old version

This is an old release announcement

See the latest version 9.7.1

SonarQube 8.5

Love for Java, C#, C++ and more; Code Quality for your Java & PHP tests

October 9th, 2020

Lots of security in this release so let’s make that the theme; We could add icons for Java, C++, PHP and C# along with security related icons

More Rules to Keep Your Projects Secure DE Available on Developer Edition EE Available on Enterprise Edition DCE Available on Data Center Edition

Taint Analysis gets a technology boost

Our recent acquisition of RIPS Tech is paying dividends. We took the best of SonarSource and RIPS for Java, C# and PHP analysis and made improvements. You’ll now see fewer open vulnerabilities due to a reduction in false positives because the analyzer is field sensitive. This improvement tracks whether individual class members are tainted. With this ability, a tainted field is distinguished from the entire class being tainted. Get more info and see an example in this Community post.

Find more buffer overflow vulnerabilities in C and C++

There’s no doubt, buffer overflows are lame. Three of the top 5 issues listed in the 2020 CWE Top 25 are due to buffer overflows. This calls for action! In SonarQube 8.3, we added rules to detect a majority of buffer overflow vulnerabilities in C and C++ POSIX APIs. A majority isn’t 100% so, with v8.5, we added more rules to increase detection coverage with additional API calling patterns.

More C++ Core Guidelines rules

With the addition of 16 new rules based on the C++ Core Guidelines, SonarQube 8.5 nicely expands on the set of Core Guidelines rules added in v8.1. We again focused on rules that are valuable and commonly the subject of discussion in the C++ community. See all C++ Core Guidelines implementations.

Clean up C and C++ authentication weaknesses

A lot of critical vulnerabilities are related to broken access control and authentication weaknesses. SonarQube 8.5 helps you clean this up in your C and C++ projects by finding issues such as loose file permissions and intrusive permission usage.
SonarQube 8.5 helps you clean this up in your C and C++ projects by finding issues

Detect more C# vulnerabilities

In v8.3, we added XSS detection in C# for Razor and ASP.NET Core MVC. With v8.5, we’re adding new functionality to detect XSS vulnerabilities in .NET Framework Razor Views. Additionally, we’ve added support for XSS vulnerability detection in ASP.NET Core MVC ViewComponents.

Write cleaner Java & PHP code

Bring code quality to your unit tests

Test code shouldn’t take a backseat to production code. Proper test code coverage and quality aren’t a nice-to-have anymore - they’re expected. In fact, issues on test code can hide issues in the main code. SonarQube is now your quality partner for test code too with rules checking your Java & PHP test code. The nature of test code is different along with a different execution context and intention. That’s why SonarQube understands the differences and leverages its unique static analysis capabilities to find bugs and maintainability issues is your test code. Test and production code both contribute to the default Quality Gate status so it’s easy to know how you're doing against the overall Clean As You Code methodology.

Write efficient, error-free and safe Regular Expressions in Java

Regular expressions (Regex) are incredibly useful for catching patterns AND they can be tricky and tend to be error-prone. Maybe you’ve developed a love/hate affair with Java Regex - well...SonarQube to the rescue! We’ve developed a set of rules to target Java Regex errors and bring a new layer of defense to Java developers. Now you can code Java Regex with confidence!
Regular expressions (Regex) are incredibly useful for catching patterns

Detect PHP Issues Related to Exceptions

Exception handling is a common PHP task and it can lead to coding errors. Worse still is when those errors are caught by the compiler of other languages. SonarQube 8.5 adds the valuable ability to detect errors related to exceptions with four new rules.

Packaged language updates

Starting with SonarQube v8.2, we made SonarQube available as a Docker package. For lots of folks, this was great - it brought simplicity and ease. With v8.5, language updates are aligned with SonarQube releases and no longer offered individually in the Marketplace. Now admins can just grab the latest SonarQube release and know they have the latest updates for all the languages. If there was a language update since the last SonarQube release, you’ll automatically get it with your next SonarQube upgrade! Full details available in the Community post.

More value in your ALM DE Available on Developer Edition EE Available on Enterprise Edition DCE Available on Data Center Edition


In 8.4, we made it easy for administrators to set up GitHub projects and auto-configure PR decoration. In 8.5, the new in-app tutorial walks you through the minimal configuration required Jenkins-side to set up your pipeline.


Setting up new projects from GitLab instances is easy with a project onboarding wizard that walks you through selecting the projects to analyze. The onboarding process includes guidance to properly configure branch and merge request analysis as part of your GitLab CI workflow.
Onboarding wizard makes it simple to add your GitLab projects

Clear Bitbucket Security Hotspot decoration

The Security Hotspot review metric gets is its own, clear metric for Bitbucket. Previously, Security Hotspots were presented as part of the Vulnerability metric and that sent a mixed message. Now, the Security Hotspot review metric stands alongside the Bug, Code Smell and Vulnerabilities metrics giving you a clear picture.

U.S. Department of Defense (DoD) hardened and approved

With v8.5, we’re making DoD-compliant Docker images available in the Iron Bank as part of the release. The images adhere to the container format published by the OCI and are made compliant with the DoD Container Hardening Security Requirements Guide.

Be more efficient with SonarLint in your workflow

If you’re developing in C or C++, you don’t want code analysis to slow you down. SonarLint for Visual Studio adds a lot of value for C and C++ developers by speeding up the analysis using pre-compiled preambles.
If Java is your passion, you can catch code quality issues in Java 14 from IDE to build with SonarLint combined with SonarQube. Java 14 is supported for the following SonarLint flavors:

Time to enjoy all the
new version features!

Get SonarQube