LTA to LTA release notes
This page presents the features released in SonarQube Server 10.0 to 2025.1 LTA. They are all included in the 2025.1 LTA version.
To check for breaking changes and other important notes before you upgrade, see the LTA to LTA release upgrade notes and deprecation and removals pages.
Instance administration
Java 21 supported for running SonarQube Server (2025.1)
SonarQube Server can now run in a Java 21 environment.
Automatic detection of AI-generated code from GitHub Copilot (2025.1)
Knowing whether your project contains AI-generated code helps raise awareness of code ownership and code security. To help build this awareness, SonarQube Server can autodetect AI-generated code in projects on GitHub that use GitHub Copilot. You can then protect these projects using the AI code assurance features. See the Autodetecting AI code page for more information.
Introducing Multi-Quality Rule Mode (10.8)
You can now toggle your SonarQube Server instance between the Standard Experience and Multi-Quality Rule Mode (MQR).
See Instance mode overview for more information. Note that in both modes, it is possible to customize the severity of issues and rules.
New SonarQube Server instances use MQR Mode by default. Upon upgrading, existing SonarQube Server 10.1 and earlier instances are configured with the Standard Experience by default.
Installation on OpenShift supported (10.7)
SonarQube Server now better supports deploying its Helm chart on OpenShift.
Modern Authentication for SMTP server (10.7)
SonarQube Server can now use modern authentication, which is required to integrate with email SMTP servers. See Setting up the email notifications feature for more information.
Password policy rules (10.7)
Administrators can define a password policy for local accounts.
FIPS compliance (10.6)
SonarQube Server can now run in FIPS-enforced environments.
SonarQube Server autoscaling in Kubernetes (10.6)
With Kubernetes' Horizontal Pod Autoscaling (HPA), you can automatically scale your SonarQube Server out and in, resolving any performance issues you may have. See Setting up autoscaling on Kubernetes for more information.
Upgrade predictability and monitoring during the database migration (10.6)
The upgrade now shows the progress of the database migration and gives an estimate of when it will complete.
New log file shows deprecated APIs and API parameters (10.4)
To make upgrading smoother, we added a log file containing details when you call deprecated web APIs and use deprecated web API parameters.
Improved upgrade messaging (10.3)
After you upgrade to the new version and new rules are applied with a new analysis, there will likely be changes to your analysis results. To help you clearly understand the impact, the details of each change appear in the Activity tab of your project’s page.
Minimizing reindexing disruptions post-upgrade (10.2)
Starting SonarQube Server after an upgrade or after a restore from a backup triggers a rebuild of the Elasticsearch indexes. You can run analyses on your projects on the CI side while indexes are being rebuilt.
Project administration
Guided configuration of all projects in a monorepo (10.5)
Monorepos are single repositories that contain multiple projects. As of this release, SonarQube Server will guide you through setting up each project in the monorepo. For more details, see the Monorepos page.
Flexible main branch designation (10.2)
You can now choose a different, existing branch to become the new main branch of a project. See Maintaining the branches of your project for more information.
Guidance on project onboarding (10.1)
When new projects are onboarded, project admins are guided by default to configure the recommended new code period according to their development context, so that projects practice Clean as You Code from the first step.
DevOps integration
Improvement to BitBucket server onboarding (2025.1)
To improve the import of Bitbucket repositories, you can now browse and import all the projects from the onboarding page, with no limit on the number of repositories.
Automatic provisioning: added visibility on group membership (10.8)
When using GitHub or GitLab automatic provisioning features, admins can now see which users are assigned to each group in the SonarQube Server UI for both GitHub and GitLab projects. This makes it easier to identify any issues between SonarQube Server and GitHub or GitLab.
Provision and sync users, groups and permissions from GitLab (10.4 and 10.7)
Admins can now delegate the synchronization of users, groups and permissions to GitLab. See GitLab provisioning modes for more information.
Simplified monorepo setup for Azure DevOps and Bitbucket (10.6)
An in-product walkthrough for setting up monorepo projects is now available for Azure DevOps and Bitbucket, rounding out the setup of monorepos in all four DevOps platforms.
