Happy Valentine’s Day, Sonar Community!
We love the feedback we receive every week! This week is no exception, so as always, we want to take a moment to acknowledge everyone who sparked interesting discussions and provided valuable feedback to help us improve.
SonarQube Server / SonarQube Community Build:
- @priyabelhekar and @FredericSouchon let us know that the community-supported sonar-auth-oidc plugin isn’t working on the newest version of SonarQube, meaning it’s time to break the compatibility in the plugin version matrix. Thanks!
- When an issue’s start and end lines/columns are identical, SonarQube incorrectly displays it as a file-level issue. Thanks for the report and very helpful reproducer @jwfx! SONAR-24333
- While investigating @april.g’s question, we discovered an entire category of Webhooks that weren’t documented. We’ll get the docs updated—thank you!
- While assisting @Bipin23, we noticed the PDF reports documentation wasn’t clear about which editions support this feature. That’s now fixed–thanks!
- Kudos to @oumayma for being the first to bring to our attention that SAML authentication now requires sonar.core.serverBaseURL to be configured. This is a good practice anyway, and we will update the documentation.
SonarQube Cloud:
- SonarQube is licensed by Lines of Code, which means that the largest branch of each project determines your license usage. Thanks to @asd_asdasd, we discovered a bug in which if a project has only one branch and that branch stops containing any lines of code, those lines of code are not “returned” to the Lines of Code available. We will address this issue!
SonarQube for IDE:
- In IntelliJ, SonarQube for IDE is raising a lot of false-positives on partial razor classes. That’s no good! We want to kill the noise. Thanks for the report @Vince.scholt! SLI-1862
- We’d like to give a big shoutout to @Michael_Sendow for working with us to debug Connected Mode in SonarQube for Visual Studio when there is a corporate proxy configured. Michael responded to all our questions, tried all the custom builds that we provided, and talked with multiple SonarSourcers. The result? SLVS-1840, which will be useful for many users! Thanks again.
Rules & Languages:
- @Oodini ran into a case where fixing an issue on one rule (cpp:S886) resulted in another rule (cpp:S1227) raising issues. The result? After some internal discussion we’re going to “refactor by subtraction” and deprecate cpp:S1227 (and its C# equivalent). Thanks! CPP-6131
- When probing the compiler during C/C++ analysis, some compilers like GCC and QNX don’t accept the option -stdlib libc++ unless there’s a double dash and an equal sign (--stdlib=libc++). This leads to a failed compiler probe and failed analysis. Thanks @iusman995 for the report and thanks especially to @klaus.holst.jacobsen for his investigation. We’ll fix that up with CPP-6133.
- csharpsquid:S2183 ensures that bit shifting is sensible (no shifts by zero, for example) but doesn’t trigger on enums, as reported by @Trisibo. Thanks for the report; we’ll fix this false negative!
- Shoutout to @richardshephard1 for finding another attribute that should be recognized by typescript:S6747. mask-type has been added to JS-23!
- csharpsquid:S2333 and SonarQube’s C# analysis overall don’t currently support pre-processor directives. Thanks for the report, @Corniel. We expect to tackle this as part of a broader effort to support pre-processor directives.
- @Corniel will show up on the list a few times today. He also suggested that we update the rule description for javascript:S6553 to make crystal-clear some JavaScript-specific regex behavior that should not be duplicated in other languages. JS-559
- @Corniel, continuing to explore the world of RegEx, brought to our attention that typescript:S6324 ought to consider [^\x00-\x7F] as an exception. We agree. ESLINTJS-71
- And finally, @Corniel suggested a new rule to prefer slice() over substring(). We need to weigh whether it would be too noisy, but we agree it’s a good practice! JS-560
- java:S1171 is raising false-positives on anonymous classes. Thanks for the report @dandoy! SONARJAVA-5340
- Thanks @praveenv for contributing two rule ideas for ASP.NET analysis!
- After a report from @betorvs, we think it makes sense to add the /contrib/ folder to the default exclusions for JavaScript/TypeScript analysis. JS-558
- @tab encountered two very similar pieces of code that should have been raising the same security issues. It turns out that a slightly different import resulted in a false-negative. This is an important find and a fix is already in progress!
- Thanks @coodercl for posting about a false-negative for java:S2259: when a method is called on a member of an object, the rule does not check whether that method may return null. SONARJAVA-5337
Scanners:
- The Docker image sonarsource/sonar-scanner-cli:11.2.0.1836_7.0.1 introduced a bug that caused analysis to fail when token-based authentication was used against older (but still active) versions of SonarQube. Thanks for the reports, @lifeofguenter, @0xThanatos, and @adrai! This was fixed by SCANJLIB-262, and 11.2.1.1844_7.0.2 has already been pushed with the fix.
Once more, we extend a big thank you to everyone mentioned here (and those we may have missed) for strengthening our community and improving Sonar products.
Please leave your own shout-outs below – whether for another community member or a SonarSourcer who assisted you this week. If there’s someone you think should be acknowledged in next week’s roundup, don’t hesitate to let us know.
Colin