Sonar Community Roundup, October 18 - October 24

Hi all,

Times sure are changing—literally! Daylight saving time ends in Europe this Sunday. Don’t forget to set your clocks back!

As always, we’d like to highlight your valuable discussions and feedback, which help us continually improve.

SonarQube for IDE:

  • Double-clicking issues in SonarQube for VS Code on Windows does not navigate to the code as expected—only the rule description opens, as @gquerret noted. This works properly on Mac. SLVSCODE-1412 was created to address the Windows-specific issue. Thanks for your ongoing feedback!

  • @gquerret (sounds familiar?) also observed that issues disappear while typing in VS Code when syntax errors are introduced. After initially detecting 54 issues in a Java file, introducing a syntax error caused all to vanish instead of persisting alongside the parse error. SLCORE-1770 was filed to ensure issues remain visible with temporary syntax problems. Thanks for the detailed logs!

SonarQube Cloud:

  • When a portfolio switches from main to named branches that aren’t main, portfolio breakdown metrics disappear. @ftlvz spotted this issue, and a ticket was filed to track the fix. Thanks for the clear reproduction steps!

Scanners:

  • Since version 7, the SonarScanner for Gradle has a conflict with the Jandex plugin. @BrianRUG’s reproducer showed the sonarResolver task failing with configuration errors when both are used. SCANGRADLE-293 is tracking this investigation. Thanks!

  • @peacememories noticed the sonar-scanner-cli Docker image had accumulated CVEs. A new version with an updated base image fixing all CVEs was released last week. Thanks for the feedback!

Rules & Languages Improvements:

  • @m-gallesio discovered that typescript:S7729 incorrectly triggers for class methods named filter, map, find, or findLast with two parameters. The rule doesn’t differentiate between array methods and unrelated class methods. JS-913 was created to correct this. Thanks!

  • In another find, @m-gallesio (lots of multiple shoutouts this week!) caught typescript:S7755 incorrectly suggesting using .at() for collections like NodeList that don’t support it. The rule should apply only to actual arrays. JS-905!

  • The C/C++ build wrapper doesn’t recognize the GCC RISC-V compiler, as @n_ppel discovered. The probe passes unsupported parameters like -quiet, causing compilation units to be skipped. An internal ticket was created to investigate compiler probe compatibility with RISC-V toolchains.

  • @jump-jet ran into an issue where cpp:S5950 incorrectly triggers when using std::unique_ptr to take ownership of heap objects from third-party APIs. The rule suggests std::make_unique, which isn’t always possible. An existing ticket now has increased priority. Thanks!

  • Large Go repositories are hitting memory limits when parsing coverage files. @jfontan’s repository with 3600+ files generating a 3GB+ coverage file caused OutOfMemoryError even with 24GB of heap. The plugin loads all coverage data into memory before processing, rather than streaming it. SONARGO-706 was created to improve coverage import for large reports. Thanks for the detailed analysis!

  • @PPRiphagen encountered a crash during C++ analysis. Code that had analyzed successfully in the past began to crash. Thanks to the reproducer, it was easy for us to create an internal ticket which is targeted for the next release. Thanks for sharing the reproducer file!

Thanks again to everyone—mentioned or not—for strengthening our community and improving Sonar products.

Know someone who should get a shout-out? Nominate them below, or let us know who to mention next week!
