Hi all,
After a couple years of debating about how to refer to individual users here in the roundup (“Hmm… Does that avatar look like a ‘she’ or a ‘they’?”) I’ve added a ‘pronouns’ user field. It’ll be presented to all new users at signup going forward, but you can go backfill in your profile if you like. The field is optional, and will show up on your user summary.
Administrative business aside, like every week, we’d like to take a moment to recognize you, the users, who help improve the ecosystem for everyone by sparking valuable discussions and providing feedback that drives continuous improvement in our products.
SonarQube MCP Server:
- @Mike_Coughlin let us know about a couple of problems interacting with the Codex CLI. Thanks for your patience as we work out the kinks!
- @gavinclarkeuk wants better access to Security Hotspots via the MCP server. Great point! MCP-221
SonarQube for IDE:
- @CWDev had a heck of a time after an automatic update of SonarQube for Visual Studio. @jaromir chimed in to provide their details as well. In the end, it came down to case-sensitive path handling. SLVS-2761
- SonarQube for IntelliJ uses IntelliJ’s PasswordSafe API to store credentials, which delegates to the system’s native password storage. That’s gnome-keyring in @desckapg’s case. Unfortunately, when the native keyring fails or is unavailable, we’re swallowing the exceptions and only giving generic error messages. SLI-2398 will fix it.
SonarQube Cloud:
- @shfunke was remarkably patient while we figured out the bug that kept his portfolio from updating like it should. We deployed a fix this week.
Rules & Languages Improvements:
- @Stine’s pipeline was set up to insert tokens before deploying the code. Unfortunately, analysis was happening in between those two steps, so she was getting issues from secrets:S8135 seemingly out of the blue. We can’t change the pipeline, but we can detect which files have been modified since checkout, so we’ve created a ticket to skip them during analysis.
- tssecurity:S2083 doesn’t catch sinks that come from resolve or join. Thanks @rkg! We’re on it.
- @nickbhasin hit a stack overflow error trying to analyze some complex regexes. Thanks for a great initial report. We’ve added a ticket to the backlog.
- roslyn.sonaranalyzer.security.cs:S3649 doesn’t recognize that a method annotated with Function is a source of tainted data. Thanks @tonyh! We’re on it!
- csharpsquid:S1144 is confused by debugger display attributes. Thanks @Corniel! There’s a ticket in the backlog.
- @James_Wakefield reported that typescript:S2699 raises false positives on uses of chained expect matchers. Thanks! It’s already fixed in code! SonarJS#6065
- java:S2638 is incorrectly applying @Nullable to return types when generics are involved. Thanks @osmundf! SONARJAVA-5918
Thank you again to everyone mentioned—and to those we may have missed—for your ongoing contributions in making this community stronger and helping us improve Sonar products.
If you’d like to give a shout-out to someone, whether a community member or a SonarSourcer who helped you, please do so below. And if there’s someone you think we should acknowledge next week, let us know!
Ann
(she/her)