Sonar Community Roundup, July 26 - August 2

Hello Sonar Community!

It’s been another big week here in the Community, with lots of help and guidance from you, our members, to improve our products and your experience with them.

Yesterday was Swiss National Day, which meant a day off for me (and the entire Geneva office). The day before, we announced that we are launching the new SonarCloud Team and SonarCloud Enterprise plans!

We’re grateful every time you give us feedback, so like every week we want to spend some time acknowledging everyone who prompted interesting discussions and gave us feedback to help us continuously improve.

SonarQube:

• Sometimes the SonarScanner links in the documentation disappear… and hopefully this time we fixed it for good. Thanks for the heads up @maalekianmahan.

• curl is back in the SonarScanner CLI docker image after feedback from @stept!

• The docs for POST api/projects/update_key stated that instance administrators could use the API to update project keys, when in fact they still need to have admin rights on the project. These docs will be fixed. Thanks @GoofyJames!

• Another docs issue – the correct permissions for Gitlab tokens used during authentication were not properly documented. Thanks @kieranc!

• @dalinicus and @Eelco faced an issue with a new version of SonarQube’s Extension for Azure DevOps. A new version of the Scanner for .NET was packaged without support for some analysis parameters used to pass custom trust stores to the scanner. We reverted the change. Thanks for the reports!

SonarCloud:

• After launching our new SonarCloud plans and moving some features around, old paid plans lost access to the Project Management interface. That’s fixed now. Thanks @RobCo for the quick feedback.

• If you asked me how many people use our Azure DevOps Widget, I would have said “not many”. Not so! Shows what I know. It broke after some authentication-related changes. It’s fixed now. Thanks for the reports @eric41, @Mohammed_Al_Akhras, and @MartinPendlebury!

SonarLint:

• SonarLint for IntelliJ is struggling to use C++ compiler from the docker container when running an analysis via the Docker toolchain, as reported by @blas. SLI-1522

• SonarLint for IntelliJ is also throwing a node does not have a parent error when interacting with Security Hotspots. Thanks for the reports @Cothn and @Pavel_D! SLI-1520

• One final SLI issue for the week – a rare TreeUI should be accessed only from EDT issue reported by @tbkonar. SLI-1521

Rule & Language Improvements:

• java:S6813 is only supposed to be applied when Spring is used, but it’s raising FPs on other frameworks like Quarkus. Thanks @duarte.fusco! SONARJAVA-5091

• javascript:S4158 isn’t recognizing logical OR operators, leading to false-positives. Thanks @DamienCassou! JS-258

• python:S4970 shouldn’t raise when usedforsecurity=False. Thanks @patrickrauscher! SONARPY-2038

• java:S6863 is raising false-positives when ResponseEntity#internalServerError() is used as HTTP Response in a catch. Thanks @AviEL! SONARJAVA-5092

• Our PHP analyzer cannot get information about types imported from dependencies, leading to false-positives in rules like php:S100. Thanks for the feedback @Himanshu_Koshti. SONARPHP-1507

• php:s1764 is being raised on exponent operators, which isn’t right. Thanks @Ikau! SONARPHP-1508

Once more, we extend our thanks to everyone mentioned here - and those we may have missed - for their efforts in strengthening this community and enhancing our Sonar products.

Please leave your own recognitions below – whether for another community member or a SonarSourcer who assisted you this week. If there’s someone you think should be acknowledged in next week’s roundup, don’t hesitate to let us know.

@Colin, @ganncamp, and @leith.darawsheh