Start Free
Latest | Server upgrade and maintenance | Release and deprecation notes | LTA to LTA release upgrade notes

LTA to LTA release upgrade notes

Upgrade notes contain information on breaking changes and important updates to be aware of before upgrading. 

These upgrade notes are intended for users who are directly upgrading SonarQube Server from 9.9 LTA to 2025.1 LTA. Just upgrading a few minor versions? Refer to the regular upgrade notes

For a list of new features since the last LTA, see LTA to LTA release notes.

Authentication

SAML configuration update required (2025.1)

When configuring SAML on your SonarQube Server instance with assertion encryption, response signature must be enforced. You might need to update your SAML configuration:

  • If you use SAML with Microsoft Entra, make sure you sign the response by selecting Sign SAML response or Sign SAML response and assertion as the sign-in response. See Step 2 > If you use encryption, enforce response signature in Setup of security features.
  • If you use SAML with PingID, make sure you sign the response by selecting Sign Response or Sign Assertion & Response as the sign-in response. See Step 2 > To enable the encryption of SAML assertions in Setup of security features.

In addition, the assertion decryption now requires that you store also the public key certificate in SonarQube Community Build (not only the private key). Make sure the certificate is stored in SonarQube as follows:

  1. In SonarQube Community Build, go to Administration > Configuration > General Settings > Authentication > SAML.
  2. In SAML Configuration > SAML, select Edit. The Edit SAML configuration dialog opens.
  3. In Service provider certificate, enter the certificate.

Updated GitLab automatic provisioning feature (10.7) 

Automatic user and group provisioning with GitLab now includes permission synchronization, which automatically synchronizes project visibility. To prevent unwanted updates to project permissions and project visibility, upgrading SonarQube will suspend automatic provisioning until you confirm the choice of provisioning method in the authentication settings.

For more information, see the GitLab authentication and provisioning page. 

Updated GitHub automatic provisioning feature (10.2)

Automatic user and group provisioning with GitHub now includes permission synchronization, which automatically synchronizes project visibility:

  • To prevent unwanted updates to project permissions and project visibility, upgrading SonarQube will suspend automatic provisioning until you confirm the choice of provisioning method in the authentication settings.
  • The GitHub app requires new permissions to be added and approved. 

For more information, see the GitHub authentication page. 

SCIM provisioning requires configuration (10.0)

SCIM provisioning for SAML authentication evolves for a tightened synchronization of users and groups. To use the updated set of user and group SCIM provisioning features, see Authentication and provisioning

Without action on your part, upon upgrading, already assigned users are not deleted from SonarQube, but they are no longer bound to your IdP.  You'll need to enable SCIM again in SonarQube and adjust your IdP settings. 

Analysis

Updated built-in Quality Profiles (10.0 - ?)

The built-in Quality Profiles for each language have been updated, meaning rules may have been added, changed, deprecated or dropped. If you are using or extending any of the “Sonar way” built-in Quality Profiles, make sure to check their Changelog to see what has changed.

Cognitive complexity calculation updated for Javascript and Typescript (10.5)

 If you analyze Javascript and Typescript projects, note that we've updated how cognitive complexity is calculated. Notably, nested function complexity is no longer added to the parent. This will translate as a drop in the metric for some users. 

End of support of Node.js 16 in the scanner environment (10.5)

Node.js 16 is no longer supported as a scanner runtime environment. If you're using a custom Node.js installation, we recommend the latest LTS version, currently v20.

JavaScript/TypeScript/CSS configuration (10.4)

A minimum of 4GB memory is now recommended, use sonar.javascript.node.maxspace configuration if you encounter memory issues. Also, file encoding errors will now cause an analysis failure, use sonar.sourceEncoding=UTF-8 if you encounter problems.

Node.js is no longer a requirement for analysis (10.4)

In most cases, installing Node.js in the environment where you’re running analysis is no longer a requirement.

End of support of Java 11 as scanner environment (10.4)

Java 11 is no longer supported as a scanner runtime environment. The minimum required version is Java 17. See the requirements for more information. 

