Hey all!
Is February coming to a close already? That’s hard to believe.
As always, we are grateful for the feedback we’ve gotten this week, and for every time you give us feedback. So like every week, we want to spend some time acknowledging everyone who prompted interesting discussions and gave us feedback to help us continuously improve.
SonarQube Server and SonarQube Community Build:
- Shoutout to @govenny for reporting an issue with scrolling within the global search bar on SonarQube Server. Check out my gif to see how wonky it really is! Thanks to this report, we have created ECHOES-634.
- There is a problem viewing Security Reports on SonarQube Server v2025.1 LTA when using an Oracle database. Thanks @CMM and @arbnp – this will be backported! SONAR-24436
- Starting in SonarQube v10.6, there’s a default password policy on local accounts. Our docs made it sound like this is configurable, which isn’t the case. We’ll update this. Thanks @mihyun!
- AI CodeFix is a cool feature that not all organizations are ready to adopt. While it’s already possible to turn this off at an instance level using `sonar.ai.codefix.hidden=true` in your `conf/sonar.properties` file, we ought to make this configurable via environment variable as well. Great catch @tomkuipers. SONAR-24449
- @daniel pointed out that our documentation on SonarQube Active Versions doesn’t use the new versioning scheme. We’re fixing that. Thanks!
SonarQube Cloud:
- @stefan-vc was having trouble migrating his CI-based analysis to Automatic Analysis. While the root cause was some misconfigured issue exclusions, it revealed a big issue with our Analysis Status service. We’ve fixed that up – thanks for the report!
- @ojormamatta and @casper.lotter both reported that despite having Execute Analysis permissions on their organization, they were not treated as such when trying to view empty projects (and follow the analysis tutorial). Thanks for this report! This should get fixed next week.
SonarQube for IDE:
- Some Eclipse users are receiving a `ConcurrentModificationException`, like @franhb, @manfrede, @Yigal_Spinner and @thedailycommute. Thanks to these reports we’ve identified the root cause and will fix it soon with SLCORE-1191!
Rule & Languages Improvements:
- Detecting commented-out code can be challenging because analyzing human intent often results in false positives. However, we can enhance the heuristic for rules like `cpp:S125` by introducing an exception for comments that start with `MARK:`, as is common among Xcode users to structure their code. Thanks for the suggestion @Sidelobe! CPP-6174
- @Jens_Hauser proposed some new rules to help developers use `java.time.Instant`! We’ll look into them with SONARJAVA-5359 and SONARJAVA-5360.
- Merci @SebG for reporting a PL/SQL parsing issue on `is json` syntax. It’s in the backlog.
- @Oodini would like to see very fine-grain naming convention rules for C/C++. We’ve thought about this as well and will keep recording traction in CPP-3749.
- Thanks to @fishnet37222, @voidpointer, and @Balfa for pushing for an exception to `csharpsquid:S3626` when a return statement precedes a local function. Now we’re in agreement! Ticket created.
- Thanks @hao2 for pointing out a mistake in our documentation for Java test coverage. We will correct it.
- Back in the fall (sorry!), @whiterabbit99 reported an issue analyzing some JavaScript code. This was a third-party library that should be excluded from analysis anyway, but it revealed a bug in our analyzer and TypeScript itself! We’ve raised an issue (microsoft/Typescript #61314) and will track the fix at JS-585.
- `java:S2259` is a usual suspect for false-positives, and we’ve received a new report from @Alain_Picard. Keep ‘em coming. SONARJAVA-5361
- When there’s not enough memory available to run analysis of JavaScript/TypeScript code, a rather unhelpful `java.lang.IllegalStateException: The bridge server is unresponsive` message is emitted. We’re going to make this message more explicit. Thanks for posting your issue @joseph.gagnon! JS-588
- `java:S1206` states that `equals()` and `hashCode()` should be overridden in pairs. It is not true. Yes, if you modify `equals()` you should override `hashCode()`, but if you override `hashCode()` you don’t necessarily need to override `equals()`. Thanks for helping us see this @Jeff_Hain! SONARJAVA-5373
Scanners:
- Thanks @droos_rdw for pointing out that the SonarQube Extensions for Azure DevOps don’t support a Node 20 executor. Shouldn’t be tough to do once we get around to it! In the meantime, there’s a workaround documented in SONARAZDO-452.
Once more, we extend our thanks to everyone mentioned here - and those we may have missed - for their efforts in strengthening this community and enhancing our Sonar products.
Please leave your own shout-outs below – whether for another community member or a SonarSourcer who assisted you this week. If there’s someone you think should be acknowledged in next week’s roundup, don’t hesitate to let us know.