Start Free
SonarQube Community Build | Server upgrade and maintenance | Release notes

Release notes

On this page

These release notes describe the relevant changes implemented for each SonarQube Community Build version. For a complete list of all changes, see the Full release notes at the bottom of the page.

New and enhanced features

View the release notes for new and enhanced features for SonarQube Community Build. 

Latest release - 25.6.0.109173

SonarQube detects secret leaks within hidden files

SonarQube can detect secret leaks in files located within directories or hidden files that begin with a dot.

Default Quality Gate

As a Quality Gate administrator you can now set a default Quality Gates that is not compliant with Clean as You Code. See Changing the default quality gate for more details.

Previous releases

Version 25.5.0.107428

New language: Rust

Rust analysis is now supported.

It offers:

  • 85 rules
  • Code Coverage import (LCOV and Cobertura formats)
  • Cognitive Complexity metric
  • Cyclomatic Complexity metric
  • Import of Clippy output as external rules (JSON format)

See Rust analyzer for more information.

Java analysis improved

In addition to the mobile security improvement, the Java analyzer has been improved as follows:

  • Java 23 analysis is now supported.
  • The following rules targeting Java 22 code have been added:
    • S7467 - Unused exception parameter should use the unnamed variable pattern
    • S7466 - Use `var` instead of a type with unnamed variable _
    • S7475 - The type of an unused component should be removed from pattern matching

Kubernetes analysis improved

The Kubernetes analysis has been improved:

  • It’s now possible to disable the analysis of Helm files.
  • The sonar.kubernetes.file.suffixes property is now handled correctly.   

.NET analysis improved

The following rules have been improved:

  • S2222 - Locks should be released on all paths:  The locking via lock object primitives is now supported.
  • S4158 - Empty collections should not be accessed or iterated: LinkedList is now supported.

Version 25.4.0.105899

Analyzers

Kotlin analysis

Over 80 rules have been rebuilt to support Kotlin 2.0 and the new K2 compiler. As a result, Kotlin analysis is now 50% faster than before this release. Kotlin developers can now not only use Sonar to analyze Kotlin 2.0 and newer, but it also performs better than before.

Version 25.3.0.104237

Rules

Java rules

The following Spring Java rules have been added:

  • S7177: Use appropriate @DirtiesContext modes
  • S7178: Injecting data into static fields is not supported by Spring
  • S7179: @Cacheable and @CachePut should not be combined
  • S7180: "@Cache*" annotations should only be applied on concrete classes
  • S7183: @InitBinder methods should have void return type
  • S7184: "@Scheduled" annotation should only be applied to no-arg methods
  • S7185: @eventlistener methods should have one parameter at most
  • S7186: Methods returning "Page" or "Slice" must take "Pageable" as an input parameter
  • S7190: Methods annotated with "@BeforeTransaction" or "@AfterTransaction" must respect the contract

The following Spring Java rules have been improved:

  • S6856: "@PathVariable" annotation should be present if a path variable is used
    This rule will now raise an issue if a method has a path template with a placeholder, but no corresponding @PathVariable, or vice-versa.
  • S6809: Methods with Spring proxy should not be called via "this"
    This rule will now also check for methods annotated with Spring's @Cacheable annotation.

Deployment

IPv6 support

SonarQube Community Build (the ZIP or Docker installation) now supports IPv6 addresses. An additional configuration is required. For setup information, see Enabling IPv6 in ZIP installation or Docker installation

Language updates

Go 1.23 now supported

SonarQube Community Build now supports the analysis of Go 1.23 code.

PHP analysis

The elsifkeyword is now taken into account in the Cyclomatic Complexity calculation.

Version 25.2.0.102705

Java 21 is now supported

SonarQube Community Build can now run in a Java 21 environment. 

Version 25.1.0.102122

Faster analysis bootstrap

To improve analysis efficiency, we’ve shortened the time it takes to load the active rules in your quality profile.

Improvement to BitBucket server onboarding

To improve the import of BitBucket repositories, you can now browse and easily import all the projects from the onboarding page, without any limitation of number.

Language updates

PHP analysis now supports asymmetric property visibility (PHP 8.4).

Version 24.12.0.100206

Server administration

Introducing Multi-Quality Rule Mode

You can now toggle your SonarQube Community Build instance between the Standard Experience  and Multi-Quality Rule Mode (MQR)

See Instance mode overview for more information. In both modes, it's possible to customize the severity of issues and rules.

