SonarCommunity Roundup, April 11 - 17

Hi all,

I mentioned this last week, but it bears repeating: mvn sonar:sonar will stop working soon. If you’ve got Maven projects, especially ones that have been around a while, you should check your pipelines. This applies to everyone on every version: SonarQube Community Build and SonarQube Server and SonarQube Cloud. Speaking of SonarQube Cloud, it now offers architecture for projects that use automatic analysis, and 100% coverage of all 179 MISRA C++:2023 guidelines. :tada:

And in case you were wondering, my peonies are coming along nicely too. :grin:

And now, like every week, we’d like to take a moment to recognize you, the users, who help improve the ecosystem for everyone by sparking valuable discussions and providing feedback to drive continuous improvement in our products.

SonarQube for IDE

  • @mje reported that SonarQube for IDE crashes with a “Value too long for column” error when syncing taint vulnerabilities with unusually large data flows. @mje went above and beyond by querying the server API to identify the culprit issues, and we’re now investigating both the crash handling and whether such large taint flows should be raised in the first place.

  • A threading error in JetBrains Rider that @Max_Iliashenko reported has been fixed. Update to the latest version to pick it up. SLI-2520

SonarQube Cloud

SonarQube Server / Community Build

  • @ChristophS78 reported that custom rule severities set in a Quality Profile are ignored during Bitbucket Server PR decoration. Sorry for the slow response on this one. We’ve identified the issue and a fix is on the way.

Scanners

  • @ArminPrieschl pinpointed why sonarqube-scan-action v7.0.0 re-downloads scanner binaries on every run, tracing it to a version-string format that breaks GitHub’s tool cache. Thanks for the detective work! SQSCANGHA-135

Rules & Languages

  • php:S117 raises false positives on PHP 8 constructor property promotion, where promoted parameters are class properties, not regular parameters. Thanks @mably for the thorough report! We’ll update the rule to skip promoted properties.

  • @szabolcs reported that the Python Cobertura coverage sensor resolves <source> paths relative to the working directory instead of sonar.projectBaseDir, causing coverage data to be silently dropped. We’re on it.

  • csharpsquid:S6965 flags a false positive on certain REST API action methods, as @Sros reported. We’ve added it to the backlog.

  • A nested class named Nullable causes an AD0001 analyzer error with csharpsquid:S1144/csharpsquid:S4487 because the analyzer mistakenly expects a type argument, as @Corniel reported. We’re fixing it.

Thanks again to everyone mentioned here - and to anyone we may have missed - for your ongoing contributions in making this community stronger and helping us improve Sonar products.

If you’d like to give a shout-out to someone, whether a community member or a SonarSourcer who helped you, please do so below. And if there’s someone you think we should acknowledge next week, let us know!

 
Ann
