First an administrative note: I mentioned a couple weeks ago that Community email subject lines would be simplifying soon. That feature became available yesterday and I turned it on immediately. So your inbox may look a little different now: hopefully easier on the eyes, but just as valuable!
It’s been a big week in the Community for feedback this week, with lots great input on all fronts. So now, like every week, we’d like to take a moment to recognize you, the users, who help improve the ecosystem for everyone by sparking valuable discussions and providing feedback to drive continuous improvement in our products.
SonarQube for IDE
-
@rebb and @Districh reported that SonarQube for Visual Studio stopped analyzing files in projects spanning multiple drives, a regression in version 9.7. After extensive debugging and multiple test builds, a fix using absolute paths is being finalized as an opt-in setting. Thanks to both of you for the patience and thorough testing through many iterations!
-
A regression in the latest SonarQube for IDE releases caused C# analysis to stop detecting issues after files were reopened. @Leopold_Lerch spotted it first, and @saariniemi, @MTurnhoutGt, and @BartNucor helped confirm the scope across VS Code, Rider, and Visual Studio. We declared an incident and shipped fixes across all IDE flavors. Thanks to everyone who reported in!
-
@MrMikeJJ and @FilRip flagged that SonarQube for Visual Studio became unusable when a certificate revocation check failed, triggering an infinite retry loop that froze the UI. Both helped validate intermediate builds, and the proper fix shipped in version 10.2.3. Thanks for the fast turnaround on testing!
SonarQube Server / Community Build
-
@Jonah_IntegraDev noticed that bulk-changing issue assignees stopped working in 26.4.0, with the assignee dropdown appearing empty despite successful API responses. SONAR-27732.
-
@Scott pointed out that building SonarQube from source is broken. Again. This time due to unpublished
scanner-enginedependencies after a recent repo extraction. SCANENGINE-374.
Scanners
-
SonarScanner for Gradle 7.3 fails with AGP 9 when resolving task-backed generated sources like KSP outputs, as @matamegger discovered during an Android project migration. SCANGRADLE-409.
-
@julioyg provided a detailed analysis showing that SonarScanner for Gradle 7.3.0 computes incorrect
sonar.java.binariespaths for Android projects due to a hardcoded path in the newAndroidConfigclass. SCANGRADLE-410.
Rules & Languages
-
azuredevops:S8263was flagged as a potential false positive by @HenrikSommer-eng. It turned out to be a true positive, sinceargumentscan pass extra arguments to msbuild that affect execution, but the rule documentation didn’t make that clear. We’ve updated the rule description. -
@Wiebke reported a false positive from
java:S2755where the recommendedsetFeaturecall was already present on the next line. You’re right; the rule needs to recognize more signatures. JAVASE-47. -
Named
.envfiles likelocal.envandremote.envweren’t being picked up by secrets detection, as @HansvdLaanNedap discovered, because we were only looking at “dotfiles.” We’ll start automatically scanning*.envfiles too, rolling out with upcoming releases. -
java:S1942currently only flags fully qualified class names when the class is already imported, but @MortenHindsholm pointed out it should also flag cases where an import would be cleaner. We agreed there’s room for improvement when no naming collision exists. Thanks @jilles-sg for the insightful edge case analysis! SONARJAVA-6359 -
@Emilyaxe reported that
java:S1144raises a false positive when a private method is referenced via@MethodSourceusing a fully-qualified class name. SONARJAVA-6346. -
@Emilyaxe also flagged that
java:S1128reports static imports from the same class as “unused.” The behavior is correct (same-class statics don’t need importing), but the message does need updating. It should say “redundant” rather than “unused”: SONARJAVA-6288. -
go:S1313should exempt addresses in the3fff::/20documentation subnet (RFC 9637), as @jqueuniet pointed out. We already exempt the older2001:DB8::/32subnet, and we’ll add this one too. -
java:S5194raises a false positive on switch expressions where every branchthrows, as @vtintillier reported, making the suggested fix impossible to apply. SONARJAVA-6362. -
@asm0dey spotted that the quick fix for
java:S6880silently changes null semantics:instanceofis null-safe, but the generatedswitchexpression without acase nullarm throws aNullPointerException. Nice catch! SONARJAVA-6341. -
@asm0dey also reported that the quick fix for
java:S6877produces uncompilable code on constant cases. SONARJAVA-6361.
Thanks again to everyone mentioned here - and to anyone we may have missed - for your ongoing contributions in making this community stronger and helping us improve Sonar products.
If you’d like to give a shout-out to someone, whether a community member or a SonarSourcer who helped you, please do so below. And if there’s someone you think we should acknowledge next week, let us know!
Ann