Hi all,
Greetings from sunny Barcelona, where we’re proud to be sponsoring OWASP Global AppSec EU 2025! With Ann taking a well-deserved break this week, we appreciate your patience as we juggle a few extra balls.
I am the tall one.
This week (great timing) we launched SonarQube Advanced Security alongside SonarQube Server 2025.3, bringing Software Composition Analysis (SCA) capabilities to SonarQube!
As long as I’ve worked for Sonar, I’ve had to say “We don’t do SCA” when users ask… and it will be nice to finally stop saying that (it got old, trust me). I used the features for the first time last week, and the team did a great job bringing SCA into the SonarQube world I already know!
Back to business as usual – as always, we want to take a moment to recognize everyone who sparked interesting discussions and gave us valuable feedback to drive continuous improvement.
SonarQube Server & SonarQube Community Build:
- @amol_mane identified a bug in the Measures tab bubble graph visualization. Great catch! SONAR-25181
Rule & Language Improvements:
- @los93sol reported a false positive for Blazor’s Identity Components on roslyn.sonaranalyzer.security.cs:S5146. We will update our config and also the compliant examples. Thanks for reporting!
- @jmothes started a discussion about java:S5164 and ThreadLocal members. As a result we are going to update the rule description and change the rule severity. SONARJAVA-5586
- @ATTATRA shared that kotlin:S6516 is raising false positives when the Java functional interface instance is referenced. There’s now a ticket in the backlog to fix that.
- @jycr asked about using sonar-iac Kubernetes assertions for their own projects. We think it makes sense to publish these dependencies! SONARIAC-2058
- @petrk raised some interesting points about meta-annotations, specifically that when a meta-annotation is declared that uses @SuppressWarnings, it’s not respected by SonarQube. Let’s fix that. SONARJAVA-5597
Scanners:
- The README for the sonarsource/sonarcloud-scan Bitbucket pipe should be updated to change SONAR_SCANNER_OPTS to SONAR_SCANNER_JAVA_OPTS. It would have saved @mkluczynski some time! It has been updated. Thanks!
Thank you again to everyone mentioned—and to those we may have missed—for your ongoing contributions in making this community stronger and helping us improve Sonar products.
If you’d like to give a shout-out to someone, whether a community member or a SonarSourcer who helped you, please do so below. And if there’s someone you think we should acknowledge next week, let us know!