Hi all,
The daffodils are in full bloom where I live and I spotted a bunny 
on my morning walk just today. It’s not time to put the sweaters away yet, but it seems that Spring is on the way. I write that with mixed feelings since I should probably get out and do some work in the yard 
but my chair is very comfy. 
Meanwhile, today’s roundup proves that you don’t have to be outside to be productive. 
So now, like every week, we’d like to take a moment to recognize you, the users, who help improve the ecosystem for everyone by sparking valuable discussions and providing feedback to drive continuous improvement in our products.
SonarQube Cloud:
- @Rodrigo_Fernandez, @boftobbe, @keesschollaart, @Filip-stolt, and @manuel-valino hit a login loop (1),(2) wrongly caused by an expired Azure DevOps token. @boftobbe posted a workaround
and it has since been fixed. Thanks, all!
SonarQube Server / SonarQube Community Build:
-
With the release of 2026.1 LTA, we forgot to update the table showing the API version. Thanks @guwirth! We’re going to update the release procedure to make sure that gets done in the future.
-
@Remi_Yusuf had questions about the Maintainability ratings of new versus overall code. That made us realize the docs aren’t as clear as they could be, so we’re going to update them.
-
SonarQube only processes
code_scanning_alertevents from its GitHub app. All the other events get a404response. @murat pointed out that that makes it look like something is broken even when it’s not. Sorry about that! We’re going to change the response codes for those other events to200. -
@amoriki was kind enough to point out a typo they noticed in the docs. We’ve fixed it.
-
We’re also going to update the docs with a note about build agents after @milbrandt’s report of a lengthy analysis duration boiled down to poor performance on the zip step depending on the build agent hardware and network storage. Great find!
-
@FNK and @Thomas.Beck noticed that the security categories don’t load properly in the Issues page Security Category facet after upgrading to 26.1. We’re on it!
Scanners:
- SonarScanner for Maven picks up a default
sonar.projectNamevalue from your project. @Ana_B learned the hard way that the SonarScanner for NPM does too. Sorry for the confusion. We’re going to update the docs to reflect that, and check the other scanners as well.
Rules & Languages Improvements:
-
Quickfixes are awesome… When they actually fix the issue.
@gquerret pointed out that the one for java:S1612doesn’t, though. We’re on it! -
@Philipp_Paland and @sleberknight think the initial implementation of
java:S8445is too noisy. We agree. SONARJAVA-6146
-
@ivandalbosco’s clear report and reproducer of problems in
web:UnclosedTagCheckled to not one but two fixes to improvetwigsupport. PR#591, PR#589
-
csharpsquid:S3626is supposed to raise an issue on redundant jump statements, but @Corniel pointed out that the C# 9is notsyntax throws it off, resulting in false positives. In fact, there are several rules impacted by the syntax, and we’re gonna fix all of them!
-
csharpsquid:S2930raises a false positive when aprivatefield is disposed with an explicitIDisposablecast. Thanks @HamsterExAstris! We’re on it! -
Particular thanks go to @patrik.jetzer for his patience and persistence in reporting a false positive in
java:S2077, which falsely raises a Security Hotspot in cases where parameters to SQL statement construction are effectively constant (although not declared as such.) SONARJAVA-6158 -
Another persistence award goes to @Dykam who came back to a dormant thread with a new analysis of how
defineEmitsuses call signatures that finally made us see the light about a false positive raised bytypescript:S6598. Thanks! JS-1381
Thanks again to everyone mentioned here - and to anyone we may have missed - for your ongoing contributions in making this community stronger and helping us improve Sonar products.
If you’d like to give a shout-out to someone, whether a community member or a SonarSourcer who helped you, please do so below. And if there’s someone you think we should acknowledge next week, let us know!
Ann