
Why SonarQube 9.9 LTS is a must-have for JavaScript and TypeScript Developers


Colin Mueller

Community Manager


  • SonarQube
  • JavaScript
  • TypeScript

The growing demand for Clean Code in the software development world is more urgent than ever. SonarQube steps in to help you meet this demand, providing a solution that enables developers to craft Clean Code suitable for both development and production environments.


SonarQube 9.9 LTS includes an advanced analyzer equipped with over 350 rules tailored specifically for JavaScript and TypeScript developers. These rules ensure developers write Clean Code that is both fit for development and fit for production.


Join us as we explore why SonarQube 9.9 LTS is an indispensable tool for your development toolkit, particularly with its substantial improvements to JavaScript and TypeScript analysis which build upon the capabilities already delivered in SonarQube 8.9 LTS.

Updates to the Analysis Engine

Supercharged Analysis Speed 


SonarQube relies on open-source parsers to generate the information needed to perform analysis. It wasn’t always like this, however, and for a long time, we have been trying to move away from the homegrown Java-based parser we started writing many years ago.


Two parsers meant that on each analysis, code was sometimes being parsed twice. With SonarQube 9.9 LTS there's no more waiting for Java parsers to do the job – now that just the single parser is running, this update is all about getting you the results, fast!


This performance improvement is further enhanced for commercial SonarQube users through the introduction of incremental analysis for pull requests. This feature focuses on analyzing only the changes introduced in a pull request instead of the entire codebase. 


In our tests, this leads to an average 40% performance improvement for JavaScript/TypeScript PRs, with an up to 80% improvement on large projects. You can learn more about this in the SonarQube 9.9 LTS announcement.


All of these speed boosts will ensure that you spend less time waiting and more time merging.

Support for TypeScript 4.2 - 4.9


A new SonarQube LTS means support for new language versions, which means we’ve updated the parser to understand any new syntax and updated the rules so that they apply correctly to the new language elements.


Keeping up with the evolving TypeScript ecosystem, SonarQube 9.9 LTS now extends its support to TypeScript versions 4.2 - 4.9.


Looking for TypeScript 5 support? Look no further than SonarQube 10.1.

No TypeScript files left behind


SonarQube 9.9 LTS changes its approach in determining which files to analyze in a TypeScript project.


SonarQube 8.9 LTS relied on the list of files referenced in a project’s tsconfig.json file to determine which files to analyze. This worked well but wasn’t always comprehensive enough. Consider a tsconfig.json file that lists the files to analyze as:

{
  "files": ["root.ts"]
}

where root.ts imports another file, module.ts, which is not referenced in tsconfig.json but is nevertheless part of the project build:

import * as m from './module'


Now, SonarQube 9.9 LTS actually builds the TypeScript program to provide the list of files to be analyzed, meaning that module.ts will be analyzed, unlike before.


Depending on the project, more files may be analyzed. SonarQube is analyzing your project more thoroughly, ensuring no code slips through the cracks.
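As an added illustration (not SonarQube's own code), here is a simplified, in-memory model of the two discovery strategies described above: reading the tsconfig.json "files" list literally versus following the import graph the way building the TypeScript program does. The project files, their names and the narrow import-matching regex are constructed for this example only.

```javascript
// Constructed in-memory project: root.ts is the only tsconfig.json entry, but it
// pulls in module.ts, which in turn pulls in util.ts. orphan.ts is unreachable.
const project = {
  'tsconfig.json': JSON.stringify({ files: ['root.ts'] }),
  'root.ts': "import * as m from './module';\nexport const x = m.y;\n",
  'module.ts': "import { z } from './util';\nexport const y = z + 1;\n",
  'util.ts': 'export const z = 41;\n',
  'orphan.ts': 'export const unused = true;\n',
};

// Files exactly as listed in tsconfig.json (the SonarQube 8.9 LTS approach).
function filesFromTsconfig(files) {
  return JSON.parse(files['tsconfig.json']).files;
}

// Relative import/re-export specifiers found in one source file. This is a
// deliberately narrow regex standing in for a real parser, enough for the demo.
function importSpecifiers(source) {
  const re = /\b(?:import|export)\b[^'"]*?from\s*['"](\.{1,2}\/[^'"]+)['"]/g;
  return [...source.matchAll(re)].map((m) => m[1]);
}

// Resolve './module' to 'module.ts' against the flat in-memory project.
function resolve(specifier, files) {
  const base = specifier.replace(/^\.\//, '');
  for (const candidate of [base, `${base}.ts`]) {
    if (candidate in files) return candidate;
  }
  return null;
}

// Transitive closure over imports starting from the tsconfig roots, which is the
// spirit of the 9.9 LTS approach: every file the program needs gets analyzed.
function filesFromProgram(files) {
  const seen = new Set();
  const stack = [...filesFromTsconfig(files)];
  while (stack.length) {
    const name = stack.pop();
    if (seen.has(name)) continue;
    seen.add(name);
    for (const spec of importSpecifiers(files[name])) {
      const target = resolve(spec, files);
      if (target && !seen.has(target)) stack.push(target);
    }
  }
  return [...seen].sort();
}
```

Running both functions over the same project shows the difference: the tsconfig list yields only root.ts, while the program-based walk also picks up module.ts and util.ts (and still leaves orphan.ts out).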

Analyze JS/TS code embedded in AWS Lambdas


Projects are more complicated than raw .js and .ts files, and sometimes JavaScript/TypeScript code ends up embedded in other files, like those which describe AWS Lambdas. SonarQube 9.9 LTS now analyses the embedded JavaScript and TypeScript code inside AWS Lambda files.

These aren’t just basic checks either but include the advanced vulnerability detection rules available in commercial editions of SonarQube. 


Now you can be sure that the business-critical code in your Lambdas is as clean as the rest of your JavaScript and TypeScript code.

Fewer False-Positives and False-Negatives


Sonar puts in a significant amount of effort to make sure only true issues are raised, and our developers are always reviewing issues raised by JavaScript and TypeScript rules to make sure they are accurate and relevant. They also receive reports from our community and through commercial support channels.


Not counting all of the FPs fixed incidentally by updates to the analysis engine, there were 75 specific false-positives (and false-negatives) our developers addressed in SonarQube 9.9 LTS!

New Rules

Write better unit tests


Maintaining clean test code is just as crucial as having clean product code. High-quality test code ensures that your tests are reliable, maintainable, and easy to understand. This paves the way for more effective debugging and enables faster identification of issues in the product code, thus accelerating the development process. 


If you're using the Mocha or Chai frameworks to write your JavaScript/TypeScript unit tests, you’re in luck, because SonarQube 9.9 LTS adds rules specifically related to analyzing your test code. 


See all the rules here.

React-Specific Rules


React is still the most popular JavaScript library for building user interfaces, particularly for single-page applications. React allows developers to create large web applications that can change data without reloading the page.


SonarQube 9.9 LTS ships with 7 new rules especially designed to catch React-specific bugs and code smells.


See the list of rules here.


Taking SonarQube’s support for React even further, SonarQube 9.9 LTS comes with better support for React among a number of existing rules, including a fix for one of the most hotly voted upon issues on SonarSource/SonarJS: Add exception to Cognitive Complexity for React functional components.

Power to the Regex


Regular expressions (regex) are sequences of symbols and characters that describe a string or pattern to be searched for within a text. Regex is an incredible tool for expressing conditions that would otherwise require many lines of code to catch the same pattern.


While using regex is quite typical for developers these days, that does not make it easy to handle. Writing regexes is error-prone and time-consuming, and they're difficult to document well. Once they are written, identifying errors in them can be extremely difficult.


Not only are they difficult to write, but due to their size and complexity, they are often difficult to read and understand.


Consider the following regular expression, which tests whether or not a string of text is written in camel case (writtenLikeThis):

const CAMEL_CASE_REG_EXP = /^[a-z]{1}([a-zA-Z0-9]{1,})$/;

This regular expression can be made simpler in two ways while functioning exactly the same: removing the meaningless quantifier {1} and replacing {1,} (match the previous token between one and unlimited times) with a simple `+` which means the exact same thing. This gives us a somewhat simpler:

const CAMEL_CASE_REG_EXP = /^[a-z]([a-zA-Z0-9]+)$/;


SonarQube 9.9 LTS raises issues on regular expressions like these, making it a breeze to fix up existing regular expressions and write new regular expressions with confidence.

Let SonarQube 9.9 LTS be your guide to writing simpler, more efficient regular expressions with 19 new rules. See the full list of rules implemented here.
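As an added example (not SonarQube's rule implementation), the following code applies the two rewrites discussed above, dropping a redundant {1} and replacing {1,} with +, while leaving escaped braces and character-class contents untouched, and then confirms the simplified pattern behaves identically to the original on a constructed set of probe strings.

```javascript
// Rewrite redundant quantifiers in a regex source string. Escapes (\{) are copied
// verbatim and braces inside [...] are literals, so only real quantifiers change.
function simplifyQuantifiers(source) {
  let out = '';
  let inClass = false;
  for (let i = 0; i < source.length; i++) {
    const ch = source[i];
    if (ch === '\\') {             // escape sequence: keep it and its next char
      out += ch + (source[i + 1] || '');
      i++;
      continue;
    }
    if (inClass) {                 // inside a character class nothing is a quantifier
      if (ch === ']') inClass = false;
      out += ch;
      continue;
    }
    if (ch === '[') { inClass = true; out += ch; continue; }
    if (ch === '{') {
      const m = /^\{(\d+)(,(\d*))?\}/.exec(source.slice(i));
      if (m) {
        const [token, min, comma, max] = m;
        if (min === '1' && !comma) {                 // {1}  -> (nothing)
          i += token.length - 1;
          continue;
        }
        if (min === '1' && comma && max === '') {    // {1,} -> +
          out += '+';
          i += token.length - 1;
          continue;
        }
      }
    }
    out += ch;
  }
  return out;
}

// A rewrite is only safe if both patterns agree on every probe string.
function behavesTheSame(original, simplified, probes) {
  const a = new RegExp(original);
  const b = new RegExp(simplified);
  return probes.every((s) => a.test(s) === b.test(s));
}

const CAMEL_CASE_SOURCE = '^[a-z]{1}([a-zA-Z0-9]{1,})$';     // the pattern from the post
const SIMPLIFIED = simplifyQuantifiers(CAMEL_CASE_SOURCE);   // '^[a-z]([a-zA-Z0-9]+)$'
// Constructed probes covering matches, near-misses and the empty string.
const PROBES = ['writtenLikeThis', 'a', 'ab', 'Abc', 'a-b', '', 'abc1', '1abc', 'a{1}'];
```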


Enhancing AWS Infrastructure Security with rules for AWS CDK


Managing AWS infrastructure is simplified with the AWS Cloud Development Kit (AWS CDK), which combines the flexibility of a programming language with the complexity of cloud infrastructure. However, even with its robust features, security misconfigurations can occur. Such misconfigurations can pose significant risks to your infrastructure's security, leading to potential vulnerabilities.


To address this, the latest SonarQube 9.9 LTS release introduces 20+ security rules targeted at AWS CDK code in JavaScript and TypeScript. These rules aim to bring your Infrastructure as Code (IaC) security scrutiny to the same level as your source code.


Check out the full list of rules here. 

Just an upgrade away from it all


SonarQube is made by developers, for developers. Our goal is to help all developers be able to write Clean Code. The enhancements in SonarQube 9.9 LTS reflect our ongoing commitment to providing you with an analytical tool that tackles this goal head-on.


If you haven’t tried SonarQube 9.9 LTS yet, I hope you now have even more reasons to prepare this upgrade with your team. Like all SonarQube releases, this is a free version upgrade, and you can get the LTS in just a few clicks at SonarQube Downloads. You won't just be upgrading your SonarQube instance – you'll be upgrading your entire coding experience.


Need more help getting started? Check the following resources:



Remember, these improvements aren't just limited to SonarQube. If you're using SonarCloud, you'll find all these enhancements there too.

