Sonar Community Roundup; Jan 10 - 23, 2026

Hi all,

We had our annual company off-site last week. We’re all energized and ready for the year now. Watch this space for cool stuff to come! :tada:

And now, like every week (or two), we’d like to take a moment to recognize you, the users, who help improve the ecosystem for everyone by sparking valuable discussions and providing feedback to drive continuous improvement in our products.

SonarQube MCP Server

SonarQube for IDE:

  • @Lrozenblyum pointed out that our link in SonarQube for Eclipse to information on reusing the binding configuration is 404. Thanks! We’ll get it fixed.

SonarQube Cloud:

  • When the PAT you’ve set in your SonarQube Cloud project expires (for whatever reason), full analysis will still work - it relies on the PAT set at organization level - but PR analysis fails with “Could not find the pull request with key xxx”. Unfortunately, the logs aren’t terribly helpful in this situation. That’s been the case for a while, but it was @kricer (1) and @remyguillaume (2) who finally prompted us to put it in the list to fix. Thanks, y’all!

  • An update to the Go analyzer meant that it suddenly stopped importing coverage for some users. The reports from @Gilthoniel, @radykal-com, and @Nathaniel_Ritholtz were instrumental in a quick rollback. And @ninja-shreyash’s investigations were very helpful as well. The real fix is already in progress.

  • @piotr-ziegler let us know back in December that automatic analysis was failing for his project. It was probably because of colons in file paths, and it’s fixed now. Sorry for the delay.

SonarQube Server / SonarQube Community Build:

  • @Wiebke’s using the Standard Experience in 2025.6.1, so he found it a bit odd that MQR-mode severities were displayed on his issues. We agree! SONAR-26915

  • With 26.1, @hostalp’s tmp directory slowly got larger and larger, until he ran out of disk space. It turns out that we were deleting the files in code, but they weren’t being erased from the file system until the JVM was stopped. It was a great find, and SONAR-26918 will be fixed in the next releases.

Rules & Languages Improvements:

  • @MisterPi made the excellent point that the “compliant” solution for one rule shouldn’t violate other rules. We’ll get java:S122 fixed. SONARJAVA-5955

  • @milbrandt found a false positive on csharpsquid:S3063 with StringBuilder use. We’re on it.

  • csharpsquid:S1172 doesn’t understand that parameters used in inline methods are actually used. Thanks @Corniel. We’ll get it fixed.

  • @Valentijn hit an erroneous version error when he tried to upgrade the SonarAnalyzer.CSharp NuGet package. That’s because our current mechanism is to allow-list compatible versions, rather than ban-listing known incompatible versions. And obviously the list hasn’t been updated recently enough. We’ll flip the mechanism for the next update.

  • @neodobby reported false positives in S3735 on union types containing Promise or undefined. Thanks! JS-1135

  • It was already in our backlog, but @Trisibo’s false positive report is another vote for prioritizing the fix of csharpsquid:S1854. Thanks!

  • Not using parentheses (()) on a SHA1.Create call is common practice, but it meant that csharpsquid:S4790 didn’t raise a Security Hotspot when it should have for @Footed. We’re on it.

  • @LarsSt says plsql:VariableInPackageSpecificationCheck makes sense for package-level variables or collections, but thinks cursor signatures should be treated like packaged functions/procedures and not be reported. We’re tracking the issue.

  • With the recent ground-up rewrite of the Swift analyzer, @LewisOxbury noticed a large jump in false positives from swift:S2962 and swift:S4144. It should be fixed next week.

  • @GregorRutaAIBob and @jilles-sg pointed out that C#10 means an easier fix for csharpsquid:S3093 issues. We’re going to update the rule description for the new syntax.

  • @JackWhelpton reported that java:S6856 doesn’t understand Spring’s @BindParam annotation, and is raising false positives on template variables bound that way. SONARJAVA-5975

  • When @jreimone switched from Jest to Vitest they started seeing analysis log warnings about failing to load node:os. After investigation, we found that in the end there’s no impact on the analysis, but we’re going to fix the underlying problem to ensure a much cleaner, noise-free experience.

Thanks again to everyone mentioned here - and to anyone we may have missed - for your ongoing contributions in making this community stronger and helping us improve Sonar products.

If you’d like to give a shout-out to someone, whether a community member or a SonarSourcer who helped you, please do so below. And if there’s someone you think we should acknowledge next week, let us know!

 
Ann
