Hello Sonar Community!
Like every week we want to spend some time saying thanks to everyone who prompted interesting discussions and gave us feedback on Sonar products that will help us continuously improve.
SonarQube:
- Thanks @torsten.stach for letting us know that in SonarQube v10.4, the value of `sonar.web.context` isn’t being taken into account when generating the Portfolio Report PDF. SONAR-21772
- @Carsten_HB is one of many users over the years who’ve reported issues flickering between open and closed statuses. It’s been something of a wild goose chase for us - never getting close enough to actually identify the problem. Finally, though, we’ve tracked it down. (Roast goose for dinner!)
SonarCloud:
- Being called out for your mistakes is one thing. Being called out for someone else’s is something else entirely. And we’ve been doing that for a while, as @Luiz_Soares pointed out because under some circumstances the SonarScanner for .NET adds deprecated properties to the analysis context. Apologies to everyone who’s gotten the (unwarranted) deprecation warnings. We’ll fix it with sonar-scanner-msbuild#1888.
SonarLint:
With the release of
- SonarLint for Eclipse 10.0
- SonarLint for IntelliJ 10.4
- SonarLint for VSCode 4.4
we have almost completely refactored each plugin. We spent the last several weeks manually testing everything and fixing bugs, but we knew there was a possibility users would face a few problems. We see the bug reports you’re turning in, and we’re grateful for them. We should have updates on them soon.
Language & Rule Improvements:
- Our trusty COBOL expert @Jos_Abrahams let us know about a false-positive on `cobol:S1966` when moving an alpha field to a numeric field with conversion. Thanks Jos! SONARCOBOL-1698
- Jos also discovered that issues found by `cobol:S1764` are only being reported in the copy member, not the source file. SONARCOBOL-1699
- Thanks @kdebisschop for identifying a false-positive with `php:S2201`, mistakenly raising an issue saying that `strtok()` has no side effects. SONARPHP-1490
- As reported by @toshihiro_hayashi, our C and C++ analysis only supports files with UTF-8 encoding. We’ve created CPP-5066 to track interest on supporting other file encodings.
- Lines of JavaScript code that just declare exported members should not be considered executable lines (that can be covered by tests). Thanks for the nudge @denis_gillespie! SonarSource/SonarJS #4592
- Kudos to @alec for his continued push to make `java:S6856` the best it can be – SONARJAVA-4901.
- @JJoensuu’s questioning of `csharp:S4070` led to the idea for a new rule around proper definitions of `All` values in `enum`s.
- There’s an overlap between `csharp:S112` and Microsoft’s `CA2201`, as @Corniel pointed out. We’re thinking through how to handle the duplication.
- In C++ analysis, we don’t inline standard library implementations. That can lead to false negatives, as @abiessmann noted. Inlining library implementations has performance tradeoffs, but we’ll start inlining lightweight libraries, with CPP-5072.
- After a nudge from @bers, we’re now considering supporting Python’s `typing.reveal_type`. SONARPY-1695
- `csharp:S4502` detects when you explicitly disable anti-CSRF protection, but not when it’s unsafe by default, as @alexvaccaro found. We’ve created an internal ticket to address it.
- After a discussion of Cognitive Complexity in Go with @jqueuniet and @danrollason, we’re going to reconsider error handling and the default threshold for the rule. SONARSLANG-643
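To make the `csharp:S4502` distinction above concrete, here is an added ASP.NET Core example (constructed for this post; it is not SonarSource code, not the rule's own test case, and the `TransferController` and `Startup` names are hypothetical). It places the explicitly-disabled case the rule already catches next to the unsafe-by-default case it currently misses, and shows the two ways to make the default safe:

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical controller, constructed for illustration only.
public class TransferController : Controller
{
    // Explicitly disabled: this is the pattern S4502 reports today.
    [HttpPost]
    [IgnoreAntiforgeryToken]
    public IActionResult TransferOptOut(decimal amount) => Ok();

    // Unsafe by default: a state-changing POST with no token check at all
    // (no [ValidateAntiForgeryToken] here and no global filter registered).
    // Nothing was "disabled", so the rule stays silent, yet the request is
    // just as forgeable as the one above.
    [HttpPost]
    public IActionResult TransferImplicit(decimal amount) => Ok();

    // Hardened per action: the form must carry a valid anti-forgery token.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult TransferSafe(decimal amount) => Ok();
}

// Hardened globally: register AutoValidateAntiforgeryTokenAttribute as an
// MVC filter so every unsafe-method action (POST, PUT, PATCH, DELETE) is
// validated unless it opts out explicitly, which puts the opt-out back
// where S4502 can see it.
public static class Startup
{
    public static WebApplication Build(string[] args)
    {
        var builder = WebApplication.CreateBuilder(args);
        builder.Services.AddControllersWithViews(options =>
            options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));

        var app = builder.Build();
        app.MapDefaultControllerRoute();
        return app;
    }
}
```

The global filter is the configuration worth checking for during review: with it in place, a missing `[ValidateAntiForgeryToken]` on an action is harmless, and the only way to end up unprotected is an explicit `[IgnoreAntiforgeryToken]`, which the existing rule flags.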
Once more, we extend our thanks to everyone mentioned here - and those we may have missed - for their efforts in strengthening this community and enhancing our Sonar products.
Please leave your own recognitions below – whether for another community member or a SonarSourcer who assisted you this week. If there’s someone you think should be acknowledged in next week’s roundup, don’t hesitate to let us know.
Colin, @ganncamp, and @leith.darawsheh