Hey all!
There is never a dull day at Sonar. This week, we announced that Sonar acquired AutoCodeRover, an autonomous AI agent platform for software development. The future is now! We’re excited to welcome the AutoCodeRover team from Singapore into the Sonar family.
But before we get too carried away, let’s get back to what makes this community great: your feedback. Every week, we take a moment to highlight the discussions, reports, and contributions that help us continuously improve. Let’s dive in!
SonarQube Server and SonarQube Community Build:
- In SonarQube 2025.1 LTA we updated how SMTP settings are stored (while also allowing more modern methods of authentication). While doing that, we accidentally stopped supporting the encryption of these properties. Thanks for notifying us @Sam_Anthonisz! We’ll fix and backport this. SONAR-24350
- There seems to be a very rare `NullPointerException` when processing analysis reports on the latest version of SonarQube Server. Thanks @michha! SONAR-24433
SonarQube Cloud:
- Rule URLs on Azure DevOps PR comments are wrong! Thanks @Sidelobe, we’ll fix that ASAP.
- @aperuru was the first to let us know about an issue affecting permissions in SonarQube Cloud (specifically the ability to remove members from an organization, and sync membership with GitHub). This led to us declaring an incident and ultimately fixing the issue. Thanks a lot for the report:
SonarQube for IDE:
- Some users are getting a `Read access is allowed` error when committing changes in IntelliJ. Thanks for the report @sebastianhaeni! SLI-1878
- @jb92 reported an issue where the analyzers that power SonarQube for Visual Studio aren’t loading correctly. There is a workaround and we will look for a real fix with SLVS-1874!
- SonarLint for Visual Studio fails to analyze JavaScript when `javascript:S1451` is enabled. Shoutout to @wrich for making the report that led to this discovery. SLVS-1875
- @trucdg asked a great question about binding multiple projects in a single repo. This is supported in SonarQube for VSCode, but documented nowhere! We’ll fix that.
Rule & Languages Improvements:
- It’s a late thank you, but thanks @ranjithc26 for reporting some issues parsing array literals in Swift. SONARSWIFT-601
- @Skotty reported that `cpp:S886` is raising a false positive – specifically when indexing an array with a variable that has a template argument type. This also affects `cpp:127`. Thanks a lot for taking the time to build a minimal reproducer! CPP-6149
- `java:S1479` wrongly raises an issue on switches when enum types are unknown. Thanks for the report @DarshanLocus! SONARJAVA-5341
- When analyzing C/C++/Objective-C code, the build-wrapper fails on macOS 11.7, as discovered by @hung.bui.opswat. Thanks for the report! We’ll fix and backport this with CPP-6165.
- `cpp:S3584` is not reporting a memory leak when calling `release()` on dereferenced unique pointers. Great catch @aperture. It also inspired a new rule! CPP-6168 and CPP-6169
- `cpp:S6022` should not raise issues when casting `char *` inside a function that takes `char*`. Thanks @torgeir.skogen! CPP-6166
- We should introduce the ability to disable Helm analysis, and also improve logging to help users like @Paul-FC understand what’s going on during analysis. Thanks! SONARIAC-1949 and SONARIAC-1950
- Thanks @hergendy for reporting a false-positive on `csharpsquid:S1121`!
- It was brought to our attention by @yevhenhnes, @vitali.work2, and @BustedChain that our newest Design and Architecture rules can spit out some errors during analysis. Thanks for letting us know! A fix is in progress.
Scanners:
- We thanked @jwfx for reporting an issue with the display of issues last week, and that same thread resulted in another fix identified for SonarQube’s .NET analyzer. Two-for-one!
- The SonarQube GitHub Action isn’t playing well with BusyBox, specifically the implementation of `wget`. Shoutout to @vinayrangaswamy! We’ll look at that with SQSCANGHA-84.
- The SonarQube GitHub Action is also facing some issues with `macos-latest` runners. Thanks @TadashiY. SQSCANGHA-83
- @Wiebke ran into some issues using `sonar.maven.scanAll`, where every file outside `src/main/java` and `/src/main/test` (classified as source and test code respectively) is classified as source code. It makes sense that we document this behavior, so we’re going to! Thanks!
Once more, we extend our thanks to everyone mentioned here - and those we may have missed - for their efforts in strengthening this community and enhancing our Sonar products.
Please leave your own shout-outs below – whether for another community member or a SonarSourcer who assisted you this week. If there’s someone you think should be acknowledged in next week’s roundup, don’t hesitate to let us know.