SonarQube

What's New

Start Free Trial

SonarQube 10.1

SonarQube 10.1: smoother centralized access management & multiple C/C++ code variant analysis

The latest from SonarQube includes automatic user & group provisioning and synchronization from GitHub; several language-specific improvements including improved coverage of Java security analysis, multiple C/C++ code variant analysis, SonarQube UX updates, as well as better guidance for new project onboarding

Smoother centralized access management with GitHub

Admins for organizations that use GitHub will be glad to hear the support for automatic user & group provisioning and synchronization. When new users or groups are added in GitHub, admins no longer have to manually add those users and groups in SonarQube. Admins can now fully delegate this management to GitHub for secure and centralized provisioning of users and group sync. 


Available in Developer Edition | Enterprise Edition | Data Center Edition


For organizations that prefer to use SAML instead, SonarQube already supports Okta/Azure AD starting with Enterprise Edition.

Multiple C/C++ code variant analysis 

Ready for a simplified code analysis experience for your C/C++ projects? Developers can now analyze multiple code variants (e.g. compilers, compiler flags, platforms etc.) of their code using the same project. No need to create separate projects/branches per variant or manage duplicates - enjoy a simpler experience with a unified view of your code with full visibility of the analysis including which code variant the issue emerges from. 


Available in Developer Edition | Enterprise Edition | Data Center Edition

Java security coverage gets a boost

Java security analysis engine detects and helps you fix even more security issues. With the many improvements to the engine we are able to achieve an outstanding > 90%+ True Positive Rate (TPR) on the selected top OWASP security benchmarks. For example, analysis conducted on the OWASP benchmark yielded a TPR of 90%, Security Shepherd benchmark yielded a TPR of ~98%, and over 88% on the WebGoat benchmark. Stay tuned for a detailed post around our approach and the measurement with these selected benchmarks.

Real-time synchronization of security hotspots in IDE 

SonarLint in your IDE provides the first level of checks to find and fix issues as you write code and before you commit it. If you are using VSCode or IntelliJ family IDEs you’ll be able to synchronize the status of security hotspots in real-time with SonarQube. Once connected mode is set up, the status of hotspots marked in SonarQube (e.g. Fixed, Safe) will be instantaneously reflected in SonarLint – displaying only those issues in the IDE that need user attention. Moreover, the status of the security hotspot can also be directly changed in the IDE after review which will also benefit from auto synchronization on the SonarQube side.  


As team leaders evangelize the use of the Sonar ecosystem in their organization, they can now get visibility into how developers on the specific SonarQube instance are adopting SonarLint. 

Clean as You Code guidance checks

Clean as You Code is the most pragmatic and efficient approach for organizations to reach a state of Clean Code. As new projects are onboarded, by default, project admins will be guided to configure the recommended ‘New Code’ period properly according to their development context to ensure that projects are set up to practice  the Clean as You Code ready from the first step. With the proper configuration of projects including Clean as You Code compliant quality gates setup, organizations can be confident they are using SonarQube in the most efficient and optimal way.

Language Updates 

Python

  • Support for Django framework with basic rules that cover bugs and code smells
  • Detection of hard-coded passwords when APIs use ‘passwords’ as parameters
  • More rules for detection of complex regular expression patterns, plus best practice rules when using type hints in Python. 
  • New rules for basic arithmetic operations (e.g. IndexError, DivByZero, field, mod operators)

Java

  • Support for Java 20
  • 3 new rules covering Singleton, Monster Class, Brain method to allow developers to write well architected and easily maintainable Java code
  • New rules that check basic arithmetic operations (e.g. IndexError, DivByZero, operators)

JavaScript/TypeScript

  • Support for TypeScript 5
  • 22 new rules for TypeScript built-ins and vanilla JavaScript
  • Improved TypeScript project detection

Kotlin

  • Redundancy rules to increase readability and reliability of Kotlin code
  • Best practice rules for writing Kotlin idiomatic code (esp for Java developers transitioning to Kotlin)
  • Support for analyzing Kotlin multi-platform (KMP) projects for cross-platform code development

C#

  • Improved Null tracking and detection of calculation overflows, particularly in C# 9-11
  • 10 new rules for more efficient collection processing

TerraForm & DockerFiles

  • Support for importing ‘tflint’ and ‘HadoLint’ analysis in SonarQube 

download the latest SonarQube version!

download nowRequest a Demo