Release notes

Analyzers

Kotlin analysis

Over 80 rules have been rebuilt to support Kotlin 2.0 and the new K2 compiler. As a result, Kotlin analysis is now 50% faster than before this release. Kotlin developers can now not only use Sonar to analyze Kotlin 2.0 and newer, but it also performs better than before.

25.3.0.104237

Rules

Java rules

The following Spring Java rules have been added:

• S7177: Use appropriate @DirtiesContext modes
• S7178: Injecting data into static fields is not supported by Spring
• S7179: @Cacheable and @CachePut should not be combined
• S7180: "@Cache*" annotations should only be applied on concrete classes
• S7183: @InitBinder methods should have void return type
• S7184: "@Scheduled" annotation should only be applied to no-arg methods
• S7185: @eventlistener methods should have one parameter at most
• S7186: Methods returning "Page" or "Slice" must take "Pageable" as an input parameter
• S7190: Methods annotated with "@BeforeTransaction" or "@AfterTransaction" must respect the contract

The following Spring Java rules have been improved:

• S6856: "@PathVariable" annotation should be present if a path variable is used
  This rule will now raise an issue if a method has a path template with a placeholder, but no corresponding @PathVariable, or vice-versa.
• S6809: Methods with Spring proxy should not be called via "this"
  This rule will now also check for methods annotated with Spring's @Cacheable annotation.

Deployment

IPv6 support

SonarQube Community Build (the ZIP or Docker installation) now supports IPv6 addresses. An additional configuration is required. For setup information, see Enabling IPv6 in ZIP installation or Docker installation. 

Language updates

Go 1.23 now supported

SonarQube Community Build now supports the analysis of Go 1.23 code.

PHP analysis

The elsifkeyword is now taken into account in the Cyclomatic Complexity calculation.

25.2.0.102705

Java 21 is now supported

SonarQube Community Build can now run in a Java 21 environment. 

25.1.0.102122

Faster analysis bootstrap

To improve analysis efficiency, we’ve shortened the time it takes to load the active rules in your quality profile.

Improvement to BitBucket server onboarding

To improve the import of BitBucket repositories, you can now browse and easily import all the projects from the onboarding page, without any limitation of number.

Language updates

PHP analysis now supports asymmetric property visibility (PHP 8.4).

24.12.0.100206

Server administration

Introducing Multi-Quality Rule Mode

You can now toggle your SonarQube Community Build instance between the Standard Experience  and Multi-Quality Rule Mode (MQR). 

See Instance mode overview for more information. In both modes, it's possible to customize the severity of issues and rules.

New SonarQube Server instances use MQR Mode by default. Upon upgrading, existing SonarQube Server 10.1 and earlier are configured with the Standard Experience by default.

Analyzers, scanners, languages

Python

Python 3.13 is now supported.

Java

Analysis of Java 22 Projects is now supported.

JSpecify annotations are now supported with one new rule. 

24 main code rules enabled for test code. 

.NET / C#

Analysis of C#13 is now supported, and the rules have been updated to support .NET 9. We also added 3 new advanced rules around locking and misuse Linq queries on collections known to not be empty.

Kotlin

Analysis of Kotlin 2.0 is now supported.

None in this release

25.3.0.104237

None in this release.

25.2.0.102705

None in this release

25.1.0.102122

SAML configuration update required

When configuring SAML on your SonarQube Server instance with assertion encryption, response signature must be enforced. You might need to update your SAML configuration:

• If you use SAML with Microsoft Entra, make sure you sign the response by selecting Sign SAML response or Sign SAML response and assertion as the sign-in response. See Step 2 > If you use encryption, enforce response signature in Setup of security features.
• If you use SAML with PingID, make sure you sign the response by selecting Sign Response or Sign Assertion & Response as the sign-in response. See Step 2 > To enable the encryption of SAML assertions in Setup of security features.

In addition, the assertion decryption now requires that you store also the public key certificate in SonarQube Community Build (not only the private key). Make sure the certificate is stored in SonarQube as follows:

1. In SonarQube Community Build, go to Administration > Configuration > General Settings > Authentication > SAML.
2. In SAML Configuration > SAML, select Edit. The Edit SAML configuration dialog opens.
3. In Service provider certificate, enter the certificate.

Server base URL setup now mandatory for SAML authentication

Your SAML authentication setup will not work if the SonarQube Server base URL is not set in SonarQube Server. See Configuring the SonarQube Server base URL.

24.12.0.100206

None in this release.

None in this release

25.3.0.104237

None in this release.

25.2.0.102705

Removed sonar.password property

The sonar.password scanner property that was deprecated in SonarQube Server 9.8 has now been removed. 

Removed password hash 

The BCrypt hash method used for passwords was deprecated in SonarQube Server 8.9. It has now been removed. As a result, the passwords of users who have not logged in since SonarQube 8.9 are deactivated and an admin must reset them if these users need to log in again.

25.1.0.102122

Deprecation of property encryption on the scanner side 

Property encryption on the scanner side is now deprecated. 

Removed complexity metrics 

The following complexity metrics, which were deprecated in SonarQube Server 6.7, have now been removed: 

• file_complexity
• complexity_in_classes
• class_complexity
• complexity_in_functions
• function_complexity
• function_complexity_distribution
• file_complexity_distribution

24.12.0.100206

None in this release.

• 25.3.0.104237
• 25.2.0.102705
• 25.1.0.102122
• 24.12.0.100206