Release upgrade notes

This page contains notes about breaking changes and important updates to be aware of before upgrading. We recommend reading the notes for all the versions between your current version and the version you're upgrading to. 

If you're upgrading from the previous LTA, see LTA to LTA release upgrade notes.

For the list of new features in this version, see the Release notes.

Release 2025.1 upgrade notes

Update in PostgreSQL support

PostgreSQL version 11 is no longer supported. Supported versions are now from 13 to 17.

SAML configuration update required

When configuring SAML on your SonarQube Server instance with assertion encryption, response signature must be enforced. You might need to update your SAML configuration:

• If you use SAML with Microsoft Entra, make sure you sign the response by selecting Sign SAML response or Sign SAML response and assertion as the sign-in response. See Step 2 > If you use encryption, enforce response signature in Setup of security features.
• If you use SAML with PingID, make sure you sign the response by selecting Sign Response or Sign Assertion & Response as the sign-in response. See Step 2 > To enable the encryption of SAML assertions in Setup of security features.

In addition, the assertion decryption now requires that you store also the public key certificate in SonarQube Server (not only the private key). Make sure the certificate is stored in SonarQube as follows:

1. In SonarQube Community Build, go to Administration > Configuration > General Settings > Authentication > SAML.
2. In SAML Configuration > SAML, select Edit. The Edit SAML configuration dialog opens.
3. In Service provider certificate, enter the certificate.

Release 10.8 upgrade notes

Instance mode feature

Your SonarQube Server instance has two modes to choose from: Standard Experience Mode and Multi-Quality Rule (MQR) Mode. Upon upgrading, existing SonarQube Server 10.1 and earlier are configured with the Standard Experience by default whereas SonarQube Server 10.2 and later are configured with MQR mode. 

For details on switching modes, see the Changing modes page.

Release 10.7 upgrade notes

Updated GitLab automatic provisioning feature

Automatic user and group provisioning with GitLab now includes permission synchronization, which automatically synchronizes project visibility:

• To prevent unwanted updates to project permissions and project visibility, upgrading SonarQube will suspend automatic provisioning until you confirm the choice of provisioning method in the authentication settings.

For details, see the GitLab authentication and provisioning page.

Disable the confidential header in portfolio PDF reports

Admin users have a new toggle in the Administration -> Governance -> Portfolio PDF Reports section, allowing them to dynamically enable or disable the "Confidential" header. 

For details, see the Managing portfolios page.

Release 10.6 upgrade notes

There are no upgrade notes for SonarQube 10.6. For the release notes, see Release notes.

Release 10.5 upgrade notes

Cognitive complexity calculation updated for Javascript and Typescript

 If you analyze Javascript and Typescript projects, note that we've updated how cognitive complexity is calculated. Notably, nested function complexity is no longer added to the parent. This will translate as a drop in the metric for some users. 

End of support of Node.js 16 in the scanner environment

Node.js 16 is no longer supported as a scanner runtime environment. If you're using a custom Node.js installation, we recommend the latest LTS version, currently v20.

Updates to custom plugins required

For a faster analysis, SonarQube now optimizes the loading of analyzers by default. To avoid dependency errors, you’ll need to update the configuration of your custom plugins. See Plugin basics for more information. Also, if you use third-party plugins, make sure to use the latest ones compatible with this feature.

Full release notes 

Release 10.4 upgrade notes

Project overview update

Issue counts on the overall code of projects now reflect the Clean Code software qualities.

Make sure you re-analyze your projects after upgrading to compute and display these counts.

JavaScript/TypeScript/CSS configuration

A minimum of 4GB memory is now recommended, use sonar.javascript.node.maxspace configuration if you encounter memory issues. Also, file encoding errors will now cause an analysis failure, use sonar.sourceEncoding=UTF-8 if you encounter problems.

Node.js is no longer a requirement for analysis

In most cases, installing Node.js in the environment where you’re running analysis is no longer a requirement.

End of support of Node.js 14 in the scanner environment

Node.js 14 is no longer supported as a scanner runtime environment. Also, Node.js v16 will soon be unsupported. If you are using a custom Node.js installation, we recommend the latest LTS version, currently v20.

End of support of Java 11 as scanner environment

Java 11 is no longer supported as a scanner runtime environment. The minimum required version is Java 17. See the requirements for more information. (SONAR-21157)

SonarScanner for .NET compatibility

Starting SonarQube 10.4, analysis of .NET projects requires SonarScanner for .NET 5.14+. 

