Release notes

Sonar offers extended commercial support for version 2025.4.

Languages

Increasing MISRA C++ 2023 rules coverage

Continued expansion of MISRA C++ 2023 rule coverage with over 25 additional rules as part of Sonar’s MISRA Compliance Early Access. The coverage enhances checks for safety-critical systems and is available for Enterprise Edition and higher.

Relevant rules:

• M23_026: Sections of code should not be 'commented out'.
• M23_029: A variable declared in an 'inner scope' shall not hide a variable declared in an 'outer scope'.
• M23_034: Within character literals and non raw-string literals, '\' shall only be used to form a defined escape sequence or universal character name.
• M23_037: The lowercase form of 'L' shall not be used as the first character in a literal suffix.
• M23_038: String literals with different encoding prefixes shall not be concatenated.
• M23_050: All 'declarations' of a variable or function shall have the same type.
• M23_053: The source code used to implement an 'entity' shall appear only once.
• M23_096: The logical AND and logical OR operators shall not be overloaded.
• M23_103: The right-hand operand of a logical '&&' or '||' operator should not contain 'persistent side effects'.
• M23_106: An unsigned arithmetic operation with constant operands should not wrap.
• M23_125: A 'goto' statement shall reference a label in a surrounding block.
• M23_139: The 'asm' declaration shall not be used.
• M23_145: Functions shall not call themselves, either directly or indirectly.
• M23_154: Within an enumerator list, the value of an implicitly-specified 'enumeration constant' shall be unique.
• M23_173: Conversion operators and constructors that are callable with a single argument shall be 'explicit'.
• M23_320: Octal escape sequences, hexadecimal escape sequences and universal character names shall be terminated.
• M23_327: An argument passed via ellipsis shall have an appropriate type.
• M23_341: A class shall only define an 'initializer-list constructor' when it is the only constructor.
• M23_351: 'User-provided' 'copy assignment operators' and 'move assignment operators' shall handle self-assignment.
• M23_365: 'Symmetrical operators' should only be implemented as non-member functions.
• M23_372: 'Special member functions' shall be provided appropriately.
• M23_379: The operands of 'bitwise operators' and 'shift operators' shall be appropriate.
• M23_380: 'Integral promotion' and the 'usual arithmetic conversions' shall not change the signedness or the 'type category' of an operand.
• M23_381: 'Assignment' between numeric types shall be appropriate.
• M23_389: A 'for-range-initializer' shall contain at most one function call.
• M23_390: 'Legacy for statements' should be 'simple'.
• M23_392: User-defined identifiers shall have an appropriate form.
• M23_406: Floating-point arithmetic should be used appropriately.

Making C and C++ analysis faster

Faster C and C++ analysis on SonarQube Server, particularly when code changes have a limited logical impact, even if they affect widely included header files or large compilation units. Aimed at improving the efficiency of the computationally intensive symbolic execution engine.

Rules for Python coroutines

Enables Python developers to write high-quality coroutines and avoid common pitfalls associated with asynchronous programming, targeting popular libraries like asyncio and aiohttp. It helps developers address issues like forgetting await keywords, running blocking code within coroutines, and managing state and error handling in asynchronous flows.

Relevant rules:

• S7483: Asynchronous functions should not accept timeout parameters
• S7484: Events should be used instead of sleep in asynchronous loops
• S7486: Long sleep durations should use sleep_forever() instead of arbitrary intervals
• S7487: Async functions should not contain synchronous subprocess calls
• S7488: Use non-blocking sleep functions in asynchronous code
• S7489: Async functions should not contain synchronous OS calls
• S7490: Cancellation scopes should contain checkpoints
• S7491: Checkpoints should be used instead of sleep(0)
• S7493: Async functions should not contain synchronous file operations
• S7497: Cancellation exceptions should be re-raised after cleanup
• S7499: Async functions should not contain synchronous HTTP client calls
• S7501: Async functions should not contain input() calls
• S7502: Asyncio tasks should be saved to prevent premature garbage collection
• S7503: Async functions should use async features
• S7513: TaskGroup/Nursery should not be used for a single start call
• S7514: Control flow statements should not be used inside TaskGroup or Nursery blocks
• S7515: “async with” should be used for asynchronous resource management

