Our recent acquisition of RIPS Tech is paying dividends. We took the best of SonarSource and
RIPS for Java, C# and PHP analysis and made improvements. You’ll now see fewer open
vulnerabilities thanks to a reduction in false positives, because the analyzer is now
field-sensitive: it tracks whether individual class members are tainted, so a single tainted
field is distinguished from the entire object being tainted. Get more info and see an
example in
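The following is an added illustration, not SonarQube or RIPS code: a minimal model of the difference between field-insensitive and field-sensitive taint tracking. The request struct, its two fields and the bitmask representation are assumptions made for the demonstration. One bit per field lets a sink that reads only the trusted field stay quiet even though a sibling field came from the user, while a sink that reads the tainted field is still reported.

```c
/* Added example (not SonarQube code): a minimal model of field-sensitive
 * taint tracking. Each object carries one taint bit per field instead of a
 * single bit for the whole object, so a sink that reads a clean field is
 * not reported just because a sibling field was tainted. */
#include <stdio.h>
#include <string.h>

/* Field identifiers for a hypothetical request object. */
enum field { FIELD_NAME = 1, FIELD_ID = 2 };

struct request {
    char name[32];      /* user-controlled: a taint source */
    int  id;            /* result of a trusted lookup */
    unsigned taint;     /* bitmask of tainted fields */
};

/* Source: copy user-controlled data into name and mark only that field. */
static void set_name_from_user(struct request *r, const char *input) {
    snprintf(r->name, sizeof r->name, "%s", input);
    r->taint |= FIELD_NAME;
}

static void set_id_from_lookup(struct request *r, int id) {
    r->id = id;
    r->taint &= ~(unsigned)FIELD_ID;
}

/* Field-insensitive verdict: the whole object is tainted if any field is. */
static int insensitive_reports(const struct request *r, enum field used) {
    (void)used;
    return r->taint != 0;
}

/* Field-sensitive verdict: only the field that reaches the sink counts. */
static int sensitive_reports(const struct request *r, enum field used) {
    return (r->taint & (unsigned)used) != 0;
}

/* Scenario 1: name is tainted, but the sink (say, a query) reads only id.
 * Returns 1 when the insensitive model alarms and the sensitive one does not,
 * i.e. the false positive is avoided. */
int demo_false_positive_avoided(void) {
    struct request r = {0};
    set_name_from_user(&r, "constructed input");
    set_id_from_lookup(&r, 42);
    return insensitive_reports(&r, FIELD_ID) && !sensitive_reports(&r, FIELD_ID);
}

/* Scenario 2: the sink reads the tainted field itself; the sensitive model
 * must still report it. Returns 1 when it does. */
int demo_true_positive_kept(void) {
    struct request r = {0};
    set_name_from_user(&r, "constructed input");
    return sensitive_reports(&r, FIELD_NAME);
}

int main(void) {
    printf("false positive avoided: %d\n", demo_false_positive_avoided());
    printf("true positive kept:     %d\n", demo_true_positive_kept());
    return 0;
}
```

A real analyzer derives these bits from data flow rather than from explicit setters, but the verdict logic is the same: precision comes from keying taint on the access path (object plus field) instead of on the object alone.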
Find more buffer overflow vulnerabilities in C and C++
There’s no doubt, buffer overflows are lame. Three of the top 5 issues listed in the
2020 CWE Top 25 are due to buffer overflows. This calls for action! In SonarQube 8.3, we
added rules to detect a majority of buffer overflow vulnerabilities in C and C++ POSIX APIs.
A majority isn’t 100%, so with v8.5 we added more rules to increase detection coverage with
additional API
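As an added example (not SonarQube code, and not one of its rules), here is the length-handling pattern these buffer overflow rules are after, in both its unchecked and checked forms. The message layout (one declared-length byte followed by the payload), the buffer size and the sample messages are constructed for the demonstration.

```c
/* Added example (not SonarQube code): copying a length-prefixed field into a
 * fixed-size buffer. The unchecked version trusts a length taken from the
 * message itself; the checked version bounds it by both the bytes actually
 * received and the destination size before memcpy runs. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_CAP 16   /* destination size, including the NUL terminator */

/* Before (the pattern the rules flag): declared is never compared with
 * NAME_CAP or msg_len, so a message can write past out[] on the stack. */
int parse_name_unchecked(const uint8_t *msg, size_t msg_len, char out[NAME_CAP]) {
    if (msg_len < 1) return -1;
    size_t declared = msg[0];
    memcpy(out, msg + 1, declared);   /* declared may exceed NAME_CAP */
    out[declared] = '\0';
    return (int)declared;
}

/* After: every length that reaches memcpy is validated. Returns the number
 * of bytes copied, or -1 when the message is malformed or would not fit. */
int parse_name_checked(const uint8_t *msg, size_t msg_len, char out[NAME_CAP]) {
    if (msg_len < 1) return -1;                 /* no length byte at all */
    size_t declared = msg[0];
    if (declared > msg_len - 1) return -1;      /* claims more than was received */
    if (declared >= NAME_CAP) return -1;        /* no room for the terminator */
    memcpy(out, msg + 1, declared);
    out[declared] = '\0';
    return (int)declared;
}

/* Constructed sample messages. */
static const uint8_t good_msg[]      = { 5, 'a', 'l', 'i', 'c', 'e' };
static const uint8_t oversized_msg[] = { 40, 'x', 'x', 'x' };   /* lies about its length */
static const uint8_t too_long_msg[]  = { 20, 'a','b','c','d','e','f','g','h','i','j',
                                             'k','l','m','n','o','p','q','r','s','t' };

/* Returns 1 when the well-formed message is parsed correctly. */
int demo_good(void) {
    char out[NAME_CAP];
    return parse_name_checked(good_msg, sizeof good_msg, out) == 5 &&
           strcmp(out, "alice") == 0;
}

/* Returns -1: the declared length exceeds what was received. */
int demo_oversized(void) {
    char out[NAME_CAP];
    return parse_name_checked(oversized_msg, sizeof oversized_msg, out);
}

/* Returns -1: the payload is complete but would overflow out[]. */
int demo_too_long(void) {
    char out[NAME_CAP];
    return parse_name_checked(too_long_msg, sizeof too_long_msg, out);
}

int main(void) {
    printf("good: %d, oversized: %d, too long: %d\n",
           demo_good(), demo_oversized(), demo_too_long());
    return 0;
}
```

The two rejections are different bugs: the oversized message is a read past the end of the input, the too-long one a write past the end of the output. Both come from the same missing comparison, which is why checks against the source length and the destination capacity belong together.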
A lot of critical vulnerabilities are related to broken access control and authentication
weaknesses. SonarQube 8.5 helps you clean this up in your C and C++ projects by finding issues
such as loose file permissions and intrusive permission usage.
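As an added example (again not SonarQube code), the loose-permission pattern and its fix with the POSIX file APIs. The helper names, the temporary directory under /tmp and the file name are assumptions for the demonstration; the check on the group and other write bits is the same question the permission rules ask of the mode argument.

```c
/* Added example (not SonarQube code): creating a file that only its owner
 * may read or write, and a check for modes that grant more than that. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 when mode lets group or others write the file ("loose"). */
int permissions_too_loose(mode_t mode) {
    return (mode & (S_IWGRP | S_IWOTH)) != 0;
}

/* Before (what the rules flag): open(path, O_WRONLY | O_CREAT, 0666) or a
 * later chmod(path, 0777) leaves a secret writable by every local user.
 *
 * After: create with an explicit owner-only mode, refuse to reuse an existing
 * path (O_EXCL), and confirm the result with fstat. Returns the permission
 * bits actually applied, or -1 on failure. */
int create_private_file(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
    if (fd < 0) return -1;
    struct stat st;
    int rc = fstat(fd, &st);
    close(fd);
    if (rc != 0) return -1;
    return (int)(st.st_mode & 0777);
}

/* Demonstration in a fresh temporary directory (assumes /tmp is writable).
 * Returns 1 when the created file is not group/other writable, 0 when it is,
 * and -1 if the environment did not allow the file to be created. */
int demo_private_file(void) {
    char dir[] = "/tmp/permdemo.XXXXXX";
    if (mkdtemp(dir) == NULL) return -1;
    char path[64];
    snprintf(path, sizeof path, "%s/secret.txt", dir);
    int mode = create_private_file(path);
    unlink(path);
    rmdir(dir);
    if (mode < 0) return -1;
    return permissions_too_loose((mode_t)mode) ? 0 : 1;
}

int main(void) {
    printf("0666 loose: %d, 0600 loose: %d\n",
           permissions_too_loose(0666), permissions_too_loose(0600));
    printf("private file demo: %d\n", demo_private_file());
    return 0;
}
```

Passing the restrictive mode to open() is more reliable than a later chmod() because the file never exists with the wide-open mode, and O_EXCL closes the window in which a pre-placed file or link at that path would be opened instead.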
Detect more C# vulnerabilities
In v8.3, we added XSS detection in C# for Razor and ASP.NET Core MVC. With v8.5, we’re
adding new functionality to detect XSS vulnerabilities in .NET Framework Razor Views.
Additionally, we’ve added support for XSS vulnerability detection in ASP.NET Core MVC
Write cleaner Java & PHP code
Bring code quality to your unit tests
Test code shouldn’t take a backseat to production code. Proper test code coverage and
quality aren’t a nice-to-have anymore - they’re expected. In fact, issues in test code can
hide issues in the main code. SonarQube is now your quality partner for test code too, with
rules checking your Java & PHP test code. Test code differs from production code in its
nature, execution context and intent, so SonarQube accounts for those differences and
applies its static analysis capabilities to find bugs and maintainability issues in your
test code. Test and production code both contribute to the default Quality Gate status,
so it’s easy to know how you're doing against the overall
Clean As You Code
Write efficient, error-free and safe Regular Expressions in Java
Regular expressions (Regex) are incredibly useful for catching patterns AND they can be
tricky and tend to be error-prone. Maybe you’ve developed a love/hate affair with Java
Regex - well...SonarQube to the rescue! We’ve developed a set of rules to target Java
Regex errors and bring a new layer of defense to Java developers. Now you can code Java
Regex with confidence!
Detect PHP Issues Related to Exceptions
Exception handling is a common PHP task and it can lead to coding errors. Worse still, these
are errors that a compiler would catch in other languages. SonarQube 8.5 adds the valuable
ability to detect errors related to exceptions with four new rules.
Packaged language updates
Starting with SonarQube v8.2, we made SonarQube available as a Docker package. For lots of
folks, this was great - it brought simplicity and ease. With v8.5, language updates are
aligned with SonarQube releases and no longer offered individually in the Marketplace. Now
admins can just grab the latest SonarQube release and know they have the latest updates
for all the languages. If there was a language update since the last SonarQube release,
you’ll automatically get it with your next SonarQube upgrade! Full details available in
In 8.4, we made it easy for administrators to set up GitHub projects and auto-configure PR
decoration. In 8.5, the new in-app tutorial walks you through the minimal configuration
required Jenkins-side to set up your pipeline.
Setting up new projects from GitLab instances is easy with a project onboarding wizard
that walks you through selecting the projects to analyze. The onboarding process includes
guidance to properly configure branch and merge request analysis as part of your GitLab CI
Clear Bitbucket Security Hotspot decoration
The Security Hotspot review metric now gets its own, clear metric for Bitbucket.
Previously, Security Hotspots were presented as part of the Vulnerability metric and that
sent a mixed message. Now, the Security Hotspot review metric stands alongside the Bug,
Code Smell and Vulnerabilities metrics giving you a clear picture.
U.S. Department of Defense (DoD) hardened and approved
With v8.5, we’re making
Docker images available in the
as part of the release. The images adhere to the container format published by the OCI and
are made compliant with the DoD Container Hardening Security Requirements Guide.
Be more efficient with SonarLint in your workflow
If you’re developing in C or C++, you don’t want code analysis to slow you down. SonarLint for Visual Studio adds a lot of value for C and C++ developers by speeding up the analysis
using pre-compiled preambles.
If Java is your passion, you can catch code quality issues in Java 14 from IDE to build
with SonarLint combined with SonarQube. Java 14 is supported for the following SonarLint