Hi all,
I don’t know about you, but where I am, it’s really summer. Hopefully you’re keeping cool and staying healthy. Don’t forget to hydrate!
In the meantime, as always, we want to take a moment to recognize everyone who sparked interesting discussions and gave us valuable feedback to drive continuous improvement.
SonarQube for IDE:
- @tiller gave us a twofer. First, he reported UI freezes after upgrading Eclipse. We got that fixed by moving computation to a background thread. But then there was a new freeze when triggering analysis from the context menu. We’ll fix that one with SLE-1214. Thanks for sticking with us!
SonarQube Cloud:
- @lrozenblyum reported an ‘access denied’ popup when they used the browser back button to return to a project’s list of branches. Thanks! We’ll get it fixed (it might already be fixed).
- @marjoh and @jhalejandro had trouble validating a SonarQube Cloud token in Azure DevOps. Sorry about that. SONARAZDO-475
- The new MCP server wouldn’t build initially with Java 24. Thanks @rufer7. It’s fixed.
- @ahofland and @EdwinBuynamics encountered a NullPointerException during analysis which caused pipeline failures. We ultimately found that the issue came from rekeying a rule (related to this announcement). Now we know for next time and can prevent it from happening again! Thanks for the reports.
Rule & Language Improvements:
- Even when `array_map` was configured as a sanitizer, @inuitakeshi found that an injection issue was still raised on its use. Thanks for the report. We’re on it.
- @Lukas_R pointed out that even when he explicitly specified the `PATH` for the command, `typescript:S4036` still told him to ‘Make sure the “PATH” used to find this command included only what you intend’. Doh! We’re going to make the rule a lot clearer.
- Our ESLint plugin depends on `lodash.merge` without explicitly declaring it. Thanks @Brendan_Mulholland. ESLINTJS-74
- Meanwhile, a recent update of that plugin dropped the `no-invalid-await` rule without mentioning that in the changelog. Sorry for the confusion @ronky_mobi. We’ve updated the changelog to recommend `@typescript-eslint/await-thenable` instead.
- `cpp:S994` expects you to specify `const` both before and after a `float_t` pointer, even when you use array syntax to specify it. Thanks @Oodini. We’ll fix it with CPP-6605
- @HBoskugelS reported that rule `csharpsquid:S3885` incorrectly flags Assembly.LoadFrom usage inside AssemblyResolve event handlers, where it’s actually the recommended approach according to Microsoft documentation. We’ve added a ticket to fix this.
- @parkulon discovered that rule `c:S1862` incorrectly flags repeated conditions as dead code when variables are modified through function parameters between comparisons. The team confirmed this false positive and created CPP-6611 to track the fix!
- A few weeks ago we tried to deploy a new version of security analysis for Javascript/Typescript that was, in some cases, a lot slower. Thanks to @ms1111 we were able to find one specific performance degradation when promise chains are used. Thanks for sharing a reproducer! A fix has already been deployed.
Scanners:
- Back in January, @umpaduncdude noticed that the name of the SonarScanner CLI for Linux zip has a different name than the folder it expands into. It took us a while, but we’re finally on the case. SCANCLI-185
- We’re grateful to @MarcinJ for his discovery of an ugly little bug that kept the analysis cache from being successfully hit when there were upper case letters in the path to the `sonar.projectBaseDir`. It’ll be fixed in the next release!
Thank you again to everyone mentioned—and to those we may have missed—for your ongoing contributions in making this community stronger and helping us improve Sonar products.
If you’d like to give a shout-out to someone, whether a community member or a SonarSourcer who helped you, please do so below. And if there’s someone you think we should acknowledge next week, let us know!
Ann