Additionally, we are providing IDE quick-fixes for the following rules:

• S7486: Long sleep durations should use sleep_forever() instead of arbitrary intervals
• S7489: Async functions should not contain synchronous OS calls
• S7491: Checkpoints should be used instead of sleep(0)
• S7501: Async functions should not contain input() calls

Rules for Python comprehensions

Expands SonarQube’s support for Python comprehensions (list, dictionary, and set comprehensions) by providing both basic coverage and unique rules to identify improper usage. Assists engineering teams address performance pitfalls, readability issues, and non-idiomatic usage.

Relevant rules:

• S7492: List comprehensions should not be used with “any()” or “all()”
• S7494: Comprehensions should be used instead of constructors around generator expressions
• S7496: Creation of collections with literals or comprehensions should not be wrapped in type constructors
• S7498: Literal syntax should be preferred when creating empty collections or dictionaries with keyword arguments
• S7500: Comprehensions only used to copy should be replaced with the respective constructor calls
• S7504: When iterating over an iterable object, using “list()” should be avoided
• S7505: Generators and comprehensions should be preferred over the usage of “map” and “lambda” when creating collection
• S7506: Dictionary comprehension should not use a static key
• S7507: “defaultdict” should not be initialized with “default_factory” as a keyword argument
• S7508: Redundant collection functions should be avoided
• S7510: The “sorted” function call should not be passed to the “reversed” function as an argument
• S7511: Passing a reversed iterable to “set()”, “sorted()”, or “reversed()” should be avoided
• S7512: Using “.items()” to iterate over a dictionary should be avoided if possible.
• S7516: “sorted” should not be wrapped directly inside “set”
• S7517: Iteration over a dictionary key value pairs should be done with the items() method call
• S7519: Populating a dictionary with a constant value should be done with dict.fromkeys() method call

Additionally, we are providing IDE quick-fixes for the following rules:

• S7498: Literal syntax should be preferred when creating empty collections or dictionaries with keyword arguments
• S7500: Comprehensions only used to copy should be replaced with the respective constructor calls
• S7504: When iterating over an iterable object, using “list()” should be avoided
• S7508: Redundant collection functions should be avoided
• S7517: Iteration over a dictionary key value pairs should be done with the items() method call

Improved Issue Suppression for Python

Individual rules can be suppressed in Python using the rule key with # NOSONAR (eg #NOSONAR(S5655)). Additionally, the rules below can be enabled to track usage of # NOSONAR and # noqa:

• S1291: Track uses of "NOSONAR" comments
• S1309: Track uses of noqa comments

You can detect correct usage of # NOSONAR & # noqa with rule:

•  S7632: Issue suppression comment should have the correct format

Support for Dart 3.8

Provides support for Dart 3.8 in SonarQube, ensuring that existing rules are applied, and new constructs are handled appropriately without parsing errors.

Support for Java 23 with new rules

Adds Java 23-specific rules to help developers properly use new Java 23 features.

Relevant rules:

• S125: Sections of code should not be commented out
• S1123: Deprecated elements should have both the annotation and the Javadoc tag
• S7474: Markdown, HTML and Javadoc tags should be consistent
• S7476: Comments should start with the appropriate number of slashes

Error free Parsing for Java 24 

Ensures that the Java analyzer successfully parses Java 24 source files without errors and correctly handles new Java 24 features. Adds Java 24-specific rules and updates existing rules to ensure they properly use new language constructs in Java 24.

