# Release notes

For a complete list of all changes, see [#full-release-notes](#full-release-notes "mention").

## New and enhanced features <a href="#new-and-enhanced-features" id="new-and-enhanced-features"></a>

View the release notes for new and enhanced features for SonarQube Community Build.

<details>

<summary>Latest release - 26.4.0.121862</summary>

### Analysis performance

#### Better handling of large JaCoCo reports

SonarQube now better supports large aggregate JaCoCo coverage reports, improving stability and scalability for large monorepos and multi‑module builds with consolidated coverage.

### Languages

#### IaC

The infrastructure‑as‑code analyzer was updated to reduce false positives for existing rules, add support for multi‑document Helm charts, and improve Bicep parsing.

#### Java

Support for Java 25 is extended with additional rules in the Java analyzer:

* S8446 – Only one main method should be present
* S8465 – ScopedValue instances should be assigned to a stable reference
* S8469 – Use IO.readln(String prompt) instead of IO.print + IO.readln()
* S8447 – Initialize subclass fields before super() when superclass constructor may call overridable methods
* S8450 – Use IO.readln() instead of BufferedReader boilerplate for console input
* S3051 – Main methods should be used only as program entry point

#### PHP

PHP analysis has been improved based on user feedback to reduce noise from “PITA” rules and improve precision.

#### Text

The text analyzer was updated to bring a new rule to detect Glassworm‑style attacks and additional hardening improvements.

* S8703 – Unicode Variation Selectors should not hide executable content

### Deployment

#### Elasticsearch metrics&#x20;

New Elasticsearch metrics have been introduced to detect disk‑space related issues earlier and provide better observability.

</details>

<details>

<summary>Previous releases</summary>

### Version 26.3.0.120487

#### New navigation and workspace experience

A modernized navigation and workspace experience is now available in SonarQube Community Build.

The key changes are:

* **Vertical Navigation:** We’ve moved the horizontal top menu to a vertical sidebar. This makes navigating between different spaces faster and more intuitive.
* **Updated information architecture:** Navigation items are now grouped to be easier to find contextually (e.g., Analysis, Reporting, Policies, Project).
* **New context switcher:** A new area in the left navigation bar allows you to easily jump between projects without losing your place.

#### Improved failed SARIF import logs

More details are now logged on SARIF reports import errors.

#### Improved API performance

The performance of the `api/permissions/search_templates` Web API for large data sets has been improved.

#### Languages

**Go**

It’s now possible to disable the Go analyzer in the UI or via the sonar.go.activate property.

New Go analysis engine delivering up to a 30x speedup in processing.

**Java**

The following rules have been added to support Java 25:

* S8432 : "ScopedValue.where" results should not be ignored
* S8433: should not raise issue for classes without superclass declared
* S8444 - Validation and data preparation logic before super() should not bloat constructor
* S8445: Group import declarations by specificity

**Python**

New rules for FastAPI and Flask framework.

* S8370: Query parameters should not be used in Flask POST requests
* S8371: HTTP headers should be accessed safely to avoid KeyError exceptions
* S8374: Flask class-based view decorators should be applied using the "decorators" attribute
* S8375: Flask "preprocess\_request()" return values should be handled
* S8389: FastAPI file upload endpoints should use "Form()" with Pydantic validators instead of "Body()" or "Depends()"
* S8392: FastAPI applications should not bind to all network interfaces
* S8396: Optional Pydantic fields should have explicit default values
* S8397: FastAPI applications should be passed as import strings when using reload, debug, or workers
* S8400: Endpoints returning 204 status should have an empty response body
* S8401: Child routers should be included before parent router registration
* S8405: TestClient requests should use "content" parameter for bytes or text
* S8409: FastAPI routes should not specify redundant "response\_model" parameters
* S8410: FastAPI dependencies should use "Annotated" type hints
* S8411: FastAPI path parameters should be included in route function signatures
* S8412: Generic route decorators should not be used
* S8413: Router prefixes should be defined during "APIRouter" initialization
* S8414: CORSMiddleware should be added last in the middleware chain
* S8415: HTTPException responses should be documented in endpoint metadata

**Ruby**

The following rules have been added (in Beta):

* S8418: Unused method and block parameters should be removed or prefixed with an underscore
* S8419: Function parameters should not be immediately reassigned
* S8421: Underscore-prefixed variables should not be used
* S8422: Trailing underscores in multiple assignment should be removed
* S8423: Parameter default values should not reference themselves
* S8424: Constants should not be reassigned
* S8425: Constants should be explicitly scoped to avoid ambiguous resolution

  * S8426: Variables should not be assigned only to be implicitly returned

  The following rules were removed because they raised too many false-positives:

  * S1854: Unused assignments should be removed
  * S7819: Variables and methods should be accessible in their usage context

**New GitLab PAT format added for secret detection**

The rule **S6690: GitLab tokens should not be disclosed** has been improved to add the new GitLab PAT format.

