At this point it seems like AI has become an assumed part of the workflow for pretty much everyone in the tech sector. But with things moving 1,000 miles an hour, it can be hard to find a good groove with all the new tools. And using them well would be a challenge for anyone! That’s why Sonar is working to provide tools to help you use AI cleanly and efficiently.
Our latest update on that front is this week’s announcement of new functionality in the SonarQube CLI Open Beta (original announcement here) and we’re hoping for your feedback. The CLI (not to be confused with SonarQube Scanner CLI) offers agentic analysis from the working tree (this is the pre-commit analysis people have been asking for for years), issue remediation, and even help getting your project configured for analysis.
Check it out. Let us know what you think.
And now, like every week, we’d like to take a moment to recognize you, the users, who do give us feedback and help improve the ecosystem for everyone by sparking valuable discussions and providing your observations to drive continuous improvement in our products.
SonarQube for IDE
- @renatodantas wants SonarQube for VS Code’s sonarlint.pathToNodeExecutable to accept multiple paths (or VS Code variables like ${userHome}), since NVM-managed Node lives at different paths on macOS and Ubuntu and the synced setting breaks the extension on whichever OS isn’t currently active. We’ve added it to the backlog: SLVSCODE-1722.
- The SonarQube for Eclipse 12.2.1.84686 release notes linked to an internal Jira ticket that isn’t publicly accessible, as @lrozenblyum spotted. Good catch! We’ve updated the link to point to the public Jira release notes.
Scanners
- @Gustavo_Morales tracked down the exact trigger for a MissingValueException crash in the SonarScanner for Gradle’s sonarResolver task on AGP 9.2.0 (lazy provider interaction with Firebase Crashlytics when mapping uploads are disabled), and shared a clean CLI workaround. Thanks for the detective work! We’ll fix the missing dependencies in SonarResolverTask and the compiled-classes computation: SCANGRADLE-409 and SCANGRADLE-410.
Rules & Languages
- java:S881 lists CERT C/C++ resources in its description even though it’s a Java rule, and @VolkerG questioned whether they belong there. You’re right that the rationale is confusing in a Java context, where evaluation order is strictly defined; we’ll rework the description: SONARJAVA-6301.
- A huge thank-you to @Emilyaxe, who deserves a special call-out this week for an outstanding run of clear, reproducer-driven Java analyzer reports (with more in-flight!) Each one landed with a self-contained test case, which made triage and ticketing easy on our side:
  - java:S3958 flags ignored streams consumed through a lambda but misses the equivalent method-reference form. We’ll bring the two in line: SONARJAVA-6370.
  - java:S2201 flags ignored Stream#anyMatch results on boxed streams but misses the equivalent calls on IntStream, LongStream, and DoubleStream. We’ll extend coverage to primitive streams: SONARJAVA-6366.
  - java:S1144 correctly handles @MethodSource("name") but incorrectly flags the semantically identical array form @MethodSource({"name"}) as unused. We’ll teach the rule to recognize both forms: SONARJAVA-6367.
  - java:S1640 behaves inconsistently between null and (COLOR) null map keys. On investigation it’s the opposite of what it looked like: because EnumMap doesn’t allow null keys, the rule shouldn’t suggest migrating maps that use null as a key at all, SONARJAVA-6369.
  - java:S6905 catches SELECT * built with += but misses the equivalent inline concatenation ("SELECT " + "*"). We’ll close the gap: SONARJAVA-6372.
- @leemeii pointed out that java:S6104 catches computeIfAbsent(k, k -> null) but misses the block-lambda equivalents like k -> { return null; }. You’re right; we’ll extend detection to the block form: SONARJAVA-6373.
Thanks again to everyone mentioned here - and to anyone we may have missed - for your ongoing contributions in making this community stronger and helping us improve Sonar products.
If you’d like to give a shout-out to someone, whether a community member or a SonarSourcer who helped you, please do so below. And if there’s someone you think we should acknowledge next week, let us know!
Ann