Release notes

New layout and navigation for SonarQube Server

The SonarQube Server UI has a refreshed layout and navigation. The horizontal top menu has been replaced with an intuitive vertical sidebar, introducing a new context switcher that allows users to instantly jump between enterprises, organizations, portfolios, and projects without losing their place.

In-code issue resolution (sonar-resolve)

New in-code annotations let you resolve specific issues by rule, with a mandatory comment and status (accepted or false positive), so deviations stay visible in SonarQube’s UI and auditable rather than being blindly suppressed. This structured alternative to NOSONAR helps teams comply with standards such as MISRA C++:2023 and reduces the risk of accidentally hiding critical issues on the same line. See Editing issues for more information.

Key Capabilities:

• Set resolution status (accept or fp for false-positive) directly in the code.

• Administrative control via global and project-level settings.

Supported languages: C, C++, Objective-C

AI CodeFix enhancements

Improvements to AI CodeFix configuration to make it model-agnostic, enabling better flexibility in AI-powered code fix suggestions. This feature is available in Enterprise edition and higher. See AI CodeFix for more information.

License management improvements

SonarQube Server now automatically refreshes SonarQube license every 12 hours for instances using online activation, ensuring immediate access to new features and LOC limit updates without manual intervention. See Online license management for details.

Advanced Security

Available as part of SonarQube Advanced Security license for Enterprise edition and higher. See Advanced Security for more information. See Introduction to Advanced Security for more information.

Dependency risks in security reports

Sonar security reports now include a Dependency risk column. This weaves Software Composition Analysis (SCA) data directly into application and portfolio-level reports in both the SonarQube Server UI and exported PDFs. See Security reports for details.

Risk report and SBOM in regulatory reports

Project regulatory reports now include both a risk report and a software bill of materials SBOM that you can download from your projects. See Regulatory reports for details.

ASAST Configurations for the Python Top 1K

We are expanding Advanced Static Application Security Testing (ASAST) support with the top 1,000 most utilized libraries in the Python ecosystem.

Languages

Apex code quality rules

SonarQube Server 2026.2 expands Apex support with 23 new code quality rules, providing enhanced coverage for Salesforce developers. Apex support is available in Enterprise edition and higher. See Apex for more information.

• S1213: The members of an interface or class declaration should appear in a pre-defined order

• S1659: Multiple variables should not be declared on the same line

• S7951: Database SaveResult objects should be checked for errors

• S7965: Future methods should not accept sObjects or custom objects as parameters

• S7972: Apex cursor fetch should use small chunk sizes to avoid governor limits

• S7994: AuraEnabled methods should be static when they don't require instance state

• S7999: Email operations should include proper error handling

• S8000: Test classes should create required test data within the test

• S8001: SOQL LIKE clauses should not use leading wildcards

• S8008: Encryption keys should not be hardcoded

• S8020: Server actions that retrieve data should be marked as cacheable

• S8028: Future methods should not be called from batch or queueable contexts

• S8032: Database.Stateful should only be used when state retention is needed

• S8035: Change Data Capture event objects should follow the correct naming convention

• S8041: Apex callouts should implement retry logic for reliability

• S8044: FormulaEval.FormulaBuilder should be properly configured with null checks, type safety, and return type

• S8125: Field-level permissions should be checked before accessing fields

• S8130: Retired Salesforce API versions should not be used

• S8451: Schema describe operations should not be called inside loops

• S8452: Classes should override both equals and hashCode or neither

• S8453: Test assertions should include descriptive messages

• S8455: SObject describe calls should use deferred loading

• S8456: Annotations should use PascalCase naming convention

Improved Go analyzer performance

Go analyzer is now 30 times faster. New rules include the same rules as listed for Apex above.

Java 25 support

SonarQube 2026.2 introduces error-free parsing and deep semantic analysis for Java 25 LTS, the first long-term support release since JDK 21. We've added critical rules targeting new features like Scoped Values (JEP 506), Flexible Constructor Bodies (JEP 513), and Module Imports (JEP 511). Crucially, these rules are designed to catch syntactically valid but semantically broken code generated by AI assistants trained on outdated preview APIs. See Java for more information.

