Hi all,
We have amazing news this week: we’ve acquired Gitar.
Gitar is an AI PR review-and-fix agent, and it will even fix your CI if it breaks! I’ve spent some time this year looking at different AI PR review agents, and Gitar was one of the most impressive in terms of quality and UX. In an internal report, I characterized them as “the Apple of AI review.”
If that weren’t enough, we also published a report on research we did showing that having an AI work on “clean” code actually saves tokens. If you’re here reading this, you’re probably already on board with having quality code, but I think being able to put real numbers behind it (finally!) is really exciting.
And now, like every week, we’d like to take a moment to recognize you, the users, who help improve the ecosystem for everyone by sparking valuable discussions and providing feedback to drive continuous improvement in our products.
SonarQube Cloud
- There are some cases where the UI lets you try to bind a project even though you don’t have permission to do so. Sorry about that, @daniel.schiffl! We’ll start surfacing a clearer error message when you don’t have access to bind a project.
SonarQube Server / Community Build
- @Ulqur and @Usinelogicielle let us know about a regression where the quality profile dropdown sat behind the modal, making it impossible to change a project’s profile. Thanks for the cross-browser detail, @Usinelogicielle! A fix has been merged and will roll out with upcoming releases.
- Sandboxing doesn’t kick in for rules manually added to a profile before the first analysis after an upgrade. @mvillanueva thought that looked broken, which was an entirely fair conclusion based on our docs. So we’re fixing the docs.
Scanners
- @Manuel.P pointed out that the `SonarCloudAnalyze@4` Azure DevOps task declares a `java` demand even though `SonarCloudPrepare@4` already provisions a JRE. You’re right: it’s a legacy leftover from before auto-provisioning, and we’ll remove it in an upcoming release.
- `sonarqube-scan-action` v8.0.0 had no way to configure a proxy for GPG keyserver access, which broke the action behind corporate proxies. Thanks @scott-sympli! We shipped proxy support for GPG keyserver access a couple of days ago in 8.1.0.
Rules & Languages
- `csharpsquid:S2629` and log4net: thanks to @dt-fastec for raising this over a year ago and to @feda for recently bumping it. After a deeper look at log4net’s internals we found the rule’s complaint is actually valid (an interpolated `$"..."` string is built at the call site before log4net gets to check whether the level is enabled), though the rule’s suggested fix needs updating to use indexed placeholders (`{0}`), since log4net doesn’t support Microsoft-style named ones.
- @leemeii noted that `java:S2200` misses `compareTo()` results wrapped in a cast like `(int) a.compareTo(b)`, leaving the specific-value comparison bug undetected. Thanks to @jilles-sg for the thoughtful counterpoint on whether the cast itself is the real smell (it’s covered by `java:S1905`), but a false negative is still a false negative, since suppressing one rule shouldn’t hide the other: SONARJAVA-6380.
- `java:S2147` raises a false positive when two `catch` blocks dispatch to different overloads of the same method, since merging them into a multi-catch would change overload resolution. Thanks @Emilyaxe for the clear reproducer: SONARJAVA-6376.
- @hb20007 pointed out that the description for `typescript:S7785` only covers a narrow pattern even though the rule fires more broadly. You’re right; we agreed the description needs updating: JS-1763.
- `cpp:S1121` raises a false positive on assignments explicitly enclosed in parentheses, despite the rule description claiming such assignments are ignored. @bers actually spotted two issues: the description doesn’t match the implementation (the rule targets sub-expression assignments in general, not just those in conditionals), and the parenthesized-assignment exemption itself was buggy. Both fixes will roll out with upcoming releases.
- @bers also reported a false positive on `cpp:S6018` when a templated variable is already `inline`. Looking at the rule again, we’ve decided to deprecate it entirely, since it has multiple issues beyond this one, and we’ll remove it as soon as our deprecation policy allows. In the meantime, you can remove it from your quality profile.
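As an added illustration of the two Java items above (this is example code written for this post, not code from the original reports or from SonarJava), the following shows why comparing a `compareTo()` result against a specific value is a bug even when an `(int)` cast hides it from `java:S2200`, and why merging two `catch` blocks into a multi-catch, as `java:S2147` suggests, changes which overload of a method is called. The `handle` overloads, the `isBefore*` helpers and the exception messages are constructed for the example.

```java
import java.io.IOException;
import java.sql.SQLException;

// Added example, not from the original post or from SonarJava's rule code.
public class SonarJavaFindings {

    // java:S2200: compareTo() only promises the sign of its result, never the
    // magnitude. String.compareTo returns the difference of the first differing
    // characters, so "a".compareTo("c") is -2 and the == -1 check misses it.
    static boolean isBeforeBuggy(String a, String b) {
        // The (int) cast is the construct that hid this from the rule.
        return (int) a.compareTo(b) == -1;
    }

    // The fix: compare the sign against 0 and nothing else.
    static boolean isBeforeFixed(String a, String b) {
        return a.compareTo(b) < 0;
    }

    // java:S2147: three overloads of one method (constructed for the example).
    static String handle(IOException e)  { return "io:" + e.getMessage(); }
    static String handle(SQLException e) { return "sql:" + e.getMessage(); }
    static String handle(Exception e)    { return "generic:" + e.getMessage(); }

    // Two catch blocks whose bodies look identical but bind e to different
    // static types, so each call resolves to a different overload.
    static String separateCatches(boolean io) {
        try {
            if (io) throw new IOException("disk");
            throw new SQLException("db");
        } catch (IOException e) {
            return handle(e);   // static type IOException -> handle(IOException)
        } catch (SQLException e) {
            return handle(e);   // static type SQLException -> handle(SQLException)
        }
    }

    // The merge the rule proposes. In a multi-catch, e has the least upper
    // bound of the alternatives as its static type (Exception here), so the
    // same call now resolves to handle(Exception). Without that third overload
    // the merged version would not compile at all. Either way the behaviour
    // differs from separateCatches, which is why the rule's advice is a false
    // positive in this shape.
    static String mergedCatch(boolean io) {
        try {
            if (io) throw new IOException("disk");
            throw new SQLException("db");
        } catch (IOException | SQLException e) {
            return handle(e);   // static type Exception -> handle(Exception)
        }
    }

    public static void main(String[] args) {
        System.out.println("buggy  a<c: " + isBeforeBuggy("a", "c"));
        System.out.println("fixed  a<c: " + isBeforeFixed("a", "c"));
        System.out.println("separate/io:  " + separateCatches(true));
        System.out.println("separate/sql: " + separateCatches(false));
        System.out.println("merged/io:    " + mergedCatch(true));
        System.out.println("merged/sql:   " + mergedCatch(false));
    }
}
```

Compile and run it with `javac SonarJavaFindings.java && java SonarJavaFindings`; the buggy and fixed comparisons disagree on `"a"` versus `"c"`, and the merged catch routes both exceptions through the `Exception` overload while the separate catches keep them apart.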
Thanks again to everyone mentioned here - and to anyone we may have missed - for your ongoing contributions in making this community stronger and helping us improve Sonar products.
If you’d like to give a shout-out to someone, whether a community member or a SonarSourcer who helped you, please do so below. And if there’s someone you think we should acknowledge next week, let us know!
Ann