Hello Sonar Community!
It’s been a big week here in the Community, with lots of help and guidance from you, our members, to improve our products and your experience with them.
We’re grateful when you take the time to do that, so like every week we want to spend some time acknowledging everyone who prompted interesting discussions and gave us feedback to help us continuously improve.
It’s also been a big week for me because it was my birthday on Sunday! 29 years old. Just one more year until I start lying about my birthday!
SonarQube:
- We’re going to start allowing users to choose the shell program for init containers when using SonarSource/helm-chart-sonarqube. Thanks a lot for the feedback @totobaa. SONAR-22158
- We also plan to make the helm chart follow semantic versioning after feedback from @verdel. Thanks! SONAR-22147
- SonarQube sends an e-mail when a token is about to expire, but it’s not using the E-Mail prefix that admins configure. Thanks @scm_invn for the report. We’ve created SONAR-22155.
- SonarQube v10.5 introduced Cross-Origin Resource Policy headers, which have broken the display of logos configured with sonar.lf.logoUrl. We’ll fix this with SONAR-22149. Thanks @jonesbusy!
- Another shoutout to @jonesbusy for reporting an issue with the SonarQube v10.5 helm chart which broke passing configuration as secrets. A fix is on the way.
- The SonarScanner for Maven only sets HTTP Proxy System properties, while there are no covered cases where HTTPS Proxies are required. SCANMAVEN-219 will add those. Thanks @weisskopf for the investigation (and thanks for the pull request!)
- The SonarScanner isn’t handling non-Latin characters in a project name well. Thanks for letting us know @Vinod_Singh. SCANJLIB-214
- Thanks to @daniel for telling us that when a user’s screen size is small, the issue resolution popup is not completely visible. SONAR-22163
- Yikes! It turns out that we’ve made GitLab project permissions read-only when auto-provisioning is turned on. That shouldn’t happen until we’ve actually started to sync project permission with GitLab. Thanks for the reports @Alexander_Zerbe and @FredericS. SONAR-22115
- In SonarQube v10.5, GitLab authentication tries to sync groups even when group sync is disabled. This breaks the authentication, without a workaround (unless you want to lose all your manual group permissions). We will fix this issue in SonarQube v10.5.1 next week. Thanks for the reports @maudin, @gysel, @mcujba, @Modjo, @pst, and @TribuneX!
SonarCloud:
- When there are 0 new lines in a pull request, SonarCloud is making it look like coverage isn’t configured at all (even when it is). We’ve created an internal ticket to solve this. Thanks for the reports @long-tran-dss and @shijigopinathan!
- A weird bug is resulting in a 500 error on SonarCloud. A comment structured a certain way breaks the internal search query. A fix is on the way. Thanks @hzpc-joostk!
SonarLint:
- Thanks @skywalkerAlex and @marcellopato for reporting an issue with SonarLint in IntelliJ 2024.1+ when a background task has no ProgressIndicator or Job. SLI-1381!
We’d also like to make room here to mention that there have been some new SonarLint releases this week, addressing current issues and providing some new features. Upgrade today!
Rule and Languages Improvements:
- Thanks @um78 for your false-positive report on csharp:S2589 showing us that mutations of captured variables are being ignored. We’ll fix that with SonarSource/sonar-dotnet #9204!
- Binary characters are valid in the Python interpreter but tripping up our Python analyzer. Thanks a lot, @sodul. SONARPY-1792
- Thank you @NathanEckert for your feedback on java:S5838. SONARJAVA-4954
- java:S6204 is throwing an IndexOutOfBoundsException when lombok.val is used. We learned this thanks to the great reproducer provided by @mmoayyed! Thanks! SONARJAVA-4950
- Kudos to @MartinX3 for pointing out a false positive for kotlin:S6518 on classes that don’t support the indexed access operator. SONARKT-386
- @Theodoor_van_Donge let us know that our Apex analyzer doesn’t currently support the new null coalescing operator. We’ve created a ticket to track that. SONARSLANG-646 Thanks!
- Our Terraform analysis currently ignores any conditions when evaluating terraform:S6270. We’ve created an internal ticket to work on that. Thanks @ericrichter!
- Thanks @mocres for restarting a conversation about the word TODO in comments. Unfortunately, our analyzers are always flagging these as TODO comments (an INFO level issue in Sonar)… but sometimes it’s just Spanish speakers using the word todo (which means “all”). No ticket to share, but it’s on our radar to find a solution for all languages to kill at least some of the noise!
Once more, we extend our thanks to everyone mentioned here - and those we may have missed - for their efforts in strengthening this community and enhancing our Sonar products.
Please leave your own recognitions below – whether for another community member or a SonarSourcer who assisted you this week. If there’s someone you think should be acknowledged in next week’s roundup, don’t hesitate to let us know.
@ganncamp, @Colin, and @leith.darawsheh