Release notes
These release notes describe the relevant changes implemented for each SonarQube Community Build version. For a complete list of all changes, see the Full release notes at the bottom of the page.
New and enhanced features
View the release notes for new and enhanced features for SonarQube Community Build.
Latest release - 25.6.0.109173
SonarQube detects secret leaks within hidden files
SonarQube can detect secret leaks in files located within directories or hidden files that begin with a dot.
Default Quality Gate
As a Quality Gate administrator you can now set a default Quality Gates that is not compliant with Clean as You Code. See Changing the default quality gate for more details.
Previous releases
Version 25.5.0.107428
New language: Rust
Rust analysis is now supported.
It offers:
- 85 rules
- Code Coverage import (LCOV and Cobertura formats)
- Cognitive Complexity metric
- Cyclomatic Complexity metric
- Import of Clippy output as external rules (JSON format)
See Rust analyzer for more information.
Java analysis improved
In addition to the mobile security improvement, the Java analyzer has been improved as follows:
- Java 23 analysis is now supported.
- The following rules targeting Java 22 code have been added:
- S7467 - Unused exception parameter should use the unnamed variable pattern
- S7466 - Use `var` instead of a type with unnamed variable _
- S7475 - The type of an unused component should be removed from pattern matching
Kubernetes analysis improved
The Kubernetes analysis has been improved:
- It’s now possible to disable the analysis of Helm files.
- The
sonar.kubernetes.file.suffixes
property is now handled correctly.
.NET analysis improved
The following rules have been improved:
- S2222 - Locks should be released on all paths: The locking via lock object primitives is now supported.
- S4158 - Empty collections should not be accessed or iterated: LinkedList is now supported.
Version 25.4.0.105899
Analyzers
Kotlin analysis
Over 80 rules have been rebuilt to support Kotlin 2.0 and the new K2 compiler. As a result, Kotlin analysis is now 50% faster than before this release. Kotlin developers can now not only use Sonar to analyze Kotlin 2.0 and newer, but it also performs better than before.
Version 25.3.0.104237
Rules
Java rules
The following Spring Java rules have been added:
- S7177: Use appropriate @DirtiesContext modes
- S7178: Injecting data into static fields is not supported by Spring
- S7179: @Cacheable and @CachePut should not be combined
- S7180: "@Cache*" annotations should only be applied on concrete classes
- S7183: @InitBinder methods should have void return type
- S7184: "@Scheduled" annotation should only be applied to no-arg methods
- S7185: @eventlistener methods should have one parameter at most
- S7186: Methods returning "Page" or "Slice" must take "Pageable" as an input parameter
- S7190: Methods annotated with "@BeforeTransaction" or "@AfterTransaction" must respect the contract
The following Spring Java rules have been improved:
- S6856: "@PathVariable" annotation should be present if a path variable is used
This rule will now raise an issue if a method has a path template with a placeholder, but no corresponding@PathVariable
, or vice-versa. - S6809: Methods with Spring proxy should not be called via "this"
This rule will now also check for methods annotated with Spring's@Cacheable
annotation.
Deployment
IPv6 support
SonarQube Community Build (the ZIP or Docker installation) now supports IPv6 addresses. An additional configuration is required. For setup information, see Enabling IPv6 in ZIP installation or Docker installation.
Language updates
Go 1.23 now supported
SonarQube Community Build now supports the analysis of Go 1.23 code.
PHP analysis
The elsifkeyword is now taken into account in the Cyclomatic Complexity calculation.
Version 25.2.0.102705
Java 21 is now supported
SonarQube Community Build can now run in a Java 21 environment.
Version 25.1.0.102122
Faster analysis bootstrap
To improve analysis efficiency, we’ve shortened the time it takes to load the active rules in your quality profile.
Improvement to BitBucket server onboarding
To improve the import of BitBucket repositories, you can now browse and easily import all the projects from the onboarding page, without any limitation of number.
Language updates
PHP analysis now supports asymmetric property visibility (PHP 8.4).
Version 24.12.0.100206
Server administration
Introducing Multi-Quality Rule Mode
You can now toggle your SonarQube Community Build instance between the Standard Experience and Multi-Quality Rule Mode (MQR).