Relevant rules:

• S6906: Virtual threads should not run tasks that include synchronized code
• S2093: Try-with-resources should be used
• S7478: "transformClass" method should be used instead of "build" when transforming a class
• S7477: Class name should be omitted when unchanged by class transform
• S7479: "ClassBuilder.withMethodBody" should be preferred to "ClassBuilder.withMethod"
• S7482: Don't provide an initializer for a stateless stream gatherer
• S7629: When a defaultFinisher is passed to a Gatherer factory, use the overload that does not take a finisher
• S7481: Gatherer.ofSequential() should be used to build sequential gathers

Helping developers write performant Java code 

Addresses performance issues in Java code by identifying potential performance bottlenecks, providing clear explanations, and offering automated quick-fixes.

Related rules:

• S4030: Collection contents should be used
• S3063: "StringBuilder" data should be used
• S3024: Arguments to "append" should not be concatenated
• S3033: ".isEmpty" should be used to test for the emptiness of StringBuffers/Builders

Making advanced Java rules smarter

A more advanced Dataflow Bug Detection (DBD) engine replaces Symbolic Execution engine for Java rules S2259 (Null pointers should not be dereferenced) and S3518 (Zero should not be a possible denominator). 

Security

Secrets Detection

SonarQube’s secrets detection now covers over 400 distinct secret patterns, powered by 346 rules. This update includes 89 newly added rules, currently in BETA, designed to enhance your security coverage even further. All the new rules are active by default. 

Related topics:

• Detects passwords and secrets by default in Kotlin. 
• Detects passwords and secrets in YAML and JSON files. This feature can be enabled by an opt-in parameter sonar.yaml.activate = true  and sonar.json.activate = true.

Related rule:

• S6418 - Hard-coded secrets are security-sensitive

Taint Analysis for JavaScript/TypeScript 

Next-generation taint analysis engine for JavaScript/TypeScript projects provides more accurate and actionable security findings. As an administrator, you can enable Use new JS/TS Taint Analysis engine under Administration > Configuration > General Settings > SAST Engine.

Taint Analysis for Go

Provides taint analysis for the Go programming language. It tracks untrusted user input with data flow analysis across functions and files to find injection vulnerabilities and other security weaknesses.

Taint Analysis for VB.NET

Provides full Static Application Security Testing (SAST) capabilities, including taint analysis, for the VB.NET programming language. 

SonarQube Advanced Security

Automatic detection of new dependency risks without reanalysis

Automatically detects newly discovered vulnerabilities in project dependencies on permanent branches (including the main branch) without a need to re-analyze the project. Available as part of SonarQube Advanced Security license for Enterprise Edition and higher.

SCA for PHP

Introduces Software Composition Analysis (SCA) support for PHP projects that use Packagist and Composer for dependency management. The feature analyzes PHP code to identify and manage public vulnerabilities and licenses in third-party dependencies. Also, it generates entries in a Software Bill of Materials (SBOM). Available as part of SonarQube Advanced Security license for Enterprise Edition and higher.

Machine-readable SCA report

Provides a machine-readable report of dependency risks for projects, applications, and portfolios, available in both JSON and CSV formats. The report includes details such as project, dependency chain, risk title, CVE/CWE IDs, severity, discovery date, status, and remediation information. Available as part of SonarQube Advanced Security license for Enterprise Edition and higher.

Customizable risk severity for SCA

Allows for customization of the severity level of dependency risks in SonarQube thus enabling you to adjust how a risk affects a particular software quality. Available as part of SonarQube Advanced Security license for Enterprise Edition and higher.

Risk rating for SCA

Introduces ABCDE risk ratings for Software Composition Analysis (SCA), specifically for overall dependency risk, security dependency risk (vulnerabilities), and maintainability dependency risk (disallowed licenses). These ratings are displayed on projects, and applications overview screens. Available as part of SonarQube Advanced Security license for Enterprise Edition and higher.

Reporting

Improvements to security report PDFs at a project level

Allows for customization and download of security report PDFs at a project level. Customize a report to conform with specific security standards, such as: OWASP Top 10, CWE Top 25, STIG, CASA, and others. Available for Enterprise Edition and higher.