Examples of new rules:

• S1128: Redundant imports should be removed

• S3051: Main methods should be used only as program entry point

• S8432: "ScopedValue.where" results should not be ignored

• S8433: Constructors should not perform complex work before the call to super() when there is no explicit constructor call

• S8433: Validation logic should be placed in constructor prologue when possible

• S8444: Validation and data preparation logic before super() should not bloat constructor

• S8445: Group import declarations by specificity

• S8446: Only one "main" method should be present

• S8447: Initialize subclass fields before super() when superclass constructor may call overridable methods

• S8450: Use IO.readln() for console input instead of BufferedReader boilerplate

• S8465: "ScopedValue" instances should be assigned to a stable reference

• S8469: Use IO.readln(String prompt) instead of IO.print followed by IO.readln()

JavaScript / TypeScript security rules

Six new security rules have been added for JavaScript / TypeScript. See JavaScript/TypeScript/CSS

• S5335: Imports should not be vulnerable to injection attacks

• S6547: Environment variables should not be defined from untrusted input

• S5496: Server-side templates should not be vulnerable to injection attacks

• S6641: Connection strings should not be vulnerable to injection attacks

• S6549: Accessing files should not lead to filesystem oracle attacks

• S7518: Privileged prompts should not be vulnerable to injection attacks

Kotlin 2.3.10 support

Upgraded the Kotlin analyzer for version 2.3.10 support.

Python

Python Django framework rules

New rules specifically targeting Django best practices and common pitfalls for web developers. See Python for more information.

Rules added:

• S8437: Class-Based Views should override "get_context_data" correctly

• S8438: Django view functions should declare URL parameters explicitly

• S8439: Django view functions should include all URL parameters in their signature

• S8440: Querysets should use "select_related()" or "prefetch_related()" to avoid N+1 queries

• S8443: Django Command classes should inherit from BaseCommand

• S8486: Django middleware should call super().init() with appropriate parameters

Python Flask rules

Flask services get dedicated rules to harden configuration, routing, and error handling, focusing on security and correctness of HTTP behavior. See Python for more information.

Related rules:

• S6863: Flask error handlers should set HTTP status code

• S6965: Flask REST API actions should be annotated with an HTTP verb attribute

• S8370: Query parameters should not be used to carry body data in POST requests

• S8371: HTTP headers should be accessed safely to avoid KeyError

• S8374: Flask class-based view decorators should be applied using the decorators attribute

• S8375: Flask preprocess_request() return values should be handled

• S8385: send_file should specify mimetype or download_filename

• S8388: Flask applications should not bind to all network interfaces

Python FastAPI rules

FastAPI projects now get framework‑aware rules around routing, Pydantic models, dependencies, and documentation, aimed at catching typical FastAPI mistakes early. See Python for more information.

Related rules:

• S8389: File upload endpoints should use Form() with Pydantic

• S8392: FastAPI applications should not bind to all network interfaces

• S8396: Optional Pydantic fields should have explicit default values

• S8397: FastAPI applications should be passed as import strings when using reload

• S8400: Endpoints returning 204 should have an empty body

• S8401: Child routers should be included before parent router registration

• S8405: TestClient requests should use the content parameter

• S8409: Endpoints should not specify redundant response_model parameters

• S8410: Dependencies should use Annotated type hints

• S8411: Path parameters should be included in route function signatures

• S8412: Generic route decorators should not be used

• S8413: Router prefixes should be defined during APIRouter initialization

• S8414: CORSMiddleware should be added last in the middleware chain

• S8415: HTTPException responses should be documented in endpoint metadata

Groovy language support (beta)

Initial support for Groovy language with 30+ code quality rules, enabling analysis of Groovy-based build files and scripts. See Groovy for more information.

Related rules:

• S8289: File operations should specify charset encoding

• S8298: "@TimedInterrupt" should not be used on static methods

• S8299: AST transformation classes should be annotated with "@CompileStatic"

• S8322: Simple "@Grab" annotations should use shorthand notation

• S8268: Thread.sleep() should not be used in loops for busy waiting

• S8287: Test methods should contain assertions

• S8323: Property names should use camelCase

• S8314: Static imports should appear before regular imports

• S8309: Use appropriate sorting methods to avoid mutation confusion

• S8285: Method names should follow camelCase naming conventions

• S8269: "wait()" calls should be inside "while" loops

• S8315: Empty strings should not be used for type conversion

• S8308: Elvis operator should be used for null-safe operations and ternary simplification

• S8304: Duplicate import statements should be removed

• S8275: Null checks should use correct logical operators

• S8320: GString expressions should not be used as map keys

• S8326: Range methods should be used appropriately

• S8311: Method names should not use reserved keywords

• S8272: Classes with a "clone()" method should implement "Cloneable"

• S8303: Star imports should be replaced with explicit imports

• S8307: Semicolons should be omitted in Groovy

• S8306: Control structures should use braces

Ruby (beta)

There are eight ruby rules in beta and two that have been removed. See Ruby for more information.

