Hello Sonar Community!
It’s been a big week here in the Community, with lots of help and guidance from you, our members, to improve our products and your experience with them. We’re grateful when you take the time to do that, so like every week we want to spend some time acknowledging everyone who prompted interesting discussions and gave us feedback to help us continuously improve.
SonarQube
- @pwitvoet let us know about a particularly irritating UI glitch in the Security Hotspots UI that kept re-selecting the first Security Hotspot in the list - even when it wasn’t the one he was trying to mark ‘Safe’. SONAR-21900 is already fixed for 10.5.
- Speaking of UI glitches, @Mikaciu shared that links in the Overall tab of the homepage for non-main branches don’t keep their non-main-ness. SONAR-21600
- @Valentijn’s build agents are using Java 21, which isn’t supported by the `SonarQubeAnalyze@5` task. We’ve created an internal ticket to allow the option.
- It’s a corner case to have a duplication between the built-in tags on a rule and the ones added manually. @Nicolas_Alcaraz encountered it nonetheless, and found that it blocked the DB migrations during his upgrade. SONAR-21920
- @aravindnss pointed out that SonarQube APIs are case-sensitive. Sometimes. Oops. SONAR-21933
SonarCloud
- Early this week @ajtribick pointed out that the GitHub action we’ve provided for C and C++ analysis produced a Node.js 16 deprecation warning, and reminded us that a community PR to fix it had been open for well over a month. This became even more significant with our mid-week announcements (1) (2) that SonarCloud’s Node.js 16 support will end next week. Thanks for the nudge; it finally got us moving!
- A few weeks ago, @sme shared the extraordinary efforts he goes to to make sure that PR analysis succeeds even when the underlying project hasn’t been created in SonarCloud yet. He didn’t ping us to complain about that; he just wanted help perfecting his workarounds. But it shouldn’t be that hard, so we’ve created an internal ticket to improve the situation.
SonarLint
Once again this week, we want to thank SonarLint for IntelliJ users for their ongoing patience as we continue to sort out the issues with the 10.4 release.
- @ChukwumaA let us know about the `Container is already disposed` exception he encountered. SLI-1331 is already resolved.
- SonarLint doesn’t support 3rd-party analyzers, even in connected mode, much to @gquerret’s disappointment. And since that’s the case, it shouldn’t download them anyway and then throw a NullPointerException. SLLS-230 will fix the NPE, and SLCORE-756 will make sure unsupported language plugins aren’t downloaded to start with.
- Trying to connect to a very large SonarQube instance, say one with >10k projects? SonarLint may not find your project, as reported by @KarlaDell. SLLS-234
- @cmei84 encountered SonarLint for Eclipse problems with a code signing certificate that requires the use of a USB token. SLCORE-669
Rule and language improvements
- @landisdesign noted that React requires title-cased state variables for components, but S6754 doesn’t seem to be aware of that. SonarJs#4639
- Usually explicitly testing for `== true` is unneeded, but sometimes in C# it’s actually clearer and more efficient, as @m-gallesio pointed out. sonar-dotnet#8995
- @cssprs noted that using Java 21 pattern matching to switch over a sealed class requires that you declare a local variable for each case, even if the value is unused. It’s already fixed with SONARJAVA-4907 and will be released soon.
- If you pass a Gcov directory into analysis, but it doesn’t have any `.gcov` files in it, analysis… doesn’t say much, and moves on. As @Ivan_Ribakov found, that’s not very helpful. CPP-5169
- @dbrink joined the community to let us know that if a C# partial method is defined within generated code that is emitted to the “obj” folder, S1172 raises a false positive. Welcome and thanks! sonar-dotnet#8988
- S1151 can raise a false positive on Java `case`s with `->`, as @sithmein let us know. SONARJAVA-4919
- @dougw was kind enough to provide a PR for the false positive he found in html:S6793. It will be fixed in the next release.
- @H.Lo let us know that the Thymeleaf `th:text` attribute isn’t recognized as content for S6827, which complains about empty anchors when it’s used. SonarJS#4614
- @theBlackDragon pointed out that S6857 raises a false positive when SpEL is used with a `Map`. SONARJAVA-4917
- A Helm chart that doesn’t end with a newline breaks analysis, particularly in conjunction with multiline strings, @Carsten_HB reported. It’s already fixed for the next release.
- JavaScript `require` lines shouldn’t be included in duplication detection. @David_Deasy raised this topic in 2022 and had to bring it back up again this week, because our initial fix was only partial. SonarJS#4620 should fix it right this time.
- @Jos_Abrahams is no stranger to this list, and he’s back again this week, having found that in certain circumstances `FileUnusedCheck` raises an unused file issue in the copybook where the file is declared, rather than in the program that includes the copybook without using the file. SONARCOBOL-1702
Once more, we extend our thanks to everyone mentioned here - and those we may have missed - for their efforts in strengthening this community and enhancing our Sonar products.
Please leave your own recognitions below – whether for another community member or a SonarSourcer who assisted you this week. If there’s someone you think should be acknowledged in next week’s roundup, don’t hesitate to let us know.
Ann, @Colin, and @leith.darawsheh