Provision GitHub projects (10.3)
When you use a GitHub Action to create and configure your GitHub project, SonarQube Server can handle the provisioning. You don’t need to make changes between GitHub and SonarQube Server to ensure they are configured the same way. For more information, see Importing GitHub repositories.
GitHub user, group and permission auto-provisioning and auto-sync (10.1, 10.2 and 10.3)
Admins can now delegate the synchronization of users, groups and permissions to GitHub. It’s also possible to synchronize GitHub teams with SonarQube Server groups. See the GitHub authentication and provisioning page for more information.
User and group management with SCIM (10.0)
User provisioning and deprovisioning now covers Microsoft Entra ID, extending the SAML/Okta support released earlier. See the SCIM section for more information.
Analyzers, scanners
Faster analysis bootstrap (2025.1)
To improve analysis efficiency, we’ve shortened the time it takes to load the active rules in your quality profile.
Improved experience for C and C++ analysis (10.6)
To improve the experience of setting up C and C++ project analysis:
- Sonar’s Build Wrapper now generates a compilation database.
- An automatic configuration mode is now available. Using Build Wrapper is no longer a requirement for scanning most C and C++ projects.
For details, see Analysis modes.
New C, C++, and Objective-C GitHub Action (10.5)
A SonarQube Server GitHub Action for C, C++, and Objective-C is now available. This milestone eliminates the manual setup of a GitHub Action to scan your C, C++, and Objective-C code. You can find the official Sonar-supplied GitHub Action in the GitHub Action Marketplace.
Maven scanner scans all files (10.5)
SonarScanner for Maven version 3.11 and later automatically scans all files from the root of a Maven project, including Dockerfiles, CI config files, src/main/resources, etc. You can adjust the analysis scope. For more information, see the SonarScanner for Maven page.
Faster scan times (10.0 and 10.4)
Scan times and bandwidth are significantly reduced. The scanner now only downloads the analyzers required for the project being analyzed based on the files and languages in the project. Previously, the scanner downloaded all the analyzers regardless of the project details.
Quality gates and quality profiles
Set rule priority to uphold your coding standards (10.6)
A dev manager, or anyone who sets company coding standards, can now configure the priority of rules in the quality profile and add a quality gate condition on overall code, so that developers address the corresponding issues before the next release.
Updated Sonar Way quality gate condition (10.3)
The new Sonar Way quality gate uses a zero issue condition on new code. If you’re upgrading from versions 10.2 and earlier, note that the previous Sonar way quality gate is preserved as "Sonar way (legacy)" and the associated projects have been moved to that quality gate.
Exclude rule from inherited quality profile (10.3)
When you inherit a quality profile, you can selectively exclude unwanted rules inherited from the parent quality profile. See the Quality profiles page for more information.
SonarQube for IDE
Advanced bug detection (10.7)
To help you detect issues earlier in the development cycle, Java and Python dataflow bug detection (DBD) issues are now reported to IntelliJ and Eclipse when working in connected mode.
Open an issue in the IDE (10.3 and 10.4)
When working in Connected Mode you can open an issue directly in your IDE with a click of a button, and if you have not yet linked your instance to SonarQube for IDE, SonarQube Server walks you through connecting to SonarQube for IDE. See the Connected mode page for more information.
Also, new to the 10.4 release, SonarQube Server Enterprise Edition downloads your custom secrets rules to SonarQube for IDE, and the secrets are highlighted as you code.
UI improvements
Branch summary shows issue count and overall code shows software qualities (10.4)
The branch summary shows a single count of issues, bringing it in line with the pull request decoration and pull request summary. The overall code tab also changes to show software qualities and a count of high, medium, and low severity issues.
UI updates (10.2 - 10.3)
To improve your experience with the SonarQube Server UI, the following elements were updated:
- Quality Gate page
- Rules page
- Quality Profiles page
- DevOps platform configuration modal is visible during project onboarding
- Project, project onboarding, applications
Issue management
New rule format (10.2 - 10.5)
More rules have been enhanced to help you understand why the issue matters. In SonarQube Server 10.5, 1,700 rules were updated with improvements and additions to the "How can I fix it?" and "More info" sections. Information explaining the links between code smells and more severe issues is also included.
Dismiss issues marked as “Accepted” and keep track of how many (10.4)
Developers can now mark an issue as “accepted” instead of “won’t fix”. The number of accepted issues is displayed in the branch summary and pull request decoration to help measure the technical debt. See Issue management solution overview for more information.
