While Colin has been on vacation this week, (re)building Notre Dame in his living room, you all kept your noses to the proverbial grindstone, and gave us plenty of feedback. We’re grateful every time you do that, so like every week we want to spend some time acknowledging everyone who prompted interesting discussions and gave us feedback to help us continuously improve.
SonarQube:
- It’s been nearly a year since @antonio.ramos.MCH reported an NPE during Maven analysis. And we’ve finally fixed it. It will be part of SonarQube 10.8.
- @milbrandt spotted the SonarQube 10.7 docs linking backward into the 10.6 docs. Thanks! We’re on it!
- If you pause the SonarScanner for .NET to wait for the Quality Gate status, a failing Quality Gate means your scanner job fails with a “did not complete successfully” message. Thanks @amair. SCAN4NET-134 will fix it.
- We broke the mechanism that detects whether rules have been updated, resulting in 0 rules being indexed at startup for some people. (And forcing an Elasticsearch reindex doesn’t help.) Our thanks for reporting this go to @lukrek_syncron, @Chromobotia, @eric_kertz1, and @flute. We’ll fix it in 10.8 with SONAR-23466. Meanwhile, there’s a workaround in the ticket.
- @LividSquid’s investigations found that with Bitbucket Server connection validation, SonarQube calls a URL that no longer works in Bitbucket Server 9 under certain conditions. We created SONAR-23470 for this and got to work on it at the same time he was drafting his own PR, which “is almost 1:1” with ours, and gives us more confidence in the fix!
- With the SonarScanner for NPM, @fassen is getting a warning about the use of a deprecated environment variable. But he didn’t populate the variable; we did. SONARJNKNS-378
- @virender.singh reported that Security Hotspot synchronization to his branches had stopped working. Based on the docs, I told him they were never supposed to be synchronized at all. But the docs were wrong, and so was I. Sorry, the gaslighting was entirely unintentional, and we’re getting the docs fixed.
SonarCloud:
- @Brendan-OSullivan noticed a copy-paste error in the docs. We’re still working through his main question, but in the meantime, thanks for the heads-up. It should already be fixed.
Scanners:
- A new release of the Azure DevOps extension caused .NET builds on Windows agents to fail Monday. SONARAZDO-414 describes the intricate reasons it didn’t fail when the bug was first introduced back in May and did finally fail this week. We’d like to thank everyone who was involved in reporting the issue, publishing workarounds, and finally in verifying the fix: @ryan.adler, @milbrandt, @Julian, @alexmo, @danmgs, @Fabio_Barbosa, @Manel_Ros_Puig, @JS-Schneider, @paulo.silva, @vaniapereira, @PeterBa, @evalann, @NathanAlcantara, @Rajesh_Toluchuru, @Billel_CHETOUANE, @Rohitswamy123, @dl2023, @crookc, @ShuffleOvernightExcl, @Devin_Quince, @dliakhovych, @andrecosta, @Justin_Gould, @raju_BKP, @swift.client, @RamaKrishna, @nemke, @Magdi_Balad, @dl2023, @ken_activu.
- After migrating to the latest, updated version of the Azure task, @RenLau and @kbelykh each reported, independently, that `sonar.projectBaseDir` detection was wrong on *nix systems. Thanks, y’all! SCAN4NET-147
- In the latest Azure task, we’ve set a default keystore password of `sonar`. Unfortunately, `keytool` requires a longer password, so there’s no way to reset the password to something longer because `keytool` rejects the too-short current value. This is… not an easy one, so we don’t even have a ticket for it yet, but we appreciate the report @dalinicus
SonarLint:
- @Pigelvy has apparently found that the way to our developers’ hearts is coffee, flown in from exotic locations. He’s advocating the ability to use a different JRE in SonarLint for IntelliJ. We’re planning work in this area soon. (Don’t tell him, but it was already on the list.)
Rule & Language improvements:
- Our C# analyzer ignores pre-processor directives, so `csharpsquid:S2583` reports a false positive issue when they’re involved. We’ve created an internal ticket to fix it.
- @rekhib brought us a great rule idea for PHP8 array functions. Unfortunately, there are too many prerequisites in front of it right now. But keep 'em coming!
- `java:S6863` requires you to return a known status code from a `Controller` request handler function. But as @wnmzzzz pointed out, it raises an issue on `HttpStatus.UNAUTHORIZED` even though it is a valid status code. SONARJAVA-5150 will fix it.
- Hard-coded, absolute URIs can be a problem for maintainability, as `java:S1075` points out. But as @Nico.Strecker noted, it’s not a problem when it’s a relative path that’s used as a suffix. So we’ll fix that with SONARJAVA-5149.
- @ThomasGraner found that C# analysis is failing in some cases because issues can be reported on the wrong locations in `cshtml` files. We’ve created an internal ticket to fix it.
- `java:S1989` raises an issue on exceptions thrown within servlets - even if those exceptions are caught by an enclosing `try`. Nice catch @BloodyMary! SONARJAVA-5153 will fix it.
- @monkeytennis reported that `csharpsquid:S2583` raises an issue when you test `list.Count`, even though that’s not a gratuitous Boolean expression. We’ve implemented the fix and will release it soon.
- Generally, there’s no good reason to invert a boolean check. Unless you’re writing the boolean check. @bers reported that `python:S1940` raises an issue when a boolean check is negated inside an `__ne__` or `__eq__` method. And following the rule’s advice in this situation leads to infinite recursion. Doh! SONARPY-2247
- `plsql:DeleteOrUpdateWithoutWhereCheck` doesn’t differentiate between `DELETE` and `ON DELETE`. Thanks @fassen. We’ve created a ticket for it internally.
- After a discussion with @DamienCassou that started with redefining functions in JavaScript, we eventually created JS-377 to capture his suggestion to port `python:S5890` (Values assigned to variables should match their type annotations) to JavaScript.
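To make the `python:S1940` edge case above concrete, here is an added example that is not from the Sonar post nor from the analyzer’s own code. It uses a constructed `Version` class whose `__ne__` is written as `not self == other` (the pattern the rule flags), next to a subclass whose `__ne__` applies the rule’s suggested rewrite (`self != other`) mechanically. A small helper shows that the first terminates and the second recurses until Python raises `RecursionError`.

```python
"""Why python:S1940's advice cannot be applied blindly inside __eq__/__ne__.

Added example, not from the Sonar roundup: the rule flags `not a == b` and
suggests `a != b`. Inside `__ne__`, that rewrite dispatches to `__ne__` again,
so the "fixed" method never returns and Python raises RecursionError.
"""


class Version:
    """Constructed sample class: equality is defined by the (major, minor) pair."""

    def __init__(self, major: int, minor: int) -> None:
        self.major = major
        self.minor = minor

    def __eq__(self, other: object) -> bool:
        if not isinstance(other, Version):
            return NotImplemented
        return (self.major, self.minor) == (other.major, other.minor)

    def __ne__(self, other: object) -> bool:
        # This is the "inverted boolean check" the rule reports. Here the
        # inversion is intentional: __ne__ is defined in terms of __eq__.
        return not self == other


class VersionFollowingRuleAdvice(Version):
    """Same class after mechanically applying the rule's suggested rewrite."""

    def __ne__(self, other: object) -> bool:
        # `self != other` calls this very method -> unbounded recursion.
        return self != other


def ne_is_safe(cls) -> bool:
    """Return True if cls.__ne__ terminates, False if it recurses until RecursionError."""
    a, b = cls(1, 0), cls(1, 1)
    try:
        return a != b  # True for Version; never returns for the rewritten class
    except RecursionError:
        return False


if __name__ == "__main__":
    print("Version.__ne__ terminates:", ne_is_safe(Version))
    print("Rewritten __ne__ terminates:", ne_is_safe(VersionFollowingRuleAdvice))
```

In Python 3, defining `__eq__` alone already gives you a `__ne__` that negates it, so the simplest way to avoid the question entirely is to not write `__ne__` by hand; where you do write it, the inverted check is the correct form, which is exactly why the rule needs an exception there.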
Once more, we extend our thanks to everyone mentioned here - and those we may have missed - for their efforts in strengthening this community and enhancing our Sonar products.
Please leave your own recognitions below – whether for another community member or a SonarSourcer who assisted you this week. If there’s someone you think should be acknowledged in next week’s roundup, don’t hesitate to let us know.