New SonarQube Server instances use MQR Mode by default. Upon upgrading, existing SonarQube Server 10.1 and earlier are configured with the Standard Experience by default.

Analyzers, scanners, languages

Python

Python 3.13 is now supported.

Java

Analysis of Java 22 Projects is now supported.

JSpecify annotations are now supported with one new rule. 

24 main code rules enabled for test code. 

.NET / C#

Analysis of C#13 is now supported, and the rules have been updated to support .NET 9. We also added 3 new advanced rules around locking and misuse Linq queries on collections known to not be empty.

Kotlin

Analysis of Kotlin 2.0 is now supported.

Upgrade notes

This section contains notes about breaking changes and important updates to be aware of before upgrading. 

Latest release - 25.6.0.109173

None in this release.

Previous releases

Version 25.5.0.107428

None in this release.

Version 25.4.0.105899

None in this release.

Version 25.3.0.104237

None in this release.

Version 25.2.0.102705

None in this release

Version 25.1.0.102122

Update in PostgreSQL support

PostgreSQL version 11 is no longer supported. Supported versions are now from 13 to 17.

SAML configuration update required

When configuring SAML on your SonarQube Server instance with assertion encryption, response signature must be enforced. You might need to update your SAML configuration:

  • If you use SAML with Microsoft Entra, make sure you sign the response by selecting Sign SAML response or Sign SAML response and assertion as the sign-in response. See Step 2 > If you use encryption, enforce response signature in Setup of security features.
  • If you use SAML with PingID, make sure you sign the response by selecting Sign Response or Sign Assertion & Response as the sign-in response. See Step 2 > To enable the encryption of SAML assertions in Setup of security features.

In addition, the assertion decryption now requires that you store also the public key certificate in SonarQube Community Build (not only the private key). Make sure the certificate is stored in SonarQube as follows:

  1. In SonarQube Community Build, go to Administration > Configuration > General Settings > Authentication > SAML.
  2. In SAML Configuration > SAML, select Edit. The Edit SAML configuration dialog opens.
  3. In Service provider certificate, enter the certificate.

Server base URL setup now mandatory for SAML authentication

Your SAML authentication setup will not work if the SonarQube Server base URL is not set in SonarQube Server. See Configuring the SonarQube Server base URL.

Version 24.12.0.100206

None in this release.

Deprecations and removals

This section contains information on the deprecation and removal of SonarQube Community Build features and API endpoints. See also the deprecation policy.

Latest release - 25.6.0.109173

Mercurial SCM is not supported

The Community plugin for Mercurial SCM is no longer compatible with SonarQube Server.

Sonar Plugin API

The following deprecated classes have been removed: MutableModuleSettings and MutableProjectSettings.

Previous releases

Version 25.5.0.107428

None in this release.

Version 25.4.0.105899

Removed ProfileExporter and ProfileImporter extension points

Removed two extension points in the plugin-api ProfileExporter and ProfileImporter. The following APIs have been deprecated:

  • GET /api/qualityprofiles/export API endpoint. You can now use GET /api/qualityprofiles/backup instead. 
  • GET /api/qualityprofiles/exporters
  • GET /api/qualityprofiles/importers

See Web API for more information.

Version 25.3.0.104237

None in this release.

Version 25.2.0.102705

Removed sonar.password property

The sonar.password scanner property that was deprecated in SonarQube Server 9.8 has now been removed. 

Removed password hash 

The BCrypt hash method used for passwords was deprecated in SonarQube Server 8.9. It has now been removed. As a result, the passwords of users who have not logged in since SonarQube 8.9 are deactivated and an admin must reset them if these users need to log in again.

Version 25.1.0.102122

Deprecation of property encryption on the scanner side 

Property encryption on the scanner side is now deprecated. 

Removed complexity metrics 

The following complexity metrics, which were deprecated in SonarQube Server 6.7, have now been removed: 

  • file_complexity
  • complexity_in_classes
  • class_complexity
  • complexity_in_functions
  • function_complexity
  • function_complexity_distribution
  • file_complexity_distribution

Version 24.12.0.100206

None in this release.


Full release notes

 Latest release version 25.6.0.109173 full release notes in Jira.

Previous releases

Was this page helpful?

© 2008-2025 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Creative Commons License