### Version 26.2.0.119303

#### Languages

**.NET 10 and C# 14 support**

Empowers .NET teams to adopt the Long Term Support (LTS) release of .NET 10 and C# 14 immediately, ensuring their analysis remains accurate, performant, and free of false positives associated with new language constructs.

Related rules:

* S1121: Assignments should not be made from within sub-expressions
* S1144: Unused private types or members should be removed
* S2225: "ToString()" method should not return null
* S2292: Trivial properties should be auto-implemented
* S2325: Methods and properties that don't access instance data should be static
* S2583: Conditionally executed code should be reachable
* S2589: Boolean expressions should not be gratuitous
* S2692: "IndexOf" checks should not be for positive numbers
* S2953: Methods named "Dispose" should implement "IDisposable.Dispose"
* S2970: Assertions should be complete
* S3063: "StringBuilder" data should be used
* S3264: Events should be invoked
* S3398: "private" methods called only by inner classes should be moved to those classes
* S3459: Unassigned members should be removed
* S3877: Exceptions should not be thrown from unexpected methods
* S3928: Parameter names used into ArgumentException constructors should match an existing one
* S4545: "DebuggerDisplayAttribute" strings should reference existing members
* S7039: Content Security Policies should be restrictive

**PHP**

Reduces false positives on several rules and cleans up build and dependency infrastructure. Related rules:

* S1155: "empty()" should be used to test for emptiness
* S1172: Unused function parameters should be removed
* S2699: Tests should include assertions
* S1068: Unused "private" fields should be removed

**Scala**

Includes fixes to false positives and negatives for the following rules:

* S1192: String literals should not be duplicated
* S126: "if ... else if" constructs should end with "else" clauses

**VB6**

Fixes parse errors and line count. Related rules:

* S138: Subs and functions should not have too many lines
* S1151: "Case" clauses should not have too many lines

### Version 26.1.0.118079

#### Quality gate fudge factor improved

The quality gate fudge factor refers to a mechanism where conditions on duplication and coverage are ignored. This is used to avoid overly strict enforcement when dealing with small changes, as minor issues might disproportionately impact the overall quality gate status.

In the previous version, these conditions were ignored until the number of new lines was at least 20. With this new version:

* The conditions on duplication are ignored until the number of new lines is at least 20 (*no change*).
* The conditions on coverage are ignored until the number of new lines *to cover* is at least 20.

#### Direct navigation from project to bound repo

The bound to repo icon displayed in the header of a SonarQube Community Build project is now clickable and opens the respective repository in the DevOps platform.

### Version 25.12.0.117093

#### Login page improvement

The SonarQube Community Build login page has been changed to improve your user experience.

#### CSS rules for accessibility

The following CSS accessibility rules have been added:

* S7923: Orientation of the page is not restricted using CSS transform property
* S7924: Text has minimum contrast
* S7925: Spacing and height in style attributes is not \`!important\`

#### Quick fixes for JavaScript / TypeScript

Additional 58 rules for JavaScript / TypeScript can now provide quick fixes in SonarQube for IDE.

#### Python 3.14 rules

The following rules have been added to support Python 3.14:

* S7932: Return, break, or continue statements should not exit finally blocks
* S7940: Unnecessary parentheses should not surround single exception types
* S7941: Compression modules should be imported from the compression namespace
* S7942: Template strings should be processed before use
* S7943: Template and str should not be concatenated directly
* S7944: Template strings should not be used for simple string formatting
* S7945: Template string processing should use structural pattern matching

### Version 25.11.0.114957

#### In-product communication of product news

Sonar will now provide in-product notifications to users regarding important product updates. These messages will be tailored to specific audiences. Users will receive alerts for new messages and will have access to a complete message history.

#### PHP 8.5 support

PHP version 8.5 is now supported.

#### Python 3.14 support

Python version 3.14 is now supported.

#### High-volume file move detection

SonarQube now stops the analysis when a high-volume file move is detected and raises a warning to let users revert to their initial project configuration in case of an unintended file move.

### DevOps platform integration

#### GitHub Enterprise Cloud with Data Residency now supported

SonarQube’s integration with GitHub Enterprise Cloud with Data Residency is now supported.

#### Navigation from SonarQube to GitHub

You can now navigate from your SonarQube project to the bound GitHub repository by selecting the project bound icon.

### Version 25.10.0.114319

#### Go 1.25 support

Go version 1.25 is now supported.

