LTA to LTA release notes
LTA to LTA release notes include all new features, update notes, deprecations and removals between version 2025.1 LTA and 2025.4 LTA.
Updating from SonarQube Server 9.9 LTA
To update SonarQube Server from version 9.9 LTA, you must first perform an intermediate update to version 2025.1 LTA. Refer to the following documentation for more information:
LTA to LTA update notes when updating from version 9.9 LTA to 2025.1 LTA.
The Update Overview page for detailed procedures.
Update notes
Security rules for Go in IDEs (2025.3)
To use Go security rules in your VSCode or IntelliJ IDEs, you will need to upgrade to the latest version of SonarQube for IDE. Available in the Enterprise edition and above.
New and enhanced features
Languages, analyzers and scanners
Code security and compliance
Increasing MISRA C++ 2023 rules coverage (2025.4, 2025.3, 2025.2)
Expansion of MISRA C++ 2023 rule coverage with additional rules as part of Sonar’s MISRA Compliance Early Access. The coverage enhances checks for safety-critical systems and is available for Enterprise edition and higher. See Understanding the analysis #External standard rule tags for more information.
To enable the new rules in your SonarQube Server instance, go to Administration > General Settings > Early Access Features.
To disable the Early Access warning, see Customizing the analysis #Disabling the Misra 2023 C++ Early Access warning.
Secrets Detection (2025.4, 2025.3)
Secrets detection now covers over 400 distinct secret patterns, powered by 346 rules. This update includes a number of newly added rules, currently in BETA, designed to enhance your security coverage even further. All the new rules are active by default.
Related topics:
Detects passwords and secrets by default in Kotlin.
Detects secret leaks in files located within directories or hidden files that begin with a dot.
Taint Analysis for JavaScript/TypeScript (2025.4)
The next-generation taint analysis engine for JavaScript / TypeScript projects provides more accurate and actionable security findings. As an administrator, you can enable Use new JS/TS Taint Analysis engine under Administration > Configuration > General Settings > SAST Engine. See JavaScript/TypeScript/CSS for more information.
Taint Analysis for Go (2025.4)
Taint analysis for Go tracks untrusted user input with data flow analysis across functions and files to find injection vulnerabilities and other security weaknesses.
Taint Analysis for VB.NET (2025.4)
Provides full Static Application Security Testing (SAST) capabilities, including taint analysis, for the VB.NET programming language.
Static Application Security Testing (SAST) for Kotlin (2025.3)
The addition of SAST for Kotlin, including taint analysis, extends security checks to Kotlin-based projects.
New rules for mobile security (2025.3, 2025.2)
Sonar offers a solution that enables Android developers to assess their applications against the OWASP Mobile Top 10, ensuring they meet industry standards for security.
New rules that cover the OWASP Mobile top 10 for 2024 security standards include:
7 new rules for Kotlin
2 new rules for Java
6 new rules for Dart
1 new rule for XML
See Security-related rules #OWASP Mobile Top 10 security standards covered by Sonar for version 2024 for more information.
New foundational Go security rules (2025.2)
24 foundational rules for Go for detecting vulnerabilities and security hotspots have been added.
SonarQube Advanced Security
Automatic detection of new dependency risks without reanalysis (2025.4)
Automatically detects newly discovered vulnerabilities in project dependencies on permanent branches (including the main branch) without a need to re-analyze the project. Available as part of SonarQube Advanced Security license for Enterprise edition and higher. See SonarQube Advanced Security Introduction page for more information.
Machine-readable SCA report (2025.4)
Provides a machine-readable report of dependency risks for projects, applications, and portfolios, available in both JSON and CSV formats. The report includes details such as project, dependency chain, risk title, CVE/CWE IDs, severity, discovery date, status, and remediation information. Available as part of SonarQube Advanced Security license for Enterprise edition and higher. See SonarQube Advanced Security Introduction page for more information.
Customizable risk severity for SCA (2025.4)
Allows for customization of the severity level of dependency risks in SonarQube, enabling you to adjust how a risk affects a particular software quality. Available as part of SonarQube Advanced Security license for Enterprise edition and higher. See SonarQube Advanced Security Introduction page for more information.
Risk rating for SCA (2025.4)
Introduces ABCDE risk ratings for Software Composition Analysis (SCA), specifically for overall dependency risk, security dependency risk (vulnerabilities), and maintainability dependency risk (disallowed licenses). These ratings are displayed on project and application overview screens. Available as part of SonarQube Advanced Security license for Enterprise edition and higher. See SonarQube Advanced Security Introduction page for more information.
SCA for PHP (2025.4)
Introduces Software Composition Analysis (SCA) support for PHP projects that use Packagist and Composer for dependency management. The feature analyzes PHP code to identify and manage public vulnerabilities and licenses in third-party dependencies. Also, it generates entries in a Software Bill of Materials (SBOM). Available as part of SonarQube Advanced Security license for Enterprise edition and higher. See SonarQube Advanced Security Introduction page for more information.
General Availability of SonarQube Advanced Security (2025.3)
General availability of SonarSource Advanced Security as part of SonarQube Advanced Security license for Enterprise edition and higher. It extends the core security capability by adding support for open source code. New capabilities include:
Enhanced visibility of security and licensing risks on each dependency version in pull requests and overall code.
Configurable Quality Gates can include dependency risk scores, preventing code with high-risk dependencies from entering production.
A configurable company license compliance policy allows organizations to define and enforce custom license compliance policies within SonarQube.
The project overview screen now displays dependency risk counts, providing developers with immediate insights into the health of their project dependencies.
Discovery and analysis of dependency risks across multiple applications and portfolios.
Enhanced API access for SCA results and Software Bill of Materials (SBOMs) for seamless integration with other tools and custom reporting.
Broad and growing language coverage for SCA, starting with Java, C#, Python, JavaScript, TypeScript, Go, Rust, and Ruby, ensures that developers can quickly analyze third-party dependencies for vulnerabilities and licensing issues.
See SonarQube Advanced Security Introduction page for more information.
AI capabilities
New environment variables (2025.4, 2025.2)
SONAR_AI_CODEFIX_HIDDEN: Disables the AI CodeFix in SonarQube Server and hides the feature from all users, including System Administrators. sonar.ai.codefix.hidden is the corresponding property.
SONAR_ENFORCEAZUREOPENAIDOMAINVALIDATION: Ensures that configured Azure OpenAI endpoints strictly end with .openai.azure.com for enhanced security and authenticity. Disabling this setting can expose the instance to security risks by allowing connections to potentially unauthorized services. sonar.enforceAzureOpenAiDomainValidation is the corresponding property.
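The suffix rule described for SONAR_ENFORCEAZUREOPENAIDOMAINVALIDATION, as an added example for checking endpoint values before they are configured (this is not SonarQube's code): it contrasts a raw string suffix test with a test on the parsed host. The function names, the sample URLs and the https-only requirement are assumptions of this example.

```python
from urllib.parse import urlsplit

ALLOWED_SUFFIX = ".openai.azure.com"  # suffix named in the release note


def naive_check(url: str) -> bool:
    """Weak form: tests the raw string, so path text can satisfy it."""
    return url.rstrip("/").endswith(ALLOWED_SUFFIX)


def host_check(url: str) -> bool:
    """Stricter form: parse the URL, then test only the host component."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # lowercased; userinfo and port removed
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return False
    if parts.scheme != "https" or not host:  # https-only: this example's assumption
        return False
    host = host.rstrip(".")  # ignore a trailing root dot
    # Require at least one label in front of the suffix.
    return host.endswith(ALLOWED_SUFFIX) and len(host) > len(ALLOWED_SUFFIX)


# Constructed sample endpoints (not real resources).
SAMPLES = [
    "https://myresource.openai.azure.com/",
    "https://MyResource.OpenAI.Azure.com:443/openai",
    "https://collector.example/.openai.azure.com",
    "https://myresource.openai.azure.com@collector.example/",
    "https://myresource.openai.azure.com.collector.example/",
    "https://fakeopenai.azure.com/",
    "http://myresource.openai.azure.com/",
]


def audit(urls):
    """Return {url: (naive_result, host_result)} for each endpoint value."""
    return {u: (naive_check(u), host_check(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, strict) in audit(SAMPLES).items():
        print(f"naive={naive!s:5} host={strict!s:5} {url}")
```

Rows where the two results differ are the endpoint values a string-level check would misjudge in either direction.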
Autodetection of AI code (2025.3)
Autodetection of Copilot-generated AI code is no longer limited to GitHub projects. Available in the Enterprise edition and above.
Support of self-hosted LLMs on Azure OpenAI (2025.2)
You can now choose your own Azure OpenAI LLM as the provider for AI CodeFix. See AI CodeFix for more information.
Expansion of rules coverage (2025.2)
The AI CodeFix’s rule coverage has been extended across multiple programming languages (C#, C++, JavaScript / TypeScript, Python), ultimately improving code quality and developer productivity with relative ease.
Reporting
Improvements to security report PDFs at a project level (2025.4)
Allows for customization and download of Security report PDFs at a project level. Customize a report to conform with specific security standards such as OWASP Top 10, CWE Top 25, STIG, CASA, and others. Available for Enterprise edition and higher.
Improvements to regulatory reports (2025.4)
Improvements to the Regulatory reports include:
A new download option on the project’s Overview page.
An addition of Distribution of issues based on insights in the PDF report.
An addition of Maintainability issues (in Multi-Quality Rule Mode) and Code Smells (in Standard Experience) in a CSV file, along with other general improvements.
New security reports for CWE and OWASP Mobile (2025.3)
SonarQube now provides Security reports aligned with the latest CWE Top 25 for 2024 and OWASP Mobile Top 10 for 2024 standards. Available in the Enterprise edition and above.
Quality gate and issue filters
Default Quality Gate (2025.3)
As a Quality Gate administrator, you can now set a default Quality Gate that is not compliant with Clean as You Code. See Changing quality gate for more details.
Issue filters now more compact (2025.2)
The vertical padding of the issue filter conditions has been reduced.
Instance administration and deployment
Deploying with Data Center edition with Istio (2025.4)
The Data Center edition now supports installation on Kubernetes clusters with Istio pre-installed. This integration provides capabilities for observing and managing communication between SonarQube Server nodes. See Customizing the DCE Helm chart #Deploying with Istio for setup information.
IPv6 support (2025.2)
SonarQube Server now supports IPv6 addresses:
For the ZIP installation: all editions.
For the Docker installation: Developer edition and Enterprise edition.
For setup information, see Advanced setup #Enabling IPv6 for Zip installation or Advanced setup for Docker installation.
Data Center edition server logs available from the UI (2025.2)
If you have a Data Center edition, you can now download the server logs for all the nodes by using the Administration > System menu on any node.
Java options in system info more accurate (2025.2)
The system info now includes Java options information:
For a Developer or Enterprise edition: for each process (Web, Compute Engine, or Search) instead of globally.
For a Data Center edition: for each node instead of just the application nodes.
Deprecated POST and PATCH parameters now logged into the deprecated log file (2025.2)
Whenever a V2 deprecated POST or PATCH parameter is used, a deprecation message is logged into the deprecated log file indicating what is or will be deprecated and since when. See Monitoring API deprecation for more information.
SonarQube for IDE
MISRA early access rules available in the IDE (2025.4)
Early-access MISRA C++ 2023 rules are available directly within the SonarQube for IDE (VSCode, Visual Studio, IntelliJ/CLion). MISRA C++ 2023 issues appear in their C++ files and can be fixed locally. Rule descriptions are also available directly within SonarQube for IDE.
Software Composition Analysis (SCA) in the IDE (2025.4)
Software Composition Analysis (SCA) results will be visible to developers in their IDE for Visual Studio, IntelliJ, and VSCode with the upcoming SonarQube for IDE releases. Available as part of SonarQube Advanced Security license for Enterprise edition and higher. See SonarQube Advanced Security Introduction page for more information.
Leverage AI CodeFix directly in the IDE (2025.3)
AI CodeFix in SonarQube for IntelliJ and SonarQube for VS Code provides developers with real-time code remediation suggestions. Available in the Enterprise edition and above.
Deprecations and removals
Secrets (2025.3)
The inputString field for heuristic and statistical post filters has been discontinued. Previously, this field was used to apply post filters to the named capturing group specified within it. The functionality has been extended to allow applying post filters directly to named capturing groups. See Secrets for more details.
Mercurial SCM is not supported (2025.3)
The Community plugin for Mercurial SCM is no longer compatible with SonarQube Server.
Sonar Plugin API (2025.3)
The following deprecated classes have been removed:
MutableModuleSettings
MutableProjectSettings
Removed ProfileExporter and ProfileImporter extension points (2025.2)
Removed two extension points in the plugin-api: ProfileExporter and ProfileImporter. The following APIs have been deprecated:
GET /api/qualityprofiles/export API endpoint. You can now use GET /api/qualityprofiles/backup instead.
GET /api/qualityprofiles/exporters
GET /api/qualityprofiles/importers
See Web API for more information.

