Try For Free

SonarQube 8.9 LTS

SonarQube 8.9 LTS: Better than ever

Developers take control of Code Security with static application security testing (SAST) for more languages, with more rules, better detection, and improved workflows in addition to many additional upgrades in the latest SonarQube LTS.

Download Now

Note: SonarQube 9.9 LTS is the latest LTS version. If you require the 8.9 LTS version, it can be downloaded here.

Enhanced Code Security in SonarQube 8.9 LTS

Unparalleled SAST precision - now including JavaScript & more

Security Vulnerability detection has vastly expanded with new languages, new rules, and an improved detection engine to bring unparalleled precision and performance in security analysis of Java, C#, PHP, Python, JavaScript, TypeScript, C and C++. In addition to a vastly expanded breadth and depth of analysis, we've also expanded developer access to these findings. Issues are raised in-IDE, with SonarLint, in SonarQube itself, and in PR decoration in commercial editions.

Among the improvements:
  • SAST analysis added for Python, JavaScript, TypeScript, C and C++
  • Full OWASP Top 10 coverage for Java and C# with significant coverage for the other languages
  • Buffer overflow detection in POSIX functions for C and C++

Commercial editions add taint analysis rules to find: injection flaws, broken access control, XSS, and insecure deserialization, with the ability to sync those taint analysis issues into SonarLint in connected mode.

Security Hotspot review arms developers to write safer code

Security Hotspots help developers write safer code by bringing attention to security-sensitive pieces of code and arming developers with the tools to diagnose the potential impact. We've expanded the range of Security Hotspot languages to include TypeScript, C and C++. And now you have a specialized interface for triaging Security Hotspots, and a single click to open them in your IDE via SonarLint.

Reporting and configuration increase clarity & precision

Security reporting includes both CWE Top 25 2019 and CWE Top 25 2020, with a PDF download of the top reports. And if you use home-grown frameworks, taint analysis configuration gives you a UI to set your home-grown sources, sinks, and sanitizers for better overall precision and, in the end, higher Code Security.

Learn more -->

In-cloud? On-prem? Your platform is covered!

Whether your code lives in-cloud or on-prem, SaaS or self-managed, code repository platform integrations help you write better code, faster. From initial project import to failing the pipeline for a failed Quality Gate, we've got just about everyone covered.

Streamlined project setup

Streamlined project setup gives you an easy interface to import your projects whatever your code repository platform: GitHub, GitLab, Azure DevOps, and Bitbucket; both on-prem and in-cloud. Yes, all eight! 

Once your projects are imported, tutorials will walk you through setting up analysis in GitHub Actions, Jenkins, GitLab CI, or Azure DevOps Pipelines; with language-specific tutorials for .NET, C, C++ and Objective-C projects. 

And now, regardless of which CI you use, you can fail the pipeline for a failing analysis.

PR analysis on steroids

Code Repository Platform integration doesn't stop at onboarding. We support pull request decoration for GitHub, Bitbucket, Azure DevOps and GitLab; both on-prem and in-cloud. Yes, all eight! And Enterprise Edition adds PR decoration in monorepos.

And it's not just decoration; Developer Edition also brings automagic branch and PR configuration for most workflows: Jenkins, GitHub Actions, Gitlab CI, Azure Pipelines and Bitbucket Pipelines.

Background image of bits of code connecting to each other

ready to download SonarQube 8.9 LTS?

Get Started Now

Operating SonarQube is easier than ever 

We've made running SonarQube easier and more secure than ever. SonarQube has been security-hardened to U.S. Department of Defense standards (i.e. STIG-hardened), with a Docker image per edition on Docker Hub and in the DoD's Iron Bank. That plus a Helm chart for Kubernetes support make SonarQube easier than ever to deploy.

Routine maintenance is easier too, with support for hot database backups. And upgrading is easier than ever with progressive availability during upgrades; now SonarQube is available for analysis and limited browsing even before reindexing is complete.

Time for Python devs to onboard with SonarQube 

This LTS adds in-depth analysis to catch the tricky Bugs and Vulnerabilities developers expect, with the sane defaults, high performance and minimal configuration that's standard to SonarQube. We’ve got Python support for up to version 3.9 of the language, in order to properly track issues through all language structures, frameworks, and types. And for teams just transitioning from other tools, there is easy import of Pylint and Flake8 reports, plus the ability to write custom rules.

And on top of all this is support in commercial editions for taint analysis rules to detect taint analysis Vulnerabilities such as injection flaws.

C++ brings the rules & performance developers want

With comprehensive coverage of the C++ Core Guidelines and a broad set of C++17-specific rules, we've made following modern best practices easy. And if your shop uses multiple standard versions, managing your Quality Profile gets easy too: enable the rules for all the versions you use and we'll activate them based on the standard version the project compiles to. In addition, we've made several improvements to analysis performance and added support for a broad range of additional compilers.

That's in addition to a significant expansion of security-focused rules, including the detection of buffer overflows in POSIX functions. And finally, Community Edition users can use C++ analysis for free with the newly-introduced SonarLint for CLion, as well as in SonarLint for VisualStudio.

Clean as You Code, best practices move to the front 

As part of our ongoing mission to help every developer write better code every day, we've given some love to elements often overlooked by the industry. First, you'll find a re-written project homepage. The new interface puts the quality and security of New Code front and center to help you better focus on Cleaning as You Code. Second, we've added rules in Java, PHP and C# to help you write tests correctly. And finally, we've made Applications available to all commercial versions, so that more teams can monitor the quality of projects that ship together in one aggregated, synthetic project.

The most secure LTS yet! 

We don't just care about the security of your code, we also care about the security of your overall SonarQube environment. That's why we've:

  • Applied additional hardening to the build of SonarQube itself and to our internal build pipeline
  • Limited library loading in SonarQube to only those libraries provided by SonarSource
  • Limited plugins' access to core functionality to only what's available through APIs
  • Added additional controls to the plugin Marketplace

You will also find simple but effective new safeguards such as forcing SonarQube administrators to change the default admin credentials.

The abiding value of an LTS

Last but not least, this is the new Long-Term Support version! That means support and patches for blocker bugs and vulnerabilities for at least the next 18 months - until the next LTS is released. If you're looking for the stability of a hardened, fully-supported version, the LTS is what you're after.

So what are you waiting for?

Image shows results of a pull request
Background image of bits of code connecting to each other

get started SonarQube 8.9 LTS