Blog post

Another 9 reasons to upgrade to SonarQube 9.9 LTS


Colin Mueller

Community Manager


  • SonarQube

SonarQube 9.9 LTS was released in February, and we hope you’ve already seen our announcement and are working on your upgrade!


In March, we published 9 more reasons to upgrade to SonarQube 9.9 LTS that weren’t featured in our big release announcement – and we aren’t done yet! There’s still more to know about the micro-features and improvements that are in our Best LTS Ever. 


Without further ado, here are another 9 reasons you should prioritize upgrading to SonarQube 9.9 LTS.


1. Import SARIF reports generated by other tools


In 2019, the Static Analysis Results Interchange Format (SARIF) was defined as a standard format for the output of static analysis tools. Since then, this format has seen a lot of adoption among security tools. 


Responding to feedback from our Community, in SonarQube 9.9 LTS it’s now possible to import issues from SARIF reports alongside your SonarQube analysis! Now developers don’t need to leave SonarQube to be aware of findings from these reports.
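To make the format concrete, here is an added example (not Sonar's code and not the SonarQube importer itself) that parses a SARIF 2.1.0 report and summarizes the parts an import would read: the rule catalogue under `runs[].tool.driver.rules`, and each result's `ruleId`, `level`, `message` and physical location. The report itself is constructed for illustration, and the level-to-severity mapping is this example's own, not SonarQube's.

```python
"""Parse a SARIF 2.1.0 report and summarize its results.

Added example, not Sonar's code. The report below is constructed, not the
output of a real tool run. Severity mapping is this example's own scheme.
"""
import json
from collections import Counter

# Constructed sample report (minimal SARIF 2.1.0 document).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "example-scanner",
            "rules": [
                {"id": "EX001", "shortDescription": {"text": "Hard-coded credential"}},
                {"id": "EX002", "shortDescription": {"text": "Unused variable"},
                 "defaultConfiguration": {"level": "warning"}},
            ],
        }},
        "results": [
            {"ruleId": "EX001", "level": "error",
             "message": {"text": "Password literal in source"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/db.py"},
                 "region": {"startLine": 12}}}]},
            {"ruleId": "EX002", "level": "warning",
             "message": {"text": "'tmp' is assigned but never used"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/util.py"},
                 "region": {"startLine": 40}}}]},
            # No "level" here: it falls back to the rule's defaultConfiguration.
            {"ruleId": "EX002",
             "message": {"text": "'i' is assigned but never used"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/util.py"},
                 "region": {"startLine": 58}}}]},
        ],
    }],
})

# Assumption: this mapping is ours, chosen for the example only.
LEVEL_TO_SEVERITY = {"error": "MAJOR", "warning": "MINOR", "note": "INFO", "none": "INFO"}


def load_results(sarif_text):
    """Return a flat list of findings from every run in the report."""
    doc = json.loads(sarif_text)
    if doc.get("version") != "2.1.0":
        raise ValueError("unsupported SARIF version: %r" % doc.get("version"))
    findings = []
    for run in doc.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        rules = {r["id"]: r for r in driver.get("rules", [])}
        for res in run.get("results", []):
            rule_id = res.get("ruleId", "unknown")
            rule = rules.get(rule_id, {})
            # SARIF: a missing "level" defaults to the rule's configured level,
            # and to "warning" if the rule does not set one.
            level = res.get("level") or rule.get("defaultConfiguration", {}).get("level", "warning")
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": rule_id,
                "rule_name": rule.get("shortDescription", {}).get("text", rule_id),
                "severity": LEVEL_TO_SEVERITY.get(level, "MINOR"),
                "file": loc.get("artifactLocation", {}).get("uri"),
                "line": loc.get("region", {}).get("startLine"),
                "message": res.get("message", {}).get("text", ""),
            })
    return findings


def count_by_rule(findings):
    """Number of findings per rule id, e.g. {'EX001': 1, 'EX002': 2}."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    for f in load_results(SAMPLE_SARIF):
        print("%s %s:%s %s [%s]" % (f["severity"], f["file"], f["line"], f["message"], f["rule"]))
    print(count_by_rule(load_results(SAMPLE_SARIF)))
```

The fallback for a missing `level` matters in practice: several tools omit it on every result and rely on the rule's `defaultConfiguration`, so a parser that reads only `result.level` silently misclassifies them.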



2. Detect New Code in Git Submodules


Git allows you to use submodules when referencing another git repository.


Love them or hate them, they exist – and until recently, they broke SonarQube’s detection of New Code. This caused unnecessary noise to appear for developers when analyzing their pull requests. While SonarQube could detect that some files had changed, it couldn't determine which specific lines had changed.


In SonarQube 9.9 LTS, we’ve addressed this. Welcome to the family, git submodules (bless your heart).


3. No more “zombie” Quality Profiles from removed plugins


When installing third-party plugins, they sometimes provide built-in Quality Profiles (like how Sonar's analyzers provide the built-in “Sonar Way” Quality Profiles). 


In the past, if you removed such a third-party plugin, you were stuck with a Quality Profile you couldn’t delete unless you made dangerous database changes. This was understandably frustrating for users who didn't want clutter and confusion when viewing Quality Profiles.


After first being reported all the way back in SonarQube v6.7 LTS (with the introduction of built-in Quality Profiles), these “zombie” profiles can finally be deleted in SonarQube 9.9 LTS.


4. “Acknowledge” Security Hotspots


Security Hotspots highlight a security-sensitive piece of code that a developer needs to review.


In SonarQube 8.9 LTS, it was only possible to mark a Hotspot as “Safe” or “Fixed” – and we heard feedback from our users that there was a gap when a developer reviews the security hotspot and a resolution to the highlighted risk is pending. 


SonarQube 9.9 LTS adds the Acknowledged state to Security Hotspots to tell your team (and your auditors…) that you’ve seen an issue and the fix is pending.


5. Select Reference Branch at scan-time


SonarQube 8.9 LTS introduced the Reference Branch New Code Period, where a user can configure their New Code Period to be based on a comparison to an existing branch.


Some users want to set this at the scanner level instead of using the UI/API, and SonarQube 9.9 LTS allows this with the sonar.newCode.referenceBranch analysis parameter.


This is particularly useful if you have a specific build for branches targeting a specific release branch, or you have some logic in your pipeline that determines which branch your code will be merged into (based on the branch name, for example).
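As an added example of the pipeline logic just described (not Sonar's code), the snippet below derives the reference branch from the branch being built and emits the corresponding scanner arguments. The branch-naming convention (`hotfix/<release>/<topic>` targets `release/<release>`, everything else targets `main`) and the use of `sonar.branch.name` to name the analyzed branch are assumptions for illustration; `sonar.newCode.referenceBranch` is the parameter named in the post.

```python
"""Pick the New Code reference branch from the branch name at scan time.

Added example, not Sonar's code. The naming convention below is an
assumption: hotfix/<release>/<topic> is merged into release/<release>,
release/<x.y> and everything else is compared against the default branch.
"""
import re
import shlex

DEFAULT_BRANCH = "main"
HOTFIX_RE = re.compile(r"^hotfix/(?P<release>\d+\.\d+)/.+$")
RELEASE_RE = re.compile(r"^release/\d+\.\d+$")


def reference_branch_for(branch, default=DEFAULT_BRANCH):
    """Return the branch that code on `branch` will be merged into."""
    if branch == default or RELEASE_RE.match(branch):
        # Long-lived branches compare against the default branch, so a
        # release branch's own history is not reported as new code.
        return default
    m = HOTFIX_RE.match(branch)
    if m:
        return "release/" + m.group("release")
    # Feature branches and anything unrecognized target the default branch.
    return default


def scanner_args(branch, project_key, default=DEFAULT_BRANCH):
    """Build the sonar-scanner argument list for one pipeline run."""
    args = [
        "sonar-scanner",
        "-Dsonar.projectKey=" + project_key,
        "-Dsonar.branch.name=" + branch,  # assumption: branch analysis by name
    ]
    ref = reference_branch_for(branch, default)
    if ref != branch:
        # Only set a reference when it differs from the analyzed branch; a
        # branch compared against itself has no new code by definition.
        args.append("-Dsonar.newCode.referenceBranch=" + ref)
    return args


def scanner_command_line(branch, project_key):
    """Shell-quoted form of scanner_args, safe to paste into a CI step."""
    return shlex.join(scanner_args(branch, project_key))


if __name__ == "__main__":
    for b in ("main", "release/1.2", "hotfix/1.2/fix-login", "feature/new-ui"):
        print(scanner_command_line(b, "demo-project"))
```

Quoting the final command line with `shlex.join` is deliberate: branch names come from the VCS and may contain characters that would otherwise be interpreted by the CI shell.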


6. Support of compilation databases for C/C++ analysis


C/C++ analysis requires a lot of precise configuration information to produce an accurate analysis. That’s why, historically, a build wrapped with our “build wrapper” has been necessary to collect all the information about the environment and the commands being sent to the compiler.


This is reliable but comes with trade-offs, like needing to use a tool similar to ccache to perform an incremental build. Sometimes, that’s not an option.


In SonarQube 9.9 LTS, it’s possible to pass a compilation database to the scanner instead of wrapping a full build, offering increased flexibility.


Read more about this in the blog post: Compilation database: An alternative way to configure your C or C++ analysis
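For readers who have not worked with compilation databases before, here is an added example (not Sonar's code) that reads a Clang-style `compile_commands.json`, normalizes each entry, and reports project sources the database does not cover. That last check is the caveat that matters when you swap the build wrapper for a database: an incremental build can produce a database that omits files, and those files are then missing from the analysis. The database and source list below are constructed.

```python
"""Inspect a JSON compilation database (compile_commands.json).

Added example, not Sonar's code. Each entry has "directory", "file" and
either "command" (one shell string) or "arguments" (an argv list). The
database and the source list are constructed; nothing is read from disk.
"""
import json
import posixpath
import shlex

SAMPLE_DB = json.dumps([
    {"directory": "/work/app/build",
     "command": "cc -O2 -DNDEBUG -I../include -c ../src/main.c -o main.o",
     "file": "../src/main.c"},
    {"directory": "/work/app/build",
     "arguments": ["cc", "-O2", "-I../include", "-c", "../src/net.c", "-o", "net.o"],
     "file": "../src/net.c"},
])

# Sources the project intends to analyze (constructed).
PROJECT_SOURCES = ["/work/app/src/main.c", "/work/app/src/net.c", "/work/app/src/crypto.c"]


def load_compile_commands(text):
    """Parse and normalize a compilation database into absolute paths and argv."""
    entries = []
    for i, raw in enumerate(json.loads(text)):
        for key in ("directory", "file"):
            if key not in raw:
                raise ValueError("entry %d lacks required key %r" % (i, key))
        if "arguments" in raw:
            argv = list(raw["arguments"])
        elif "command" in raw:
            argv = shlex.split(raw["command"])
        else:
            raise ValueError("entry %d has neither 'command' nor 'arguments'" % i)
        directory = raw["directory"]
        # "file" and -I paths may be relative to "directory": resolve them
        # lexically so entries from different build dirs compare equal.
        resolve = lambda p: posixpath.normpath(posixpath.join(directory, p))
        entries.append({
            "directory": directory,
            "file": resolve(raw["file"]),
            "argv": argv,
            "defines": [a[2:] for a in argv if a.startswith("-D")],
            "includes": [resolve(a[2:]) for a in argv if a.startswith("-I")],
        })
    return entries


def uncovered_sources(entries, sources):
    """Project sources with no compile command, i.e. files analysis would skip."""
    covered = {e["file"] for e in entries}
    return [s for s in sources if posixpath.normpath(s) not in covered]


if __name__ == "__main__":
    entries = load_compile_commands(SAMPLE_DB)
    for e in entries:
        print(e["file"], "defines:", e["defines"], "includes:", e["includes"])
    print("not covered:", uncovered_sources(entries, PROJECT_SOURCES))
```

The normalization is lexical on purpose: the database is usually produced on a build machine, and resolving paths against that machine's filesystem is not possible elsewhere. Only `-D` and `-I` are extracted here; a real consumer needs the full argv, which is why it is kept on each entry.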


7. New (and improved) analysis tutorials


SonarQube offers in-app tutorials for integrating analysis into your new and existing build pipelines. In SonarQube 9.9 LTS there are now new tutorials to cover even more combinations of DevOps Platforms and CI tools, and many updates to existing tutorials.


This includes new and improved tutorials for…


  • Bitbucket Pipelines
  • GitHub + Azure DevOps
  • Jenkins + Bitbucket
  • C/C++ analysis across all supported DevOps platforms
  • Projects not bound to a specific DevOps platform


This makes it easier than ever to configure analysis without reading through mountains of documentation or having to be a SonarQube expert.


8. Reinforcing the security of SonarQube


There was a significant effort in SonarQube 9.9 LTS to address some security issues found by our own penetration testing, and to add some “nice-to-haves” that users have been requesting to make complying with internal audits easier.


These improvements include:


  • Adding the Content-Security-Policy HTTP Header
  • Adding the Strict-Transport-Security (HSTS) Header when HTTPS is used
  • Adding SameSite and HttpOnly flags to cookies
  • Not following redirects when integrating with DevOps Platforms
  • Preventing plugins from modifying SonarQube’s home directory
  • Supporting SAML request signing and assertion encryption


SonarQube 9.9 LTS is, without a doubt, the most secure SonarQube LTS we've released.
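After an upgrade, the header and cookie changes listed above are easy to verify from the outside. The following added example (not Sonar's code) audits a captured HTTP response for the Content-Security-Policy header, the Strict-Transport-Security header when the response came over HTTPS, and the HttpOnly and SameSite attributes on every Set-Cookie. The two responses are constructed to show a failing and a passing case; the cookie name and CSP value are placeholders, not SonarQube's actual values.

```python
"""Audit HTTP response headers for CSP, HSTS and cookie attributes.

Added example, not Sonar's code. Both responses below are constructed;
the cookie name and header values are placeholders.
"""


def parse_set_cookie(value):
    """Return (cookie_name, {attribute_lowercase: value}) for one Set-Cookie."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name, attrs


def audit_response(headers, https):
    """headers: list of (name, value) pairs, because Set-Cookie may repeat.

    Returns a list of findings; an empty list means every check passed.
    """
    by_name = {}
    for k, v in headers:
        by_name.setdefault(k.lower(), []).append(v)

    findings = []
    if "content-security-policy" not in by_name:
        findings.append("missing Content-Security-Policy header")
    # HSTS is only meaningful (and only sent by a correct server) over HTTPS.
    if https and "strict-transport-security" not in by_name:
        findings.append("missing Strict-Transport-Security header on HTTPS response")
    for raw in by_name.get("set-cookie", []):
        name, attrs = parse_set_cookie(raw)
        if "httponly" not in attrs:
            findings.append("cookie %s lacks HttpOnly" % name)
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            findings.append("cookie %s lacks SameSite=Lax or Strict" % name)
    return findings


# Constructed: what an un-hardened response might look like.
BEFORE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSION=example; Path=/"),
]

# Constructed: the same response with the hardening applied.
AFTER = [
    ("Content-Type", "text/html"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "SESSION=example; Path=/; HttpOnly; SameSite=Lax"),
]


if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_response(hdrs, https=True) or "OK")
```

To run it against a live instance, collect `response.headers.items()` (or `raw_headers` from your HTTP client, so repeated Set-Cookie lines are preserved) and pass `https=True` only when the request actually used TLS, otherwise the missing HSTS header is a false positive.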


9. Project Move moved to Community Edition


The Enterprise and Data Center Editions of SonarQube allow users to export and import projects so that they can be moved from one instance to another – we call this Project Move and it is particularly useful when organizations are consolidating many SonarQube instances. 


Previously, this required that the source and target SonarQube instances were running the same version and edition. The edition requirement complicated consolidating many Community/Developer Editions into an Enterprise Edition (or higher) because any Community/Developer Edition instances would need to first be upgraded to Enterprise Edition with a temporary license key. 


We’ve made moving projects between SonarQube instances easier in SonarQube 9.9 LTS by allowing project export from any edition (the version requirement remains)!


Project Import remains a feature of Enterprise and Data Center Edition.


Just an upgrade away from it all

If you haven’t tried SonarQube 9.9 LTS yet, I hope you now have even more reasons to prepare that upgrade with your team. This is a free version upgrade for all, and you can get the LTS in just a few clicks @ SonarQube Downloads

Need more help getting started? Check the following resources: