Hello Community!
We’re wrapping up another week, the last one for me before a week of holidays! But worry not, the Community will be left in very capable hands while I’m out and about. Other than that, this week has seen Sonar at the AI Engineer World’s Fair in San Francisco, where we presented our Sonar Vortex (our agentic tools stack) and SonarQube Remediation Agent solutions. You can read the press release here!
So now, like every week, we’d like to take a moment to recognize you, the users, who help improve the ecosystem for everyone by sparking valuable discussions and providing feedback to drive continuous improvement in our products.
SonarQube for IDE
@Artur_K asked whether SonarQube for IDE could connect from SAP Business Application Studio through the SAP Cloud Connector to an on-premises SonarQube Server, and after some trial and error, came back with a full working recipe, from the BTP destination configuration to the Language Server proxy settings. Thanks for documenting your solution so thoroughly, that’ll save the next person a lot of head-scratching!
SonarQube Cloud
Viewing issues on a file makes it hard to tell which file you’re actually looking at, since the path is truncated in the left panel and only reappears if you scroll all the way to the top, as @Mike_H pointed out. This isn’t the first time this has come up, and we’re folding it into our existing feedback ticket for consideration.
Scanners
A regression in SonarScanner for Gradle 7.2.3 threw a NullPointerException whenever sonar.projectDescription was set, as @j2fxprgee noticed. SCANGRADLE-373 was created as a result, and the fix shipped in the very next scanner release. Thanks for confirming it worked!
Rules & Languages
@Adam_Birem provided a beautifully thorough report showing that PR analysis on SonarQube Cloud loses much of its cache hit rate whenever the CI checkout path differs from the one used for the full analysis. @gtoison confirmed hitting the same wall. It turns out the Dataflow Bug Detection Rules for Java plugin keys its per-file cache entries by absolute file path rather than a relocatable one, so any path change invalidates the cache. Thanks for your patience through a long investigation, we’re on it!
php:S1185 flagged overriding methods that only add an attribute (like #[\Deprecated]) before delegating to the parent implementation, as @homersimpsons reported. Thanks for the detailed reproducer, it made pinning down the fix quick, and it’s already fixed for the upcoming release!
typescript:S7772 suggested the node: protocol for Buffer imports even in client-side code, where the browser-compatible buffer shim is actually the right choice. You’re right that this was a false positive, @codingChewie! JS-1949 was created to track the fix.
CFamily taint analysis crashed with LLVM ERROR: Invalid size request on a scalable vector on every run for a C++20 project built with GCC 15, as @BillHoover reported. Thanks for sharing a reproducer, it helped us improve the analyzer! We’ll let you know as soon as the fix ships to SonarQube Cloud.
javascript:S5906 suggested Jest’s toHaveLength for Jasmine assertions when a project has both Jasmine and a Jest-like dependency installed, as @ej612 pointed out. You’re right that this shouldn’t happen, thanks for the detailed report! JS-1950 was created to fix the mixed-dependency handling.
Thanks again to everyone mentioned here - and to anyone we may have missed - for your ongoing contributions in making this community stronger and helping us improve Sonar products.
If you’d like to give a shout-out to someone, whether a community member or a SonarSourcer who helped you, please do so below. And if there’s someone you think we should acknowledge next week, let us know!