See Instance mode overview for more information. In both modes, it's possible to customize the severity of issues and rules.
New SonarQube Server instances use MQR Mode by default. Upon upgrading, existing SonarQube Server 10.1 and earlier are configured with the Standard Experience by default.
Analyzers, scanners, languages
Python
Python 3.13 is now supported.
Java
Analysis of Java 22 Projects is now supported.
JSpecify annotations are now supported with one new rule.
24 main code rules enabled for test code.
.NET / C#
Analysis of C#13 is now supported, and the rules have been updated to support .NET 9. We also added 3 new advanced rules around locking and misuse Linq queries on collections known to not be empty.
Kotlin
Analysis of Kotlin 2.0 is now supported.
Upgrade notes
This section contains notes about breaking changes and important updates to be aware of before upgrading.
Latest release - 25.6.0.109173
None in this release.
Previous releases
Version 25.5.0.107428
None in this release.
Version 25.4.0.105899
None in this release.
Version 25.3.0.104237
None in this release.
Version 25.2.0.102705
None in this release
Version 25.1.0.102122
Update in PostgreSQL support
PostgreSQL version 11 is no longer supported. Supported versions are now from 13 to 17.
SAML configuration update required
When configuring SAML on your SonarQube Server instance with assertion encryption, response signature must be enforced. You might need to update your SAML configuration:
- If you use SAML with Microsoft Entra, make sure you sign the response by selecting Sign SAML response or Sign SAML response and assertion as the sign-in response. See Step 2 > If you use encryption, enforce response signature in Setup of security features.
- If you use SAML with PingID, make sure you sign the response by selecting Sign Response or Sign Assertion & Response as the sign-in response. See Step 2 > To enable the encryption of SAML assertions in Setup of security features.
In addition, the assertion decryption now requires that you store also the public key certificate in SonarQube Community Build (not only the private key). Make sure the certificate is stored in SonarQube as follows:
- In SonarQube Community Build, go to Administration > Configuration > General Settings > Authentication > SAML.
- In SAML Configuration > SAML, select Edit. The Edit SAML configuration dialog opens.
- In Service provider certificate, enter the certificate.
Server base URL setup now mandatory for SAML authentication
Your SAML authentication setup will not work if the SonarQube Server base URL is not set in SonarQube Server. See Configuring the SonarQube Server base URL.
Version 24.12.0.100206
None in this release.
Deprecations and removals
This section contains information on the deprecation and removal of SonarQube Community Build features and API endpoints. See also the deprecation policy.
Latest release - 25.6.0.109173
Mercurial SCM is not supported
The Community plugin for Mercurial SCM is no longer compatible with SonarQube Server.
Sonar Plugin API
The following deprecated classes have been removed: MutableModuleSettings
and MutableProjectSettings
.
Previous releases
Version 25.5.0.107428
None in this release.
Version 25.4.0.105899
Removed ProfileExporter and ProfileImporter extension points
Removed two extension points in the plugin-api ProfileExporter and ProfileImporter. The following APIs have been deprecated:
GET /api/qualityprofiles/export
API endpoint. You can now useGET /api/qualityprofiles/backup
instead.GET /api/qualityprofiles/exporters
GET /api/qualityprofiles/importers
See Web API for more information.
Version 25.3.0.104237
None in this release.
Version 25.2.0.102705
Removed sonar.password property
The sonar.password
scanner property that was deprecated in SonarQube Server 9.8 has now been removed.
Removed password hash
The BCrypt hash method used for passwords was deprecated in SonarQube Server 8.9. It has now been removed. As a result, the passwords of users who have not logged in since SonarQube 8.9 are deactivated and an admin must reset them if these users need to log in again.
Version 25.1.0.102122
Deprecation of property encryption on the scanner side
Property encryption on the scanner side is now deprecated.
Removed complexity metrics
The following complexity metrics, which were deprecated in SonarQube Server 6.7, have now been removed:
file_complexity
complexity_in_classes
class_complexity
complexity_in_functions
function_complexity
function_complexity_distribution
file_complexity_distribution
Version 24.12.0.100206
None in this release.
Full release notes
Latest release version 25.6.0.109173 full release notes in Jira.
Previous releases
Was this page helpful?