Update sonar-plugin-api to v11.4.0.2922 #716

Open
renovate[bot] wants to merge 1 commit into master from renovate/sonar-plugin-api

renovate Bot commented Apr 19, 2026

Before updating the plugin-api version, make sure to check the compatibility matrix and stick to the lowest denominator.

This PR contains the following updates:

| Package | Change |
| --- | --- |
| org.sonarsource.api.plugin:sonar-plugin-api-test-fixtures (source) | 11.1.0.2693 → 11.4.0.2922 |
| org.sonarsource.api.plugin:sonar-plugin-api (source) | 11.1.0.2693 → 11.4.0.2922 |

Release Notes

SonarSource/sonar-plugin-api (org.sonarsource.api.plugin:sonar-plugin-api-test-fixtures)

v11.4.0.2922

PLUGINAPI-142 [BE] Modify the Plugin API to support OWASP Mobile Top 10 2024 issues

PLUGINAPI-130 Remove deprecated extension points ProfileImporter and ProfileExporter

PLUGINAPI-135 Deprecate org.sonar.api.web.UserRole

PLUGINAPI-136 Deprecate org.sonar.api.issues.DefaultTransitions

PLUGINAPI-139 Add the Plugin API version for SQS 2025.2 LTA

v11.3.0.2824

What's Changed

  • PLUGINAPI-117 Introduce analysis data storage to API.

v11.2.0.2797

PLUGINAPI-122 Standard severities need to be mapped to all the five impact severities


Configuration

📅 Schedule: (in timezone CET)

  • Branch creation
    • "before 4am on Monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate Bot added the dependencies label (Pull requests that update a dependency file) Apr 19, 2026

renovate Bot commented Apr 19, 2026

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: settings.gradle.kts
Command failed: ./gradlew -Dorg.gradle.jvmargs=-Xms512m -Xmx512m --console=plain --dependency-verification lenient -q --write-verification-metadata sha256 dependencies

FAILURE: Build completed with 2 failures.

1: Task failed with an exception.
-----------
* Where:
Build file '/tmp/renovate/repos/github/SonarSource/sonar-kotlin/sonar-kotlin-plugin/build.gradle.kts' line: 9

* What went wrong:
Plugin [id: 'org.sonarsource.cloud-native.license-file-generator'] was not found in any of the following sources:

- Gradle Core Plugins (plugin is not in 'org.gradle' namespace)
- Included Builds (No included builds contain this plugin)
- Plugin Repositories (plugin dependency must include a version number for this source)

* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Get more help at https://help.gradle.org.
==============================================================================

2: Task failed with an exception.
-----------
* Where:
Build file '/tmp/renovate/repos/github/SonarSource/sonar-kotlin/sonar-kotlin-plugin/build.gradle.kts' line: 9

* What went wrong:
Plugin [id: 'org.sonarsource.cloud-native.license-file-generator'] was not found in any of the following sources:

- Gradle Core Plugins (plugin is not in 'org.gradle' namespace)
- Included Builds (No included builds contain this plugin)
- Plugin Repositories (plugin dependency must include a version number for this source)

* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Get more help at https://help.gradle.org.
==============================================================================

BUILD FAILED in 1m 42s

sonar-review-alpha Bot commented Apr 19, 2026

Summary

Updates sonar-plugin-api from 11.1.0.2693 to 11.4.0.2922, spanning three minor versions. This is a straightforward dependency bump affecting only settings.gradle.kts. The upgrade includes removal of deprecated extension points, several API deprecations, and new OWASP Mobile Top 10 2024 support.

What reviewers should know

Key compatibility concerns to verify:

  1. Breaking removal: The ProfileImporter and ProfileExporter extension points have been removed in v11.4.0 (PLUGINAPI-130). Check if sonar-kotlin currently uses these — if so, they need to be refactored or the upgrade cannot proceed.

  2. Deprecated APIs: org.sonar.api.web.UserRole and org.sonar.api.issues.DefaultTransitions are now deprecated. Verify sonar-kotlin doesn't rely on these before they're removed in a future version.

  3. Span of changes: This upgrades across v11.2 and v11.3, bringing in analysis data storage API support (v11.3) and impact severity mappings (v11.2). Check if any of these new features should be integrated or if they affect the plugin's analysis behavior.

  4. SonarQube/SonarSource compatibility: As the author noted, confirm this version aligns with the target platform version (v11.4.0 is for SQS 2025.2 LTA per PLUGINAPI-139).

The actual code change is minimal — focus review on whether the plugin's existing codebase is compatible with these API changes.

sonar-review-alpha Bot left a comment

The codebase is clean with respect to the two breaking changes in this release: ProfileImporter/ProfileExporter (removed) and UserRole/DefaultTransitions (deprecated) are not used anywhere. The mechanical change is correct.

The open question is whether bumping to 11.4.0 is intentional, since this is a Renovate auto-PR and the PR description itself warns to verify the compatibility matrix before merging.

Comment thread settings.gradle.kts
val kotlinVersion: String by extra
val analyzerCommonsVersionStr = "2.18.0.3393"
val sonarPluginApi = "11.1.0.2693"
val sonarPluginApi = "11.4.0.2922"
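
Review bot: The new `val sonarPluginApi = "11.4.0.2922"` line is being proposed without refreshed dependency verification data: the Renovate step that failed on this branch is the `--write-verification-metadata sha256` run, so no sha256 entries were generated for the 11.4.0.2922 artifacts of sonar-plugin-api and sonar-plugin-api-test-fixtures. Suggest resolving the `org.sonarsource.cloud-native.license-file-generator` plugin lookup failure reported at sonar-kotlin-plugin/build.gradle.kts line 9, re-running that command, and adding the resulting checksum changes to this same PR so the new version is not merged on `--dependency-verification lenient` alone.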

Two concerns with this bump:

1. Minimum SQ version raised. Per PLUGINAPI-139, 11.4.0 is the API version introduced for SQS 2025.2 LTA. Bumping sonar-plugin-api to 11.4.0 means the plugin now requires a SonarQube server that ships plugin API ≥ 11.4.0. If customers on older SQ versions (e.g. SQS 25.1 / LTS) need support, this is a breaking change for them. The PR description's own note says to stick to the lowest denominator — please confirm this version is acceptable per the compatibility matrix.

2. Test impl is now mismatched. sonar-plugin-api-test-fixtures was bumped to 11.4.0.2922 (line 92–93), but sonar-plugin-api-impl is still pinned to sonarqube = 25.1.0.102122 (line 82/91). The plugin is now compiled and fixture-tested against 11.4.0, but the actual test runtime is a SQS 25.1 impl. If any new API surfaces from 11.2–11.4 are exercised in tests, they will fail silently or at runtime. Both should be updated together, or this version should not be bumped.