#### JavaScript analysis improved

68 rules from the `eslint-plugin-unicorn` have been added to the JavaScript analysis.

#### Parallel execution of Python rules

Parallel execution of Python rules is now supported. See [#parallel-code-scan](https://docs.sonarsource.com/sonarqube-community-build/analyzing-source-code/languages/python#parallel-code-scan "mention") for more information.

#### JRE auto-provisioning can be disabled at the instance level

JRE auto-provisioning for the scanners on CI/CD host is enabled by default. It was possible to disable it through an analysis parameter. You can now disable it at the SonarQube instance level. See [managing-jre-auto-provisioning](https://docs.sonarsource.com/sonarqube-community-build/analyzing-source-code/scanners/scanner-environment/managing-jre-auto-provisioning "mention") for more information.

### Version 25.9.0.112764

#### AWS lambda rules for Python

The following rules related to AWS lambdas and common practices have been added to the Python analysis:

* S6249: Authorizing HTTP communications with S3 buckets is security-sensitive
* S7613: AWS Lambda handlers should return only JSON serializable values
* S7609: AWS CloudWatch metrics namespace should not begin with \`AWS/\`
* S6246: Lambdas should not invoke other lambdas synchronously
* S7608: S3 operations should verify bucket ownership using ExpectedBucketOwner parameter
* S7618: Network calls in AWS Lambda functions shouldn't be made without explicit timeout parameters
* S7617: Reserved environment variable names should not be overridden in Lambda functions
* S6243: Reusable resources should be initialized at construction time of Lambda functions
* S6262: AWS region should not be set with a hardcoded String
* S7622: boto3 operations that support pagination should be performed using paginators or manual pagination handling
* S7621: AWS waiters should be used instead of custom polling loops
* S7620: AWS Lambda handlers should clean up temporary files in /tmp directory
* S7625: Long-term AWS access keys should not be used directly in code
* S7614: AWS Lambda handlers must not be an async function
* S7619: "botocore.exceptions.ClientError" must be explicitly catch and handled

#### AngularJS rules for TypeScript

The following rules related to AngularJS have been added to the TypeScript analysis:

* S7655: Angular classes should implement lifecycle interfaces for their lifecycle methods
* S7641: Angular lifecycle methods should be used in the correct context
* S7656: Angular Pipes should implement PipeTransform interface
* S7650: Components and directives should not use the "inputs" metadata property
* S7648: Components, Directives, and Pipes should use standalone architecture
* S7647: Empty Angular lifecycle methods should be removed
* S7649: Input bindings should not be aliased
* S7653: Output bindings should not be aliased
* S7652: Output bindings should not be named "on" or prefixed with "on"
* S7651: Output bindings should not be named as standard DOM events
* S7654: The "outputs" metadata property should not be used in Angular components and directives

#### PHP analysis improved

PHP keyword parsing has been optimized by replacing the regex-based logic.

#### Secret detection improved

Performance improved.

#### Rust analysis improved

The Clippy analysis can now be run offline by setting `sonar.rust.clippy.offline` to `true`**.** This prevents Clippy from trying to fetch dependencies. Dependencies must still be available locally for the analysis to work correctly. This setting is intended for air-gapped environments.

### Version 25.8.0.111929

#### Improved issue suppression for Python

Individual rules can be suppressed in Python using the rule key with # NOSONAR (eg #NOSONAR(S5655)). Additionally, the rules below can be enabled to track usage of # NOSONAR and # noqa:

* S1291: Track uses of "NOSONAR" comments
* S1309: Track uses of noqa comments

You can detect correct usage of # NOSONAR & # noqa with rule:

* S7632: Issue suppression comment should have the correct format

#### New rules for Java 24

Ensures that the Java analyzer successfully parses Java 24 source files without errors and correctly handles new Java 24 features. Adds Java 24-specific rules and updates existing rules to ensure they properly use new language constructs in Java 24.

Relevant rules:

* S6906: Virtual threads should not run tasks that include synchronized code
* S2093: Try-with-resources should be used
* S7478: "transformClass" method should be used instead of "build" when transforming a class
* S7477: Class name should be omitted when unchanged by class transform
* S7479: "ClassBuilder.withMethodBody" should be preferred to "ClassBuilder.withMethod"
* S7482: Don't provide an initializer for a stateless stream gatherer
* S7629: When a defaultFinisher is passed to a Gatherer factory, use the overload that does not take a finisher
* S7481: Gatherer.ofSequential() should be used to build sequential gathers

#### Kontlin 2.2 support

SonarQube analysis now supports Kotlin 2.2.