End of support of MSBuild 14 

MSBuild 14 is no longer supported for scanning .NET code. ​​MSBuild 15 is deprecated and support will be removed in a future version. We recommend using MSBuild 16 as a minimal version. (SONAR-21554)

Release 10.3 upgrade notes

Updated quality gate conditions for Clean as You Code

Clean as You Code conditions have evolved: The Sonar way quality gate now uses a 0 issues condition on new code. We recommend updating your custom quality gates after the upgrade. The ratings on the project overview page will stay unchanged while your quality gate may now fail. For details, see Quality gates.

The previous Sonar way quality gate is preserved as "Sonar way (legacy)" upon upgrading. You can keep using it if you’re not ready for the change. (SONAR-20604 & SONAR-20607)

Full release notes

Release 10.2 upgrade notes

Maximum new code definition value automatically adjusted in existing projects  

For existing projects, if the value of the Number of days option is set to a higher value than 90 before the upgrade, SonarQube automatically changes it to 90. As a consequence, some issues might move out of the new code. See the About new code page for more information. (SONAR-20155)

Updated GitHub automatic provisioning feature

Automatic user and group provisioning with GitHub now includes permission synchronization, which automatically synchronizes project visibility:

• To prevent unwanted updates to project permissions and project visibility, upgrading SonarQube will suspend automatic provisioning until you confirm the choice of provisioning method in the authentication settings.
• The GitHub app requires new permissions to be added and approved. 

For details, see the GitHub authentication page. (SONAR-20309)

Clean Code updates

The classification of issues and rules has evolved:

• Issue types are deprecated. Issues are now classified based on Clean Code attributes and software qualities.
• The severity of an issue is now tied to the issue's impact on the software qualities. 

Existing types and severities are preserved and are still used to evaluate the Quality Gate conditions. Type and severity can no longer be edited on issues and rules via the UI.

For details, see Issues and Clean Code. (SONAR-20023)

Release 10.1 upgrade notes

Dropping support for NET Framework < 4.6.2
The minimum supported .NET Framework version is 4.6.2. Support for earlier versions has been dropped. If you’re running an earlier version, you’ll need to upgrade your build environment wherever your analysis is run. See this release note for more information.

Updated options for new code definition
To make them more in line with the Clean as You Code methodology, the following options have been updated for projects:

• Specific analysis: This setup is now available only via the Web API. Automation is required to ensure the value is kept up to date.
• Number of days: The maximum value allowed when setting it up is now 90. It's recommended to update your existing projects accordingly.
  
  See the About new code page for more information. (SONAR-19294)

Full release notes

Release 10.0 upgrade notes

SCIM provisioning requires configuration
SCIM provisioning for SAML authentication evolves for a tightened synchronization of users and groups. To use the updated set of user and group SCIM provisioning features, see Authentication and provisioning. 

Without action on your part, upon upgrading, already assigned users are not deleted from SonarQube, but they are no longer bound to your IdP.  You'll need to enable SCIM again in SonarQube and adjust your IdP settings. (SONAR-18797).

Updated security policy for page extensions
To improve security, pages added to the UI by plugins can no longer include inline scripts. If you use this feature, you might need to update your plugins. See Adding pages to the webapp for more information. (SONAR-18809).

Projects displaying modules are no longer supported
The concept of modules was removed in v7.6. SonarQube no longer migrates the structure of projects still displaying modules. Make sure you re-analyze these projects before upgrading to SonarQube 10.0. (SONAR-17706).
Deprecated pull request configuration properties removed
DevOps Platform Integration settings are no longer inferred from scanner-level analysis parameters, which were deprecated in SonarQube 8.1. To prevent pull request decoration from failing, make sure you have configured each project with the settings found under the project-level Project Settings > DevOps Platform Integration.

This particularly affects users integrating with Azure DevOps who formerly relied on the Extension for Azure DevOps to pass these properties. (SONAR-17711).

Deprecated web services and parameters removed
The web services and parameters that were deprecated in versions 8.x and 9.x have been removed. For more information, see the corresponding list and read the API deprecation policy.

Microsoft SQL Server and Integrated Authentication
If you use Microsoft SQL Server with Integrated Authentication, note that the minimum supported version of the Microsoft SQL JDBC Driver package has been updated to 11.2.3. See Installing the database for more information.

seccomp filter required on kernel

The version of Elasticsearch has been updated and now requires a kernel with seccomp enabled. Make sure that seccomp is available on your kernel. See Pre-installation steps on Linux for more information. (SONAR-17714)

Full release notes

Release 9.9 and earlier upgrade notes

See the SonarQube Server 9.9 LTA Release upgrade notes.