Sonar Community Roundup, June 21 - June 27

Hi all,

I don’t know about you, but where I am, it’s really summer. :melting_face: Hopefully you’re keeping cool and staying healthy. Don’t forget to hydrate!

In the meantime, as always, we want to take a moment to recognize everyone who sparked interesting discussions and gave us valuable feedback to drive continuous improvement.

SonarQube for IDE:

  • @tiller gave us a twofer. First, he reported UI freezes after upgrading Eclipse. We got that fixed by moving computation to a background thread. But then there was a new freeze when triggering analysis from the context menu. We’ll fix that one with SLE-1214. Thanks for sticking with us! :sweat_smile:

SonarQube Cloud:

Rule & Language Improvements:

  • Even when array_map was configured as a sanitizer, @inuitakeshi found that an injection issue was still raised on its use. Thanks for the report. We’re on it.

  • @Lukas_R pointed out that even when he explicitly specified the PATH for the command, typescript:S4036 still told him to ‘Make sure the “PATH” used to find this command included only what you intend’. Doh! We’re going to make the rule a lot clearer.

  • Our ESLint plugin depends on lodash.merge without explicitly declaring it. Thanks @Brendan_Mulholland. ESLINTJS-74

  • Meanwhile, a recent update of that plugin dropped the no-invalid-await rule without mentioning that in the changelog. Sorry for the confusion @ronky_mobi. We’ve updated the changelog to recommend @typescript-eslint/await-thenable instead.

  • cpp:S994 expects you to specify const both before and after a float_t pointer, even when you use array syntax to specify it. Thanks @Oodini. We’ll fix it with CPP-6605.

  • @HBoskugelS reported that rule csharpsquid:S3885 incorrectly flags Assembly.LoadFrom usage inside AssemblyResolve event handlers, where it’s actually the recommended approach according to Microsoft documentation. We’ve added a ticket to fix this.

  • @parkulon discovered that rule c:S1862 incorrectly flags repeated conditions as dead code when variables are modified through function parameters between comparisons. The team confirmed this false positive and created CPP-6611 to track the fix!

  • A few weeks ago we tried to deploy a new version of security analysis for JavaScript/TypeScript that was, in some cases, a lot slower. Thanks to @ms1111 we were able to find one specific performance degradation when promise chains are used. Thanks for sharing a reproducer! A fix has already been deployed.

Scanners:

  • Back in January, @umpaduncdude noticed that the SonarScanner CLI for Linux zip file has a different name than the folder it expands into. It took us a while, :sweat_smile: but we’re finally on the case. SCANCLI-185

  • We’re grateful to @MarcinJ for his discovery of an ugly little bug that kept the analysis cache from being successfully hit when there were upper case letters in the path to the sonar.projectBaseDir. :flushed_face: It’ll be fixed in the next release!

Thank you again to everyone mentioned—and to those we may have missed—for your ongoing contributions in making this community stronger and helping us improve Sonar products.

If you’d like to give a shout-out to someone, whether a community member or a SonarSourcer who helped you, please do so below. And if there’s someone you think we should acknowledge next week, let us know!

Ann

4 Likes
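A constructed illustration of the c:S1862 false positive mentioned in the roundup, added here as an example; it is not the reporter's reproducer and not code from Sonar. The helper `next_token` and the `classify_*` functions are hypothetical. The first function shows two `if`/`else if` conditions that read identically but are not redundant, because the compared variable is modified through a pointer parameter by the call inside each condition; the second shows the genuinely dead branch the rule is meant to catch.

```c
#include <stdio.h>

/* Hypothetical helper: returns the token at *pos and advances *pos,
   i.e. it modifies the caller's variable through a parameter. */
static int next_token(const int *tokens, int *pos)
{
    return tokens[(*pos)++];
}

/* Both conditions read `next_token(tokens, &pos) == 1`, but each call
   advances pos, so the second comparison inspects a different token.
   Returns 1 if the first token is 1, 2 if only the second is 1, 0 otherwise.
   Flagging the else-if as dead here would be a false positive. */
int classify_with_side_effect(const int *tokens)
{
    int pos = 0;
    if (next_token(tokens, &pos) == 1) {
        return 1;
    } else if (next_token(tokens, &pos) == 1) { /* reachable: pos changed */
        return 2;
    }
    return 0;
}

/* Contrast: the same shape with no intervening modification. The second
   branch can never be reached, which is the case S1862 exists to report.
   Returns 1 when the first token is 1, 0 otherwise; never 2. */
int classify_truly_redundant(const int *tokens)
{
    int first = tokens[0];
    if (first == 1) {
        return 1;
    } else if (first == 1) { /* genuinely dead: same value re-tested */
        return 2;
    }
    return 0;
}

int main(void)
{
    const int a[] = {1, 0}; /* constructed sample input */
    const int b[] = {0, 1};
    const int c[] = {0, 0};
    printf("side effect {1,0}: %d\n", classify_with_side_effect(a)); /* 1 */
    printf("side effect {0,1}: %d\n", classify_with_side_effect(b)); /* 2 */
    printf("side effect {0,0}: %d\n", classify_with_side_effect(c)); /* 0 */
    printf("redundant   {0,1}: %d\n", classify_truly_redundant(b));  /* 0 */
    return 0;
}
```

The point for anyone triaging such a finding: a duplicate-condition check is only sound when the analyzer can prove nothing between the two evaluations writes to the operands, and a write through a pointer argument is exactly the kind of aliasing that breaks that proof.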