### Version 25.7.0.110598

#### Improved Go analysis precision

The precision of the GO analysis has been improved thanks to a cross-file type resolution.

#### Java analyzer better identifies performance issues

The following rules have been added to better identify performance issues.

* S4030 - Collection and array contents should be used
* S3063 - "StringBuilder" data should be used
* S3024 - Arguments to "append" should not be concatenated
* S3033 - ".length" should be used to test for the emptiness of StringBuffers

The following rule has been improved:

* S7158 - "String.isEmpty()" should be used to test for emptiness\
  The rule has been extended to work with all CharSequence.

#### Support for Java 24

SonarQube can now analyze a Java 24 project.

#### Other Java improvements

The following rules have been added for Java 23:

* S7474 - Markdown, HTML and Javadoc tags should be consistent
* S7476 - Comments should start with the appropriate number of slashes

The following rules have been improved:

* False positive correction: S125, S1123, S1854, S2384
* False negative correction: S1943

#### Improved Python analysis on comprehensions and coroutines

The following new rules have been added on comprehensions and coroutines:

* S7483: Asynchronous functions should not accept timeout parameters
* S7484: Events should be used instead of sleep in asynchronous loops
* S7491: Checkpoints should be used instead of sleep(0)
* S7494: Unnecessary generator - rewrite as a comprehension
* S7486: Long sleep durations should use sleep\_forever() instead of arbitrary intervals
* S7488: Use non-blocking sleep functions in asynchronous code
* S7499: Async functions should not contain synchronous http operations
* S7492: Unnecessary list comprehension in \<any/all>() prevents short-circuiting - rewrite as a generator
* S7500: Unnecessary \<dict/list/set> comprehension - rewrite using \<dict/list/set>()
* S7496: Unnecessary \<list/tuple> passed to tuple() - rewrite as literal or remove call
* S7503: Async functions should use async features
* S7498: Unnecessary empty \<dict/list/tuple> call - rewrite as a literal
* S7501: Async functions should not contain input() calls
* S7497: Cancellation exceptions should be re-raised after cleanup
* S7504: Unnecessary \`list()\` cast on iterable
* S7505: Unnecessary map usage - rewrite using a generator expression/\<list/set/dict> comprehension
* S7506: Dictionary comprehensions shouldn't use a static key
* S7507: Incorrect \`default\_factory\` keyword argument for \`defaultdict\`
* S7493: Async functions should not contain synchronous file operations
* S7490: Cancellation scopes should contain checkpoints
* S7510: Unnecessary \<reversed> call around sorted()
* S7489: Async functions should not contain synchronous OS calls
* S7502: Asyncio tasks should be saved to prevent premature garbage collection
* S7487: Async functions should not contain synchronous subprocess calls
* S7508: Unnecessary \<list/reversed/set/sorted/tuple> call within \<list/set/sorted/tuple>()
* S7511: Unnecessary subscript reversal of iterable within \<reversed/set/sorted>()
* S7512: Inefficient dictionary iteration method
* S7516: Unnecessary sort inside set
* S7517: Use dict.items() to iterate over a dictionary
* S7513: TaskGroup/Nursery should not be used for a single start call
* S7519: Unnecessary dict comprehension - rewrite using dict.fromkeys()
* S7515: async with should be used for asynchronous resource management
* S7514: Control flow statements should not be used inside TaskGroup or Nursery blocks

#### Python option added to analysis build tool

A **Python** tab is now available in SonarQube’s project analysis build tool.

#### Improved .NET analysis

The following rules have been improved:

* False positive correction: S2068, S3626
* False negative correction: S1168, S3878, S1871, S2068

#### Helm chart now with hostpath storage

It’s now possible to save data with hostpath in SonarQube Helm charts.

### Version 25.6.0.109173 <a href="#version2560109173" id="version2560109173"></a>

#### SonarQube detects secret leaks within hidden files

SonarQube can detect secret leaks in files located within directories or hidden files that begin with a dot.

#### Default Quality Gate

As a Quality Gate administrator you can now set a default Quality Gates that is not compliant with Clean as You Code. See [changing-default-quality-gate](https://docs.sonarsource.com/sonarqube-community-build/quality-standards-administration/managing-quality-gates/changing-default-quality-gate "mention") for more details.

### Version 25.5.0.107428 <a href="#version-2550107428" id="version-2550107428"></a>

#### New language: Rust

Rust analysis is now supported.

It offers:

* 85 rules
* Code Coverage import (LCOV and Cobertura formats)
* Cognitive Complexity metric
* Cyclomatic Complexity metric
* Import of Clippy output as external rules (JSON format)

See [rust](https://docs.sonarsource.com/sonarqube-community-build/analyzing-source-code/languages/rust "mention") for more information.

