Hello Sonar Community!
It’s been a (really) big week here in the Community, with lots of help and guidance from you, our members, to improve our products and your experience with them.
We’re grateful every time you give us feedback, so like every week we want to spend some time acknowledging everyone who prompted interesting discussions and gave us feedback to help us continuously improve.
SonarQube:
- @gavina reported some concerns when the Scanner for .NET gave some warnings about inaccessible URLs. These log messages are nothing to worry about, but we might be able to kill the noise anyway. Thanks! SonarSource/sonar-scanner-msbuild #2100
- Thanks to @mmonetha for spotting a typo in our documentation. Fixes are on the way, if not deployed already!
- The SonarScanner for NPM is failing when there’s no `name` in the package.json. Kudos to @fransastre for reporting this. SCANNPM-41
- GET /api/v2/authorizations/groups can’t return a 404, so we shouldn’t document a 404 case in the Web API documentation. Thanks @jensmadsen. We’ll update the documentation with SONAR-22572.
- Thank you @jonesbusy for your feedback on the SonarQube Extension for Jenkins. We agree it’s time to give it some love and improve the UX. SONARJNKNS-377
- When GitHub Group Sync is turned on, adding a new group with the same name as a pre-existing one that was renamed will fail auto-provisioning. Kudos to @murat for spotting this. SONAR-22595
- Authentication seems to be a theme this week. @Lexy_Zhitenev reported that when an unauthenticated user clicks on a PR decoration link, the redirect_to page is lost after authentication. We’ll try to fix this soon. Thanks! SONAR-22571
- SonarQube should match SonarCloud’s behavior and use the head commit of a GitHub PR branch instead of a merge commit when setting `sonar.scm.revision`. Thanks @pcosta! SONAR-22640
SonarCloud:
- A nice story to tell: a few weeks ago, we turned off the Automatic Analysis of “external PRs” (PRs coming from a fork of a repo) because we assumed it wasn’t working at all. It turns out this broke things for a few users (at least @dreamorosi, @mark1011 and @moorec-aws). While investigating this, we finally figured out what we needed to do to properly support the analysis of external PRs and deployed the changes to production! This is very cool, especially for open-source projects that rely on external contributors.
- This great news did result in one follow-up fix being made to properly detect `sonar.scm.revision`. Thanks @marciorgb, @rogerfernandes, and @Florian_Mutter for the report!
Rule & Language Improvements:
- @Karl reported four issues with our PL/SQL analysis that will be taken care of with SONARPLSQL-560, SONARPLSQL-851, SONARPLSQL-852 and SONARPLSQL-850 respectively. Thanks for the reports!
- While affected by one bug (CPP-5472), @stumt helped us identify a logging improvement we can make when C/C++ compiler probes fail. CPP-5502
- `csharpsquid:S3168` isn’t proposing a good compliant solution. We’ve fixed it where it needs fixing, and that fix will propagate the next time we deploy/release our analyzers. Thanks @albanur!
- `vbnet:S5944` should consider that the use of `AddressOf` in a return statement is not an assignment. Thanks @supervos! SonarSource/sonar-dotnet #9553
- `csharpsquid:S5693` should express the `fileUploadSizeLimit` parameter in kilobytes rather than bytes. Thanks Valentijn! SonarSource/sonar-dotnet #9538
- When using Python 3.12 Type Parameter Syntax, we shouldn’t raise a false-positive on `python:S5644`. Thanks for the report @patrickrauscher! SONARPY-2009
- We should improve the documentation for `typescript:S1301` to clarify the behavior when there is no default case. Thanks @christopher-buss! JS-239
- `csharpsquid:S2629` is raising issues when `log4net` is used, but this doesn’t make sense because it has a method to log exceptions directly. Thanks @CrushaKRool! SonarSource/sonar-dotnet #9547
- We should support `java.lang.String.formatted` as a passthrough for `javasecurity:S3649` to avoid false-negatives. Thanks for the great suggestion @S0obi!
- A false-positive is being raised by `cpp:S5425`, as reported by @mtnpke. CPP-5507
- Our JavaScript/TypeScript analyzer is built on top of ESLint, which means that those rules can also be used as a simple ESLint plugin (SonarSource/eslint-plugin-sonarjs). We mistagged an `alpha` release as `latest`, as reported by @mcous. This is now fixed! Thanks! The repo is also moving, by the way.
- A few months ago we changed how Cognitive Complexity is calculated on JavaScript/TypeScript files, and we expected that, as a result of ignoring nested functions and default values, the value would drop on many projects. However, a number of users found the value dropped to 0, which didn’t make sense. Finally we unearthed the root cause. We’ll probably miss thanking a few folks, but shoutout to @fyuryyy, @marcosfad, @Elijah_Taylor-Kuni, and @DerKatsche for all your reports. JS-255
Once more, we extend our thanks to everyone mentioned here - and those we may have missed - for their efforts in strengthening this community and enhancing our Sonar products.
Please leave your own recognitions below – whether for another community member or a SonarSourcer who assisted you this week. If there’s someone you think should be acknowledged in next week’s roundup, don’t hesitate to let us know.
@Colin, @ganncamp, and @leith.darawsheh