Improvements to regulatory reports

Improvements to the regulatory reports include a new download option on the project’s Overview page, an addition of a Distribution of issues based on insights in the PDF report and Maintainability issues (in Multi-Quality Rule Mode), and Code Smells (in Standard Experience) in the CSV file, along with other general improvements.

SonarQube Server Platform

The Data Center Edition now supports installation on Kubernetes clusters using Istio. This integration provides capabilities for observing and managing communication between SonarQube Server nodes.

SonarQube for IDE

MISRA early access rules available in the IDE

Early-access MISRA C++2023 rules are available directly within the SonarQube for IDE (VSCode, Visual Studio, IntelliJ/CLion). MISRA C++2023 issues appear in their C++ files and can be fixed locally. Rule descriptions are also available directly within SonarQube for IDE.

Software Composition Analysis (SCA) in the IDE

Software Composition Analysis (SCA) results will be visible to developers in their IDE for Visual Studio, IntelliJ, and VSCode with the upcoming SonarQube for IDE releases. Available as part of SonarQube Advanced Security license for Enterprise Edition and higher

General Availability of SonarQube Advanced Security 

Advanced Security, now generally available as an add-on pack starting in Enterprise edition, extends the core security capability by adding support for open source code. New capabilities include:

• Enhanced visibility of security and licensing risks on each dependency version in pull requests and overall code.
• Configurable Quality Gates can include dependency risk scores, preventing code with high-risk dependencies from entering production.
• Configurable company’s license compliance policy allows organizations to define and enforce custom license compliance policies within SonarQube.
• The project overview screen now displays dependency risk counts, providing developers with immediate insights into the health of their project dependencies.
• Discovery and analysis of dependency risks across multiple applications and portfolios.
• Enhanced API access for SCA results and Software Bill of Materials (SBOMs) for seamless integration with other tools and custom reporting.
• Broad and growing language coverage for SCA, starting with Java, C#, Python, JavaScript, TypeScript, Go, Rust, and Ruby, ensures that developers can quickly analyze third-party dependencies for vulnerabilities and licensing issues.

Core security enhancements

Static Application Security Testing (SAST) for Kotlin

The addition of SAST for Kotlin, including taint analysis, extends security checks to Kotlin-based projects. 

Continued additions to secrets detection

Ongoing enhancements to secrets detection ensure SonarQube keeps pace with evolving cloud application security needs and brings our coverage to over 300 patterns. Additionally, SonarQube can detect secret leaks in files located within directories or hidden files that begin with a dot.

AI capabilities

Leverage AI CodeFix directly in the IDE

Integrating AI CodeFix into SonarQube for IntelliJ and SonarQube for VS Code provides developers with real-time code remediation suggestions. Available in the Enterprise edition and above.

Autodetection of AI code

Autodetection of AI code for Copilot-generated code is not limited anymore to GitHub projects. Available in the Enterprise edition and above.

Compliance capabilities

More MISRA:C++2023 rules

Continued expansion of MISRA:C++2023 rule coverage as part of our MISRA Compliance Early Access enhances compliance checks for safety-critical systems. Available in the Enterprise edition and above.

New security reports for CWE and OWASP Mobile

SonarQube now provides security reports aligned with the latest CWE Top 25 for 2024 and OWASP Mobile Top 10 for 2024 standards. Available in the Enterprise edition and above.

Default Quality Gate

As a Quality Gate administrator you can now set a default Quality Gates that is not compliant with Clean as You Code. See Changing the default quality gate for more details.

