example code, but that doesn’t do any good if you can’t read them. @JakeAtON reported a problem viewing the Noncompliant Code Example in SonarLint, which resulted in SLI-1127.

• @bers noted that we’re showing some misleading curly braces in the VS Code settings editor. SLVSCODE-592 will fix it.

Scanners

• We’ve been working on improving the SonarScanner for Gradle recently, but no one gets it right the first time every time. @Laurynas and @ms-tng reported a ClassCastException which we’ll fix with [SONARGRADL-133].

• @pkubowicz reported a different problem in SonarScanner for Gradle. When adwords-axis is a dependency, the scanner fails with a ZipException. We’ll fix that with SONARKT-364.

Rule / language improvements

• Thanks to @matsgottenbos and @dgonzalezr who both joined the Community to report false positives when using the class attribute in JSX without React. We’ve created SonarJS/4250 to fix it.

• @FlorentP42 shared struggles with cpp:S4963, which will result in us improving the rule description to better explain when the Rule of Zero can be followed.

• Is there anything worse than getting extraneous warnings from an analyzer? Probably, but it’s still pretty annoying. @mahmoud reported a warning he was seeing about unsupported Kotlin highlighting, which we’ll fix with SONARKT-365.

• Spring dependency injection doesn’t just happen in constructors or on member declarations, as @Jaff pointed out, so we’ll be updating java:S3749 to recognize setter injection as well, with SONARJAVA-4646.

• @kedarjoshi reported a false positive from kotlin:S1128 when an import alias is used. We’ve created SONARKT-366 to fix it.

• And last, but very much not least, @mfroehlich had a big week, for which we’re particularly grateful:

  • JavaScript’s S3800 shouldn’t raise an issue when this is returned. He was kind enough to provide a report, complete with working reproducer and we’ve created SonarJS/4251 to fix it.
  • He appears to be a polyglot because he also started a discussion about java:S2129 which will lead to its expansion with SONARJAVA-4641.
  • Java has certain naming conventions, which we’ve codified into rules, including a rule about how packages should be named. But it’s overkill, as @mfroehlich pointed out (he’s on a roll!), to raise an issue on each and every single class in a mis-named package. We’ll fix that with SONARJAVA-4647.
  • He went on to propose two new rules, one requiring curly braces around else blocks and another requiring them around outer blocks. We’ve created SONARJAVA-4656 and SONARJAVA-4655, respectively to get them added.

Once more, we extend our thanks to everyone mentioned here - and those we may have missed - for their efforts in strengthening this community and enhancing our Sonar products.

Please leave your own recognitions below – whether for another community member or a SonarSourcer who assisted you this week. If there’s someone you think should be acknowledged in next week’s roundup, don’t hesitate to let us know.

 
Ann , @colin & @leith.darawsheh