SonarScanner for .NET compatibility (10.4)

Starting with SonarQube 10.4, analysis of .NET projects requires SonarScanner for .NET 5.14+

End of support of MSBuild 14 (10.4)

MSBuild 14 is no longer supported for scanning .NET code. ​​MSBuild 15 is deprecated and support will be removed in a future version. We recommend using MSBuild 16 as a minimal version. 

To know which Web API endpoints and parameters are deprecated after an upgrade, see Deprecated Web API endpoints and parameters.

Dropping support for NET Framework < 4.6.2 (10.1)

The minimum supported .NET Framework version is 4.6.2. Support for earlier versions has been dropped. If you’re running an earlier version, you’ll need to upgrade your build environment wherever your analysis is run. See this release note for more information.

Projects displaying modules are no longer supported (10.0)

The concept of modules was removed in v7.6. SonarQube no longer migrates the structure of projects still displaying modules. Make sure you re-analyze these projects before upgrading to SonarQube 10.0.

Operations

Instance mode feature (10.8)

Your SonarQube Server instance has two modes to choose from: Standard Experience Mode and Multi-Quality Rule (MQR) Mode. Upon upgrading, existing SonarQube Server 10.1 and earlier are configured with the Standard Experience by default whereas SonarQube Server 10.2 and later are configured with MQR mode. 

For details on switching modes, see the Changing modes page.

Disable the confidential header in portfolio PDF reports (10.7)

Admin users have a new toggle in the Administration -> Governance -> Portfolio PDF Reports section, allowing them to dynamically enable or disable the "Confidential" header. 

For details, see the Managing portfolios page.

Project overview update in MQR mode (10.4)

If you use MQR Mode, note that issue counts on the overall code of projects reflect the Clean Code software qualities.

These counts will be displayed when you re-analyze your projects. 

Microsoft SQL Server and Integrated Authentication (10.8)

If you use Microsoft SQL Server with Integrated Authentication, note that the minimum supported version of the Microsoft SQL JDBC Driver package has been updated to 12.8.1. See Installing the database for more information.

Elasticsearch system call filters required (10.6)

SonarQube uses Elasticsearch 8.0. System call filters are now required (see the Elastic docs for more information). If you disabled these filters, you'll need to adjust your configuration before starting the server.

seccomp filter required on kernel (10.0)

The version of Elasticsearch has been updated and now requires a kernel with seccomp enabled. Make sure that seccomp is available on your kernel. See Pre-installation steps on Linux for more information. 

Plugins

Updates to custom plugins required (10.5)

For a faster analysis, SonarQube now optimizes the loading of analyzers by default. To avoid dependency errors, you’ll need to update the configuration of your custom plugins. See Plugin basics for more information. Also, if you use third-party plugins, make sure to use the latest ones compatible with this feature.

Updated security policy for page extensions (10.0)

To improve security, pages added to the UI by plugins can no longer include inline scripts. If you use this feature, you might need to update your plugins. See Adding pages to the webapp for more information.

Clean as You Code

Updated Sonar Way quality gate condition (10.3 and 2025.1)

The Sonar way quality gate now uses a zero issue condition on new code. If you’re upgrading from version 10.2 or earlier, note that your Sonar way quality gate is preserved as "Sonar way (legacy)" upon upgrading and the associated projects are moved to that custom quality gate. We recommend to start using the new Sonar way quality gate at your earliest convenience to keep up with the latest standards.

Maximum new code definition value automatically adjusted in existing projects (10.2)

For existing projects, if the value of the Number of days option is set to a higher value than 90 before the upgrade, SonarQube automatically changes it to 90. As a consequence, some issues might move out of the new code. See the About new code page for more information. 

Updated options for new code definition (10.2)

To make them more in line with the Clean as You Code methodology, the following options have been updated for projects:

  • Specific analysis: This setup is now available only via the Web API. Automation is required to ensure the value is kept up to date.
  • Number of days: The maximum value allowed when setting it up is now 90. It's recommended to update your existing projects accordingly.

    See the About new code page for more information.

End of support

Deprecated web services and parameters removed (10.0)

The web services and parameters that were deprecated in versions 8.x and 9.x have been removed. For more information, see the corresponding list and read the API deprecation policy.

Was this page helpful?

© 2008-2025 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Creative Commons License