Sonar is excited to announce SonarQube Server 2025.4 release.
Key capabilities of 2025.4
- Expanded core security: SAST for Go, taint analysis for VB.NET, more robust JS/TS taint analysis, best-in-class secrets detection including in YAML, JSON, and Kotlin
- Achieve compliance: more MISRA C++2023 rules now available in your IDE, more comprehensive security and regulatory reports
- Elevate your code: more maintainable and performant Python/Java, faster C/C++ analysis, complex Java bug detection, full support Java 23/24, & Dart 3.8
- Advanced Security: enhanced SCA with continuous vulnerability detection without reanalysis, customizable risk severity, machine-readable reports, PHP dependency support, and dependency risks caught in the IDE
Our new 2025.4 release empowers developers with significant advancements to enhance code quality, security, and efficiency across multiple languages. Python developers gain better help for writing more idiomatic and performant code. For Java users, we've introduced code performance rules, full parsing, and complete support for Java 23 and 24 to keep you up-to-date with the latest Java advancements while ensuring your Java code is performant. Additionally we’ve added powerful cross-procedural bug detection for Java which can uncover complex problems often missed by traditional static analysis. C and C++ analysis is significantly faster, drastically reducing analysis times. We’ve added first-class support for Dart 3.8. We’ve continued to expand early access MISRA C++:2023 with new rules, which are now available directly in your IDE to help you achieve compliance earlier in the SDLC as developers code.
Our Static Application Security Testing (SAST) capabilities are extended with full SAST and taint analysis for Go and new taint analysis support for VB.NET, ensuring broader language coverage for security. We’ve added even more secrets detection rules including detecting secrets in YAML, JSON, and Kotlin to deliver best-in-class coverage. The existing JavaScript/TypeScript taint analysis engine has been replaced by a more robust analysis engine for more accurate security findings. We’ve enhanced existing security reports, to simplify compliance documentation and auditing. Lastly, in SonarQube Advanced Security, we now support PHP (Packagist) dependencies, automatically detect new vulnerabilities without requiring reanalysis to keep your projects continually secure, provide customizable risk severity so you can prioritize issues based on your context, offer machine-readable SCA reports for easier integration with security workflows, and dependency risks caught in the IDE.
The 2025.4 What's New page and our SonarQube Server release notes provide more details about the release.
Are you still using an older version of SonarQube Server?
If you’re on a version older than the 2025.1 LTA release, upgrade to the SonarQube Server LTA before upgrading to the latest version. Check out this helpful checklist for a smoother upgrade. Watch the on-demand LTA upgrade webinar, which explains a step-by-step approach and highlights common pitfalls encountered during the upgrade.