The SonarQube 10.4 release includes some exciting changes that show the impact of Clean Code and the benefit of the Clean as You Code methodology. Scan times are faster. Sonar is introducing the first part of easy onboarding for GitLab. We added a new deprecated web API log to improve the upgrade experience. We’re making it easier to link SonarQube with SonarLint, our free IDE plugin, so you can benefit from the two working together. Other changes include new support for Helm Charts and language updates.
To eliminate the guesswork of what issues you fixed in a pull request, the pull request decoration in your CI platform and the pull request summary in SonarQube show the issues that will be fixed upon merging. You’ll be able to see which issues you resolved before the merge, so you know immediately that you’ve fixed the problem. Similar to the Clean Code Taxonomy changes we’ve made to the pull request, the branch summary now contains a single issues category. Additionally, the overall code tab has info on your code's software quality and a count of high, medium, and low severity issues for each category to help explain the cause of the rating value in each category. We've also updated the handling of issues you don't plan to address immediately. To dismiss an issue, you now mark it as “accepted”, and a count of accepted issues in new code is displayed in the pull request summary and pull request decoration to provide information on the technical debt accumulating in your code from accepting issues. Lastly, you can now use Clean Code Taxonomy values to set the Clean Code attribute for a new rule created from a template.
Scan times are even faster now because the scanner only downloads the analyzers required for performing the scan instead of everything. In SonarQube 10.3, we completed easy onboarding of GitHub. In 10.4, we started the same work for GitLab by adding support for provisioning and synchronizing users and groups from GitLab into SonarQube. This automates setup and maintenance when using GitLab to authenticate users in SonarQube. Additionally, we’re making upgrades smoother by giving you quick feedback when you use deprecated web APIs and web API parameters in a new deprecated web API log.
Have you linked your SonarQube to SonarLint using connected mode? If not, you’re missing out on some fantastic capabilities. One of the most exciting is that when viewing an issue in SonarQube, you can jump directly to the code in question in your IDE to fix it immediately. In this release, to simplify setup, when you click the button to view the issue in SonarLint, SonarQube will walk you through linking them together. Additionally, in 10.4, thanks to connected mode, SonarQube Enterprise Edition will download your custom secrets rules to SonarLint, and any custom secrets will be highlighted for you as you code, preventing these secrets from being inadvertently pushed to your repository. SonarQube now supports scanning Helm Charts for Helm-based Kubernetes deployments. We’ve added many more language updates, including more MISRA C++ 2023 rules, finding issues in C++ macros, accessibility rules for React.js, more Spring Boot rules, the same rule coverage for Javax and Jakarta, more Blazor rules in .NET, and, for Python, support for Graphene, the FastAPI framework, and the top 3 Python SAST Benchmarks: DVGA, DSVW, and skf-labs-python.
If you’re on a version older than 9.9, upgrade to SonarQube 9.9 LTS before upgrading to 10.4. Check out this helpful checklist for a smoother upgrade. Watch the on-demand LTS upgrade webinar highlighting a step-by-step approach and common pitfalls encountered during the upgrade.