Release notes

These release notes describe the relevant changes implemented for each SonarQube Community Build version. For a complete list of all changes, see the Full release notes at the bottom of the page.

New and enhanced features

View the release notes for new and enhanced features for SonarQube Community Build. 

25.5.0.107428

New language: Rust

Rust analysis is now supported.

It offers:

  • 85 rules
  • Code Coverage import (LCOV and Cobertura formats)
  • Cognitive Complexity metric
  • Cyclomatic Complexity metric
  • Import of Clippy output as external rules (JSON format)

See Rust analyzer for more information.

Mobile security improved (Java, Kotlin, XML)

Mobile security analysis for Android has been improved by adding new mobile security rules and improving existing ones.

New rules 

The following rules have been added to the Java and Kotlin analyzers:

  • S7409 - Exposing Java interfaces in WebViews is security-sensitive: This rule covers M8 from the OWASP Mobile Top Ten 2024.
  • S7435 - Processing persistent unique identifiers is security-sensitive: This rule covers M6 from the OWASP Mobile Top Ten 2024.

The following rules have been added to the Kotlin analyzer:

  • S6474 - Using remote artifacts without authenticity and integrity checks is security-sensitive: This rule covers M2 from the OWASP Mobile Top Ten 2024.
  • S7204 - Obfuscation should be enabled for release builds: This rule covers M7 and M8 from the OWASP Mobile Top Ten 2024.
  • S7410 - Keyboard cache should be disabled for password inputs: This rule covers M2 from the OWASP Mobile Top Ten 2024.
  • S7416 - Android production release targets should not be debuggable: This rule covers M7 from the OWASP Mobile Top Ten 2024.

The following rule has been added to the XML analyzer:

  • S7207 - Components should be explicitly exported: This rule covers M8 from the OWASP Mobile Top Ten 2024.

Improved rules

The following rule has been improved for Java:

  • S5344 - Passwords should not be stored in plaintext or with a fast hashing algorithm: This rule now covers M10 from the OWASP Mobile Top Ten 2024.

The following rule has been improved for Kotlin:

  • S4830 - Server certificates should be verified during SSL/TLS connections: WebViews are now supported.

Java analysis improved

In addition to the mobile security improvement (see above), the Java analyzer has been improved as follows:

  • Java 23 analysis is now supported.
  • The following rules targeting Java 22 code have been added:
    • S7467 - Unused exception parameter should use the unnamed variable pattern
    • S7466 - Use `var` instead of a type with unnamed variable _
    • S7475 - The type of an unused component should be removed from pattern matching

Kubernetes analysis improved

The Kubernetes analysis has been improved:

  • It’s now possible to disable the analysis of Helm files.
  • The sonar.kubernetes.file.suffixes property is now handled correctly.   

.NET analysis improved

The following rules have been improved:

  • S2222 - Locks should be released on all paths: Locking via lock object primitives is now supported.
  • S4158 - Empty collections should not be accessed or iterated: LinkedList is now supported.

Previous releases

25.4.0.105899

Analyzers

Kotlin analysis

Over 80 rules have been rebuilt to support Kotlin 2.0 and the new K2 compiler. As a result, Kotlin analysis is now 50% faster than before this release. Kotlin developers can now use Sonar to analyze Kotlin 2.0 and newer, and the analysis performs better than before.

25.3.0.104237

Rules

Java rules

The following Spring Java rules have been added:

  • S7177: Use appropriate @DirtiesContext modes
  • S7178: Injecting data into static fields is not supported by Spring
  • S7179: @Cacheable and @CachePut should not be combined
  • S7180: "@Cache*" annotations should only be applied on concrete classes
  • S7183: @InitBinder methods should have void return type
  • S7184: "@Scheduled" annotation should only be applied to no-arg methods
  • S7185: @EventListener methods should have one parameter at most
  • S7186: Methods returning "Page" or "Slice" must take "Pageable" as an input parameter
  • S7190: Methods annotated with "@BeforeTransaction" or "@AfterTransaction" must respect the contract

The following Spring Java rules have been improved:

  • S6856: "@PathVariable" annotation should be present if a path variable is used
    This rule will now raise an issue if a method has a path template with a placeholder, but no corresponding @PathVariable, or vice-versa.
  • S6809: Methods with Spring proxy should not be called via "this"
    This rule will now also check for methods annotated with Spring's @Cacheable annotation.

