SonarQube 8.3

Even more Python love, Security Hotspot review on New Code joins built-in Quality Gate and XSS detection in Java & C#

April 30th, 2020

Lots more Python rules to help find vulnerabilities

The Python Analysis Good Vibes continue…

For several releases now, we’ve continued to bring more value to Python analysis and v8.3 is no exception. For some, Python isn’t their first language and it’s easy to make common mistakes. We added new rules that catch these common errors before they reach your code base, covering exception handling, operand type incompatibility and method/function definitions. Python 3.8 is now supported as well.

More Python injection flaw detection rules to prevent malicious activity (Developer, Enterprise and Data Center Editions)

Vulnerabilities related to arbitrary code injection/execution are the second most common issue in Python OSS projects. To counter this, we’ve added detection for injection flaws that reach OS command execution, dynamic code execution (eval/exec) and de-serialization (unpickling) sinks. Additional rules extend taint analysis so that tainted data is followed through keyword arguments and through values stored in dictionaries.
Finding a Python de-serialization injection flaw
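The three sinks named above, as an added example that is not SonarQube’s own code or rule logic: each one is shown in the attacker-reachable form the new rules are meant to flag, next to a hardened form. The `Payload` class, the `EXECUTED` counter, the allow-list in `RestrictedUnpickler` and the sample inputs in `demo()` are all constructed for illustration.

```python
"""Added example (not SonarQube's code): OS command, dynamic code and
unpickling sinks in Python, each beside a hardened form. All inputs are
constructed here; nothing is read from outside the script."""
import ast
import io
import pickle
import subprocess

EXECUTED = {"count": 0}   # incremented only if an unpickled payload runs code


def payload_side_effect():
    """Stands in for attacker code; a real payload would spawn a shell."""
    EXECUTED["count"] += 1
    return "pwned"


class Payload:
    """pickle.loads rebuilds this object by calling payload_side_effect()."""
    def __reduce__(self):
        return (payload_side_effect, ())


# --- 1. De-serialization (unpickling) ----------------------------------------
def load_unsafe(blob: bytes):
    return pickle.loads(blob)   # sink: any global named in the stream is imported and called


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list the globals a stream may reference; everything else is refused."""
    ALLOWED = {("builtins", "set"), ("builtins", "frozenset")}   # assumed: the only globals this app needs

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def load_restricted(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


# --- 2. Dynamic code execution -------------------------------------------------
_ARITH_NODES = (ast.Expression, ast.BinOp, ast.UnaryOp, ast.Constant,
                ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Mod, ast.USub)


def eval_unsafe(expr: str):
    return eval(expr)   # sink: arbitrary Python from the caller


def eval_arithmetic(expr: str):
    """Parse first, accept only numeric arithmetic nodes, then evaluate with no builtins."""
    tree = ast.parse(expr, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, _ARITH_NODES):
            raise ValueError(f"disallowed syntax: {type(node).__name__}")
        if isinstance(node, ast.Constant) and not isinstance(node.value, (int, float)):
            raise ValueError("only numeric literals are allowed")
    return eval(compile(tree, "<expr>", "eval"), {"__builtins__": {}}, {})


# --- 3. OS command built from a keyword argument -------------------------------
def list_dir_unsafe(**opts):
    # taint flows through the keyword argument straight into a shell string
    return subprocess.run(f"ls -l {opts['path']}", shell=True,
                          capture_output=True, text=True).stdout


def list_dir_argv(**opts):
    """Hardened: the tainted value is one argv element and is never parsed by a shell."""
    return ["ls", "-l", opts["path"]]


def list_dir_hardened(**opts):
    return subprocess.run(list_dir_argv(**opts), capture_output=True, text=True).stdout


def demo():
    """Exercise each sink with constructed inputs and report what happened."""
    results = {}
    results["benign"] = load_restricted(pickle.dumps({"user": "alice", "roles": ["dev"]}))
    before = EXECUTED["count"]
    results["unsafe_ran_code"] = (load_unsafe(pickle.dumps(Payload())) == "pwned"
                                  and EXECUTED["count"] == before + 1)
    try:
        load_restricted(pickle.dumps(Payload()))
        results["restricted_blocked"] = False
    except pickle.UnpicklingError:
        results["restricted_blocked"] = True
    results["arith"] = eval_arithmetic("2 + 3 * (4 - 1)")
    try:
        eval_arithmetic("__import__('os').system('id')")
        results["eval_blocked"] = False
    except ValueError:
        results["eval_blocked"] = True
    results["argv"] = list_dir_argv(path="/tmp; id")   # stays a single argument
    return results


if __name__ == "__main__":
    print(demo())
```

`demo()` never calls the two `subprocess` wrappers, so the script is safe to run as-is; the point of `list_dir_argv` is that a value such as `/tmp; id` remains one argument, whereas the f-string form hands it to `/bin/sh` to be split into two commands.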

Enforce Security Hotspot review as part of Clean as You Code

At SonarSource, we firmly believe that developers own the security of their code. Merging with unreviewed Security Hotspots violates clean coding best practices. When we dogfooded Security Hotspots, compliance was inconsistent - sometimes doing the right thing isn’t easy! To that end, the built-in Sonar way Quality Gate now includes the Security Hotspots Reviewed metric on New Code, so you can’t ‘green light’ a merge until every new Hotspot has been reviewed.
Enforce Security Hotspot review in New Code Quality Gate

The right info, in the right place, at the right time (Developer, Enterprise and Data Center Editions)

Back in v7.7, we added the ability to decorate analysis results right in your ALM. Since then, we’ve continued to add features so you can easily see what needs fixing, right when you’re working on it. The latest release takes more steps toward that goal.

Clear Security Hotspot metric decoration

The Security Hotspot review metric is now its own, clearly labeled metric in GitHub and GitLab decoration. Previously, Security Hotspots were folded into the Vulnerability metric, which sent mixed messages. Now the Security Hotspot review metric stands alongside the Bug, Code Smell and Vulnerability metrics so you get a clear picture.
Security Hotspots metric clearly decorated in GH and GL


Analysis results in GitHub Conversation tab

SonarQube already decorates analysis results in the GitHub Checks tab. Back by popular demand, the same metrics now also appear in the pull request Conversation tab for increased visibility.
Analysis results in GitHub Conversations tab

Spot XSS vulnerabilities in Java & C# frameworks (Developer, Enterprise and Data Center Editions)

SonarQube v8.3 extends XSS injection flaw detection to several common frameworks. JSP and Spring are covered for Java; Razor and ASP.NET Core MVC are added for C#.
Find XSS vulnerabilities in Java & C# frameworks


Find buffer overflow vulnerabilities in C/C++ (Developer, Enterprise and Data Center Editions)

Buffer overflows haven’t gone away, so let’s find them! Version 8.3 adds rules that detect the majority of buffer overflow vulnerabilities in calls to C/C++ POSIX APIs.

Fast, easy branch and PR analysis with Jenkins (Developer, Enterprise and Data Center Editions)

Modern coding practices depend on the creation of branches and pull requests. For folks that rely on Jenkins, SonarQube now reads the branch and pull request details from the environment variables Jenkins already sets, so analysis is fast and hands-free.

Write clean code in your IDE with SonarLint

SonarLint + SonarQube is a great clean coding combo and now you can find issues in Java with SonarLint for VS Code!

If C++ is your language, you’ll want to pair SonarQube with SonarLint for Visual Studio. The last several releases focused on C++ functionality and performance.

Language Updates

With every release, we add more rules and capabilities so you can find more issues:

Java
  • Performance tuning, custom rules and public API improvements

C#
  • .NET analyzers push branch coverage data to SonarQube

Python
  • Python 3.8 support

Time to enjoy all the new version features!