Hi all!
You might be wondering where’s Ann and why it’s me posting this week’s roundup instead? I’ll introduce myself: my name is Andres, I’ve been working at Sonar for around one year now. Ann is transitioning to other duties, and handing Community over to @stevan.vanderwerf and me. Which means you will see us two around here more often.
In other exciting news, we are starting an alpha testing phase for our SonarQube Hunter Agent! In case you haven’t heard, this is our AI-powered security analysis tool, able to find deep vulnerabilities that regular static analysis misses. If this sounds like something you would be interested in, please check out the post and consider joining the alpha program.
And now, like every week, we’d like to take a moment to recognize you, the users, who help improve the ecosystem for everyone by sparking valuable discussions and providing feedback to drive continuous improvement in our products.
SonarQube for IDE
- @lrozenblyum noticed that the SonarQube for Eclipse 12.3.0 release notes on GitHub linked to an internal Jira page inaccessible to the public. We’ve updated the link and are fixing the release automation so upcoming versions generate the correct link automatically.
SonarQube Cloud
- @amoriki previously reported a problem with the “More Actions” button in Intended Architecture. After we fixed it, they followed up to tell us about the detailed Japanese article they wrote about the Architecture Analysis feature, sharing that knowledge with the wider community!
- SonarQube Cloud organization tokens stopped accepting Basic Auth, causing pipeline failures in Bitbucket, GitHub Actions, and Azure DevOps. @VKVSH, @IGx89 (1), @Jaren_Lamprecht, @cpasquini (2), and @Dineth_Jayanga (3) let us know. We declared an incident, which has since been resolved. Sorry for the inconvenience and thanks to everyone who reported it!
- `/api/qualityprofiles/search` started returning 500 errors for some SonarQube Cloud projects, blocking pipeline runs. @rubsksn, @TBakkum, and @andergborges let us know. After a recent migration, some organizations were left without a default quality profile for the AI language because their previous default pointed to an obsolete built-in profile. We’ve deployed a fix to restore the missing defaults. Thanks to everyone who reported it!
- Thanks to @fcollins_vacv, @AaronC81, @rnorth, and @Ecstatic-Giraffe, who let us know that SonarQube Cloud was returning 403 errors when fetching JRE metadata, blocking pipeline runs across Bitbucket, GitHub Actions, and Azure DevOps. We confirmed it was a SonarQube Cloud issue and our engineering team rolled back the affected component, resolving the incident.
SonarQube Server / Community Build
- @gian1200 requested a configurable `apiVersion` for `PodMonitor` in the SonarQube Helm chart, which would enable Azure Managed Prometheus users to use the chart’s built-in monitoring without having to drop it and manage their own. Thanks, we’re on it!
Scanners
- SonarScanner for .NET generates a high volume of INFO-level output with no built-in way to suppress it, as @JuanZamudioGBM pointed out. We appreciate this feedback and we’ve converted one particularly noisy line to debug level.
- @Thomas_Keller reported that upgrading to SonarScanner for Gradle 7.3.0 causes analyses to fail with an `AnalysisException` requiring `sonar.java.binaries`, even on projects that were working fine before. This was a bug inadvertently introduced while adding AGP 9 support, and we’re fixing it in this ticket: SCANGRADLE-410.
Rules & Languages
- `githubactions:S8544` was incorrectly flagging `pip install playwright==1.59.0 --only-binary :all:` as missing a version pin. You’re right, @Nicolas_Baumann; the parser was treating `:all:` as a package name rather than a selector keyword. A fix will roll out with upcoming releases.
- @Pavel_Kotrc_EXT suggested that `csharp:S1244` should not flag floating-point comparisons with zero, since zero is exactly representable per IEEE 754 and commonly used as a default-value check. This is correct, and we’ve agreed to exclude comparisons against zero from the rule.
- `typescript:S4782` raised a false positive on `{ specificAttribute?: undefined }`, where the `?` is not redundant: making the property required-but-typed-as-`undefined` is semantically different from an optional property. @unblocker provided a careful explanation of the type-theoretic distinction along with a clean reproducer. Thanks for the thorough write-up! Progress can be tracked in JS-1775.
- @bicolorman reported analyses hanging indefinitely at the `JsSecuritySensorV2` step and shared the source file that triggered it, helping us trace a tricky bug in the JavaScript security analysis engine. A fix was merged and will roll out with upcoming releases.
- @JanecekPetr noticed a false positive in `java:S2583` where a variable assigned in a `try` block and checked in a nested `catch` was incorrectly flagged as always `null`, because the nested try-catch structure wasn’t modeled correctly. JAVASE-226
- Coverage data was going missing for some TypeScript files in a monorepo with multiple files sharing the same name in different directories. @Donald_Renner reported the issue and helped confirm that using absolute paths in the coverage report resolves the ambiguity. A proper fix is in flight: JS-537.
- @VShkaberda pointed out that `text:S8565` fires on `pyproject.toml` files used only for tool configuration (such as linters), with no dependency management involved, so there is no lock file to commit. A fix is already on the way.
- `java:S1481` incorrectly reported a local variable as unused when its only update site was a compound assignment (`+=`) embedded in a `while` condition, even though the compound form implicitly reads the variable on every iteration. @Chordrain filed a clear report and self-contained reproducer. SONARJAVA-6424
- @Chordrain also spotted that `java:S1068` fails to flag unused private static fields declared inside a Java `record`, even though it correctly handles regular classes. SONARJAVA-6425
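To illustrate the `githubactions:S8544` parsing mistake above, here is an added example (not Sonar’s rule implementation) that shows a naive `pip install` tokenizer reporting the `--only-binary` value `:all:` as an unpinned package, beside a version that first consumes option values; the set of value-taking options is an assumed subset for the example, not pip’s full option table.

```python
import shlex

# Options of `pip install` that consume the following token as their value.
# Assumed subset for this example, not pip's complete option table.
OPTIONS_WITH_VALUE = {
    "--only-binary", "--no-binary", "-i", "--index-url", "--extra-index-url",
    "-r", "--requirement", "-c", "--constraint", "-f", "--find-links",
    "-t", "--target", "--platform", "--python-version", "--implementation", "--abi",
}


def _args_after_install(command: str) -> list[str]:
    """Tokenize the command and drop everything up to the `install` subcommand."""
    tokens = shlex.split(command)
    return tokens[tokens.index("install") + 1:] if "install" in tokens else tokens


def is_pinned(spec: str) -> bool:
    """A requirement is pinned when it uses an exact-version operator (== or ===)."""
    return "==" in spec


def naive_unpinned(command: str) -> list[str]:
    """The buggy behaviour described above: every token that does not start with
    a dash is treated as a package name, so the selector `:all:` gets reported."""
    return [t for t in _args_after_install(command)
            if not t.startswith("-") and not is_pinned(t)]


def split_specs(command: str) -> list[str]:
    """Return only the requirement specifiers, skipping options and the values
    they consume (`--only-binary :all:` as two tokens, or `--only-binary=:all:`)."""
    specs, skip_next = [], False
    for tok in _args_after_install(command):
        if skip_next:
            skip_next = False          # this token is an option value, not a package
            continue
        if tok.startswith("-"):
            # an inline `--opt=value` carries its value; a bare `--opt` takes the next token
            if "=" not in tok and tok in OPTIONS_WITH_VALUE:
                skip_next = True
            continue
        specs.append(tok)
    return specs


def unpinned_packages(command: str) -> list[str]:
    """Fixed behaviour: only real requirement specifiers are checked for a pin."""
    return [s for s in split_specs(command) if not is_pinned(s)]
```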
Thanks again to everyone mentioned here - and to anyone we may have missed - for your ongoing contributions in making this community stronger and helping us improve Sonar products.
If you’d like to give a shout-out to someone, whether a community member or a SonarSourcer who helped you, please do so below. And if there’s someone you think we should acknowledge next week, let us know!
Andres