Pull requests show issues that will be fixed when merged (10.4)
Now you can see which issues will be resolved before merging the pull request. The pull request decoration in all 4 CI platforms (GitLab, GitHub, Azure DevOps, Bitbucket) and the pull request summary in SonarQube Server show the issues that will be fixed upon merging the pull request.
Issue count and issue classification (10.3)
The following features are now available:
- Show issue count in pull request comments in all 4 DevOps platforms
- External Issues are classified using the MQR Mode issue categorization
Resolve external issues in SonarQube Server (10.3)
You can now resolve External Issues inside SonarQube Server in the same place as issues raised by SonarQube Server.
Code Security
Advanced secrets detection (10.8)
The commercial editions of SonarQube Server got a further boost in secrets detection with the addition of 29 new rules, bringing the total to 119 rules covering 166 secrets patterns and 113 cloud services.
Security reports (10.7)
Based on the results of your analysis, Cloud Application Security Assessment (CASA) and Security Technical Implementation Guides (STIGs) security reports are available for your projects.
Additional support for Spring framework in Java (10.7)
To improve security coverage, we’ve added advanced security rules for the Spring Framework to reach a coverage of 92% for security-sensitive Spring features.
More Libraries for Deeper SAST (10.5)
In our continued effort to improve deeper SAST, we’ve significantly increased our coverage of public Java libraries, so we now cover the two thousand public libraries most used by developers. The result is that Deeper SAST is even more powerful in detecting deeply hidden vulnerabilities and will uncover more issues in your code.
Top security requests (10.3)
The top security enhancement requests were included in the SonarQube Server 10.3 release.
- Alias tracking is improved during branching to prevent the loss of an alias.
- PHP code taint analysis is improved by supporting global variables.
- All comparison operators in Java, JavaScript, Python, and C# are now treated as validators.
Show security issues in GitLab vulnerability report (10.2)
When your SonarQube Server instance is configured with GitLab, vulnerability issues are automatically synced from SonarQube Server to GitLab and you can view them in GitLab.
Also, status changes of issues in the GitLab Vulnerability Report are automatically replicated back to the corresponding issue in SonarQube Server in the subsequent analysis, eliminating any discrepancy between the two systems.
Secrets detection (10.2 and 10.5)
SonarQube Server can now identify secrets across 29 cloud services and detects more than 100 common patterns for the most sensitive secrets and tokens.
You can create your own custom rules to detect company-specific secrets.
Since SonarQube Server 10.5, when running on a multicore/multi-CPU machine, the secrets detection engine uses the available CPUs in parallel for secret scanning. This guarantees that secrets detection has zero impact on overall analysis performance.
Find security misconfigurations in Azure Resource Manager (ARM) templates (10.2)
We’ve added new rules to identify security misconfigurations in Azure Resource Manager (ARM) templates created via Microsoft Bicep. With the addition of targeted rules, you can now catch these issues right in your ARM templates.
Advanced Support for PHP Super-Global Arrays (10.2)
SonarSecurity now has improved support for PHP super-global arrays. This update increases the precision of the PHP analysis, effectively reducing false negatives.
2023 CWE Top 25 Report (10.2)
The Security Reports page in SonarQube Server now contains the CWE Top 25 2023 Report for use when assessing your risk against it. As of the 10.3 release, the Security Reports page has data from the 2023, 2022, and 2021 CWE Top 25 Reports.
Enhanced security for Dockerfiles (10.0 and 10.2)
Sonar helps you create clear and consistent Dockerfiles by adding more rules for Dockerfiles. SonarQube Server 10.0 introduced support for bash command parsing and more than 20 best-practice rules. SonarQube Server 10.2 added more than 20 new rules.
Improved Java security (10.1)
The Java security analysis engine detects and helps you fix even more security issues. With the many improvements to the engine, we achieve a true positive rate (TPR) above 90% on the selected top OWASP security benchmarks.
Sync Security Hotspots with SonarQube for IDE (10.1)
If you are using VS Code or IntelliJ family IDEs in connected mode, you can synchronize the status of security hotspots in real time with SonarQube Server.
