Hi all,
This week we welcome @carmen.m / Carmen Musat, who joins us as our new Community Program Manager. She’ll be focusing on community advocacy programs where she will help us reward and recognize our most active and enthusiastic community members.
If you’ve been around for a while, you may remember that in previous years we’ve disappeared for a while in early/mid-January for the annual company off-site. Well, that’s next week, so we’d appreciate it if you could be patient when we don’t respond immediately, and - if you have a few minutes to spare - look after each other for a little bit. We’ll be back soon to catch up on what we missed.
And in the meantime, we’re grateful for the feedback we’ve gotten this week, and for every time you give us feedback. So like every week we want to spend some time acknowledging everyone who prompted interesting discussions and gave us feedback to help us continuously improve.
SonarQube Server & SonarQube Community Build:
- @Scott reported a bad in-app link to the SAML docs in Community Build. The link was (theoretically) correct, but the page was missing. It’s already been fixed!
- @andi recommended updating the docs to be clear that the SARIF import supports “stacks”. Great idea! We’ll get it done.
- A very long time ago (in 6.2 IIRC) we deprecated file-level complexity metrics. In SonarQube Community Build 25.1 we finally removed them. @guwirth pointed out that it’s probably worth documenting. We’ve updated the docs already and will take a look at the package information.
- More significantly, back in October @guwirth flagged a performance degradation in analysis with SonarQube Server 10.x versus 9.9. His granular testing was significant in helping us isolate and address the problem(s). SONAR-22998, SONAR-24006, SONAR-23974, SONAR-24057
- It seems refreshing an application - for example by reanalyzing one of its projects - no longer triggers the refresh of portfolios that include the application. Thanks @james_mck! It’s fixed in SONAR-24122
- @Ricetrac helped us realize that AI Code Fix doesn’t use the proxy settings you’ve configured for SonarQube Server. Doh! SONAR-24165.
SonarQube for IDE:
- macOS users of SonarQube for IntelliJ are noticing a Java icon in their dock when using SonarLint. That’s not something we expect. Thanks @Kyle! SLCORE-1105
SonarQube Cloud:
- @buraksak and @fransiscl reported that the issue severity filter was disabled - even after reanalyzing like the UI warning told them to. We appreciate the heads-up and got it fixed the same day.
- After helping @stephencurtis connect with SonarQube Cloud Enterprise organization with SSO, it became clear to us that we should highlight in our documentation the fact that IDP-initiated connections are not supported. Thanks!
Rule & Languages improvements:
- We pick up issues raised by Roslyn analyzers during the .NET build automatically and import them as 3rd-party issues. But we fail to attach a language to them. Thanks @Paul_Hickman. NET-925
- @lbenedetto clued us in to the `@Contract` annotation, which we don’t yet support (because we didn’t know about it). SONARJAVA-5269
- Custom HTML tags are being flagged for invalid attributes by `web:S6840`. Thanks @RichyAplinClements! SONARHTML-283
- @Moustafa_Atef_Saad let us know that `typescript:S2068` only considers string literals and doesn’t examine template expressions. ESLINTJS-68
- We support the xc8 compiler for C++… if you’re not using the `-mdf` argument. With it, @pmcgaugh found that no files were analyzed. CPP-5941
- @Chanon_Jitrapitugoon’s analysis seemed to get stuck running symbolic analysis on his Angular JavaScript project. That helped prompt us to take another run at our Angular support, and the improvements will be part of the next SonarQube Server release.
- `csharpsquid:S1172` doesn’t recognize that captured parameters used in a switch or switch expression actually are used. Thanks @Cheesebaron! We’ll get it fixed.
- It seems that `azureresourcemanager:S6949` is a bit overzealous in flagging hardcoded resource locations. As @vedion points out, `Global` should be allowed. SONARIAC-1491
- @lbenedetto noted that `java:S5411` complains about use of a boxed boolean retrieved from an `Optional` (and thus not-nullable). We already had our sights on the rule with SONARJAVA-5146 and we’ll take this into account too.
- The Apache license triggers a false positive from `java:S125`. Sorry for the late response @jedgar and @tzaeschke. We’ll take care of it. SONARJAVA-5273
- It’s not often that a user can actually make a rule crash, but @surecloud-jleite succeeded beautifully with `java:S6906`. We’re on it. SONARJAVA-5265
Scanners:
- @Lostfields was struggling with a .NET analysis failure for a double-indexed file. While the latest versions of SonarScanner for .NET ignore user-set sources and test configurations, automatic analysis hasn’t caught up to that yet. In the meantime, we’ll update the documentation for this. Thanks!
- @AidarGatin is experiencing a timeout during his Python analysis, and even debug logs aren’t helpful figuring out why. As a first step, we’ll improve the logging. SCANENGINE-58
Once more, we extend our thanks to everyone mentioned here - and those we may have missed - for their efforts in strengthening this community and enhancing our Sonar products.
Please leave your own shout-outs below – whether for another community member or a SonarSourcer who assisted you this week. If there’s someone you think should be acknowledged in next week’s roundup, don’t hesitate to let us know.
Ann