LTA to LTA release notes
LTA to LTA release notes include all new features, update notes, deprecations and removals between version 2025.4 LTA and 2026.1 LTA.
Updating from SonarQube Server 9.9 LTA and 2025.1 LTA
You can update your SonarQube Server from 2025.1 LTA to 2026.1 LTA directly. However, if you are updating from 9.9 LTA you will need to do an intermediate version update to 2025.1 LTA. Refer to the following documentation for more information:
The Update Overview page for detailed procedures.
2025.1 LTA to 2026.1 LTA dependencies
SonarQube Server JRE support | Java 17 or Java 21 | Java 17 or Java 21 | Java 21 or Java 25 with JDK replacing JRE | Support for Java 17 has been removed in 2026.1 LTA. See Software requirements
Microsoft SQL Server | 13.0 - 16.0 | 13.0 - 16.0 | 14.0 - 16.0 | 2016 MSSQL Server 13.0 support has been removed in 2026.1. See Setup if using an MS SQL Server database
PostgreSQL | 13-17 | 13-17 | 14-18 | Support for PostgreSQL version 13 has been removed in 2026.1 LTA. See Database requirements
Oracle | 21ai, 21C, 19C, XE Editions | 21ai, 21C, 19C, XE Editions | 21ai, 21C, 19C, XE Editions
SonarScanner JRE support (without JRE auto-provisioning) | Java 17 | Java 17 | Java 21 | Java 17 has been deprecated in 2025.6 and is planned to be removed in 2026.3. See General requirements
PostgreSQL in Helm chart | deprecated | deprecated | removed | PostgreSQL dependency in Helm chart has been removed in 2026.1
SonarScanners
Minimum required SonarScanner version at the time of the SonarQube Server release.
Azure DevOps extension | 7.1.1 | 7.3 | 8.0.1 | Compatible with: Azure DevOps Services, Azure DevOps Server (2022.2, 2020.1.2, 2019.1.2). See Azure DevOps Extension
SonarScanner for Maven | 5.0.0.4389 | 5.1.0.4751 | 5.5.0.6356 | Prerequisite: Maven 3.2.5 or later. See SonarScanner for Maven
SonarScanner for Gradle | 6.0.1.5171 | 6.2.0.5505 | 7.2.2.6593 | Prerequisite: Gradle 7.6.4 or 8.4, or later. See SonarScanner for Gradle
SonarScanner for .NET | 9.0.2 | 10.3.0.120579 | 11.0.0.126294 | Prerequisite: .NET Framework v4.7.2 or later, if using the .NET Framework. See Installing the scanner for .NET
SonarScanner for NPM | 4.2.6 | 4.3.0 | 4.3.0 | Prerequisite: Node.js 18.20.0 or later. See Installing the scanner for NPM
SonarScanner for Python | 0.2.0.520 | 1.1.0.2035 | 1.3.0.4086 | Prerequisite: Python 3.9 or later. See SonarScanner for Python
SonarScanner for Ant | Deprecated, use SonarScanner CLI | N/A | N/A
Update notes
Java requirements for SonarQube Server runtime (2026.1)
The SonarQube Server runtime now requires Java Development Kit (JDK). The previous requirement of a Java Runtime Environment (JRE) is no longer sufficient, and a full JDK is required.
Added support for Java 25 in addition to Java 21.
Removed support for Java 17.
See Server host requirements and LTA to LTA release notes sections for additional information.
PostgreSQL support (2026.1)
Support for PostgreSQL versions 14 through 18 is now available, enabling deployments using the most recent PostgreSQL release. PostgreSQL version 13 is not supported anymore. See Installing database for more information.
Kubernetes and Openshift support (2026.1)
Supported Kubernetes Versions: From 1.32 to 1.35. Support for versions 1.30 and 1.31 has been removed.
Supported Openshift Versions: From 4.17 to 4.20. Support for versions 4.11 to 4.16 has been removed.
Upgrade to Microsoft SQL JDBC Auth 12.10.2 package (2025.6.1)
To use integrated security in Microsoft SQL database, upgrade to Microsoft SQL JDBC Auth 12.10.2 package. See Installing database for more information.
Support for MSSQL server (2026.1)
Supported MSSQL Server versions are now 2022 (MSSQL Server 16.0), 2019 (MSSQL Server 15.0) and 2017 (MSSQL Server 14.0). Support for 2016 MSSQL Server 13.0 has been removed. See Installing database for more information.
Setting up the Sandbox feature (2025.5)
To ensure the Sandbox feature is active before project analysis, you need to set system properties before restarting your SonarQube Server following the update. The specific configuration varies based on your installation type. See the Sandbox documentation and Setting up the Sandbox feature at the instance level for more information.
See Removals and deprecations for additional information.
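The 2026.1 runtime, database and cluster requirements from the update notes above can be checked before an update. The following is an added example, not part of the original release notes or Sonar tooling: the supported ranges are copied from this page, the function names and sample command outputs are constructed, and treating a runtime without the `jdk.compiler` module as a JRE is this example's own heuristic.

```python
import re

# Supported ranges copied from the 2026.1 update notes on this page (inclusive).
JAVA_MAJORS = {21, 25}
POSTGRES_MAJORS = range(14, 19)   # 14 through 18
MSSQL = ((14, 0), (16, 0))        # MSSQL Server 14.0 through 16.0
KUBERNETES = ((1, 32), (1, 35))
OPENSHIFT = ((4, 17), (4, 20))


def check_java(list_modules_output):
    """Check `java --list-modules` output for a supported major and a full JDK.

    Heuristic of this example: no jdk.compiler module means a JRE-style runtime.
    """
    base = re.search(r"^java\.base@(\d+)", list_modules_output, re.M)
    if not base:
        return False, "cannot determine Java version from module list"
    major = int(base.group(1))
    if major not in JAVA_MAJORS:
        return False, f"Java {major} is not supported; use Java 21 or 25"
    if not re.search(r"^jdk\.compiler@", list_modules_output, re.M):
        return False, f"Java {major} runtime lacks jdk.compiler; a full JDK is required"
    return True, f"Java {major} JDK"


def check_postgres(select_version_output):
    """Check the text returned by `SELECT version()`."""
    found = re.search(r"PostgreSQL (\d+)", select_version_output)
    if not found:
        return False, "unrecognized PostgreSQL version string"
    major = int(found.group(1))
    if major not in POSTGRES_MAJORS:
        return False, f"PostgreSQL {major} is not supported; use 14 through 18"
    return True, f"PostgreSQL {major}"


def _check_pair(name, pair, bounds):
    """Compare a (major, minor) pair against inclusive (low, high) bounds."""
    low, high = bounds
    label = f"{name} {pair[0]}.{pair[1]}"
    if low <= pair <= high:
        return True, label
    return False, (f"{label} is not supported; use "
                   f"{low[0]}.{low[1]} through {high[0]}.{high[1]}")


def check_mssql(version_output):
    """Check `SELECT @@VERSION` text or a bare product version like 15.0.4322.2."""
    found = re.search(r"\b(\d+)\.(\d+)\.\d+\.\d+\b", version_output)
    if not found:
        return False, "unrecognized MSSQL Server version string"
    return _check_pair("MSSQL Server", (int(found[1]), int(found[2])), MSSQL)


def check_cluster(version_output, name, bounds):
    """Check the `Server Version:` line printed by `kubectl version` or `oc version`."""
    found = re.search(r"^Server Version:\s*v?(\d+)\.(\d+)", version_output, re.M)
    if not found:
        return False, f"no server version found for {name}"
    return _check_pair(name, (int(found[1]), int(found[2])), bounds)


def preflight(facts):
    """Run the check for every collected fact and return the failure messages."""
    checks = {
        "java": check_java,
        "postgres": check_postgres,
        "mssql": check_mssql,
        "kubernetes": lambda out: check_cluster(out, "Kubernetes", KUBERNETES),
        "openshift": lambda out: check_cluster(out, "Openshift", OPENSHIFT),
    }
    return [message for key, output in facts.items()
            for ok, message in [checks[key](output)] if not ok]


# Constructed sample outputs from a host that does not yet meet the 2026.1 requirements.
SAMPLE_FACTS = {
    "java": "java.base@17.0.10\njava.compiler@17.0.10\njdk.compiler@17.0.10\n",
    "postgres": "PostgreSQL 13.14 on x86_64-pc-linux-gnu, compiled by gcc, 64-bit",
    "mssql": "Microsoft SQL Server 2019 (RTM-CU22) - 15.0.4322.2 (X64)",
    "kubernetes": "Client Version: v1.34.1\nServer Version: v1.31.4\n",
}

if __name__ == "__main__":
    for failure in preflight(SAMPLE_FACTS):
        print("FAIL:", failure)
```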
New and enhanced features
Languages
Apex
New rules for Apex (2025.6)
Expansion of code quality and security rules for Apex, 42 new rules (98 total rules), to address enterprise coverage gaps, for example:
SOQL
S7960 - SOQL queries should be assigned to Lists to avoid QueryException
S8011 - SOQL queries should use SystemModStamp instead of LastModifiedDate for better performance
S8129 - SOQL queries should not contain hardcoded literals
SOSL
S8048 - SOSL queries in test methods should use "Test.setFixedSearchResults"
Governor limits
Cobol
Cobol improvements (2026.1)
Adds support for parsing additional language constructs and includes fixes for crashes and false positives for COBOL. Related rules include:
CFamily
MISRA C++:2023 rules released (2025.6)
The MISRA C++ 2023 rules have been released and are no longer in Early Access. This expands coverage to all 179 MISRA C++ 2023 guidelines in Enterprise and Data Center editions plus SonarQube for IDE when in connected mode. See Quality profiles for more information.
New Sonar MISRA C++ 2023 quality profile available (2025.6)
A new Sonar MISRA C++ 2023 Compliance quality profile is available starting in Enterprise edition. It combines Sonar way rules with MISRA C++ 2023 rules and is designed for projects seeking MISRA compliance.
GitHub Actions
GitHub Actions support (2025.5)
SonarQube Server now supports analysis of YAML files detected as GitHub Actions.
IaC analysis improved for GitHub Actions (2025.5)
The analysis of Infrastructure as Code (Ansible, Azure Resource Manager, CloudFormation, Docker, Kubernetes, Terraform) has been improved to detect security misconfigurations and vulnerabilities in GitHub Actions. To do so, the following rules have been added:
S7630: GitHub Actions should not be vulnerable to script injections
S7631: Checking out code from a fork in a privileged workflow context is security-sensitive
S7633: Parsing structured data as a secret is security-sensitive
S7634: Passing the full secrets context to a workflow step is security-sensitive
S7635: Passing the full secrets context to reusable workflows is security-sensitive
S7636: Expanding secrets in run blocks is security-sensitive
S7637: Using external GitHub actions and workflows without a full length commit hash is security-sensitive
S6596: Specific version tag for image should be used
Go
Expansion of code quality rules for Go (2025.6)
Added 24 new rules targeting the base Go language, for example:
S8188 - Context cancellation functions should be deferred
S8193 - Variables in if short statements should be used beyond just the condition
S8197 - Use "bytes.Equal" instead of "bytes.Compare" for equality checks
S8206 - Deprecated "InterfaceData" method should not be used
S8208 - HTTP response bodies should be closed to prevent resource leaks
S8210 - Variables should be used
S8239 - Context parameters should be reused instead of creating new background contexts
S8242 - Context should not be stored in struct fields
S8259 - Busy waiting loops should use proper synchronization
Go 1.25 support (2025.5)
Go version 1.25 is now supported.
IaC
IaC improvements (2026.1)
The analysis of Infrastructure as Code (Ansible, Azure Resource Manager, CloudFormation, Docker, Kubernetes, Terraform, GitHub Actions) has been improved.
Helm templates are now evaluated even if values.yaml is missing.
The following rules have been added:
S6437: Credentials should not be hard-coded
S7638: ACTIONS_ALLOW_UNSECURE_COMMANDS should not be used
S8232: Workflows should not rely on unverified GitHub context values to trust events
S8233: Write permissions should be defined at the job level
S8262: Artifacts should not contain secrets
S8263: GitHub Action invocations should not be vulnerable to parameter injection attacks
S8264: Read permissions should be defined at the job level
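What several of the GitHub Actions rules listed above look for, as an added example that is not part of the original release notes and not SonarQube's analyzer logic: a simplified line-based check for S7630, S7636, S7637 and S7638. The rule keys and titles come from this page; the function name, the patterns and the sample workflow (including its placeholder commit hash) are constructed for illustration.

```python
import re

# Constructed sample workflow; the 40-character commit hash is a placeholder.
SAMPLE_WORKFLOW = """\
name: ci
on: pull_request
env:
  ACTIONS_ALLOW_UNSECURE_COMMANDS: true
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - name: greet
        run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
          ./deploy.sh --token "${{ secrets.DEPLOY_TOKEN }}"
      - name: greet safely
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "PR title: $TITLE"
"""

UNTRUSTED_CONTEXT = re.compile(r"\$\{\{\s*github\.(?:event\.|head_ref)")
SECRET_EXPANSION = re.compile(r"\$\{\{\s*secrets\.")
FULL_SHA = re.compile(r"[0-9a-f]{40}")
USES = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^\s'\"#]+)")
RUN = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")


def lint_workflow(text):
    """Return sorted (line_number, rule_key, message) findings for a workflow file."""
    findings = []
    run_column = None  # column of the active `run:` key while inside its script
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if run_column is not None and indent <= run_column:
            run_column = None  # dedent: the run script has ended
        script = None
        run = RUN.match(line)
        if run_column is not None:
            script = line                  # continuation line of a block script
        elif run:
            run_column = len(run.group(1))
            script = run.group(2)          # inline script, or the `|` marker
        if script is not None:
            # Expressions are substituted into the script text before the shell runs.
            if UNTRUSTED_CONTEXT.search(script):
                findings.append((number, "S7630",
                                 "untrusted github context expanded in a run script"))
            if SECRET_EXPANSION.search(script):
                findings.append((number, "S7636", "secret expanded in a run script"))
        uses = USES.match(line)
        if uses and script is None:
            target = uses.group(1)
            local = target.startswith(("./", "docker://"))
            ref = target.rpartition("@")[2]
            if not local and not FULL_SHA.fullmatch(ref):
                findings.append((number, "S7637",
                                 f"{target} is not pinned to a full-length commit hash"))
        if "ACTIONS_ALLOW_UNSECURE_COMMANDS" in line and not line.lstrip().startswith("#"):
            findings.append((number, "S7638", "ACTIONS_ALLOW_UNSECURE_COMMANDS is set"))
    return sorted(findings)


if __name__ == "__main__":
    for number, rule, message in lint_workflow(SAMPLE_WORKFLOW):
        print(f"line {number}: {rule}: {message}")
```

The last step of the sample passes the same event value through `env:` and reads it as a shell variable, which is why it produces no finding.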
Java
Java improvements (2025.6)
Improvements to Java rules:
S1068: Unused "private" fields should be removed
S1144: Unused "private" methods should be removed
S1479: "switch" statements should not have too many "case" clauses
S1186: Methods should not be empty
S1948: Fields in a "Serializable" class should either be transient or serializable
S1989: Exceptions should not be thrown from servlet methods
S2097: "equals(Object obj)" should test the argument's type
S2187: TestCases should contain tests
S2698: Test assertions should include messages
S3306: Constructor injection should be used instead of field injection
S3329: Cipher Block Chaining IVs should be unpredictable
S4605: Spring beans should be considered by "@ComponentScan"
S5738: "@Deprecated" code marked for removal should never be used
S6813: Field dependency injection should be avoided
Java security (2025.6)
Related rules:
S2076: OS commands should not be vulnerable to command injection attacks
S2083: I/O function calls should not be vulnerable to path injection attacks
S5146: HTTP request redirections should not be open to forging attacks
S6547: Environment variables should not be defined from untrusted input
S7518: Privileged prompts should not be vulnerable to injection attacks
JavaScript / TypeScript / CSS
New CSS rules (2025.6)
The following CSS accessibility rules have been added:
S7923: Orientation of the page is not restricted using CSS transform property
S7924: Text has minimum contrast
S7925: Spacing and height in style attributes is not `!important`
TypeScript support (2025.6)
All versions of TypeScript through 5.9.3 are supported. See JavaScript/TypeScript/CSS for more information.
JavaScript / TypeScript analyzer speed improvements (2025.6)
Optimization of the analysis engine, moving logic to Node.js and using WebSockets, resulting in up to 40% faster analysis for large projects.
58 Quick Fixes for JavaScript / TypeScript (2025.6)
Automatically enables Quick Fixes in SonarQube IDE for 58 existing JavaScript and TypeScript rules.
AngularJS rules for TypeScript (2025.5)
The following rules related to AngularJS have been added to the TypeScript analysis:
S7655: Angular classes should implement lifecycle interfaces for their lifecycle methods
S7641: Angular lifecycle methods should be used in the correct context
S7656: Angular Pipes should implement PipeTransform interface
S7650: Components and directives should not use the "inputs" metadata property
S7648: Components, Directives, and Pipes should use standalone architecture
S7647: Empty Angular lifecycle methods should be removed
S7649: Input bindings should not be aliased
S7653: Output bindings should not be aliased
S7652: Output bindings should not be named "on" or prefixed with "on"
S7651: Output bindings should not be named as standard DOM events
S7654: The "outputs" metadata property should not be used in Angular components and directives
JavaScript analysis improved (2025.5)
68 rules from the eslint-plugin-unicorn have been added to the JavaScript analysis.
JCL
New leaveFile API for JCL (2026.1)
A new leaveFile API is available for custom rules for JCL language, giving rule authors more control over how files are processed and reported.
.NET and C#
.NET 10 and C# 14 support (2026.1)
Empowers .NET teams to adopt the Long Term Support (LTS) release of .NET 10 and C# 14 immediately, ensuring their analysis remains accurate, performant, and free of false positives associated with new language constructs. See VB.NET and C# for more information.
Related rules:
S1121: Assignments should not be made from within sub-expressions
S1144: Unused private types or members should be removed
S2225: "ToString()" method should not return null
S2292: Trivial properties should be auto-implemented
S2325: Methods and properties that don't access instance data should be static
S2583: Conditionally executed code should be reachable
S2589: Boolean expressions should not be gratuitous
S2692: "IndexOf" checks should not be for positive numbers
S2953: Methods named "Dispose" should implement "IDisposable.Dispose"
S2970: Assertions should be complete
S3063: "StringBuilder" data should be used
S3264: Events should be invoked
S3398: "private" methods called only by inner classes should be moved to those classes
S3459: Unassigned members should be removed
S3877: Exceptions should not be thrown from unexpected methods
S3928: Parameter names used into ArgumentException constructors should match an existing one
S4545: "DebuggerDisplayAttribute" strings should reference existing members
S7039: Content Security Policies should be restrictive
Injection vulnerabilities supported for .NET WPF framework (2025.5)
Taint analysis is now supported for Windows Presentation Foundation (WPF) entry points, such as UI controls, data bindings or command parameters.
PHP
Reduction in false positives (2026.1)
Reduces false positives on several rules and cleans up build and dependency infrastructure. Related rules:
S1155: "empty()" should be used to test for emptiness
S1172: Unused function parameters should be removed
S2699: Tests should include assertions
S1068: Unused "private" fields should be removed
PHP analysis improved (2025.5)
PHP keyword parsing has been optimized by replacing the regex-based logic.
PL/SQL
Support for PL/SQL 3.18.0.216 (2025.6)
The following PL/SQL rules have been updated:
S1135: Track uses of "TODO" tags
S1192: String literals should not be duplicated
S1854: Unused assignments should be removed
S2340: "LOOP ... END LOOP;" constructs should be avoided
S2454: Columns should be aliased
S2534: Positional and named arguments should not be mixed in invocations
S3651: Individual "WHERE" clause conditions should not be unconditionally true or false
S4081: "PLS_INTEGER" types should be used
S4196: Output parameters should be assigned
S4421: Features deprecated in Oracle 12 should not be used
S5245: Identifiers should be written in lower case
Python
Support for Python 3.14 (2025.6)
Includes the new JIT compiler and defer statement features. See Python for more information. Related rules:
S7931: "NotImplemented" should not be used in boolean contexts
S7941: Compression modules should be imported from the compression namespace
S7942: Template strings should be processed before use
S7943: Template and str should not be concatenated directly
S7945: Template string processing should use structural pattern matching
Rules for Python Pytorch library (2025.6)
Specialized rules for PyTorch to help write efficient, error-free Machine Learning code. The new rules include:
S7697: PyTorch tensor operations should assign results or use in-place variants
S7699: Dropout layers should be defined as model attributes in "__init__" method
S7702: Specify "start_dim" when using "torch.flatten" to preserve batch dimension
S7703: Method calls should use parentheses when saving PyTorch model state
S7704: PyTorch module classes should not be instantiated inline in forward methods
S7706: Use PyTorch Lightning's built-in checkpointing instead of manual checkpoint saving
S7709: Tensor lists should be concatenated with "torch.cat()" instead of "torch.tensor()"
S7708: Tensors should not be concatenated incrementally in loops
S7710: Use "torch.empty()" instead of list comprehensions for empty tensor initialization
S7711: Dataset "__len__" methods should return an integer, not "torch.Size"
S7713: Tensor operations should rely on automatic broadcasting instead of manual expansion
Python security (2025.6)
Related rules:
S2076: OS commands should not be vulnerable to command injection attacks
S2083: I/O function calls should not be vulnerable to path injection attacks
S3649: Database queries should not be vulnerable to injection attacks
S5131: Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks
S5144: Server-side requests should not be vulnerable to forging attacks
S5334: Dynamic code execution should not be vulnerable to injection attacks
S7518: Privileged prompts should not be vulnerable to injection attacks
S7693: Operating AI agents without predefined boundaries is security-sensitive
S7698: AI agent code execution without sandboxing is security-sensitive
Python analysis: new rules for PyTorch library (2025.5)
The following rules have been added:
S7508: Redundant collection functions should be avoided
S7675: Tensor copying should use recommended methods
S7695: "super()" calls should not be used in TorchScript methods
Python analysis: AWS Lambda rules (2025.5)
The following rules related to AWS lambdas and common practices have been added to the Python analysis:
S6249: Authorizing HTTP communications with S3 buckets is security-sensitive
S7613: AWS Lambda handlers should return only JSON serializable values
S7609: AWS CloudWatch metrics namespace should not begin with `AWS/`
S6246: Lambdas should not invoke other lambdas synchronously
S7608: S3 operations should verify bucket ownership using ExpectedBucketOwner parameter
S7618: Network calls in AWS Lambda functions shouldn't be made without explicit timeout parameters
S7617: Reserved environment variable names should not be overridden in Lambda functions
S6243: Reusable resources should be initialized at construction time of Lambda functions
S6262: AWS region should not be set with a hardcoded String
S7622: boto3 operations that support pagination should be performed using paginators or manual pagination handling
S7621: AWS waiters should be used instead of custom polling loops
S7620: AWS Lambda handlers should clean up temporary files in /tmp directory
S7625: Long-term AWS access keys should not be used directly in code
S7614: AWS Lambda handlers must not be an async function
S7619: "botocore.exceptions.ClientError" must be explicitly catch and handled
Parallel execution of Python rules (2025.5)
Parallel execution of Python rules is now supported.
Ruby
New rules for Ruby (2025.6)
33 new language-specific and framework-specific rules for Ruby, including 12 targeting Ruby on Rails, for example:
S7839: Global variables should not be used in Rails applications
S7844: Asset compilation should be disabled in production environments
S7867: Rails API controllers using "respond_to" should include "ActionController::MimeResponds"
S7875: Rails applications should define a root route with proper controller#action syntax
S7887: Before destroy callbacks should use proper halt mechanism
S7895: HTTP status codes should use symbols instead of numeric values
S7897: Rails queries should use "find_by" instead of "where.take" for single record retrieval
S7899: Rails collections should use "ids" instead of "pluck(:id)" for primary keys
S7904: Rails model callback methods should be private
S7905: Controllers should inherit from appropriate base classes
Rust
Rust analysis improvements (2025.5)
The Clippy analysis can now be run offline by setting sonar.rust.clippy.offline to true. This prevents Clippy from trying to fetch dependencies. Dependencies must still be available locally for the analysis to work correctly. This setting is intended for air-gapped environments. See Rust for more information.
Secrets
Reduced false positives (2026.1)
Secrets rules have been improved to reduce the detection of false positives and the following rules have been added:
S6418: Hard-coded secrets are security-sensitive
S2068: Hard-coded passwords are security-sensitive
S7552: SMTP credentials should not be disclosed
S8350: xAI API keys should not be disclosed
New rules have been added for Secrets detection (2025.6):
S8135: JSON Web Tokens should not be disclosed
S8136: HTTP authentication credentials should not be disclosed
S8214: Handsontable License Keys should not be disclosed
S8215: Password hashes should not be disclosed
S8217: HTTP Authentication Bearer tokens should not be disclosed
S8219: Azure DevOps App secrets should not be disclosed
Shell / bash
Shell/bash analysis (2025.6)
Introduction of 31 code quality and security rules specifically for shell/bash scripts. For example:
S1481: Unused local variables should be removed
S4830: Server certificates should be verified during SSL/TLS connections
S6506: Allowing downgrades to a clear-text protocol is security-sensitive
S7684: Variable names should follow shell naming conventions
S7674: Variables should be quoted during expansion
S7677: Error messages should be sent to stderr
S7689: Command substitution should use modern "$()" syntax instead of backticks
Swift
Support for Swift 5.9 through 6.1 (2025.6)
Comprehensive support for Swift versions 5.9 through 6.1, including macros, variadic generics, and new syntax features.
Support SwiftUI (2025.6)
Targeted support for SwiftUI that silences irrelevant rules and disables rules in preview sections, for example:
S107: Functions should not have too many parameters
S3087: Closure expressions should not be nested too deeply
SAST for Swift (2025.6)
Introduces Static Application Security Testing (SAST) for Swift, targeting cryptography and communication issues.
Detect passwords and secrets in Swift (2025.6)
Enhanced secret detection for Swift using entropy checks and post-processing to reduce noise.
T-SQL
T-SQL analyzer update (2025.6)
Updates to ensure T-SQL analysis is ready for the upcoming Long Term Active (LTA) release. Related fixes and improvements to:
XML
Improvements to the XML rules (2025.6)
Various improvements to XML rules and analyzer. Related rules:
S2068: Hard-coded credentials are security-sensitive
S3330: Creating cookies without the "HttpOnly" flag is security-sensitive
S5344: Passwords should not be stored in plaintext or with a fast hashing algorithm
S5734: Allowing browsers to sniff MIME types is security-sensitive
S7630: GitHub Actions should not be vulnerable to script injections
Analysis
JFrog Evidence Collection with SonarQube Server (2026.1)
This integration provides a single, verifiable audit trail if you use both SonarQube and JFrog with strict audit trail and compliance requirements. SonarQube analysis results are automatically signed and directly attached to your JFrog packages to create a single, verifiable source of truth. You no longer have to jump between tools to prove your code meets security standards. Everything you need for a rigorous audit is now visible within the JFrog Evidence Collection interface. This feature is available in the Enterprise edition and above. See JFrog Evidence Collection integration for more information.
High-volume file move detection (2025.6)
SonarQube now stops the analysis when a high-volume file move is detected and raises a warning to let users revert to their initial project configuration in case of an unintended file move.
Sandboxing of issues coming from SonarQube update (2025.5)
Some SonarQube updates may introduce new issues in your code on sections that have not been changed since the previous analysis. These new issues may lead to abrupt and unexplained quality gate and pipeline failures, causing frustration and delays in releases.
To eliminate these pain points, you can enable sandboxing. This way:
The sandboxed issues won’t impact your quality gate.
Users will be able to triage the sandboxed issues at their own pace.
See Sandboxing of issues coming from SonarQube update and Update notes for more information.
Feedback mechanism for self-hosted LLMs (2026.1)
Improves the success rate of generating valid AI CodeFix suggestions from self‑hosted LLMs.
Quality gate fudge factor improved (2026.1)
To avoid overly strict enforcement of small changes, the quality gate ignores coverage and duplication conditions for very small sets of new code. See Changing instance's default quality gate for more information.
Integrations
Jira (2025.6)
This feature introduces a secure, app-based connection for integrating SonarQube Server with Jira Cloud. This lays the groundwork for powerful future workflows, such as issue tracking, release readiness assessment and creating Jira work items from SonarQube issues. For more information see the following documentation:
Jira Cloud integration on an instance level
Jira Cloud integration on a project level
Slack (2025.6)
Delivers real-time notifications for quality gate status changes (failed or failed-to-passed) directly into Slack channels. See Setting up Slack notifications for more information.
GitHub Enterprise Cloud with Data Residency now supported (2025.6)
SonarQube’s integration with GitHub Enterprise Cloud with Data Residency is now supported.
Navigation from SonarQube to GitHub (2025.6)
You can now navigate from your SonarQube project to the bound GitHub repository by selecting the project bound icon.
Reporting
AI and mobile compliance reporting (2026.1)
Extends our regulatory coverage to include critical AI and Mobile security standards such as OWASP Top 10 for LLM and OWASP MASVS for project security reports. This feature is available in the Enterprise edition and above. See Security-related rules for more information.
Security standards (2025.6)
SonarQube Server rules and security reports have been updated to comply with the most recent security standards. The new and updated security standards are:
OWASP Top 10 2025: Updating security rule mappings, documentation, and reporting to align with the newly released OWASP Top 10 2025
STIG ASD version 6: Integration and mapping of our security rules to the latest security technical implementation guide (STIG) for application security and development, version 6.
Security reports are available in the Enterprise edition and higher. See Security reports for the full list of security standards and language coverage.
WCAG Accessibility compliance (2025.6)
Introduces Accessibility reports via API to monitor compliance with WCAG 2.1 AA and 2.2 AA standards.
Security
New rules for detecting LLM issues (2025.6)
The new version of the security analyzer contains new and improved rules for detecting LLM-related security issues.
Detect security misconfigurations in bash shell files (2025.6)
Detects unsafe file permissions, insecure commands (curl / wget), and hardcoded secrets in .sh files.
SonarQube Advanced Security
Available as part of SonarQube Advanced Security license for Enterprise edition and higher. See Advanced Security for more information.
Malicious package detection (2026.1)
Receive blocker-level alerts if a dependency matches publicly known datasets of known malicious packages.
ASAST configs refreshed for C# and Java top 1k libraries, and Python top 100 (2025.6)
Automatically delivers optimized Advanced SAST configurations for the Top 1,000 most used libraries in C# and Java, and top 100 Python libraries.
C/C++ support for Conan and vcpkg projects - beta (2025.6)
Allows customers to analyze C and C++ projects that utilize the Conan or vcpkg package managers to return vulnerability and license information.
Software bill of materials (SBOM) import (CycloneDX, SPDX) - beta (2025.6)
Allows customers to import software bill of materials (SBOM) in CycloneDX or SPDX format to retrieve vulnerability information. This supports the scanning of arbitrary applications and dependencies, including container images and complex C++ applications.
SPDX 3.0 support (2025.6)
Ensures support for the latest SPDX 3.0 standard.
SCA service activation at the project level (2025.5)
In the previous version, Software Composition Analysis (SCA) was enabled in the UI at the instance level for all projects. With this new version, when you enable the service as an instance admin, you can additionally define the default activation status (on or off) for all projects in your instance.
Server operation
In-product communication of product news (2025.6)
Sonar will now provide in-product notifications to users regarding important product updates. These messages will be tailored to specific audiences. Users will receive alerts for new messages and will have access to a complete message history.
Announcement messages improved (2025.5)
It’s now possible to add links to your custom announcement messages in the UI. For more information, see Announcements.
JRE auto-provisioning can be disabled at instance level (2025.5)
JRE auto-provisioning for the scanners on CI/CD host is enabled by default. It was possible to disable it through an analysis parameter. You can now disable it at the SonarQube Server instance level.
Improved memory consumption of Sonar scanners (2025.5)
In order to reduce memory consumption for the scanner-engine, visibility information is now discarded for excluded files.
UI and UX
Rules statuses visible on the Issues page (2025.6)
Surfacing the rule status, specifically beta, directly on the Issues and Issues detail pages. This clarifies the maturity of the rule that generated the issue.
Update to the login page (2025.6)
Updated accessibility, layout, and error messages resulting in an improved overall login experience.
Removals and deprecations
Java 17 not supported any more (2026.1)
Java version 21 is the minimum version required to run SonarQube Server. See Software requirements for more information.
PostgreSQL in Helm charts removed (2026.1)
The deprecated PostgreSQL dependency in the Helm chart has been removed. If you were relying on this dependency for production, you must take the following steps to upgrade to the new chart: back up your existing database, import the data into a new database, and then update the JDBC URL within the SonarQube chart configuration. See Installing Helm chart for more information.
Kubernetes and Openshift versions removed (2026.1)
Support for Kubernetes versions 1.30 and 1.31 has been removed.
Support for Openshift versions 4.11 to 4.16 has been removed.
2016 MSSQL Server 13.0 support removed (2026.1)
Support for 2016 MSSQL Server 13.0 has been removed. See Installing database for more information.
Deprecation of Ingress NGINX (2026.1)
Due to the retirement of the ingress-nginx controller in November 2025 (with best-effort support ceasing in March 2026), the dependency on this chart is now deprecated.
We advise migrating to the Gateway API, which is the modern successor to Ingress. Should you need to continue using Ingress, please consult the Kubernetes documentation for a list of suitable alternative controllers. A replacement dependency will be provided in a future release.
Deprecation of Automatic AI Code Detection (2026.1)
Autodetect AI-Generated Code has been deprecated. Sonar will adjust the AI Code Assurance offering to adapt to the industry changes with high AI adoption. A warning callout has been added to the SonarQube UI in global and project settings. See AI Code Assurance for more information.
Deprecation of Design and Architecture features (2025.6)
The cycle detection and architecture as code for Java and JS/TS are deprecated (S7027, S7091, S7134, S7197), pending removal in January 2026. They will be replaced by improved architecture capabilities.
Deprecation of Java 17 as a scanner runtime (2025.6)
Java 17 is deprecated as a supported scanner runtime environment and its support ends with SonarQube 2026.3 (July 2026). There is no impact for this change if you use JRE auto-provisioning, enabled by default on scanners that support it, because it keeps Java version requirements always up to date. If you disabled JRE auto-provisioning or your scanner doesn’t support it, you need to update to Java 21 or newer. See:
Java runtime environment (JRE) requirements for all SonarScanners.
Community post for more information about the deprecation.
Managing JRE auto-provisioning for additional information.