In addition to security, read below for more on new support for Azure Functions, incremental Java PR analysis, new JS/TS React rules (and rule improvements), and significant Ops improvements.
Introducing: Security rules for Kubernetes, plus more for AWS
Can your code truly be secure if the environment it runs in isn't? Six new Security Hotspot rules for Kubernetes mean you don't have to wonder. They'll flag configurations that need double-checking and help you understand what the dangers could be.
Java developers now have help coding for AWS as well. Seven new rules cover Lambda development, AWS Client best practices, use of the AWS SDK, and access key security.
Azure Function rules and C# deconstruction support
Speaking of Cloud development, we've added six new Code Smell rules to help C# developers avoid common pitfalls in Azure Function development. They cover resource management, error handling, and entity interface design. We've also updated 16 rules to support C#'s tuple deconstruction syntax.
Incremental analysis for Java PRs
And now what you've all been waiting for… Faster PR analysis! With this version, we're introducing incremental analysis for Java PRs. The underlying mechanism is a new server-side analysis cache. It allows us to limit PR analysis to only the changed files, while still performing a thorough analysis. The numbers aren't really in yet, but on one test project, the Java portion of analysis dropped from 160 seconds to 20. Now that we've proved out the mechanisms, you can look for this in additional languages in future releases.
Issue UI improves focus, adds more help for taint analysis
You'll notice an updated Issues UI in this version. SonarQube 9.5 introduced a UI designed to help developers focus on the current issue and 9.6 further streamlines the presentation by moving all issue actions to the top of the issue interface.
In commercial editions, the changes go even further, with additional content in six taint analysis rules to help you better understand the issues, and patch instructions specifically tailored to the framework in use for some rules.
Taint analysis scope, accuracy grow
Very few have the luxury of working in new projects with best-practice use of modern frameworks. And even if you're one of the lucky few, you may still have a few home-grown input validators out there, making sure user data is clean and safe. That's why we've updated Taint Analysis to automatically recognize custom validators in order to reduce false positives and give you a better overall experience.
At the same time, we've also improved detection by extending coverage to the 100 most-used Java libraries. This better understanding of the underlying libraries means more taint analysis true positives in your Java projects.
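To make the false-positive point concrete, here is a toy forward taint analysis, added as an illustration and not SonarQube's engine or any of its rule definitions. It runs over a constructed straight-line "program" in a small tuple-based IR (an assumption of this example), with assumed source, sink and sanitizer names and a hypothetical home-grown validator called MyValidators.requireAlphanumeric. The same code is analysed twice: once with the validator unknown (an unknown callee conservatively propagates taint, so a finding is raised on data that was actually checked) and once with the validator registered as a sanitizer (the finding disappears), alongside an unvalidated variant that stays a true positive either way.

```python
"""Toy forward taint analysis showing why recognizing a custom validator matters.

Added illustration only: the statement format, the source/sink/sanitizer names
and the validator name are all assumptions, not SonarQube's implementation."""

from dataclasses import dataclass

# Constructed knowledge base (assumed; a real engine ships far larger lists).
SOURCES = {"request.getParameter"}          # calls that return untrusted user data
SINKS = {"statement.execute"}               # calls that must never receive tainted data
KNOWN_SANITIZERS = {"ESAPI.encodeForSQL"}   # library sanitizers the engine already knows


@dataclass
class Finding:
    sink: str
    variable: str
    path: list          # statements along which the taint flowed, source to sink


def analyze(program, custom_validators=frozenset()):
    """Single forward pass over straight-line code.

    program: list of tuples
        ("call", dst, fn, [args])   dst = fn(args...)
        ("sink", fn, arg)           fn(arg) where fn may be a dangerous sink
    custom_validators: project-specific functions whose return value is treated
        as clean (the "custom validators" the post refers to).
    """
    sanitizers = KNOWN_SANITIZERS | set(custom_validators)
    tainted = {}        # variable -> path of statements that made it tainted
    findings = []
    for stmt in program:
        if stmt[0] == "call":
            _, dst, fn, args = stmt
            if fn in SOURCES:
                tainted[dst] = [f"{dst} = {fn}({', '.join(args)})"]
            elif fn in sanitizers:
                tainted.pop(dst, None)       # validated: the taint stops here
            else:
                # Unknown callee: conservatively propagate taint from any tainted
                # argument. This is exactly what produces the false positive when
                # a home-grown validator is not recognized as a sanitizer.
                tainted_args = [a for a in args if a in tainted]
                if tainted_args:
                    tainted[dst] = tainted[tainted_args[0]] + [
                        f"{dst} = {fn}({', '.join(args)})"]
                else:
                    tainted.pop(dst, None)
        elif stmt[0] == "sink":
            _, fn, arg = stmt
            if fn in SINKS and arg in tainted:
                findings.append(Finding(fn, arg, tainted[arg] + [f"{fn}({arg})"]))
    return findings


# Constructed sample programs in the toy IR, mirroring typical Java servlet code.
VALIDATED = [
    ("call", "name", "request.getParameter", ['"name"']),
    ("call", "clean", "MyValidators.requireAlphanumeric", ["name"]),   # home-grown check
    ("call", "query", "String.concat", ['"SELECT * FROM users WHERE name=\'"', "clean"]),
    ("sink", "statement.execute", "query"),
]
UNVALIDATED = [
    ("call", "name", "request.getParameter", ['"name"']),
    ("call", "query", "String.concat", ['"SELECT * FROM users WHERE name=\'"', "name"]),
    ("sink", "statement.execute", "query"),
]


def compare():
    """Return findings for: validator unknown, validator known, and unvalidated code."""
    validator = {"MyValidators.requireAlphanumeric"}
    return (analyze(VALIDATED),
            analyze(VALIDATED, validator),
            analyze(UNVALIDATED, validator))


if __name__ == "__main__":
    before, after, true_positive = compare()
    print("validator unknown :", len(before), "finding(s)  <- false positive")
    print("validator known   :", len(after), "finding(s)")
    print("no validation     :", len(true_positive), "finding(s)  <- true positive")
    for f in true_positive:
        print("  flow:", " -> ".join(f.path))
```

The recorded path is what a reviewer needs when triaging a finding: the source call, each propagation step, and the sink. Registering a validator as a sanitizer is the analysis-side equivalent of trusting that validator, so the decision should be backed by a look at what the validator actually rejects.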
React: New rules, improved accuracy for JS/TS
Seven new React-specific Bug rules help you find infinite loops, dead code, state problems and more. In addition, 14 other rules have been updated for better accuracy in React and JSX/TSX code.
PCI DSS reporting
The Payment Card Industry Data Security Standard is a list of 12 high-level requirements (with a total of 240 low-level requirements) that apply to all organizations that handle credit card data. SonarQube 9.6 adds reporting for versions 3.2 and 4.0 of the standard. Both versions are available in the UI, and the Security Report PDF includes version 4.0.
Ops advances: SAML security, token expiry
As a follow-up to the addition of token types in SonarQube 9.5, this version further secures tokens by adding the ability to set token expiration. Token lifespan can be set by the user during token generation, or globally, by an admin who chooses a maximum lifespan for new tokens.
Additionally, organizations using SAML authentication may want to update their configurations with request signing and assertion encryption, both newly supported in SonarQube 9.6.
And finally, with this version we've replaced the Java Service Wrapper with WinSW on Windows and `nohup` on macOS and Linux.
Keeping up with new language versions
A lot of programming language updates have been released in the last few months, and SonarQube 9.6 catches up on parsing them. Analysis now understands these language versions:
In addition, SonarQube 9.6 correctly parses Go 1.18, and the Go rules have been updated to understand the Go 1.18 syntax additions, including generics.