Hi all!
You may have noticed that we’ve gone through some rebranding in the last few months. We renamed all the products to be “SonarQube for” something. And now we want to rename ourselves too. Previously the company went by SonarSource, which made us SonarSourcers. But now the company goes by Sonar in all but the most formal of legal documents. Which makes us… what? Sonar-ers? Too hard to say. Sonar-ists? Kinda weird. And hard to say. Given what we do, I proposed SoNarcs, which… no one liked. So. What are your thoughts? Give us your best suggestions below for what people who work for Sonar should be called. (But keep it clean, please.)
And speaking of your input, as always, we are grateful for the feedback we’ve gotten this week, and for every time you give us feedback. So like every week, we want to spend some time acknowledging everyone who prompted interesting discussions and gave us feedback to help us continuously improve.
SonarQube Cloud:
- The SonarQube Cloud Free tier allows up to 50k private Lines of Code, but we missed turning that on in the monorepo flow. Thanks @EricB1. We’re on it.
SonarQube Server & SonarQube Community Build:
- You can configure SonarQube with multiple LDAP servers, but they won’t work as failovers. That part is documented. What isn’t very clear, and what @acsipak struggled with, is that each user is tied to the LDAP server they initially logged in with. Logging back in with the same credentials and a different LDAP server is a different user. We’re going to make that explicit in the docs.
SonarQube for IDE:
- Java and JavaScript architecture rules aren’t run in SonarQube for IDE, and @aaschlote’s question about them made us realize that’s not in the docs. Thanks! We’re on it.
Rule & Language Improvements:
- `java:S2699` doesn’t recognize assertions that are invoked via the `AssertableApplicationContext`. Thanks @francoissey. SONARJAVA-5480 will fix it.
- @Osmyslitelny doesn’t think `typescript:S2301` should raise an issue when the selector parameter is an object property. As it happens, we agree: JS-685
- @JonatanPlesko caught a regression in `kotlin:S7410` after we changed the underlying implementation. Thanks! We’re on it.
- While the Drupal 7 standard was to use snake_case, for Drupal 8+, it’s camelCase instead. Thanks @borisson_ (oh_the_irony)! SONARPHP-1655
- @dt-fastec pointed out that `csharpsquid:S2629` raises an issue in a log4net context, when it shouldn’t. We’re going to give the rule a general polish.
- `web:S6851` enforces a generally good idea: image alt descriptions don’t need words like “image” and “picture”. Which is all well and good, until you start parameterizing the alt text with sensibly named values like `section.start.headerImage`. Doh! Thanks @wnmzzzz! JS-689
- @blue42 points out that the suggested fix for `java:S4738` might lead to NPEs because substituting one type of collection for another won’t always work. We’ll take another run at how we deal with Guava collections that manipulate `NULL` in SONARJAVA-5495
- Lobbying from @frakman1 and @fgaultierD4 has put pytest results import on our radar. Vote to show your support.
- `java:S6856` raises an issue when a Spring property is injected in a controller path. Thanks @mfillon. SONARJAVA-5496
- The AWS CDK API uses the constructor pattern to create resources on AWS, but `typescript:S1848` and `javascript:S1848` raise an issue on that usage. Thanks @saurabh2590 and @reecebenson. JS-625
- We’ve expanded the scope of JS-132 based on @John_Gwinner_nact’s report of a `javascript:S2189` false positive when the index variable of a `for` loop isn’t declared with `var`.
- We’ll update `csharpsquid:S3236` to exclude `Debug.Assert` because it was updated in .NET 9. Thanks @omarjuul!
- @SAURABH-CARDANO pointed out that assigning the “None” string to variables is a fairly common mistake among junior Python developers. They think there should be a rule. We agree. SONARPY-2808
- An outdated stub version of Pydantic embedded in the Python analyzer is causing a false positive in `python:S930`. Thanks for the report @vincentmorel! SONARPY-2804
Scanners:
- We missed implementing the default truststore password of `sonar` in the SonarScanner for .NET. Thanks @Philippe_Formulain. We’ll get it fixed.
- @Vincent_Van_Gestel let us know that in the SonarScanner for NPM, we wrongly use the underlying scanner binaries for x64 instead of the ARM binaries on ARM hosts. SCANNPM-84
- When we enabled multi-language analysis in SonarScanner for .NET, we added a warning to help people understand why their LOC counts had increased as a result. Several months on, @davidkeaveny is getting a bit tired - and reasonably so - of seeing the warning. You can turn off the feature, but that’s not well-documented. We’re going to fix that.
Once more, we extend our thanks to everyone mentioned here - and those we may have missed - for their efforts in strengthening this community and enhancing our Sonar products.
Please leave your own shout-outs below – whether for another community member or a SonarSourcer who assisted you this week. If there’s someone you think should be acknowledged in next week’s roundup, don’t hesitate to let us know.