Languages

Introducing support for Rust
Initial support Rust offers:

• 85 rules
• Code Coverage import (LCOV and Cobertura formats)
• Cognitive Complexity metric
• Cyclomatic Complexity metric
• Import of Clippy output as external rules (JSON format)

Support for Java 22 and 23
SonarQube now supports Java versions 22, ensuring developers can analyze their code with confidence when using the latest Java versions. New Java 22 rules:

• S7466: Unnamed variable declarations should use the var identifier
• S7467: Unused exception parameter should use the unnamed variable pattern
• S7475: Types of unused record components should be removed from pattern matching

Support for PySpark
Support for PySpark, a popular Python API to leverage Apache Spark, adds the help data engineers need to identify and address potential issues in their large-scale data processing workflows. New PySpark rules:

• S7193: PySpark DataFrame toPandas function should be avoided
• S7468: PySpark dropDuplicates subset argument should not be provided with an empty list
• S7469: PySpark's DataFrame column names should be unique
• S7470: PySpark's RDD.groupByKey, when used in conjunction with RDD.mapValues with a commutative and associative operation, should be replaced by RDD.reduceByKey
• S7471: master and appName should be set when constructing PySpark SparkContext and SparkSession

New rules for mobile security

Following are the new mobile security rules that cover the OWASP Mobile top 10 for 2024 security standards:

Kotlin

• S5344 - Passwords should not be stored in plaintext or with a fast hashing algorithm. This rule covers the M2 category of the OWASP Mobile Top 10 for 2024.
• S6474 - Using remote artifacts without authenticity and integrity checks is security-sensitive. This rule covers M2 from the OWASP Mobile Top 10 for 2024.
• S7204 - Obfuscation should be enabled for release builds. This rule covers the M7 and M8 category of the OWASP Mobile Top 10 for 2024.
• S7409 - Exposing Java interfaces in WebViews is security-sensitive. This rule covers the M8 category of the OWASP Mobile Top 10 for 2024.
• S7410 - Keyboard cache should be disabled for password inputs. This rule covers the M2 category of the OWASP Mobile Top 10 for 2024.
• S7416 -  Android production release targets should not be debuggable. This rule covers the M7 category of the OWASP Mobile Top 10 for 2024.
• S7435 - Processing persistent unique identifiers is security-sensitive.This rule covers the M6 category of the OWASP Mobile Top 10 for 2024.

Java

• S7409 - Exposing Java interfaces in WebViews is security-sensitive. This rule covers M8 of the OWASP Mobile Top 10 2024.
• S7435 - Processing persistent unique identifiers is security-sensitive. This rule covers M6 of the OWASP Mobile Top 10 2024.

Dart

• S5324 - Accessing Android external storage is security-sensitive. This rule covers M9 of the OWASP Mobile Top 10 for 2024.
• S4830 - Server certificates should be verified during SSL/TLS connections. This rule covers M5 of the OWASP Mobile Top 10 for 2024.
• S4790 - Using weak hashing algorithms is security-sensitive (crypto). This rule covers M10 of the OWASP Mobile Top 10 for 2024.
• S2245 - Using pseudorandom number generators (PRNGs) is security-sensitive. This rule covers M9 of the OWASP Mobile Top 10 for 2024.
• S6362 - Enabling JavaScript support for WebViews is security-sensitive. This rule covers M8 of the OWASP Mobile Top 10 for 2024.
• S7409 - Exposing Java interfaces in WebViews is security-sensitive. This rule covers M4 and M8 of the OWASP Mobile Top 10 for 2024.

XML

• S7207 - Components should be explicitly exported. This rule covers M8 of the OWASP Mobile Top 10 for 2024.

Server operation

IPv6 support

SonarQube Server now supports IPv6 addresses:

• For the ZIP installation: all editions.
• For the Docker installation: Developer Edition and Enterprise Edition.

An additional configuration is required. For setup information, see Enabling IPv6 in ZIP installation or Docker installation. 

System info and server logs improved

Data Center Edition server logs available from the UI

If you have a Data Center Edition, you can now download the server logs for all nodes by using the Administration > System menu on any node. 

Java options in system info more accurate 

The system info now includes Java options information:

• For a Developer or Enterprise Edition: for each process (Web, Compute Engine, or Search) instead of globally.
• For a Data Center Edition: for each node instead of only for application nodes.