#### Java analysis improved

In addition to the mobile security improvement, the Java analyzer has been improved as follows:

* Java 23 analysis is now supported.
* The following rules targeting Java 22 code have been added:
  * S7467 - Unused exception parameter should use the unnamed variable pattern
  * S7466 - Use \`var\` instead of a type with unnamed variable \_
  * S7475 - The type of an unused component should be removed from pattern matching

#### Kubernetes analysis improved

The Kubernetes analysis has been improved:

* It’s now possible to disable the analysis of Helm files.
* The `sonar.kubernetes.file.suffixes` property is now handled correctly.

#### .NET analysis improved

The following rules have been improved:

* S2222 - Locks should be released on all paths: The locking via lock object primitives is now supported.
* S4158 - Empty collections should not be accessed or iterated: LinkedList is now supported.

### Version 25.4.0.105899 <a href="#version2540105899" id="version2540105899"></a>

#### Kotlin analysis

Over 80 rules have been rebuilt to support Kotlin 2.0 and the new K2 compiler. As a result, Kotlin analysis is now 50% faster than before this release. Kotlin developers can now not only use Sonar to analyze Kotlin 2.0 and newer, but it also performs better than before.

### Version 25.3.0.104237 <a href="#version2530104237" id="version2530104237"></a>

#### Java rules

The following Spring Java rules have been added:

* S7177: Use appropriate @DirtiesContext modes
* S7178: Injecting data into static fields is not supported by Spring
* S7179: @Cacheable and @CachePut should not be combined
* S7180: "@Cache\*" annotations should only be applied on concrete classes
* S7183: @InitBinder methods should have void return type
* S7184: "@Scheduled" annotation should only be applied to no-arg methods
* S7185: @eventlistener methods should have one parameter at most
* S7186: Methods returning "Page" or "Slice" must take "Pageable" as an input parameter
* S7190: Methods annotated with "@BeforeTransaction" or "@AfterTransaction" must respect the contract

The following Spring Java rules have been improved:

* S6856: "@PathVariable" annotation should be present if a path variable is used\
  This rule will now raise an issue if a method has a path template with a placeholder, but no corresponding `@PathVariable`, or vice-versa.
* S6809: Methods with Spring proxy should not be called via "this"\
  This rule will now also check for methods annotated with Spring’s `@Cacheable` annotation.

#### Go 1.23 now supported

SonarQube Community Build now supports the analysis of Go 1.23 code.

#### PHP analysis

The `elseif` keyword is now taken into account during the Cyclomatic Complexity calculation. See the [#complexity](https://docs.sonarsource.com/sonarqube-community-build/user-guide/code-metrics/metrics-definition#complexity "mention") article on the [metrics-definition](https://docs.sonarsource.com/sonarqube-community-build/user-guide/code-metrics/metrics-definition "mention") page.

#### IPv6 support

SonarQube Community Build (the ZIP or Docker installation) now supports IPv6 addresses. An additional configuration is required. For setup information, see [#enabling-ipv6](https://docs.sonarsource.com/sonarqube-community-build/server-installation/from-zip-file/advanced-setup#enabling-ipv6 "mention") in Zip installation and [#enabling-ipv6](https://docs.sonarsource.com/sonarqube-community-build/server-installation/from-docker-image/advanced-setup#enabling-ipv6 "mention") in Docker installation.

### Version 25.2.0.102705 <a href="#version2520102705" id="version2520102705"></a>

#### Java 21 is now supported

SonarQube Community Build can now run in a Java 21 environment.

### Version 25.1.0.102122 <a href="#version2510102122" id="version2510102122"></a>

#### Faster analysis bootstrap

To improve analysis efficiency, we’ve shortened the time it takes to load the active rules in your quality profile.

#### Improvement to BitBucket server onboarding

To improve the import of BitBucket repositories, you can now browse and easily import all the projects from the onboarding page, without any limitation of number.

#### Language updates

PHP analysis now supports asymmetric property visibility (PHP 8.4).

### Version 24.12.0.100206 <a href="#version24120100206" id="version24120100206"></a>

#### Introducing Multi-Quality Rule Mode

You can now toggle your SonarQube Community Build instance between the [standard-experience](https://docs.sonarsource.com/sonarqube-community-build/instance-administration/analysis-functions/instance-mode/standard-experience "mention") and [mqr-mode](https://docs.sonarsource.com/sonarqube-community-build/instance-administration/analysis-functions/instance-mode/mqr-mode "mention").

