What’s new

Enterprise plan users can now directly generate and download Project Security report PDFs for their projects:

• Generate a detailed PDF security report for any project, capturing its overall security status.
• Customize the report by selecting the specific security standards you want to include, such as Sonar, OWASP Top 10 2021, CWE, and more.
• Surface actionable insights including:
  • An overview page that highlights 'Accepted' security issues and 'To Review' security hotspots.
  • A detailed breakdown of security issues by severity for each standard.
  • A summary of issues to address and hotspots to review, categorized by standard.

Learn more in this Community post and SonarQube Cloud documentation.

Secret detection capabilities have been enhanced. The updated analysis engine now scans dotfiles and files within dot paths for leaked secrets.

These files and paths, such as .env, .credentials, .npmrc, and .github/workflows, are frequently used to store sensitive information like API keys, passwords, and other credentials. The improved analysis can, for example, detect credentials in .env files, and GitHub tokens in .gitconfig files. This helps developers keep their code secure and prevent the exposure of sensitive information.

It is recommended to run a fresh analysis on projects to benefit from this enhanced level of protection.

Additional details can be found in the Community post.

Sonar Dataflow Bug Detection (DBD) engine 2.0 has been released, providing more precise bug detection. This update notably improves bug detection for Java and Python code, both human and AI-generated, resulting in more relevant findings.

Initial results, documented in a blog post, show a significant increase in true positives and a decrease in false positives.

Additional details can be found in the Community post.

We have released an expanded ruleset for PySpark code. This update includes 5 new rules, bringing the total to 13, and is designed to help identify common issues, and encourage best practices. 

Additional details can be found in the Community post.

SonarQube Cloud has launched support for the Rust programming language.

This initial release emphasizes helping you write maintainable code.

Features include:

• 85 Clippy rules you can use in your Quality Profile
• Code coverage ingestion (LCOV and Cobertura format)
• Cognitive Complexity and Cyclomatic Complexity metrics

Rust analysis currently requires CI-based analysis, with cargo and Clippy needed on the analysis machine.

Additional details are available in the Community post.

SonarQube Cloud Team and Enterprise plan users can now experience enhanced flexibility and power in automated code remediation. We've expanded our AI CodeFix capabilities by introducing support for additional Large Language Models (LLMs), allowing you to select either Claude 3.5 Sonnet or Claude 3.7 Sonnet for generating code suggestions. This choice gives you greater control to tailor the AI assistance to your specific project needs and preferences.

Alongside the introduction of selectable LLMs, we have also increased the number of rules covered by AI CodeFix. This means SonarQube Cloud can now provide automated fix suggestions for an even wider array of code quality and code security issues, streamlining your workflow and helping you resolve problems more efficiently.

These enhancements are now available to all users on our Team and Enterprise plans.

 Additional details are available here and in this Community post.