AI features

AI CodeFix 

Support of self-hosted LLMs on Azure OpenAI

You can now choose your own Azure OpenAI LLM as the provider for AI CodeFix. See Enabling AI-generated fix suggestions.

Expansion of rules coverage

The AI CodeFix's rule coverage has been extended across multiple programming languages, ultimately improving code quality and developer productivity with relative ease.

The following rules have been updated to support AI CodeFix:

• C#: S3241
• C++:  S125, S995, S5416, S5350, S1238, S1905, S3490, S3659, S1155, S3229, S959, S2259, S6229, S905, S3923, S1768, S1751
• JavaScript / TypeScript: S878, S1874, S125, S3358, S905, S1854, S1481, S6644
• Python: S112, S5754, S1186, S1940, S1854, S6660, S1515, S1110, S5795

New SONAR_AI_CODEFIX_HIDDEN environment variable

You can now use the SONAR_AI_CODEFIX_HIDDEN environment variable to disable AI CodeFix in SonarQube Server in addition to the sonar.ai.codefix.hidden property.

Analyzers, scanners, languages

New Design and Architecture feature

Through its new Design & Architecture feature, SonarQube Server can now verify the architecture and design of Java source code by:

• Verifying the code structure against architecture and design patterns.
• Applying cycle detection to detect circular dependencies in your code.

The verification process is as follows:

• You specify in a configuration file your architecture model including architectural constraints. 
• SonarQube Server compares your code with your model based on architecture rules. It raises issues when it identifies divergences and when it detects circular dependencies. 

For more information, see Design and Architecture.

CFamily analysis

New C++ rule

The following C++ rule has been added:

• S7172: Named methods should be used to avoid confusion between testing an optional or an expected and testing the wrapped value

New Misra C++ 2023 rules in Early Access

New Misra C++ 2023 rules are supported from the Enterprise Edition in Early Access.

To enable the new rules in your SonarQube Server instance, go to Administration > General Settings > Early Access Features.

Note: To disable the Early Access warning, see Disabling the Misra 2023 C++ Early Access warning.

Go analysis

Go 1.23 now supported

SonarQube Server now supports the analysis of Go 1.23 code.

New foundational Go security rules

The following foundational Go security rules have been added:

Vulnerability issues:

• S4423: Weak SSL/TLS protocols should not be used
• S3330: Creating cookies without the “HttpOnly” flag is security-sensitive
• S2092: Creating cookies without the “secure” flag is security-sensitive
• S4507: Delivering code in production with debug features activated is security-sensitive
• S2068: Hard-coded credentials are security-sensitive
• S2612: Setting loose POSIX file permissions is security-sensitive
• S1313: Using hardcoded IP addresses is security-sensitive
• S2245: Using pseudorandom number generators (PRNGs) is security-sensitive
• S4790: Using weak hashing algorithms is security-sensitive
• S6437: Credentials should not be hard-coded
• S5547: Cipher algorithms should be robust
• S3329: Cipher Block Chaining IVs should be unpredictable
• S5542: Encryption algorithms should be used with secure mode and padding scheme
• S5445: Insecure temporary file creation methods should not be used
• S5344: Passwords should not be stored in plaintext or with a fast hashing algorithm
• S4830: Server certificates should be verified during SSL/TLS connections
• S5527: Server hostnames should be verified during SSL/TLS connections
• S4426: Cryptographic keys should be robust
• S2053: Password hashing functions should use an unpredictable salt

Security hotpots:

• S6418: Hard-coded secrets are security-sensitive
• S5443: Using publicly writable directories is security-sensitive
• S5332: Using clear-text protocols is security-sensitive
• S4036: Searching OS commands in PATH is security-sensitive
• S2077: Formatting SQL queries is security-sensitive

Java analysis

The following Spring Java rules have been added:

• S7177: Use appropriate @DirtiesContext modes
• S7178: Injecting data into static fields is not supported by Spring
• S7179: @Cacheable and @CachePut should not be combined
• S7180: "@Cache*" annotations should only be applied on concrete classes
• S7183: @InitBinder methods should have void return type
• S7184: "@Scheduled" annotation should only be applied to no-arg methods
• S7185: @eventlistener methods should have one parameter at most
• S7186: Methods returning "Page" or "Slice" must take "Pageable" as an input parameter
• S7190: Methods annotated with "@BeforeTransaction" or "@AfterTransaction" must respect the contract

The following Spring Java rules have been improved:

• S6856: "@PathVariable" annotation should be present if a path variable is used
  This rule will now raise an issue if a method has a path template with a placeholder, but no corresponding @PathVariable, or vice-versa.
• S6809: Methods with Spring proxy should not be called via "this"
  This rule will now also check for methods annotated with Spring's @Cacheable annotation.

Kotlin analysis

Over 80 rules have been rebuilt to support Kotlin 2.0 and the new K2 compiler. As a result, Kotlin analysis is now 50% faster than before this release. Kotlin developers can now not only use Sonar to analyze Kotlin 2.0 and newer, but it also performs better than before.

.NET analysis

Upload of test-related metrics at file level

Projects based on .NET now show test-related metrics at the file level. The SonarScanner for .NET will calculate and pass to the server the per-file metrics of:

• Number of Unit Tests
• Errors in Unit Tests
• Failed Unit Tests
• Skipped Unit Tests
• Duration of Unit Tests

The SonarScanner for .NET will only support the following test reports:

• NUnit
• XUnit
• Visual Studio

.NET rules improved

A secondary location message has been added to the .NET rules.

PHP analysis

The elsif keyword is now taken into account in the Cyclomatic Complexity calculation.

Python analysis

The following rules are now available to allow you to check performance, maintainability and correctness in your PySpark code in Python and Jupyter Notebook files with SonarQube Server:

• S7181: PySpark Window functions should always specify a frame
• S7182: The “subset” argument should be provided when using PySpark DataFrame “dropDuplicates” method
• S7187: PySpark Pandas DataFrame columns should not use a reserved name
• S7189: PySpark DataFrames used multiple times should be cached or persisted
• S7191: PySpark withColumns should be preferred over withColumn when multiple columns are specified
• S7192: The “how” parameter should be specified when joining two PySpark DataFrames
• S7195: PySpark lit(None) should be used when populating empty columns
• S7196: Complex logic provided to PySpark “withColumn”, “filter” and “when” methods should be refactored into separate expressions

README for local project installation improved

Information about building locally has been added to the README.

New rules to cover OWASP Mobile Top 10

By now providing at least one rule for each of the OWASP Mobile Top 10 categories, with the exception of M4: Insufficient Input/Output Validation, Sonar offers a solution that enables Android developers to assess their applications against the OWASP Mobile Top 10, ensuring they meet industry standards for security.

Issue retrieval and fixing

Issue filters now more compact

The vertical padding of the issue filter conditions has been reduced.

Web API

Deprecated POST and PATCH parameters now logged into the deprecated log file

Whenever a V2 deprecated POST or PATCH parameter is used, a deprecation message is logged into the deprecated log file indicating what is or will be deprecated and from when.

Server operation

Java 21 supported for running SonarQube Server

SonarQube Server can now run in a Java 21 environment. 

DevOps platform integration

Improvement to BitBucket server onboarding

To improve the import of BitBucket repositories, you can now browse and easily import all the projects from the onboarding page, without any limitation of number.

AI features

Automatic detection of AI-generated code from GitHub Copilot

Knowing if your project contains AI-generated code helps raise awareness of code ownership and code security. To help build this awareness, SonarQube Server can autodetect AI-generated code in projects on GitHub using GitHub Copilot. You can then protect these projects using the AI code assurance features. See the Autodetecting AI code page for more information.

Analyzers, scanners, languages

Faster analysis bootstrap

To improve analysis efficiency, we’ve shortened the time it takes to load the active rules in your quality profile.

PHP analysis

PHP analysis now supports asymmetric property visibility (PHP 8.4).