See instance mode [instance-mode-overview](https://docs.sonarsource.com/sonarqube-community-build/instance-administration/analysis-functions/instance-mode/instance-mode-overview "mention") for more information. In both modes, it’s possible to customize the severity of issues and rules.

New SonarQube Server instances use MQR Mode by default. Upon upgrading, existing SonarQube Server 10.1 and earlier are configured with the Standard Experience by default.

#### Python

Python 3.13 is now supported.

#### Java

Analysis of Java 22 Projects is now supported.

JSpecify annotations are now supported with one new rule.

24 main code rules enabled for test code.

#### .NET / C\#

Analysis of C#13 is now supported, and the rules have been updated to support .NET 9. We also added 3 new advanced rules around locking and misuse Linq queries on collections known to not be empty.

#### Kotlin

Analysis of Kotlin 2.0 is now supported.

</details>

## Update notes <a href="#upgrade-notes" id="upgrade-notes"></a>

This section contains notes about breaking changes and important updates to be aware of before updating to a new version.

<details>

<summary>Latest release - 26.4.0.121862</summary>

None in this release.

</details>

<details>

<summary>Previous releases</summary>

### Version 26.3.0.120487

None in this release.

### Version 26.2.0.119303

#### Java 25 support

SonarQube Community Build can now run on Java 25.

#### PostgreSQL18 support

Support for PostgreSQL versions is now from 14 to 18, enabling deployments using the most recent PostgreSQL release. Support for version 13 has been removed.

#### Kubernetes 1.35 support

Support for Kubernetes versions is now from 1.32 to 1.35. Support for 1.30 and 1.31 has been removed.

#### Removed support for 2016 MSSQL Server 13.0

Supported MSSQL server is now 2022 (MSSQL Server 16.0); 2019 (MSSQL Server 15.0); 2017 (MSSQL Server 14.0). Support for 2016 MSSQL Server 13.0 support has been removed. See Installing database for more information.

#### Use of Elasticsearch 8.x

SonarQube Community Build now includes Elasticsearch 8.x, which requires write access to the /tmp directory. This is a requirement from Elasticsearch itself and cannot be disabled. For more information and a solution, see Elasticsearch 8.x filesystem requirements.

### Version 26.1.0.118079

#### JDK now required

The SonarQube Community Build runtime now requires Java Development Kit (JDK). Note that the previous requirement of a Java Runtime Environment (JRE) is no longer sufficient; a full JDK is required. See [#software-requirements](https://docs.sonarsource.com/sonarqube-community-build/server-installation/server-host-requirements#software-requirements "mention") for details.

#### Downgraded Microsoft SQL JDBC Auth from 13.2.1 to 12.10.2

Due to changes in the Microsoft SQL JDBC driver, it was downgraded from version 13.2.1 to 12.10.2. See [#using-integrated-security](https://docs.sonarsource.com/sonarqube-community-build/server-installation/installing-the-database#using-integrated-security "mention") for details.

### Version 25.12.0.117093

None in this release.

### Version 25.11.0.114957

To use integrated security in Microsoft SQL database, upgrade to Microsoft SQL JDBC Auth 13.2.1 package. See [#using-integrated-security](https://docs.sonarsource.com/sonarqube-community-build/server-installation/installing-the-database#using-integrated-security "mention") for details.

### Version 25.10.0.114319

None in this release.

### Version 25.9.0.112764

None in this release.

### Version 25.8.0.111929

None in this release.

### Version 25.7.0.110598

None in this release.

### Version 25.6.0.109173 <a href="#version-2560109173" id="version-2560109173"></a>

None in this release.

### Version 25.5.0.107428 <a href="#version2550107428" id="version2550107428"></a>

None in this release.

### Version 25.4.0.105899 <a href="#version2540105899" id="version2540105899"></a>

None in this release.

### Version 25.3.0.104237 <a href="#version2530104237" id="version2530104237"></a>

None in this release.

### Version 25.2.0.102705 <a href="#version2520102705" id="version2520102705"></a>

None in this release

### Version 25.1.0.102122 <a href="#version2510102122" id="version2510102122"></a>

#### Update in PostgreSQL support

PostgreSQL versions 11 and 12 are no longer supported. Supported versions are now from 13 to 17.

#### SAML configuration update required

When configuring SAML on your SonarQube Server instance with assertion encryption, response signature must be enforced. You might need to update your SAML configuration:

* If you use SAML with Microsoft Entra, make sure you sign the response by selecting **Sign SAML response** or **Sign SAML response and assertion** as the sign-in response. See **Step 2 > If you use encryption, enforce response signature** in [optional-security-features](https://docs.sonarsource.com/sonarqube-community-build/instance-administration/authentication/saml/ms-entra-id/optional-security-features "mention").
* If you use SAML with PingID, make sure you sign the response by selecting **Sign Response** or **Sign Assertion & Response** as the sign-in response. See **Step 2 > To enable the encryption of SAML assertions** in [optional-security-features](https://docs.sonarsource.com/sonarqube-community-build/instance-administration/authentication/saml/ping-identity/optional-security-features "mention").

