Sonar Community Roundup, October 25 - October 31

Hi all,

Happy Halloween! 🎃

Like every week, we’d like to take a beat to recognize you, the users, who help improve the ecosystem for everyone by sparking valuable discussions and providing feedback that drives continuous improvement.

SonarQube Server & Community Build:

  • GitHub automated group provisioning intermittently loses group memberships during user login, as @andrew-garland has been tracking. Users in nested GitHub teams (child/parent/grandparent relationships) sometimes get removed from parent groups on login, requiring manual sync. We think we finally know what the issue is. Thanks for persistently pressing on this issue!

SonarQube Cloud:

  • Deleting projects bound to a Scoped Organization Token causes the token detail page to break, as @andi4000 discovered. Instead of displaying remaining projects, it shows “0 projects” with a “Project with ID xxx not found” error. This bug is currently being fixed (if it’s not fixed already). Thanks for reporting!

Scanners:

Rules & Languages Improvements:

  • javascript:S7728 and typescript:S7728 incorrectly suggest replacing .forEach() with for…of on non-iterable objects, as @Tezra discovered. Objects with custom forEach methods aren’t iterable but still trigger the rule. JS-917 was created to check if objects are actually iterable. Thanks!

  • @Tezra also raised concerns about javascript:S7785 and typescript:S7785 recommending top-level await, which isn’t baseline-compatible across browsers (Safari and WebView don’t support it yet). We plan to eventually enable/disable rules based on ECMAScript versions (JS-483) and will consider the browsers field from package.json. In the meantime, disabling the rule in your quality profile is recommended for projects targeting broad browser compatibility.

  • java:S2095 doesn’t detect unclosed ClientHttpResponse instances from Spring, as @Dam found. The rule fails to flag this Closeable resource when it is not properly closed. JAVASE-146 was created. Thanks for the report!

  • java:S2115 has a false negative when empty database passwords are wrapped in Objects.requireNonNull(), as @RJerrica reported. While DriverManager.getConnection(..., "", pwd) triggers the rule, wrapping the empty string doesn’t. SONARJAVA-5821 was created. Thanks!

  • @dgh noticed slow analysis after we deployed new Ruby rules using a new engine. Thanks to the report, we’ve already been able to fix the slowdown (at least, for now, on PRs). 🙏

Thank you again to everyone mentioned—and to those we may have missed—for your ongoing contributions in making this community stronger and helping us improve Sonar products.

If you’d like to give a shout-out to someone, whether a community member or a SonarSourcer who helped you, please do so below. And if there’s someone you think we should acknowledge next week, let us know!