Deployment

IPv6 support

SonarQube Community Build (the ZIP or Docker installation) now supports IPv6 addresses. Additional configuration is required. For setup information, see Enabling IPv6 in ZIP installation or Docker installation.

Language updates

Go 1.23 now supported

SonarQube Community Build now supports the analysis of Go 1.23 code.

PHP analysis

The elsif keyword is now taken into account in the Cyclomatic Complexity calculation.

25.2.0.102705

Java 21 is now supported

SonarQube Community Build can now run in a Java 21 environment. 

25.1.0.102122

Faster analysis bootstrap

To improve analysis efficiency, we’ve shortened the time it takes to load the active rules in your quality profile.

Improvement to Bitbucket server onboarding

To improve the import of Bitbucket repositories, you can now browse and easily import all the projects from the onboarding page, with no limit on the number of projects.

Language updates

PHP analysis now supports asymmetric property visibility (PHP 8.4).

24.12.0.100206

Server administration

Introducing Multi-Quality Rule Mode

You can now toggle your SonarQube Community Build instance between the Standard Experience and Multi-Quality Rule Mode (MQR).

See Instance mode overview for more information. In both modes, it's possible to customize the severity of issues and rules.

New SonarQube Server instances use MQR Mode by default. Upon upgrading, existing SonarQube Server 10.1 and earlier instances are configured with the Standard Experience by default.

Analyzers, scanners, languages

Python

Python 3.13 is now supported.

Java

Analysis of Java 22 projects is now supported.

JSpecify annotations are now supported with one new rule. 

24 main code rules are now enabled for test code.

.NET / C#

Analysis of C# 13 is now supported, and the rules have been updated to support .NET 9. We also added 3 new advanced rules around locking and the misuse of LINQ queries on collections known not to be empty.

Kotlin

Analysis of Kotlin 2.0 is now supported.

Upgrade notes

This section contains notes about breaking changes and important updates to be aware of before upgrading. 

25.5.0.107428

None in this release.

Previous releases

25.4.0.105899

None in this release.

25.3.0.104237

None in this release.

25.2.0.102705

None in this release.

25.1.0.102122

SAML configuration update required

When configuring SAML on your SonarQube Server instance with assertion encryption, response signature must be enforced. You might need to update your SAML configuration:

  • If you use SAML with Microsoft Entra, make sure you sign the response by selecting Sign SAML response or Sign SAML response and assertion as the sign-in response. See Step 2 > If you use encryption, enforce response signature in Setup of security features.
  • If you use SAML with PingID, make sure you sign the response by selecting Sign Response or Sign Assertion & Response as the sign-in response. See Step 2 > To enable the encryption of SAML assertions in Setup of security features.

In addition, assertion decryption now requires that you also store the public key certificate in SonarQube Community Build (not only the private key). Make sure the certificate is stored in SonarQube as follows:

  1. In SonarQube Community Build, go to Administration > Configuration > General Settings > Authentication > SAML.
  2. In SAML Configuration > SAML, select Edit. The Edit SAML configuration dialog opens.
  3. In Service provider certificate, enter the certificate.

Server base URL setup now mandatory for SAML authentication

Your SAML authentication setup will not work if the SonarQube Server base URL is not set in SonarQube Server. See Configuring the SonarQube Server base URL.

24.12.0.100206

None in this release.

Deprecations and removals

This section contains information on the deprecation and removal of SonarQube Community Build features and API endpoints. See also the deprecation policy.

25.5.0.107428

None in this release.

Previous releases

25.4.0.105899

None in this release.

25.3.0.104237

None in this release.

25.2.0.102705

Removed sonar.password property

The sonar.password scanner property that was deprecated in SonarQube Server 9.8 has now been removed. 

Removed password hash 

The BCrypt hash method used for passwords was deprecated in SonarQube Server 8.9. It has now been removed. As a result, the passwords of users who have not logged in since SonarQube 8.9 are deactivated and an admin must reset them if these users need to log in again.

25.1.0.102122

Deprecation of property encryption on the scanner side 

Property encryption on the scanner side is now deprecated. 

Removed complexity metrics 

The following complexity metrics, which were deprecated in SonarQube Server 6.7, have now been removed: 

  • file_complexity
  • complexity_in_classes
  • class_complexity
  • complexity_in_functions
  • function_complexity
  • function_complexity_distribution
  • file_complexity_distribution

24.12.0.100206

None in this release.


Full release notes

 Version 25.5.0.107428 full release notes in Jira.

Previous releases

© 2008-2025 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.
