Hello Sonar Community!
It’s been a busy two weeks. Last week, all of Sonar went to Disneyland Paris to kick off the year with our annual offsite. There were many meetings, presentations, and team-building activities, but we also got to spend an afternoon in the park!
This week has included us playing a lot of catchup and launching SonarQube Server 2025.1 LTA! Yes, we’ve changed how we name our SonarQube Server releases and also the frequency with which LTA versions are released.
For those of you who are planning an upgrade, we hope it’s smooth sailing. Please don’t hesitate to report any issues to us.
So let’s return to our regularly scheduled updates. We’re grateful for the feedback we’ve gotten this week, and for every time you give us feedback. So like every week we want to spend some time acknowledging everyone who prompted interesting discussions and gave us feedback to help us continuously improve.
SonarQube Server & SonarQube Community Build:
- SCIM keeps things in sync between SonarQube and an Identity Provider (like Okta, Microsoft Entra). However, it requires two-way communication between SonarQube and the IDP. To make it easier for users who host an on-prem SonarQube Server, we’ll add a note to Okta Provisioning Agents in our SCIM docs. Thanks @sameersondur!
- SonarQube can now run in two different modes: Standard Experience and Multi-Quality Rule (MQR) Mode. @guwirth asked how this is handled by custom plugins, and we will update our documentation to make this more clear. Thanks!
- @Sam_Anthonisz appears to be an early adopter of GitHub Apps for Enterprises and found a bug while trying to use a single GitHub application to integrate with multiple private GitHub organizations. He reported it to GitHub. Thanks for being so diligent!
SonarQube for IDE:
- Users should be able to put the SonarQube for Visual Studio menu in the top-level menu if they so wish. I guess we were getting in the way of letting users do that. Sorry about that @bryanfarrell-msci! SLVS-1777
- eslint-plugin-sonarjs should not pin fixed dependency versions, but rather use ranges. Thanks for the callout @attekemppila. ESLINTJS-69
- Large Java projects are using a lot of CPU in SonarQube for VSCode. We’ve created a ticket to investigate this after a report from @anar-ibragimoff. Thanks! SLVSCODE-1000
Rule & Languages improvements:
- Using the Angular `[attr.aria-checked]` should prevent `web:S6807` from being raised. Unfortunately, it’s not working that way. Thanks for the report @msc-ddiaz! SONARHTML-288
- Razor expressions in `.cshtml` files should be treated as dynamic values. If the expression can convert a value to an integer, we shouldn’t raise `web:S6793` on that expression to say it must be an integer! Thanks @Mikaciu. The PR is already merged and the fix will be in the next release. SONARHTML-286
- `javaarchitecture:S7027` is triggering on a sealed class and its implementation, which is not at all the desired behavior of a rule to detect circular dependencies between classes. Thanks @TunaIII!
- `cpp:S1271` is raising a false-positive on non-type template parameters. Thanks for the report @Michael1! CPP-6070
- `<wbr>`, like `<br>`, is not required to have an end tag. However, instances of `<wbr>` are currently triggering false-positives of `Web:UnclosedTagCheck`. Thanks for telling us @KsaR99! SONARHTML-284
- `javascript:S2819` is crashing in certain situations involving an OR expression. Thanks @Shuanghong_Wang! ESLINTJS-67
Scanners:
- `sonar.maven.scanAll` is working when set as a command-line parameter (`-Dsonar.maven.scanAll=true`) but not when set in the pom.xml of a Maven project. Thanks for the report @lbornov2paymentology! SCANMAVEN-259
- The latest version of the SonarScanner CLI is crashing on trying to access keystores with no passwords. This seems to particularly affect the latest versions of Java (newer than Java 17). SCANJLIB-256 will fix this. Thanks @Patrick_Steiner, @jonesbusy, and @Kay_Odole!
- The Scanner for .NET is not handling double quotes well, like when `/d:sonar.pullrequest.base="develop"` is used. `"develop"` is getting passed literally to the rest of the scan, which causes issues when detecting new code. Thanks for the report @mkoziel2000! SCAN4NET-204
Once more, we extend our thanks to everyone mentioned here - and those we may have missed - for their efforts in strengthening this community and enhancing our Sonar products.
Please leave your own shout-outs below – whether for another community member or a SonarSourcer who assisted you this week. If there’s someone you think should be acknowledged in next week’s roundup, don’t hesitate to let us know.