Hi all,
Hope you’re enjoying the end of summer – it’s cooled down a lot where we are.
Meanwhile, the Community was on this week! This has to be one of our longest roundups to date.
As always, we want to take a moment to recognize everyone who sparked interesting discussions and gave us valuable feedback to drive continuous improvement.
SonarQube Server & Community Build:
- @mkarchev asked about the impact of upcoming Bitnami Catalog changes on the SonarQube Helm chart. We created SONAR-25700 to update the default PostgreSQL image (though remember, please use a proper managed database for production!).
- @mvermef-foreflight reported UI twitching issues when viewing issue details in Chrome. Good news—we’re working on a new layout that will fix this bug!
- @acalero noticed noisy warning and error logs in SonarQube Community Build 25.8.0 when accessing administrator pages. We created SONAR-25687 to quiet those logs. Thanks for the heads up!
- @Pieter experienced an issue with GitLab SSO where users see a redirect link for ~20 seconds that results in an “unauthorized” error if clicked, though waiting for the automatic redirect works fine. I can personally reproduce this – and a ticket will be created to investigate this!
- @Greg_Sullivan did a trial of SonarQube Advanced Security that is causing weird side-effects even after the trial is over. We’ve identified a workaround and will fix the root cause.
SonarQube Cloud:
- @bousselham-mhidi experienced confusing error messages when multiple CI pipelines submit analysis reports out of order. We’re improving the messaging to make it clearer that a new pipeline run is needed.
- @dansemakula and @stahamnguyen helped us discover that Automatic Analysis is using lower values for `sonar.javascript.node.maxspace` than we thought, causing larger projects to fail analysis. Thanks for the reports!
SonarQube for IDE:
- @EclipseWizard encountered a display glitch with the new Dependency Risks tab in PyCharm. The fix was deployed in version 10.30! Thanks for testing our new feature.

Rule & Languages Improvements:
- @ChristopheS pointed out (a while ago) that `web:S1085` incorrectly requires table descriptions when WCAG only considers them a good practice. The rule was deprecated based on this feedback!
- @huh reported false positives with `web:S6807` when aria attributes are bound in Vue templates. We updated SONARHTML-288 to support Vue alongside Angular. Nice catch!
- @mbastardo.excentia discovered that the scanner crashes when encountering obsolete `_moduleAliases` syntax in package.json files. This crash has been fixed—kudos for the detailed investigation!
- @roman-belkov and @pazeltma both experienced analysis timeouts in JavaScript/TypeScript projects. After extensive debugging, we tracked it down to JS-840 and a PR is already in progress! Thanks for your patience and detailed logs.
- @yogesh encountered a taint analysis crash due to invalid line offset calculations with Java text blocks. A ticket has been created to resolve this. Great report!
- @Victor_Ciresica found limitations with Python SAST engine custom sink configurations for the `clickhouse-connect` library’s `query_df` method. We created tickets to improve type resolution and enhance custom configuration capabilities. Excellent analysis!
- @CrushaKRool identified a common pitfall where calling `Statement.execute(String)` methods on `PreparedStatement` objects causes runtime exceptions during refactoring. We’re exploring a new rule with SONARJAVA-5748! Fantastic suggestion.
- @lnschroeder reported false positives with `kotlin:S1862` when using Kotlin 2.2.0’s new guard conditions feature. Ticket created—thanks for keeping us up to date with the latest Kotlin features!
- @RiversJohn found that `csharpsquid:S2123` incorrectly flags useless assignments by matching variable names textually rather than tracking actual scopes. We’ll fix this scope tracking issue. Well spotted!
- @tadjan discovered that `kotlinsecurity:S5145` incorrectly flags logging of enum request parameters as security vulnerabilities, even though Spring’s validation makes them safe. A ticket was created to fix this false positive.
- @luyiourwong spotted an incorrect dash character in our .NET test coverage documentation. Sharp eyes—the docs have been fixed!
- @fernandopj82 found that hardcoded passwords in Terraform aws_db_instance resources aren’t detected by secret analysis. S6437 isn’t implemented for Terraform yet, and we’d welcome a community contribution. Looking forward to your PR!
- @guilhermesimoes highlighted concerns about `eslint-plugin-sonarjs` bundle size due to problematic `jsx-ast-utils` dependencies. After investigating the ecosystem issues, we merged a PR switching to `jsx-ast-utils-x`, shrinking the plugin by ~5MB. Amazing!
- @zorglub encountered a false positive with `csharpsquid:S2953` when implementing the standard Dispose pattern in classes inheriting from BackgroundService. This false positive is now in our backlog for a fix. Thanks for the clear example!
Scanners:
- @moritzwiechers encountered issues with the sonarqube-scanner npm package when using custom CA certificates. We created SCANNPM-113 and SCANNPM-114 to support default truststore locations and noproxyhost respectively. Thanks for highlighting these configuration gaps!
Thank you again to everyone mentioned—and to those we may have missed—for your ongoing contributions in making this community stronger and helping us improve Sonar products.
If you’d like to give a shout-out to someone, whether a community member or a SonarSourcer who helped you, please do so below. And if there’s someone you think we should acknowledge next week, let us know!