What's new at a glance
Expanded core security
- Complete SAST with taint analysis for Go projects
- VB.NET taint analysis using SonarQube’s proven C# SAST engine
- Next-generation JavaScript/TypeScript taint analysis engine
- Industry-leading secrets detection with 400+ patterns across 340+ rules covering 248 cloud services
Achieve compliance with SonarQube
- Get immediate MISRA compliance feedback directly in your IDE with expanded MISRA C++:2023 coverage for safety-critical codebases
- Generate customizable PDF reports for PCI, OWASP, CWE, STIG, and CASA standards
- Download enhanced regulatory reports with improved summaries and CSV exports
Elevate your code
- C/C++ analysis up to 33% faster through function-based symbolic execution caching
- NOSONAR allows for granular rule suppression for Python issues
- Full support for Java 23/24
- Dart 3.8 compatibility for Flutter development
- SonarQube’s Advanced Dataflow Bug Detection engine detects more complex Java issues
- Performance-focused rules for Java and Python with automated quick-fixes
Advanced Security
- Continuous dependency vulnerability detection without re-scanning
- Customizable risk severity for dependency risks
- Machine-readable vulnerability reports via API (JSON/CSV)
- PHP dependency support through Packagist/Composer
Why this release matters
For Development teams: C/C++ analysis runs 33% faster due to function-based symbolic execution caching, particularly helpful for large codebases with frequent header file changes. Full support for Java 23/24 and Dart 3.8 means new language features parse correctly, while new Java and Python performance rules include automated fixes. NOSONAR can now suppress individual python rules instead of disabling entire lines, and the advanced Java bug detection engine catches complex cross-function issues, replacing noisy rules based on SonarQube's symbolic execution engine.
For Security teams: Go and VB.NET now have full SAST with taint analysis, while the rewritten JS/TS engine reduces false positives and catches more complex data flow issues. Secrets detection scans YAML/JSON config files using 400+ patterns, catching credentials in infrastructure code that source-only scanners miss. Continuous dependency scanning provides immediate notification of new vulnerabilities, with machine-readable reports and customizable risk severity based on actual usage.
For Compliance teams: Developers can access MISRA C++:2023 rules directly in their IDE (VSCode, Visual Studio, IntelliJ/CLion) for immediate feedback during development rather than during expensive remediation cycles. Enhanced security reports now support customizable PDF exports for PCI, OWASP, CWE, STIG, and CASA standards.
The 2025.4.1 What's New page and our SonarQube Server release notes provide more details about the release.
Are you still using an older version of SonarQube Server?
If you’re on a version older than the 2025.1 LTA release, upgrade to the SonarQube Server LTA before upgrading to the latest version.
Check out this helpful checklist for a smoother upgrade.
Watch the on-demand LTA upgrade webinar, which explains a step-by-step approach and highlights common pitfalls encountered during the upgrade.