Hi all,
Spring is a time of beginnings, and personally, I’m excited by my first peony bloom of the season. Peonies take a few years to get established, and it’s the first time this particular plant has bloomed. I’m thrilled that its one lone bud was the first in my yard to open.
On a more work-related note, there were several other beginnings this week:
- First, the long-awaited Automatic Analysis for Azure DevOps.

- There’s also now Advanced security in Automatic Analysis (for both GitHub and Azure DevOps!).

- And finally, Architecture is now available for everyone on SonarQube Cloud. (Oprah meme redacted.)
As it happens, this spring is also the time of an ending. For nearly 18 years, you’ve been able to run a Maven analysis simply by typing mvn sonar:sonar, but all good things come to an end, and now is the time for that to end as well. On May 1st, we’ll be retiring that shorthand, so please make sure you’ve updated all your pipelines before then.
And now, like every week, we’d like to take a moment to recognize you, the users, who help improve the ecosystem for everyone by sparking valuable discussions and providing feedback to drive continuous improvement in our products.
SonarQube for IDE
- @surecloud-jleite reported an `IndexOutOfBoundsException` when SonarQube for IntelliJ rendered gutter icons. A fix is coming in the next release. SLI-2598
- A threading error in SonarQube for IntelliJ was reported independently by @Mohammed_Abdu (1), @Theu-dev (2), @bademeister (3), and @Francisco_Vieira (4). We appreciate all your reports! The fix will ship in the next release. SLI-2595
- File exclusions in SonarQube for IntelliJ don’t apply to manually triggered analysis, as @simasch pointed out. We initially did this on purpose, but agree that it turns out to be confusing. We’ll improve it in the next release. SLCORE-2196
- @ll_csb let us know that the C# analyzer panel in SonarQube for Visual Studio appeared broken after updating to version 10.0.0.16576. Analysis still works under the hood, and we’re tracking the display fix. SLCORE-2281
SonarQube Cloud
- @krzysztofdrozd tracked down that SonarQube Cloud login via GitHub fails for organizations with IP allowlists, correctly suspecting an IP-related cause. The fix is to grant the SonarQube Cloud OAuth App bypass access in your GitHub org’s allowlist settings (auth goes through Auth0’s IPs, not ours), and we’re updating the docs to make this clearer.
- The SonarQube Cloud quality gate status stopped updating in Azure DevOps pull requests, as @aebi, @Mada_B, @sja-cslab, and @anelsen reported. Thanks for the reports! We got it fixed the next day.
SonarQube Server / Community Build
- @matias.busco.king reported that SonarQube Server’s Okta SSO integration is case-sensitive for login attributes, causing auth failures when casing doesn’t match. Sorry for the wait. SONAR-27476
Rules & Languages
- @Corniel proposed a new rule to prefer `System.Threading.Lock` over `object` for lock statements in C#, noting that Visual Studio added a similar check (IDE0330) but it only runs inside VS. We’ve added it to our backlog.
- @Corniel also flagged a false positive in `csharpsquid:S1200` where static classes containing only extension methods get counted as overly coupled. We agree the class is just a container in this case and will update the rule to exclude it.
- `csharpsquid:S6966` raises a false positive on `SqlDataReader.IsDBNull` and `GetFieldValue`, as @HamsterExAstris documented with thorough references to Microsoft’s guidance. The async versions add overhead without benefit when `SequentialAccess` isn’t used, so we’ll stop suggesting them in that context.
- @mikolg found a gap in `java:S1166` where it misses a `catch` block that throws a new exception without the original cause when wrapped in control flow. Thanks! SONARJAVA-6238
- @madyatma and @inverno independently reported that Go test files were suddenly getting flagged by main-source-only rules. A recent change to how the Go analyzer handles test files accidentally started running all rules on tests instead of just test-scoped ones. We’re fixing this in the next release.
- `sonarjs:S6957` crashes when a `package.json` uses pnpm `catalog:` version specifiers, as @Zac_Clifton reported with a clear reproducer. The fix will roll out with upcoming releases. JS-1192
Thanks again to everyone mentioned here - and to anyone we may have missed - for your ongoing contributions in making this community stronger and helping us improve Sonar products.
If you’d like to give a shout-out to someone, whether a community member or a SonarSourcer who helped you, please do so below. And if there’s someone you think we should acknowledge next week, let us know!
Ann