Try For Free

SonarQube 9.8

SonarQube 9.8: PRs more accurate & faster for Kotlin

The latest from SonarQube brings lots of new rules across JavaScript, Kotlin, C++, and Python. Plus we've added SARIF report importing, Okta/SCIM integration, better project onboarding, and better server operability.

A video highlighting the key features of SonarQube 9.8

Improved PR analysis speed & accuracy

Kotlin developers get an early Christmas present this year in the form of faster PR analysis via the server-side cache. The use of this cache was introduced in previous versions for Java, JavaScript and TypeScript. Now Kotlin developers can also benefit from analyzing only the changed files in a PR.

Enterprise edition users also get faster server-side processing of PR analysis reports for all languages. Parallel processing of analysis reports has been updated so that branches will no longer block PR analysis reports from the same project, and PRs no longer block each other.

And PR analysis accuracy improves for all commercial editions with detection of file move in PRs. So renaming a file no longer re-raises all its old issues as "new" in the PR.

Developer Edition | Enterprise Edition | Data Center Edition

JavaScript rules to master the AWS CDK

For those using JavaScript in the cloud, we've added 16 new rules to help you use the AWS CDK securely. There are nine new rules on the topic of encryption at rest and in transit; three rules around public access, network, and firewalls; and four rules covering permission and access control.

Block cipher rules for Java & Kotlin

Two rules have been added to improve Java and Kotlin analysis detection of common cryptography problems related to block cipher mode. These new rules bring fuller coverage of ASVS v4 requirements. Additionally, 17 Java rules related to bugs and code correctness have been ported to Kotlin.

Require C++20 concepts? We've got you covered

Concepts are a highly-anticipated C++20 feature that makes using templates easier and less error prone. But that doesn't mean using concepts correctly is obvious. That's why we've added six new rules to help you use them well. There are two to help you update existing code to use concepts, two that detect code smells related to the use of concepts / requires with templates , and two that detect problems when writing your own concepts. These come in addition to rules added earlier in the 9-series for proper use of `std::enable_if`, and concept naming conventions.

Additionally, we've improved reporting in path-sensitive rules to provide more understandable issue paths.

Developer Edition | Enterprise Edition | Data Center Edition

SARIF import & better taint analysis presentation

As a collaborator on the Static Analysis Results Interchange Format (SARIF), Sonar supported the formulation of this OASIS-approved standard, and now SonarQube supports its use for importing external vulnerability issues.

In commercial editions Python, PHP, JavaScript and TypeScript developers will see highly-enriched descriptions for taint analysis rules. As part of our ongoing initiative this year to offer deeply educational security content, we've rewritten the taint analysis rule descriptions for these languages to provide developers deep context and framework-sensitive patch advice. These updated rule descriptions mirror the work previously done in this area for Java and C#.

And finally, taint analysis rule implementations have been improved for all languages to provide clearer reporting on the paths through the code that lead to the issues we raise.

Better onboarding: Set 'main' branch for project, organization

`develop`, `main`, `master`, `bob`. Depending on the name of your main development branch, you may have struggled in the past with seeing your main branch in the SonarQube UI. While the main branch name was read automatically for projects imported from DevOps Platforms, for projects that weren't imported, `master` was applied by default. Going forward, you'll be able to specify the name of the main branch for individually-onboarded new projects, and set a global default that will apply to automatically created projects as well.

And on the topic of onboarding, Enterprise Edition customers with multiple DevOps Platform instances (e.g. GitHub Enterprise + will now have access to project onboarding wizards.

Ops advances: User management & running the server

Administrators can now set a custom message on the login page. The message is intended to let you provide your users authentication guidance, such as "Use your LDAP credentials."

For users who shouldn't be able to log in anymore, we now have SCIM integration for Okta. The SAML / Okta support adds new users to SonarQube and when a user leaves, it ensures removal of the user in the IdP is synchronized to SonarQube, where the user record is deactivated and its tokens invalidated.

And in all editions, for the server itself, we've added the ability to run with Java 17, which is the current Java LTS.

Enterprise Edition | Data Center Edition

Language Updates



  • Improved parsing


  • Improved recognition of generated code
  • Analysis no longer fails when `node_modules` is extended in a tsconfig file to include missing modules


  • C#11 parsing & rule updates

download the latest SonarQube version!

download nowRequest a Demo