In SonarQube 10.3, Sonar is releasing further updates to the Clean Code Taxonomy to support our commitment to Clean Code. Focusing on the consequences of poorly written or bad code is complicated and leads to confusion. More often than not, problems with code can have multiple or overlapping consequences. Instead, Sonar turns your attention to what causes bad code and helps you prevent it. Clean Code that is consistent, intentional, adaptable, and responsible prevents code from being poorly constructed. Sonar’s Clean Code Taxonomy is a framework that brings together our most current technology to make your code the best it can be.
To clearly explain why your code may not be clean, the PR In-product Summary and PR Decoration now show a single “issues” condition, following the Clean Code Taxonomy. Prior to this release, issues in the Pull Request’s In-product Summary in SonarQube and in Pull Request Decoration on each Continuous Integration (CI) platform were listed under the results-driven categories of “reliability”, “security”, and “maintainability”. This change is supported on all CI platforms: GitHub, GitLab, Bitbucket, and Azure DevOps.
In the 10.3 release, external issues that you import via API can be categorized with the new Clean Code Taxonomy in the same way as issues raised by Sonar. Previously, external issues were classified only using the original categorization, and it was difficult to understand how the external issues fit within the new classification.
Quality Profiles have been updated with the new Clean Code Taxonomy characteristics. Now, as Sonar updates the new Clean Code Taxonomy, the corresponding updates to the rules released in support of those changes are automatically propagated to all issues in all projects, which can be applied to analyze historical code and not just newly written code. These changes together deliver the full benefit of the new taxonomy to you.
When you inherit a Quality Profile, undesired rules can now be selectively excluded from the parent Quality Profile. Prior to this change, SonarQube required you to use all the rules from the inherited parent profile. If one or more of the inherited rules were not relevant to the way your project was set up, the only solution was to copy the parent Quality Profile and remove the rules that weren’t needed. As a result of copying the Quality Profile, you would lose the benefit of inheritance. With this new change, the benefits of inheritance can be realized. You can now safely rely on the built-in “Sonar way” Quality Profiles by inheriting them and continue to get the latest changes from Sonar as we make updates, without any work by you. For companies that do not want their teams to exclude any rules when inheriting, this feature can be disabled.
The seemingly insurmountable effort of fixing technical debt in legacy code can be costly and extremely risky. Instead of dragging resources away from developing new code, Sonar is the only solution that eliminates these challenges by turning your attention solely to new code. With our Clean as You Code methodology, all newly developed code is clean and devoid of any issues. Our approach is the most effective because it ensures no new technical debt is introduced as you develop. Furthermore, developers touch legacy code as part of their solution when developing new capabilities. Over time, this means that a growing percentage of legacy code is also cleaned and remediated as a consequence of new development, further reducing technical debt.
As a best practice, Sonar is moving to more exacting Clean as You Code criteria of allowing zero issues in the built-in Sonar way Quality Gate. By not following a strict zero issues policy as you write new code, a certain amount of technical debt is continually allowed into your code. Additionally, the Sonar way Quality Gate no longer individually shows bugs, vulnerabilities, and code smells. The new single category “issues” and the zero issues policy together represent SonarSource's recommended quality criteria for new code. These changes provide an even more robust framework that ensures newly written and modified code meets the highest possible Clean Code standards.
Either the new built-in Sonar way Quality Gate or the legacy Sonar way Quality Gate can be set as the default.
Learn more about Clean as You Code criteria and the new Sonar way Quality Gate.
When in Connected Mode with SonarLint, as you work through issue resolution in SonarQube, you can quickly jump to the code in question to fix it within your IDE. All issues in SonarQube show a button that, when clicked, will open up SonarLint in your IDE and show you the code that is causing the issue.
You can now resolve External Issues inside SonarQube, in the same place as issues raised by SonarQube, instead of leaving SonarQube and switching over to the source of the external issue to dismiss it.
With the SonarQube 10.3 release, Sonar continues to strengthen its position on security so that your code is cleaner than ever. One of the most severe security breaches is illicit access to a company’s private data, especially the data of employees or customers. Sonar now has our most thorough secrets detection capability to prevent secrets from entering your CI/CD pipeline and leaking out to the public. We have added the new 2023 CWE Top 25 Report for you to assess risk against. SonarQube now stays in sync with the GitLab Vulnerability Report, so you don’t have to switch back to GitLab to check on any issues’ status changes. Together with several other enhanced security capabilities detailed below, you will get Sonar’s most advanced tooling for ensuring your code is clean and clear of security issues.
