Hi all!
You may have seen a couple of changes to the styling in our Community. We want to make sure we look a bit more like the refresh of http://sonar.com! If you notice anything that doesn’t seem right (especially in our dark mode, where we took a lot of inspiration from SonarQube Cloud’s dark mode), please let us know.
As always, we are grateful for the feedback we’ve gotten this week, and for every time you give us feedback. So like every week, we want to spend some time acknowledging everyone who prompted interesting discussions and gave us feedback to help us continuously improve.
Scanners:
- The `SonarQubePublish` task of the Extension for Azure DevOps doesn’t work with an analysis token, only a user token. That rather defeats the purpose of an analysis token. Thanks @michha and @jbims! SONARAZDO-457
Rule & Languages Improvements:
- `cpp:S1578` raises many false positives in SonarQube for IDE and should be disabled in that context. Thanks, @Oodini. CPP-6266
- @Oodini opened a discussion about `cpp:S5827`. As a result, we will consider adding a second quick fix for this rule that, when possible, does not use `auto`. CPP-6238
- Thank you, @Corniel, for reporting a false negative with `csharpsquid:S1905`, where casts can be further simplified using number suffixes!
- Our C# SQL injection detection will be updated to support DbSet/CosmosQueryableExtensions, following a false-negative report from @Fatih_Emre_Demirbas. Thank you!
- Our detection of generated code in Java should support the annotation packages that have been migrated from `javax.annotation` to `jakarta.annotation`. Great catch, @renoth. SONARJAVA-5404
- @Jeff_Hain really dug into the rule description for `java:S5977` and showed us how it can be improved. We agree, and thank you for taking the time to do this. SONARJAVA-5410
- Should TypeScript developers prefer the `private` keyword or prefixing a method with `#`? There’s probably a right answer, but we’re not sure yet. Thanks for triggering the discussion, @Corniel. If we arrive at a consensus, a rule will be implemented as part of JS-646.
- Thank you, @reda-alaoui, for giving us another example to add to SONARJAVA-5402!
- @pmaieref clued us into the fact that the underlying ECJ (Eclipse Compiler for Java) that powers our Java analysis contains a bug. We’re on it. Thanks!
- @stmllr found some Python code that crashes analysis with a `StackOverflowError`. We can reproduce it, so of course we’ll fix it! Thanks for the report.
- Mixed declarations are causing false positives to be raised for `css:S4666`. Thanks, @Reskun! JS-647
- There’s a regression in our C/C++ analyzer preventing many issues from being reported when the analysis is run from mapped network drives on Windows. Big shoutout to @garepa and @GregSel for reporting this. CPP-6237
Once more, we extend our thanks to everyone mentioned here - and those we may have missed - for their efforts in strengthening this community and enhancing our Sonar products.
Please leave your own shout-outs below – whether for another community member or a SonarSourcer who assisted you this week. If there’s someone you think should be acknowledged in next week’s roundup, don’t hesitate to let us know.