Hi all,
Happy Friday to those who celebrate. 
I don’t know about y’all, but for me it’s been a week! My brain is full and I’m ready for the weekend. What’s also full is my heart - of gratitude.
So now, like every week, we’d like to take a moment to recognize you, the users, who help improve the ecosystem for everyone by sparking valuable discussions and providing feedback to drive continuous improvement in our products.
SonarQube MCP Server
- @7ph flagged that the SQ MCP server only supports HTTP CONNECT proxies, leaving out
SOCKS5users, which is commonly used among WFH teams using SSH tunnels to reach internal SonarQube instances. NativeSOCKS5support is planned for the next release.
SonarQube Cloud
-
An “Already imported” error blocking project reimport was reported by @George_Nhari. It turned out to reflect a more general issue with stale project bindings — a fix to allow reimporting in these cases is in the works, though we don’t have an ETA yet.
-
@dmacdonald tracked down why analysis time had ballooned to nearly 3 hours after switching to Tuist — CircleCI quietly moved to blobless checkouts at the end of 2025, which breaks SCM analysis. The fix is a full clone checkout, and we’ve added a troubleshooting note to the CircleCI docs.
SonarQube Server / Community Build
- Integrating SonarQube Server with GitHub Actions got complicated for @Srini1 when using GitHub-hosted runners — which can’t reach a private SonarQube instance by default. The docs have been updated to make this requirement explicit.
Scanners
-
Thanks to @jakub-jemieljanczuk for pointing out that
eslint-plugin-sonarjswas using exact dependency versions, making transitive security updates unnecessarily painful. Already fixed in v4.0.2. -
@gian1200 flagged a vulnerability in the SonarScanner for NPM. We’ve already released the fix.
-
A regression in Scanner CLI 8.0 that breaks HTTPS proxy authentication — causing HTTP 407 errors — was tracked down by @kychen. SCANJLIB-306
SonarQube for IDE
-
Belated thanks to @jflecomte, who first reported back in January 2025 that SonarQube for IntelliJ was locking dependency JAR files on Windows after analysis. The investigation was a tricky one — they showed great patience and went the extra mile with a reproducer and verbose IDE logs. Root cause has been identified and we’re on it.
-
@Lutti1988 and @DominikTouring have been working with us to restore
TreatWarningsAsErrorssupport in SonarQube for Visual Studio. Version 9.8.0.16314 fixed pragma-based suppression cleanup and added severity mapping tied to theTreatWarningsAsErrorsproperty — testing and refinement continues. -
@dmarciano, @TheNybbler, @jmrosPGGM, and @Thieum helped reproduce and narrow down a regression in 9.8.0 that flooded connected-mode SonarQube for Visual Studio projects with a
MultipleGlobalAnalyzerKeyscompiler warning. Version 9.8.1 rolls it back; a clean fix is in progress for 9.9.0.
Rules & Languages
-
A crash in
javascript:S4030on Svelteuse:directives was flagged by @valerio27 — complete with a stack trace, minimal repro, and version table that made it straightforward to reproduce. The fix has already been released!
-
The
go:S8168rule came up this week in a report from @dserodio hitting it on a Datadog tracer. @inverno’s observation that any method namedBegin()triggers it helped nail down the scope. We’re on it. -
A 2024 report of java:S1301 firing on 2-value enum switches got a decisive push this week: @UniqueUsername reframed the issue from readability to compile-time safety — a switch on an extended enum fails to compile (catching the gap), while the suggested if-else silently compiles and misses the new value. We agree and will treat it as a false positive. [SONARJAVA-5730]
-
@aigel requested a template version of
Web:RequiredAttributeCheckto let teams define multiple rules for missing HTML attributes with different configurations and severities. A PR in sonar-html will ship in the next release. -
@knyland and @Shelly_Noll traced a JS/TS analysis timeout in Azure DevOps pipelines to a bug in
javascript:S2077causing an infinite loop. Two workarounds are available while a fix is prepared: disable the rule, or changevar min = min;tovar min;. The fix will ship in the next releases.
Thanks again to everyone mentioned here - and to anyone we may have missed - for your ongoing contributions in making this community stronger and helping us improve Sonar products.
If you’d like to give a shout-out to someone, whether a community member or a SonarSourcer who helped you, please do so below. And if there’s someone you think we should acknowledge next week, let us know!
Ann