Sonar’s new secrets detection engine helps you keep secrets out of your code while you develop in your IDE with SonarLint. Unlike other tools that only scan your repository, we eliminate those secrets at the source in a true shift-left approach, and with SonarQube we further protect secrets in your CI/CD pipeline. Sonar detects the top 100+ common patterns that contain the most sensitive secrets/tokens. For companies that want to protect against leaks of secrets unique to your company, the Enterprise Edition and Data Center Edition let you create your own custom rules to detect company-specific secrets.
The Security Reports page in SonarQube now contains the 2023 data from the CWE Top 25 Report for use when assessing your risk against it. As of the 10.3 release, the Security Reports page has data from the 2023, 2022, and 2021 CWE Top 25 Reports.
In the 10.2 release, Sonar added the capability to synchronize issues to the GitLab Vulnerability Report when SonarQube detected an issue or updated the status of an issue. With this update, status changes of issues in the GitLab Vulnerability Report are automatically replicated back to the corresponding issue in SonarQube in the subsequent analysis, eliminating any discrepancy between the two systems. This completes a two-way auto-synchronization of issue statuses between Sonar and the GitLab Vulnerability Report.
Sonar helps you create clear and consistent Dockerfiles by expanding coverage of Dockerfiles rules. Support for Dockerfiles now includes security and other attributes of Clean Code with the addition of more than 20 new rules.
The top security enhancement requests are included in the SonarQube 10.3 release.
- Alias tracking is improved during branching to prevent the loss of an alias.
- PHP code taint analysis is improved by supporting global variables.
Are you a Data Scientist or Machine Learning Practitioner? If so, Sonar has excellent news for you. We’ve taken a big step towards supporting the top Python libraries you use. Sonar already offers support for Jupyter Notebooks in VS Code, and we’re very excited to announce that we’ve released new rules to support the NumPy and Pandas Python libraries. Please watch future releases as we expand support for more DS/ML Python libraries.
When you use GitHub Actions to create and configure your GitHub project, SonarQube can handle it. Gone are the days of manually making changes between GitHub and SonarQube to ensure they are configured the same way.
- Automatically create and configure a SonarQube project when an analysis is triggered from GitHub, including auto-population of:
  - PR decoration
  - Main branch name
- Fully automate SonarQube project setup via API
For companies with more complex project permissions, you can configure SonarQube to overwrite the default SonarQube permissions mapping and auto-sync users, permissions, and groups from GitHub. You no longer need to manually configure users, permissions, and groups in SonarQube and ensure they are correctly aligned with those in GitHub.
Sonar has added support for the Blazor front-end web framework for building interactive client-side web UI in .NET. By leveraging .NET, C#, HTML, Razor templates, and SonarQube together, you can build full-stack web apps that contain clean code. With the addition of support for Blazor in SonarQube, you can now analyze .cshtml and .razor files for building front-end apps and C# for back-end applications in .NET projects. This highly requested feature will help you keep your ASP.NET Core MVC, Razor, and Blazor applications clean.
After you upgrade to the new version and new rules are applied with a new analysis, there will likely be changes to your analysis results. To help you clearly understand the impact, the details of each change appear in the Activity Stream to explain what happened as a result of the upgrade.
Sonar is working to bring a modern experience to all our properties. In each release, we will continue to update pages with the new UI.
The following have been updated to the latest UI in the 10.3 release:
- Quality Gate page
- Rules page
- Quality Profiles page
- DevOps platform configuration modal visible during project onboarding
- First-class support of React with more than 60 rules, including:
  - Prevent common bad practices (17 new rules)
  - Identify deprecated APIs (5 new rules)
  - Improve accessibility (20 new rules)
- Improved diagnostics of memory issues
- Support of Maven 4.0
- Refresh of all external linter analyzers to get their latest rules
- Added support for Jakarta namespace
- Added rules for the most common Spring Boot pitfalls
- Addition of new MISRA C++ 2023 rules
- Support of LTS .NET 8 and C# 12
- Added support for C# code in .NET templates with Razor syntax, which can be used in ASP .NET and Blazor apps
- Support for Python 3.12 new syntax, new rules, and error-free parsing
- Addition of rules for top libraries used by Data Scientists