Blog post

Why SonarQube 9.9 LTS is a must-have for PHP Developers

Colin Mueller photo

Colin Mueller

Community Manager


  • SonarQube
  • Clean Code

Clean Code is not a “nice-to-have” in the software development world; it's a must-have. That's where SonarQube comes in. It's made to help you and your team write pristine code fit for development and production.

Now, meet SonarQube 9.9 LTS! With powerful PHP analysis and over 275 rules specifically designed for PHP developers, this version is a game-changer. Let's dive into the standout features and enhancements that make it an unmissable upgrade over previous versions, including the end-of-life SonarQube 8.9 LTS.

Updates to the Analysis Engine

Supercharged Analysis Speed 

SonarQube 9.9 LTS speeds up analysis significantly for users of commercial editions of SonarQube through the introduction of incremental analysis for pull requests. This feature focuses on analyzing only the changes introduced in a pull request instead of the entire codebase. You can learn more about this in the SonarQube 9.9 LTS announcement.

All of these speed boosts will ensure that you spend less time waiting and more time merging.

Support for PHP 8.1 and 8.2

A new SonarQube LTS includes support for new language versions, which means we’ve updated parsing to understand new syntax and to update rules for how they apply to the new language elements.

Keeping up with the evolving PHP ecosystem, SonarQube 9.9 LTS now extends its support to PHP 8.1 and 8.2. This means support for:

Import Psalm and PHPStan reports

When using multiple tools to report issues on code, it can lead to a disjointed workflow if all the results aren’t in one place. Being able to import these reports issues into SonarQube means no more flipping between tools, no more scattered focus—just an integrated, clear view of your code's health to tackle issues directly.

Psalm and PHPStan, widely-recognized analyzers in the PHP community, can now be integrated more seamlessly with SonarQube 9.9 LTS. It offers the ability to import issue reports directly into SonarQube as external issues

Fewer False-Positives

Sonar puts in a significant amount of effort to make sure only true issues are raised, and our developers are always reviewing issues raised by rules to make sure they are accurate and relevant. They also receive reports from our community and through commercial support channels.

SonarQube 9.9 LTS fixes community-reported false-positives like making sure that S1313 (Using hardcoded IP addresses is security-sensitive) isn’t raised on reserved IP addresses and S3699 (The output of functions that don't return anything should not be used) isn’t raised on arrow functions, and more!

New Rules

Level-up your WordPress Plugin Development 

Wordpress remains a wildly popular CMS in 2023 – by some estimates powering 40% of the websites on the internet today! Wordpress is written in PHP, so its ecosystem of plugins is developed with PHP as well. In the past, ensuring the maintainability and security of these plugins has been challenging due to scattered documentation.

With the introduction of 9 new rules specifically targeted at Wordpress plugin developers, SonarQube 9.9 LTS helps ensure the development of maintainable and more secure WordPress plugins.

Find all the rules here.

On top of these new rules, we’ve adapted our advanced security analysis (available in commercial editions of SonarQube) to be aware of Wordpress sources, sinks, and sanitizers. Now you can be sure that only trusted data is being passed through your code – avoiding attacks like SQL and Path injection and URL redirection!

Write clean and error-free regular expressions

Regular expressions (regex) are sequences of symbols and characters expressing a string or pattern to be searched for within a longer piece of text. Regex is an incredible tool to express conditions that would otherwise require many lines of code to catch the same pattern.

While using regex is quite typical for developer, that does not make it easy to master. Writing regexes is error-prone and time-consuming, and they're difficult to document well. Once they are written, identifying errors in them can be extremely difficult. Not only are they difficult to write, but due to their size and complexity, they are often difficult to read and understand.

Take this example:

$re = '/[a-z\:\/\/\.]+(youtube|youtu)\.(com|be)\/(watch\?v=|embed\/|.+\?v=)?([^"&?\s]{11})?/m';

This regular expression is meant to match URLs like and

The third capturing group in this regular expression is (watch\?v=|embed/|.+\?v=)? to account for variations in the URL format. You might not have noticed that the third alternative in this capturing group, .+\?v=, is redundant, as it's already covered in the first alternative watch\?v= and will never apply to /embed/ URLs.

So this regular expression can be simplified by removing the redundant alternative group, giving us a slightly more readable:

$re = '/[a-z\:\/\/\.]+(youtube|youtu)\.(com|be)\/(watch\?v=|embed\/|)?([^"&?\s]{11})?/m';

That would have been hard for a developer to spot on their own. It's not hard at all for SonarQube.

In SonarQube 9.9 LTS our developers introduced 25 new rules to help PHP developers, write efficient, error-free, safe, and simpler regular expressions! You can find all the PHP rules related to regular expressions at

Just an upgrade away from it all

Crafted with developers in mind, SonarQube aims to assist developers in writing Clean Code. The enhancements in SonarQube 9.9 LTS reflect our ongoing commitment to providing you with a developer-first tool that tackles this goal head-on.

If you haven’t tried SonarQube 9.9 LTS yet, I hope you now have even more reasons to prepare this upgrade with your team. This is a free version upgrade for all, and you can get the LTS in just a few clicks at SonarQube Downloads. You won't just be upgrading your SonarQube instance – you'll be upgrading your entire coding experience.

Need more help getting started? Check the following resources:

Remember, these improvements aren't just limited to SonarQube. If you're using SonarCloud, you'll find all these enhancements there too.

Get new blogs delivered directly to your inbox!

Stay up-to-date with the latest Sonar content. Subscribe now to receive the latest blog articles. 

By submitting this form, you agree to the storing and processing of your personal data as described in the Privacy Policy and Cookie Policy. You can withdraw your consent by unsubscribing at any time.