SonarQube Server 2025 Release 4.1

Latest release announcement

The SonarQube Server 2025 Release 4.1 adds SAST for Go, taint analysis for VB.NET, more robust JS/TS taint analysis, best-in-class secrets detection, improved compliance reports, more language rules for efficient, maintainable and performant code, and faster C/C++ analysis. Advanced Security has continuous vulnerability detection without reanalysis, customizable risk severity, machine-readable reports, PHP dependency support, and dependency risks caught in the IDE for comprehensive protection.

SonarQube Server 2025 Release 4.1 empowers developers with major advancements in code quality, security, and efficiency across multiple languages, for both your projects and the open source code you use.

*Due to an issue identified in the initial 2025 Release 4, please use 2025 Release 4.1; consequently, "What's new" is only available for this corrected version.

Expanded core security

Static Application Security Testing (SAST) for Go

We’re introducing full Static Application Security Testing (SAST) with taint analysis for Go projects. This gives Go developers integrated SAST capabilities to automatically identify critical security vulnerabilities within Go code. This reduces manual searching for security flaws and delivers secure Go applications from the outset. SonarQube presents findings of injection vulnerabilities and other security weaknesses directly within the development workflow, enabling Go developers to quickly resolve issues before they reach production.

Available in Developer Edition | Enterprise Edition | Data Center Edition


Taint analysis for VB.NET

VB.NET developers now get integrated taint analysis, adding to the existing SAST capabilities. This helps you proactively detect complex data flow vulnerabilities, ensuring a consistent security posture across all your .NET applications. By leveraging the same successful SAST infrastructure as C#, you can now find and fix data flow vulnerabilities, like injection attacks, directly within your development workflow with minimal extra effort.

Available in Developer Edition | Enterprise Edition | Data Center Edition


More robust JS/TS taint analysis

We've replaced our JavaScript and TypeScript taint analysis engine with a next-generation version, offering improved detection, better performance, and a stronger foundation for future enhancements. As the new sole engine for JS/TS, it improves the accuracy and coverage of security rules. For developers, this means more precise and actionable security findings with direct guidance, helping you catch sophisticated issues with greater efficiency and reducing the risk of critical flaws in your web applications.

Available in Developer Edition | Enterprise Edition | Data Center Edition


Best-in-class secrets detection

With the ability to detect over 400 secrets patterns using over 340 rules and coverage of 248 cloud services, SonarQube detects more secrets than any other secrets detection tool. This release enhances secret detection in Kotlin, with no configuration required. Combined with an entropy check and post-processing actions to minimize noise and false alerts, this streamlines security compliance, and helps maintain codebase integrity by accurately identifying and protecting sensitive data, saving significant developer time.

Expanding directly upon the improved detection, SonarQube now detects secrets in YAML and JSON files. This is crucial because sensitive information is increasingly stored in these configuration files (e.g., for application settings, CI/CD pipelines, and infrastructure-as-code), which are often overlooked by other secret detection tools primarily focused on source code. By scanning these files for non-null hardcoded strings, SonarQube helps developers reduce the risk of security breaches and compliance violations, ultimately making secret detection more comprehensive across diverse file types.

Available in Developer Edition | Enterprise Edition | Data Center Edition
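As an added illustration of the mechanisms described above (this is example code written for this page, not SonarQube's own secrets engine or any of its rules), the Python script below scans a JSON document and a flat YAML subset for hardcoded secrets. It skips null values and obvious placeholders, applies a constructed pattern rule shaped like the documented AWS access key id example, a key-name heuristic for credential-like keys, and a Shannon entropy check, with a hostname/URL filter standing in for the noise-reducing post-processing step. The YAML parser is a deliberately minimal `key: value` reader (an assumption for the example, not a full YAML implementation), and both sample configs are constructed.

```python
import json
import math
import re
from typing import Any, Iterator

# --- Constructed sample inputs (not from the page or any real project) ---
SAMPLE_JSON = """{
  "app": {"name": "billing-service", "debug": false, "timeout": 30},
  "database": {"host": "db.internal", "password": "${DB_PASSWORD}"},
  "aws": {
    "access_key_id": "AKIAIOSFODNN7EXAMPLE",
    "secret_access_key": "q7Gd9vTz2LpX4mRk8sWb1nYh"
  },
  "tags": ["prod", "eu-west-1"],
  "legacy_token": null
}"""

SAMPLE_YAML = """# constructed CI settings
registry: registry.internal:5000
deploy_token: "<REDACTED>"
build_id: 20250731
api_key: 'sk_live_9bF3kQ8xL2mZ7vC1dR5tY0wP'   # should never be committed
"""

# Key names that usually hold credentials (heuristic, constructed for this example).
CREDENTIAL_KEY = re.compile(
    r"(secret|token|passw(or)?d|api[_-]?key|access[_-]?key|private[_-]?key)", re.I)
# Pattern rule modelled on the documented AWS access key id shape (constructed regex).
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Values that are references, not secrets: ${ENV}, {{ template }}, <PLACEHOLDER>.
PLACEHOLDER = re.compile(r"\$\{[^}]*\}|\{\{[^}]*\}\}|<[^>]*>")
# Post-processing filter: hostnames and URLs are high-entropy but not secrets.
HOST_OR_URL = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+(:\d+)?(/\S*)?")


def shannon_entropy(value: str) -> float:
    """Bits per character; random-looking tokens score high, words score low."""
    if not value:
        return 0.0
    counts: dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def walk(node: Any, path: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (dotted.path, scalar) for every leaf of a parsed JSON/YAML tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else str(key))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, node


def parse_flat_yaml(text: str) -> dict[str, str]:
    """Minimal reader for top-level `key: value` lines (assumption: no nesting)."""
    result: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, rest = line.partition(":")
        rest = rest.strip()
        if rest[:1] in ("'", '"'):                      # quoted scalar, may be followed by a comment
            close = rest.find(rest[0], 1)
            value = rest[1:close] if close > 0 else rest[1:]
        else:                                           # bare scalar, strip trailing comment
            value = rest.split(" #", 1)[0].strip()
        result[key.strip()] = value
    return result


def scan(path: str, value: Any, entropy_threshold: float = 3.5, min_len: int = 20) -> list[str]:
    """Return the reasons a single leaf looks like a hardcoded secret (empty if clean)."""
    reasons: list[str] = []
    if not isinstance(value, str) or not value:         # only non-null hardcoded strings
        return reasons
    if PLACEHOLDER.fullmatch(value):                    # env/template references are fine
        return reasons
    key = path.rsplit(".", 1)[-1]
    if AWS_ACCESS_KEY_ID.search(value):
        reasons.append("aws-access-key-id-pattern")
    if CREDENTIAL_KEY.search(key):
        reasons.append("credential-key")
    if (len(value) >= min_len and " " not in value
            and not HOST_OR_URL.fullmatch(value)
            and shannon_entropy(value) >= entropy_threshold):
        reasons.append("high-entropy")
    return reasons


def scan_document(name: str, data: Any) -> dict[str, list[str]]:
    """Map 'file:path' -> reasons for every flagged leaf in one parsed document."""
    return {f"{name}:{path}": reasons
            for path, value in walk(data)
            if (reasons := scan(path, value))}


def scan_samples() -> dict[str, list[str]]:
    findings = scan_document("config.json", json.loads(SAMPLE_JSON))
    findings.update(scan_document("ci.yaml", parse_flat_yaml(SAMPLE_YAML)))
    return findings


if __name__ == "__main__":
    for location, reasons in scan_samples().items():
        print(f"{location}: {', '.join(reasons)}")
```

Running it flags the two AWS values and the YAML `api_key`, while the `${DB_PASSWORD}` reference, the `<REDACTED>` placeholder, the null `legacy_token` and the registry hostname are left alone; the hostname filter is what keeps `registry.internal:5000` out of the findings even though its character entropy is above the threshold.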

Achieve compliance with SonarQube

Increased MISRA C++:2023 rules, plus detection in the IDE

SonarQube now has expanded support for MISRA C++:2023 with new rules to help you achieve and maintain compliance. You can get early access to these rules directly in popular IDEs like VSCode, Visual Studio, and CLion (when connected to a SonarQube Server). This empowers C++ developers to detect and resolve MISRA-related issues much earlier, with immediate feedback as you code. This direct integration streamlines compliance efforts, reduces rework, and ensures your C++ codebases adhere to industry safety standards from the beginning.

Available in Enterprise Edition | Data Center Edition


More comprehensive security and regulatory reports

SonarQube Server delivers enhanced reporting capabilities with this release. The project-level security reports now allow for customizable PDF exports that can include or exclude information based on specific security standards like PCI, OWASP, CWE, STIG, and CASA, along with displaying extra details about security vulnerabilities and accepted security issues. This empowers enterprise security teams, compliance/audit teams, and IT administrators with a configurable, shareable report that improves visibility into security and regulatory data, reduces manual reporting, and enhances alignment with compliance and auditing standards.

Concurrently, improvements to the downloadable Regulatory Reports for SonarQube Server enhance the existing format and content, resulting in more actionable, user-friendly, and comprehensive reports, streamlining the process of obtaining code health insights for auditing and compliance reviews through enhanced PDF summaries, clearer navigation with hyperlinks, and all-inclusive findings in downloadable CSVs.

Available in Enterprise Edition | Data Center Edition

Elevate your code

More maintainable and performant Python and Java

For Python, new rules for coroutines and comprehensions are designed to help Python developers write high-quality, asynchronous code using popular libraries like asyncio and aiohttp, by identifying common pitfalls such as forgotten await keywords, blocking code within coroutines, and issues with state and error handling. This enables efficient, non-blocking asynchronous programming, leading to improved application performance and cleaner, more readable code.

For Java developers tackling performance-sensitive applications, SonarQube now offers new rules to identify and resolve performance bottlenecks. This initiative pinpoints potential issues, provides clear explanations, and even offers automated quick-fixes. It's designed to help you optimize your Java code for better performance and efficiency, ultimately preventing costly rework, avoiding production problems, and enhancing both user experience and application scalability.

Available in Developer Edition | Enterprise Edition | Data Center Edition


Faster C/C++ analysis

We've significantly enhanced C and C++ analysis speed with a new function-based Symbolic Execution (SE) caching mechanism. This improvement is designed to drastically reduce reanalysis times, especially for minor changes in widely included header files or large compilation units, and aims for a 33% reduction in average analysis time for C/C++ pull requests. For developers, this means a much faster feedback loop, allowing you to iterate more efficiently, even in large and complex codebases, as minor changes will no longer trigger lengthy re-analyses, thereby boosting developer productivity.

Available in Developer Edition | Enterprise Edition | Data Center Edition


Full support for Java 23, Java 24, and Dart 3.8

This release includes first-class support for Dart 3.8, ensuring full syntax compatibility and proper application of existing and new rules, so that developers building Flutter applications can rely on automated analysis.

We are also providing support for Java 23 and Java 24 with new rules, specifically designed to help Java developers correctly utilize the latest language features, and ensure existing rules function as expected. In addition, error-free parsing for Java 24 is being implemented, allowing the Java analyzer to successfully parse Java 24 source files and correctly handle its new features, ensuring accurate code quality insights. 

These updates keep your code analysis on the cutting edge.

Available in Developer Edition | Enterprise Edition | Data Center Edition


More rules move to the advanced Java bug detection engine

SonarQube’s bug detection is being significantly enhanced as we replace the legacy Java analysis capabilities with our new advanced Dataflow Bug Detection (DBD) engine. In this release we specifically targeted null-dereference and division-by-zero issues. The existing Java analyzer rules are being replaced by the more sophisticated DBD rules. These replacements provide Java developers with the power of DBD's cross-procedural rules engine, enabling the detection of more complex issues that unfold across multiple function calls and are typically harder to find through simple code reviews. A key benefit is better secondary locations and reproducers, which streamlines fixing these intricate bugs.

Available in Developer Edition | Enterprise Edition | Data Center Edition


Expanded capability of NOSONAR in Python

Python developers now have more granular control over code quality checks. We’ve expanded the NOSONAR capability to be able to not only skip the analysis of a whole single line, but also prevent specific rules from being used to analyze a line of code. This improves workflow by reducing noise and ensuring that only relevant issues are highlighted, leading to more focused and effective code reviews. New rules have also been introduced to help developers track the correct usage of these suppression comments.

Available in Developer Edition | Enterprise Edition | Data Center Edition

Advanced Security

Continuous vulnerability detection without reanalysis

Software Composition Analysis (SCA) included in SonarQube Advanced Security automatically detects new vulnerabilities in project dependencies without requiring a full codebase re-analysis. This feature continuously updates dependency risks on permanent branches whenever new vulnerabilities are discovered or existing ones change (e.g., CVSS score), leading to a recalculation of severities and Quality Gate status. As a result, SCA users, including project and portfolio administrators, will automatically receive the latest dependency risk information without any manual intervention or scheduled analyses. This ensures continuous and up-to-date visibility into their security posture, saving valuable time and enabling proactive responses to evolving threats within their third-party components.

Available with Advanced Security in Enterprise Edition | Data Center Edition


Customizable risk severity for SCA

SonarQube's Software Composition Analysis (SCA) allows users to customize the severity of identified dependency risks, providing developers and security staff with the flexibility to adjust how a dependency risk impacts software quality. This enables them to prioritize issues based on specific application deployment, usage of vulnerable libraries, and project context, such as whether it's a legacy or new development. The direct benefit is that developers and security teams can focus their remediation efforts on the most critical dependency risks relevant to their specific environment, leading to more efficient and impactful security improvements by aligning vulnerability priorities with their real-world application context.

Available with Advanced Security in Enterprise Edition | Data Center Edition


Machine-readable SCA reports

SonarQube includes a machine-readable report of dependency risks for projects, applications, and portfolios via an API, available in both JSON and CSV formats. This comprehensive report includes crucial details such as project and dependency chain information, risk titles, CVE/CWE IDs, risk types, severities, discovery dates, statuses, and remediation information. This capability allows security teams and engineering leaders to seamlessly integrate SCA data into their existing business intelligence tools, spreadsheets, and other integrations, thereby enabling automated and customized reporting on dependency risk status over time, facilitating the tracking of security investment success, and streamlining the communication of critical information to both customers and stakeholders.

Available with Advanced Security in Enterprise Edition | Data Center Edition


PHP dependency support for SCA

We’re extending SonarQube’s Software Composition Analysis (SCA) support to PHP projects that leverage Packagist/Composer for dependency management. This enhancement allows PHP developers to automatically identify public vulnerabilities, manage licenses, and generate entries in a Software Bill of Materials (SBOM) for their PHP dependencies. As a language heavily reliant on open-source packages, this new comprehensive SCA support provides PHP developers with greater confidence in the security posture of their projects, leading to more secure and compliant PHP applications.

Available with Advanced Security in Enterprise Edition | Data Center Edition


SCA dependency risks in the IDE

Software Composition Analysis (SCA) results will be visible to developers directly in their IDE for Visual Studio, IntelliJ, and VSCode when the specific SonarQube for IDE releases are made available during August. SonarQube for IDE identifies and helps developers address dependency risks (vulnerabilities and license violations) directly within the development environment, reducing context switching and accelerating the remediation process. This integration streamlines the workflow by allowing developers to manage dependencies and resolve issues without leaving their IDE, ultimately saving time and enhancing overall code security and productivity.

Available with Advanced Security in Enterprise Edition | Data Center Edition


Details of 2025.4.1 release can be found in the SonarQube Server release notes.