New beta rules:

• S8418: Unused method and block parameters should be removed or prefixed with underscore

• S8419: Function parameters should not be immediately reassigned

• S8421: Underscore-prefixed variables should not be used

• S8422: Trailing underscores in multiple assignment should be removed

• S8423: Parameter default values should not reference themselves

• S8424: Constants should not be reassigned

• S8425: Constants should be explicitly scoped to avoid ambiguous resolution

• S8426: Variables should not be assigned only to be implicitly returned

Removed rules

• S1854: Unused assignments should be removed

• S7819: Variables and methods should be accessible in their usage context

AI and mobile compliance reporting

Extends our regulatory coverage to include critical AI and Mobile security standards such as OWASP Top 10 for LLM and OWASP MASVS for project security reports. This feature is available in the Enterprise edition and above. See Security-related rules for more information.

Feedback mechanism for self-hosted LLMs

Improves the success rate of generating valid AI CodeFix suggestions from self‑hosted LLMs.

JFrog Evidence Collection with SonarQube Server

This integration provides a single, verifiable audit trail if you use both SonarQube and JFrog with strict audit trail and compliance requirements. SonarQube analysis results are automatically signed and directly attached to your JFrog packages to create a single, verifiable source of truth. You no longer have to jump between tools to prove your code meets security standards. Everything you need for a rigorous audit is now visible within the JFrog Evidence Collection interface. This feature is available in the Enterprise edition and above. See JFrog Evidence Collection integration for more information.

SonarQube Advanced Security

This feature is available in the Enterprise edition and above.

Malicious package detection

Receive blocker-level alerts if a dependency matches publicly known datasets of known malicious packages. See Advanced Security for more information.

Quality gate fudge factor improved

To avoid overly strict enforcement of small changes, the quality gate ignores coverage and duplication conditions for very small sets of new code. See Changing instance's default quality gate for more information.

Languages

Cobol

Adds support for parsing additional language constructs and includes fixes for crashes and false positives for COBOL. Related rules include:

• S3938: Track uses of forbidden statements

• S1725: Open files should be closed explicitly

• S1574: Data items should be initialized with data of the correct type

• S1289: Unused data item blocks should be removed

IaC

The analysis of Infrastructure as Code (Ansible, Azure Resource Manager, CloudFormation, Docker, Kubernetes, Terraform, Shell, GitHub Actions) has been improved.

Helm templates are now evaluated even if values.yaml is missing.

The following rules have been added:

• S6437: Credentials should not be hard-coded

• S7638: ACTIONS_ALLOW_UNSECURE_COMMANDS should not be used

• S8232: Workflows should not rely on unverified GitHub context values to trust events

• S8233: Write permissions should be defined at the job level

• S8262: Artifacts should not contain secrets

• S8263: GitHub Action invocations should not be vulnerable to parameter injection attacks

• S8264: Read permissions should be defined at the job level

JCL

A new leaveFile API is available for custom rules for JCL language, giving rule authors more control over how files are processed and reported.

.NET 10 and C# 14 support

Empowers .NET teams to adopt the Long Term Support (LTS) release of .NET 10 and C# 14 immediately, ensuring their analysis remains accurate, performant, and free of false positives associated with new language constructs. See VB.NET and C# for more information.

