Hello Community!
This week, new taint security rules for C and C++ have entered a beta phase! These rules enable the detection of new types of vulnerabilities, based on CWEs. SonarQube Cloud users who are using the Sonar way quality profile can already benefit from them.
So now, like every week, we’d like to take a moment to recognize you, the users, who help improve the ecosystem for everyone by sparking valuable discussions and providing feedback to drive continuous improvement in our products.
SonarQube Cloud
PR decorations were missing for @rufer7’s GitHub-integrated project despite analysis completing successfully. Backend investigation found the SonarQube Cloud GitHub App hadn’t been granted access to the specific repository, and adding it fixed the issue. Thanks for the patient debugging, @rufer7, and for spotting the confusing App name!
@smassouras, @mmz, @marcelbeeker, and @unipin-delvinlimanto let us know that SonarQube Cloud analysis tasks were failing. It turned out to be an incident, which was resolved on June 8. All analyses are now running normally, and it was thanks to you that we were able to catch this!
A June 5 incident on SonarQube Cloud caused analyses to fail with Illegal char <*> at index 0 when file exclusion patterns starting with ** were used. @Adrie, @hvabbema, and @bd2024 flagged it quickly, and we rolled back the change. Thanks for the rapid reports!
SonarQube Server / Community Build
@Josue_A_de_Lima followed up on the recurring SonarQube Community Build source-build failures, confirming the build was still broken. We addressed the remaining missing dependencies and the build is now working. Many thanks for the bump!
@magyarimiki let us know that v26.6 still didn’t include the fix for the quality-profile dropdown rendering behind the modal on Community Build. The fix was merged after the v26.6 build cutoff and will ship with v26.7, planned for July 6. Thanks for checking!
Scanners
SonarScanner CLI 8.0.1.6346 ships with outdated Rust clippy lint names that have since been renamed or removed in clippy 0.1.93, causing the Clippy sensor to fail. @Supernabla reported this and a fix is in flight. Nice catch!
Rules & Languages
Web:S7930 raises a false positive on PHTML templates where the same id is used in mutually exclusive if/else branches. Since only one branch renders at runtime, no duplicate ID can exist. @yogesh-encora spotted this. SONARHTML-390 was created as a result.
@yogesh-encora also reported that Web:S6827 fires on anchors using PHP short echo syntax <?= $var ?> but not on the semantically equivalent <?php echo $var; ?>. SONARHTML-390 will also fix this.
@lrozenblyum reported that java:S7467 suggests replacing a used catch variable with the unnamed pattern _, even when the variable is actively used in the catch body, specifically when Lombok @Getter is present and JDK 25 is used. Here goes SONARJAVA-6455!
Thanks again to everyone mentioned here - and to anyone we may have missed - for your ongoing contributions in making this community stronger and helping us improve Sonar products.
If you’d like to give a shout-out to someone, whether a community member or a SonarSourcer who helped you, please do so below. And if there’s someone you think we should acknowledge next week, let us know!