In addition, the assertion decryption now requires that you store also the public key certificate in SonarQube Community Build (not only the private key). Make sure the certificate is stored in SonarQube as follows:

1. In SonarQube Community Build, go to **Administration > Configuration > General Settings > Authentication > SAML**.
2. In **SAML Configuration > SAML**, select **Edit**. The **Edit SAML configuration** dialog opens.
3. In **Service provider certificate**, enter the certificate.

#### Server base URL setup now mandatory for SAML authentication

Your SAML authentication setup will not work if the SonarQube Server base URL is not set in SonarQube Server. See [server-base-url](https://docs.sonarsource.com/sonarqube-community-build/instance-administration/server-base-url "mention").

### Version 24.12.0.100206 <a href="#version24120100206" id="version24120100206"></a>

None in this release.

</details>

## Deprecations and removals <a href="#deprecations-and-removals" id="deprecations-and-removals"></a>

This section contains information on the deprecation and removal of SonarQube Community Build features and API endpoints. See the [deprecation-policy](https://docs.sonarsource.com/sonarqube-community-build/server-update-and-maintenance/maintenance/deprecations/deprecation-policy "mention") for more information.

<details>

<summary>Latest release - 26.4.0.121862</summary>

None in this release.<br>

</details>

<details>

<summary>Previous releases</summary>

### Version 26.3.0.120487

None in this release.

### Version 26.2.0.119303

#### Databases

PostgreSQL version 13 is not supported anymore.

2016 MSSQL Server 13.0 is not supported anymore.

#### Kubernetes

Kubernetes versions 1.30 and 1.31 are not supported anymore.

### Version 26.1.0.118079

#### Java 17 not supported any more

Java version 21 is the minimum version required to run SonarQube Community Build.

### Version 25.12.0.117093

#### Deprecation of Java 17 as a scanner runtime

Java 17 is deprecated as a supported scanner runtime environment and its support ends in July 2026. There is no impact for this change if you use JRE auto-provisioning, enabled by default on scanners that support it, because it keeps Java version requirements always up to date. If you disable JRE auto-provisioning or your scanner doesn’t support it, you need to update to Java 21 or newer. See:

* [Community post](https://community.sonarsource.com/t/phasing-out-java-17-as-a-scanner-runtime/153678) for more information about the deprecation.
* [managing-jre-auto-provisioning](https://docs.sonarsource.com/sonarqube-community-build/analyzing-source-code/scanners/scanner-environment/managing-jre-auto-provisioning "mention").

### Version 25.11.0.114957

None in this release.

### Version 25.10.0.114319

#### Java 17 for SonarQube Community Build instance

Java 17 for running SonarQube Community Build instances is deprecated and will be dropped soon. Java 21 should be used.

### Version 25.9.0.112764

None in this release.

### Version 25.8.0.111929

None in this release.

### Version 25.7.0.110598

#### Deprecated rules

The following Java and Kotlin rules are now deprecated:

* S6291 - Using unencrypted databases in mobile applications is security-sensitive
* S6300 - Using unencrypted files in mobile applications is security-sensitive

### Version 25.6.0.109173 <a href="#version-2560109173" id="version-2560109173"></a>

#### Mercurial SCM is not supported

The Community plugin for Mercurial SCM is no longer compatible with SonarQube Server.

#### Sonar Plugin API

The following deprecated classes have been removed: `MutableModuleSettings` and `MutableProjectSettings`.

### Version 25.5.0.107428 <a href="#version2550107428" id="version2550107428"></a>

None in this release.

### Version 25.4.0.105899 <a href="#version2540105899" id="version2540105899"></a>

#### Removed ProfileExporter and ProfileImporter extension points

Removed two extension points in the plugin-api **ProfileExporter** and **ProfileImporter**. The following APIs have been deprecated:

* `GET /api/qualityprofiles/export`API endpoint. You can now use `GET /api/qualityprofiles/backup` instead.
* `GET /api/qualityprofiles/exporters`
* `GET /api/qualityprofiles/importers`

See [Web API](https://sonarcloud.io/web_api/api/qualityprofiles?query=export\&deprecated=false) for more information.

### Version 25.3.0.104237 <a href="#version2530104237" id="version2530104237"></a>

None in this release.