Related rules:

• S1121: Assignments should not be made from within sub-expressions

• S1144: Unused private types or members should be removed

• S2225: "ToString()" method should not return null

• S2292: Trivial properties should be auto-implemented

• S2325: Methods and properties that don't access instance data should be static

• S2583: Conditionally executed code should be reachable

• S2589: Boolean expressions should not be gratuitous

• S2692: "IndexOf" checks should not be for positive numbers

• S2953: Methods named "Dispose" should implement "IDisposable.Dispose"

• S2970: Assertions should be complete

• S3063: "StringBuilder" data should be used

• S3264: Events should be invoked

• S3398: "private" methods called only by inner classes should be moved to those classes

• S3459: Unassigned members should be removed

• S3877: Exceptions should not be thrown from unexpected methods

• S3928: Parameter names used into ArgumentException constructors should match an existing one

• S4545: "DebuggerDisplayAttribute" strings should reference existing members

• S7039: Content Security Policies should be restrictive

PHP

Reduces false positives on several rules and cleans up build and dependency infrastructure for PHP. Related rules:

• S1155: "empty()" should be used to test for emptiness

• S1172: Unused function parameters should be removed

• S2699: Tests should include assertions

• S1068: Unused "private" fields should be removed

Scala

Include fixes to false positives and negatives for Scala on the following rules:

• S1192: String literals should not be duplicated

• S126: "if ... else if" constructs should end with "else" clauses

Secrets

Secrets rules have been improved to reduce the detection of false positives and the following rule have been added:

• S6418: Hard-coded secrets are security-sensitive

• S2068: Hard-coded passwords are security-sensitive

• S7552: SMTP credentials should not be disclosed

• S8350: xAI API keys should not be disclosed

VB6

Fixes parse errors and line count for VB6. Related rules:

• S138: Subs and functions should not have too many lines

• S1151: "Case" clauses should not have too many lines

None in this release.

Java requirements for SonarQube Server runtime

• The SonarQube Server runtime now requires Java Development Kit (JDK). The previous requirement of a Java Runtime Environment (JRE) is no longer sufficient, and a full JDK is required.

• Added Support for Java 25 in addition to Java 21.

• Removed support for Java 17.

See Software requirements for more details.

PostgreSQL support

Support for PostgreSQL versions 14 through 18 is now available, enabling deployments using the most recent PostgreSQL release. PostgreSQL version 13 is not supported anymore. See Installing database for more information.

Kubernetes and Openshift support

• Supported Kubernetes Versions: From 1.32 to 1.35. Support for versions 1.30 and 1.31 has been removed.

• Supported Openshift Versions: From 4.17 to 4.20. Support for versions 4.11 to 4.16 has been removed.

Support for MSSQL server

Supported MSSQL server is now 2022 (MSSQL Server 16.0); 2019 (MSSQL Server 15.0); 2017 (MSSQL Server 14.0). Support for 2016 MSSQL Server 13.0 support has been removed. See Installing database for more information.

SonarQube Server includes Elasticsearch 8.x

SonarQube Server 2026.1 LTA and later includes Elasticsearch 8.x, which requires read and write access to the /tmp directory. This is a requirement from Elasticsearch itself and cannot be disabled. For more information and a solution, see Elasticsearch filesystem requirements.

None in this release.

Java 17 not supported any more

Java version 21 is the minimum version required to run SonarQube Server. See Software requirements for more details.

PostgreSQL in Helm charts removed

The deprecated PostgreSQL dependency in the Helm chart has been removed. If you were relying on this dependency for production, you must take the following steps to upgrade to the new chart: back up their existing database, import the data into a new database, and then update the JDBC URL within the SonarQube chart configuration. See Installing Helm chart for more information.

Kubernetes and Openshift versions removed

• Support for versions 1.30 and 1.31 has been removed.

• Support for versions 4.11 to 4.16 has been removed.

2016 MSSQL Server 13.0 support removed

Support for 2016 MSSQL Server 13.0 support has been removed. See Installing database for more information.

Deprecation of Ingress NGINX

Due to the retirement of the ingress-nginx controller in November 2025 (with best-effort support ceasing in March 2026), the dependency on this chart is now deprecated.

We advise migrating to the Gateway API, which is the modern successor to Ingress. Should you need to continue using Ingress, consult the Kubernetes documentation for a list of suitable alternative controllers. A replacement dependency will be provided in a future release.

Deprecation of Automatic AI Code Detection

Autodetect AI-Generated Code has been deprecated. Sonar will adjust the AI Code Assurance offering to adapt to the industry changes with high AI adoption. A warning callout has been added to the SonarQube UI in global and project settings. See AI Code Assurance for more information.