What’s on the SonarQube radar?

Last updated May 2019.
If you’ve got questions, join in the discussion on our community.

We created this roadmap page to share planned additions to SonarQube and some insights into what lies ahead. We’re giving you a high-level view here and by no means does it represent all our plans. Additionally, features listed here should not be considered as committed. Rather, this is a snapshot of the main topics on our mind @ SonarSource - some closer to delivery than others.

As always, our Community Forum is the best place to get in touch if you need more insights!

The Next LTS (Long Term Support) Version

SonarQube v7.9 is the next LTS version with a planned release in early July.

What is an LTS version and why would I want it? In its purest form, the LTS is about a couple of things. Foremost, our main goal is a robust, stable release that can serve the needs of organizations for at least a year (not everyone can upgrade bi-monthly, and we understand that). So, we’re putting in the hard work and effort to make sure your migration from 6.7.x (already dating back to 2017) to 7.9 will be efficient and reliable. Our Community forum is a rich source of additional information (see for example insights into our LTS Model).

Here are a few things left for us to harden before we can issue a stable LTS:

  • New Email Notification Engine - we’ll fix some shortcomings around reducing the number of messages generated to lessen noise and server load. Also we're building in some role-specific profiles so message content and frequency are more appropriate.
  • Java 11 Underpinnings - Oracle Java 11 is the next LTS and will be supported until at least Sept. 2021 so it makes a sensible platform and we’ll end support for Java 8 in upcoming SonarQube 8.x versions.

And it’s only fair to mention some of the key deliveries since the 6.7 LTS.

Community Edition:

  • Now natively supporting Go, Kotlin, Scala, Ruby and CSS
  • Security Hotspot analysis to help developers understand which code can be security-sensitive, and make sure no vulnerability is hiding there
  • Project organization based on file structure (module concept dropped)
  • Support for importing analysis reports from a few standard and open 3rd-party linters

Commercial Edition Features:

  • Pull request analysis and decoration in your favorite ALMs*
  • Finding injection flaws in Java, C# and PHP
  • Live updating for projects, portfolios and applications

*GitHub Enterprise, Azure DevOps Server and BitBucket Server decoration

That’s not an exhaustive list and when the LTS release comes out, we’ll publish a more comprehensive list of all the feature additions that this v7.9 LTS offers in comparison to the previous v6.7 LTS (released at the end of 2017).

Application Security

In 2018, we rolled out injection flaw detection related to the OWASP top 10 categories. We focused on user inputs in applications where the data isn’t sanitized prior to sensitive actions such as construction of SQL requests, directory paths, command lines, etc. With this new vulnerability detection capability, SonarQube evolved into a fully fledged SAST (Static Application Security Testing) solution, fully covering Java, C# and PHP.

In addition, we added Security Hotspot detection last year. Not all vulnerabilities are cut and dried. To help you find those elusive bad actors we added Security Hotspot detection. By highlighting security sensitive code, we save you from combing through thousands of lines of code looking for the bad actors.

In 2019 we’re building on these successes with improvements in many security areas. Our efforts will concentrate on the following:

  • Improving the security UI/UX to better align with the different roles (e.g., project manager vs. developer) and their use cases (e.g., reporting vs. actionable links)
  • Providing the best Code Review features to help developers catch and correct vulnerabilities earlier in the development cycle
  • Expanding the supported languages for Injection Flaw and Security Hotspot detection
  • A robust engine for fast, accurate analysis
  • Fewer false positives and less noise
  • Tunable configurations that allow you to tailor the performance to fit your organization
  • Expanding the security auditor workspace in the SonarQube UI to give added insights

Building applications with Quality Code should be the domain of the developer as they are in the best position to quickly identify and resolve code issues. This same concept is true for eliminating vulnerabilities. Developers that become familiar with identifying and resolving security issues can directly and efficiently contribute to lowering the vulnerability of an application. Imagine highlighting Security Hotspots directly in a PR, where they can be reviewed and true vulnerabilities resolved so they never make it into the master!

Continuous Language Updates

The SonarSource Language Team is continuously advancing its in-house bug and vulnerability detection engines. Across all our programming languages, you can expect recurring additions of new static analysis rules and even new languages based on interest and relevance! Make sure to check out to get the full picture and see all the rules that pertain to your language(s)!

We appreciate your interest in SonarQube! If you have any questions or comments, please reach out on our Community Forum!