Hi all,
It’s been a minute. Hope you had a great time over the holidays. Personally, I spent too much and drove (to family) a lot and ate too much. All in all, perfect. 
Like every week (or two, or three, but who’s counting 
), we’d like to take a moment to recognize you, the users, who help improve the ecosystem for everyone by sparking valuable discussions and providing the ongoing gift 
of your feedback to drive continuous improvement in our products.
SonarQube MCP Server
- @robertsa1-els ran into problems using the MCP server with the latest VSCode. It’s already fixed!
SonarQube for IDE:
-
@plev ran into problems getting started with connected mode in SonarQube for IntelliJ when the UI wasn’t clear that he’d picked the wrong token type to connect with. We hope to work on that in first quarter this year.
-
@aandre very patiently helped us work through broken C# analysis in SonarQube for Visual Studio. We appreciate your help!
-
Visual Studio developers using Microsoft cloud accounts can’t set up connected mode because the accounts don’t have permissions to write credentials in the file system. Thanks @rybowdenAccess and @nandjelkovic for all your patience with the long process to figure this out! This is fixed in code and should be available soon.
SonarQube Cloud:
-
@vg-anirudh-vasudevan, @Mikko_Kupsu, and @ebg reported an incident in mid-December where we’d changed the IPs we use without communicating as well as we should. It caused problems for some GitHub Enterprise users, so we’re grateful for their help and patience on this one.
-
@Bernardab0806 and @Ana_B hit another mid-December incident, this one caused by some changes on the front end that prevented the creation of new projects. Sorry for the inconvenience!
-
Another mid-December incident was caused by the automatic inclusion of JSON and YAML Secrets scanning for some organizations. It pushed a few organizations over their license limits, and we’re taking a step back here and doing some deep thinking about turning things on automatically. Thanks for the feedback @dougiewright and @groogiam.
-
Significant latency made it look like analyses weren’t working in another (
) mid-December incident. Fortunately nothing was lost, only delayed. Thanks @alexypuli, @MarcelBirkner, @foobar-1337, @Michael_C, @audunmo, and @RBische, and sorry for the trouble.
SonarQube Server / SonarQube Community Build:
-
In the December releases, we upgraded the SQL Server driver, and that exposed a collation conflict when there’s a mismatch between your Azure SQL Server’s collation and your database collation. Thanks @C_S and @progs! We’ve patched SonarQube Server and will fix it in Community Build 26.1.
-
December’s releases also saw Oracle DBs failing one of the migrations in the release. Thanks @Piotr_Krol, @Manish_Patil, @mstockhammer and @stefan.delaet! It’ll be fixed in the next releases.
-
@justus_bunsi’s server-side analysis processing failed after upgrading to 2025.5. It seems the background task was stumbling on a Security Hotspot that unexpectedly had a status of
Reopened. SONAR-26786
-
Recent versions of Community Build emit an error to the logs about not being able to reach the
/api/v2/entitlements/licenseendpoint. That would be because there is no ‘license’ endpoint in Community Build. We’ll get that cleaned up @Nick_Hindley. SONAR-26854
Scanners:
- We put out a new version of the SonarScanner for NPM this week. And within a couple of hours @klemen, @Tomaz_Majerhold, and @steg let us know it wasn’t working like we thought it did (i.e. at all. ) That led to a quick rollback, and a real fix the next day. Thanks, y’all!
Rules & Languages Improvements:
-
Back in October, @AlexUiPath found a problem with his Go coverage that boiled down to Go’s own coverage engine. This wasn’t actually the first time our users had stumbled across this, and our developers had lobbied for attention to the problem back in August. The Go maintainers said that if it was important to us, we should fix it ourselves. So we did.
Thanks everyone! Hopefully this will be merged and released soon. -
@ivandalbosco let us know about a fase positive in
java:S1258on the Spring@Valueannotation. Thanks! SONARJAVA-5929
-
@rkrisztian fundamentally disagrees with
java:S2440and thinks we should drop the rule altogether. We won’t go that far, but we will adjust the recommended fix and add a quick fix to the rule. SONARJAVA-5927 & SONARJAVA-5928 -
@Sax388 pointed out that
java:S4605is raised on perfectly valid code in a SonarQube for IDE context, but not in full analysis. That’s because the rule needs information from other files to be accurate. We’ll make sure it either pulls that data or doesn’t run at all. SONARJAVA-5945
-
We’ve fixed three JS/TS rules that don’t correctly rely on the
globalsnpm package. Thanks @ptandler and @jilles-sg! JS-1026 is already fixed and will part of the next updates. -
An architectural cycle is reported when two TypeScript files import each other. But as @hoh points out once the files are converted to JavaScript there’s no actual cycle. We’ll get it fixed.
-
@Gameplushy let us know the issue highlighting for
csharpsquid:S4275is confusing. Thanks! We’re on it. -
We got a twofer from @dalestan, who reported false positives with awaitables on both
csharpsquid:S1186andcsharpsquid:S2325. Internally, we created not one, but two tickets for this and hope to get to them soon. -
java:S4454should detect whenequalsmethod parameters are implicitly non-null due to a@NullMarkedannotation at the class or package level. Thanks @ahubold! SONARJAVA-5937
-
javaxhas been replaced withjakarta, butjava:S5128doesn’t know that yet. Thanks @Yanghua! SONARJAVA-5931
Thank you again to everyone mentioned—and to those we may have missed—for your ongoing contributions in making this community stronger and helping us improve Sonar products.
If you’d like to give a shout-out to someone, whether a community member or a SonarSourcer who helped you, please do so below. And if there’s someone you think we should acknowledge next week, let us know!
Ann