Hello Community!
This week, we very proudly announced that SonarQube CLI is generally available! SonarQube CLI 1.0 brings some new features that improve the user experience, and it also brings the confidence that this product is ready to end its beta phase and be considered GA. If you want your AI agent to tap into agent-oriented SonarQube features, SonarQube CLI is for you!
So now, like every week, we’d like to take a moment to recognize you, the users, who help improve the ecosystem for everyone by sparking valuable discussions and providing feedback to drive continuous improvement in our products.
SonarQube Cloud
@pconnor pointed out that the SCA V2 API had no documented endpoint to update risk status for licenses and vulnerabilities, making it painful to keep long-lived branches in sync with main without manual sign-offs. The endpoints already existed as an internal API, and thanks to this nudge, we’ve now published them in the public API docs.
Rules & Languages
typescript:S5693 kept firing on @Mauro-Domingues’s code even though the content-length limits were defined correctly in the parent object rather than inside the storage property the rule was examining. You’re right, it’s a false positive, and a fix will roll out with upcoming releases. @Mauro-Domingues’s first contribution to the Community is already making an impact, and we love to see it.
@kckmzx noticed that the env approach suggested by azurepipelines:S8263 doesn’t work for PowerShellOnTargetMachines@3, because the environment variables don’t cross to the remote machine. For remote tasks like this, an allowlist of permitted values is the right workaround. Looking closer, we also spotted that the template file in question used hard-coded values all along, making the issue a false positive. A fix for that is in the works too, thanks for digging into this!
eslint-plugin-sonarjs hadn’t seen a new release in several months, and @lukpsaxo let us know. Thanks for the nudge! Version 4.1.0 has since been released, and we’re looking into automating future releases so this doesn’t slip again.
javascript:S7766 flags a ternary expression comparing Date objects as replaceable with Math.max. @obones spotted that following the suggestion would introduce type errors, since Math.max doesn’t accept Date arguments. You’re right, this is a false positive, and a fix is in the works.
Thanks again to everyone mentioned here - and to anyone we may have missed - for your ongoing contributions in making this community stronger and helping us improve Sonar products.
If you’d like to give a shout-out to someone, whether a community member or a SonarSourcer who helped you, please do so below. And if there’s someone you think we should acknowledge next week, let us know!