What you'll get when updating from SonarQube Server 10.2 to the 2025.1 LTA

Our latest advancements deliver unparalleled capabilities, empowering development teams to build higher quality, more secure, and highly efficient software at scale. We've significantly enhanced our platform to integrate seamlessly into your daily workflows, providing immediate feedback and proactive protection.

Revolutionary AI capabilities

We are at the forefront of AI-driven code quality and security. Our Sonar AI Code Assurance provides a robust workflow for validating AI-generated code, ensuring every new piece meets the highest quality and security standards before production. Furthermore, Sonar AI CodeFix, now widely available, suggests immediate code fixes for discovered issues, dramatically boosting developer speed and productivity by automating the resolution of common coding problems. You can even leverage your own Azure OpenAI service for AI CodeFix, giving you complete control over data privacy, security, and performance. This also allows for the flexibility to use custom quality gates specifically tailored for AI Code Assurance.

Elevated code quality and architectural integrity

We are deeply committed to fostering a culture of high-quality code. Our platform now offers a simplified multi-quality taxonomy view, presenting a single "issues" condition in pull request summaries and decorations across all CI platforms. External issues can now be fully categorized with this new taxonomy, ensuring consistent understanding of code problems. We've made it easier to manage quality profiles by allowing you to exclude inherited rules without losing the benefits of inheritance.

The Sonar-way Quality Gate has adopted a rigorous zero-issues criterion for new code, providing an even more robust framework for high standards. Developers can also mark issues as "accepted", providing visibility into accumulating technical debt while still clearly understanding its impact. For Java, we've introduced architecture rules to help identify and resolve circular dependencies, preventing architectural technical debt and unmanageable codebases. We also enable the definition of architectural constraints for projects, raising issues when code diverges to reduce rework. The platform now provides file-level test metrics for .NET projects, offering granular insights into unit test results. The advanced Dataflow Bug Detection (DBD) engine replaces legacy Java analysis capabilities for more complex issue detection and streamlined fixes. Python developers gain more granular control with expanded NOSONAR capability to skip specific rules on a line.

Unmatched code security

Our security capabilities have been significantly strengthened across the board. We've introduced secrets detection at the source, working seamlessly within your IDE and further protecting sensitive information from entering your CI/CD pipeline. Our secrets detection engine is now best-in-class, capable of identifying over 400 patterns across 248 cloud services, including those within YAML and JSON files.

For cloud-native development, we provide extensive support for securing various environments, including Dockerfiles, Kubernetes, and Helm Charts, with a doubled set of security and maintainability rules. We've expanded our Static Application Security Testing (SAST) coverage, introducing full SAST with taint analysis for Go projects, and extending existing SAST capabilities with taint analysis for VB.NET. Our JavaScript/TypeScript taint analysis engine has been replaced with a next-generation version, offering improved detection, performance, and accuracy. Kotlin also now benefits from SAST, including taint analysis.

We've broadened our compliance reporting, offering new STIG and CASA security reports, as well as updated CWE Top 25 and OWASP Top 10 Mobile reports. The platform now provides enhanced Advanced Security capabilities, including Software Composition Analysis (SCA) to detect vulnerabilities and license compliance issues in open-source code. SCA features allow you to shift dependency information left into pull requests, include dependency risk scores in quality gates, define company license compliance policies, understand risks on new and overall code, and summarize risks across applications and portfolios. SCA results and Software Bill of Materials (SBOMs) are also available via API for seamless integration and reporting. You can even customize the severity of identified dependency risks, get continuous vulnerability detection without reanalysis, and see SCA dependency risks directly in your IDE.

Extensive language coverage and performance

We continuously expand our language support to meet evolving developer needs. The platform now supports Java 21 LTS, Java 22, Java 23, and Java 24, as well as TypeScript 5.4 and Dart 3.8. Dart/Flutter has transitioned from early access to a fully supported language with a comprehensive set of rules. We've added support for C++23, new MISRA C++ 2023 rules with in-IDE detection, and introduced initial support for Rust.

For Python developers, we offer support for Python 3.12, and have significantly expanded our coverage of AI/ML libraries, including NumPy, Pandas, TensorFlow, PyTorch, and Scikit-learn. We've also introduced support for popular Python frameworks like Django and FastAPI. For .NET, we support LTS .NET 8, C# 12, and the Blazor framework, along with new rules for C# logging practices. We've also brought in new languages like Ansible IaC for improving the quality and security of automation playbooks, and improved support for AcuCOBOL and JCL to improve the quality of the entire mainframe ecosystem. We've also seen significant performance improvements, including faster C/C++ analysis due to new caching mechanisms, and 50% faster Kotlin analysis with support for Kotlin 2.0 and the K2 compiler. New rules for Python coroutines and Java performance bottlenecks further enhance code quality and efficiency.

Streamlined operations and productivity

We've made significant strides in simplifying administration and boosting developer productivity. First analysis of Git-based projects is considerably faster, with improvements for large volumes of commits. User and group management is enhanced with SCIM integration for automatic synchronization from Okta, Azure AD, GitHub, and GitLab.

For DevOps platforms, we've added auto-configuration for GitHub projects and teams, allowing automatic project creation and setup upon analysis trigger. The setup of monorepos is now easy and streamlined across all major DevOps platforms, including GitHub, GitLab, Azure DevOps, and Bitbucket. We've introduced a new GitHub Action for C, C++, and Objective-C to simplify analysis setup. Scan times are faster as the scanner now downloads only the necessary analyzers.

Operationally, the platform now supports horizontal autoscaling of app pods in Kubernetes for optimized resource use, and runs in FIPS-enforced environments for government and regulated organizations. Upgrades are more predictable with estimated time and progress monitoring. The user interface has been modernized with a refreshed visual identity for a unified experience. Additionally, SonarQube Server now supports deployment on OpenShift and uses modern authentication for Microsoft SMTP Server. Local accounts benefit from strict password policy rules for enhanced security.