Added CWE Top 25 2022 security report (10.0)
We’ve added the CWE Top 25 2022 security risk report to help assess the risk of your codebase against commonly reported security vulnerabilities.
Languages
PHP (2025.1)
Analysis now supports asymmetric property visibility (PHP 8.4).
T-SQL (2025.1)
Analysis supports the STIG security standard and more language constructs.
VB (2025.1)
We've added 2 new rules for VB analysis.
Dart/Flutter (10.6 - 10.8)
Analysis of Dart/Flutter apps is now available. 115 Dart rules were introduced.
Ansible IaC (10.8)
Analysis of Ansible IaC is now available.
JCL (10.5)
We’ve added rules to analyze Job Control Language (JCL), a mainframe scripting language commonly used to orchestrate the execution of COBOL programs.
Java/Maven (10.0 - 10.8)
- Maven 4.0 is supported.
- Java 21 LTS is supported.
- Introducing architecture rules for Java: architecture rules help developers find circular dependencies across classes in Java code.
- Improved code efficiency: added eleven new rules for Java enterprise and Java Android mobile developers.
Python (10.0 - 10.5)
- The Django framework in Python is now supported, with basic rules that cover bugs and code smells.
- New rules for the NumPy and Pandas libraries, the top Python libraries used by data scientists. Support for the new Python 3.12 syntax, with new rules and error-free parsing.
- Graphene (GraphQL for Python) is supported. The FastAPI framework is supported, rounding out our support of the top 3 API frameworks for Python, including Flask and Django.
- Increased support for machine learning with 7 new rules for the PyTorch library. Analysis of Jupyter Notebooks, previously added in VS Code, is now available.
- The TensorFlow library is now supported.
- Added seven new rules to avoid pitfalls when using Date & Time libraries.
- The Scikit-learn libraries, one of the top Python libraries used for AI and machine learning development, are now supported.
HTML (10.5)
To help you write accessible code for front-end applications, we have ported sixteen rules from JavaScript to HTML, bringing the total number of accessibility rules across JavaScript, TypeScript, and HTML to just under one hundred. The same accessibility coverage you have when writing JavaScript and React code now applies when you write HTML code.
TypeScript (10.0 - 10.5)
- TypeScript 5.4 is supported.
- First-class support of React with more than 60 rules.
C#/.NET (10.3 - 10.5)
- Support of LTS .NET 8 and C# 12
- Support for Blazor framework
- Added fifteen new rules for logging
Helm Charts (10.4 - 10.5)
- SonarQube Server now supports scanning Helm Charts for Helm-based Kubernetes deployments using the same Kubernetes rules that are applied to other YAML files.
- The number of rules doubles in SonarQube Server 10.5 to reach sixteen security rules and sixteen maintainability best practice rules for Kubernetes and Helm Charts.
C/C++ (10.1 - 10.5)
- C++23 is now supported.
- Multiple C/C++ code variant analysis: Developers can now analyze multiple code variants (e.g. compilers, compiler flags, platforms etc.) of their code using the same project.
- MISRA C++ 2023 rules: SonarQube Server's new MISRA C++ 2023 rules include 43 rules aligned with MISRA guidelines, all selectable in your quality profile.
Kotlin (10.0)
It is now possible to analyze Kotlin multi-platform (KMP) projects for cross-platform code development.
AI features
AI code assurance (10.7 - 10.8)
- You can now flag projects as containing AI-generated code. The flagged projects will use the Sonar way quality gate to ensure the AI-generated code is clean.
- AI Code Assurance custom quality standards: The Sonar way for AI Code quality gate is available to support recommended standards for AI Code Assurance. It’s possible to modify this quality gate or customize any quality gate with higher standards to mark your project as qualified for AI code.
- The Standards for AI-generated code page has all the information you need to learn about AI Code Assurance.
- Enable AI CodeFix at the project level: Instance Admins can now enable or disable AI CodeFix for all projects or on selected projects. It is also possible to completely hide the feature from the SonarQube UI at the SonarQube installation level.
AI-generated fix suggestions (10.7)
This feature is available in Early Access for all commercial editions of SonarQube Server.
When investigating an issue, you can ask for an AI-generated fix suggestion and open it directly in your IDE (VS Code, IntelliJ, and Eclipse).