T-SQL analysis

T-SQL analysis supports the STIG security standard and more language constructs.

VB analysis

VB analysis has 2 new rules.

None in this release.

2025.3

AI CodeFix

AI CodeFix is no longer available in the Developer edition and is still available in the Enterprise and Data Center editions. As an instance administrator, you can enable AI-generated fix suggestions in the administration section. See AI-generated fix suggestions for more details.

Security rules for Go in IDEs

To use Go security rules in your VSCode or IntelliJ IDEs, you will need to upgrade to the latest version of SonarQube for IDE. Available in the Enterprise edition and above.

2025.2

None in this release.

2025.1

Update in PostgreSQL support

PostgreSQL version 11 is no longer supported. Supported versions are now from 13 to 17.

SAML configuration update required

When configuring SAML on your SonarQube Server instance with assertion encryption, the response signature must be enforced. You might need to update your SAML configuration:

• If you use SAML with Microsoft Entra, make sure you sign the response by selecting Sign SAML response or Sign SAML response and assertion as the sign-in response. See Step 2 > If you use encryption, enforce response signature in Setup of security features.
• If you use SAML with PingID, make sure you sign the response by selecting Sign Response or Sign Assertion & Response as the sign-in response. See Step 2 > To enable the encryption of SAML assertions in Setup of security features.

In addition, the assertion decryption now requires that you also store the public key certificate in SonarQube Server (not only the private key). Make sure the certificate is stored in SonarQube as follows:

1. In SonarQube Server, go to Administration > Configuration > General Settings > Authentication > SAML.
2. In SAML Configuration > SAML, select Edit. The Edit SAML configuration dialog opens.
3. In Service provider certificate, enter the certificate.

Server base URL setup now mandatory for SAML authentication

Your SAML authentication setup will not work if the SonarQube Server base URL is not set in SonarQube Server. See Configuring the SonarQube Server base URL.

If migrating from 10.7: AI Code Assurance lost on projects

In SonarQube Server 10.7, the Sonar way quality gate was enforced on projects marked as containing AI Code. If you're migrating from this version, these projects will loose AI Code Assurance. To resolve this, you must apply a quality gate qualified for AI Code Assurance to these projects. To do so, you can use the Sonar way for AI Code quality gate or a custom quality gate you have qualified for AI Code Assurance. See Assuring your AI Code.

None in this release.

2025.3

Secrets

The inputString field for heuristic and statistical post filters has been discontinued. Previously, this field was used to apply post filters to the named capturing group specified within it. The functionality has been extended to allow applying post filters directly to named capturing groups. See Secrets for more details.

Mercurial SCM is not supported

The Community plugin for Mercurial SCM is no longer compatible with SonarQube Server.

Sonar Plugin API

The following deprecated classes have been removed: MutableModuleSettings and MutableProjectSettings.

2025.2

Removed ProfileExporter and ProfileImporter extension points

Removed two extension points in the plugin-api ProfileExporter and ProfileImporter. The following APIs have been deprecated:

• GET /api/qualityprofiles/export API endpoint. You can now use GET /api/qualityprofiles/backup instead. 
• GET /api/qualityprofiles/exporters
• GET /api/qualityprofiles/importers

See Web API for more information.

2025.1

Property encryption on scanner side deprecated

Property encryption on the scanner side is now deprecated. 

sonar.password property removed

The sonar.password scanner property that was deprecated in SonarQube Server 9.8 has now been removed. 

BCrypt password hashing method removed

The BCrypt hash method used for passwords was deprecated in SonarQube Server 8.9. It has now been removed. As a result, the passwords of users who have not logged in since SonarQube 8.9 are deactivated and an admin must reset them if these users need to log in again.

Some complexity metrics removed

The following complexity metrics, which were deprecated in SonarQube Server 6.7, have now been removed: 

• file_complexity
• complexity_in_classes
• class_complexity
• complexity_in_functions
• function_complexity
• function_complexity_distribution
• file_complexity_distribution