### Version 25.2.0.102705 <a href="#version2520102705" id="version2520102705"></a>

#### Removed sonar.password property

The `sonar.password` scanner property that was deprecated in SonarQube Server 9.8 has now been removed.

#### Removed password hash

The BCrypt hash method used for passwords was deprecated in SonarQube Server 8.9. It has now been removed. As a result, the passwords of users who have not logged in since SonarQube 8.9 are deactivated and an admin must reset them if these users need to log in again.

### Version 25.1.0.102122 <a href="#version2510102122" id="version2510102122"></a>

#### Deprecation of property encryption on the scanner side

Property encryption on the scanner side is now deprecated.

#### Removed complexity metrics

The following complexity metrics, which were deprecated in SonarQube Server 6.7, have now been removed:

* `file_complexity`
* `complexity_in_classes`
* `class_complexity`
* `complexity_in_functions`
* `function_complexity`
* `function_complexity_distribution`
* `file_complexity_distribution`

### Version 24.12.0.100206 <a href="#version24120100206" id="version24120100206"></a>

None in this release.

</details>

## Full release notes <a href="#full-release-notes" id="full-release-notes"></a>

Latest release version [26.4.0.121862](https://sonarsource.atlassian.net/issues?jql=project%20%3D%2010139%20AND%20fixVersion%3D29438%20AND%20issuetype%20!%3D%20Maintenance) full release notes in Jira.

<details>

<summary>Previous releases</summary>

* [26.2.0.119303](https://sonarsource.atlassian.net/issues?jql=project%20%3D%2010139%20AND%20fixVersion%3D26400%20AND%20issuetype%20!%3D%20Maintenance)
* [26.1.0.118079](https://sonarsource.atlassian.net/issues?jql=project%20%3D%2010139%20AND%20fixVersion%3D24413%20AND%20issuetype%20!%3D%20Maintenance)
* [25.12.0.117093](https://sonarsource.atlassian.net/issues?jql=project%20%3D%2010139%20AND%20fixVersion%3D23291%20AND%20issuetype%20!%3D%20Maintenance)
* [25.11.0.114957](https://sonarsource.atlassian.net/issues?jql=project%20%3D%2010139%20AND%20fixVersion%3D22533%20AND%20issuetype%20!%3D%20Maintenance)
* [25.10.0.114319](https://sonarsource.atlassian.net/issues?jql=project%20%3D%2010139%20AND%20fixVersion%3D21905%20AND%20issuetype%20!%3D%20Maintenance)
* [25.9.0.112764](https://sonarsource.atlassian.net/issues?jql=project%20%3D%2010139%20AND%20fixVersion%3D21212%20AND%20issuetype%20!%3D%20Maintenance)
* [25.8.0.111929](https://sonarsource.atlassian.net/issues?jql=project%20%3D%2010139%20AND%20fixVersion%3D19334%20AND%20issuetype%20!%3D%20Maintenance)
* [25.7.0.110598](https://sonarsource.atlassian.net/issues?jql=project%20%3D%2010139%20AND%20fixVersion%3D18739%20AND%20issuetype%20!%3D%20Maintenance)
* [25.6.0.109173](https://sonarsource.atlassian.net/issues?jql=project%20%3D%2010139%20AND%20fixVersion%3D18176%20AND%20issuetype%20!%3D%20Maintenance)
* [25.5.0.107428](https://sonarsource.atlassian.net/issues?jql=project%20%3D%2010139%20AND%20fixVersion%3D18145%20AND%20issuetype%20!%3D%20Maintenance)
* [25.4.0.105899](https://sonarsource.atlassian.net/issues?jql=project%20%3D%2010139%20AND%20fixVersion%3D16790%20AND%20issuetype%20!%3D%20Maintenance)
* [25.3.0.104237](https://sonarsource.atlassian.net/issues?jql=project%20%3D%2010139%20AND%20fixVersion%3D16527%20AND%20issuetype%20%21%3D%20Maintenance)
* [25.2.0.102705](https://sonarsource.atlassian.net/issues?jql=fixVersion%20%3D%2016130%20AND%20issuetype%20%21%3D%20Maintenance%20ORDER%20BY%20status%20DESC%2C%20created%20ASC%20)
* [25.1.0.102122](https://sonarsource.atlassian.net/issues?jql=fixVersion%20%3D%2016129%20AND%20issuetype%20%21%3D%20Maintenance%20ORDER%20BY%20status%20DESC%2C%20created%20ASC%20)
* [24.12.0.100206](https://sonarsource.atlassian.net/issues?jql=fixVersion%20%3D%2016125%20AND%20issuetype%20!%3D%20Maintenance%20ORDER%20BY%20status%20DESC%2C%20created%20ASC%20)

</details>