This is an old release announcement. See the latest version, 8.9.1 LTS.

SonarQube 8.6

JavaScript SAST; Azure DevOps Server onboarding; better C++ standards support

December 7th, 2020

SonarQube 8.6 introduces SAST analysis for JavaScript, including detection of SQL injection and path injection vulnerabilities.

Introducing… SAST for JavaScript!

JavaScript isn't just for browsers anymore. With the rise of server-side JavaScript, Node.js developers face the same security concerns as everyone else. That's why we've added a host of new rules to help you protect your users and your systems.

22 new rules cover cryptography, privacy and HTTP headers

Cryptography - securing the transmissions between the user and the server - is one of the first things developers should consider and one of the easiest to get wrong. Nine new rules help you get it right and comply with requirements like GDPR and FIPS. Another seven Security Hotspot rules guide you in spotting missing, disabled or mishandled HTTP security headers, and six more Security Hotspot rules help you spot privacy issues in the handling of user data.

SQL injection and Path injection detection for Node.js and Express.js (Developer, Enterprise and Data Center Editions)

The danger of SQL injection has long been known, but that doesn't keep such vulnerabilities from being introduced with depressing frequency. This version of SonarQube adds SQL injection detection for Node.js and Express.js code, and Path injection detection covering 15 API modules.

Easy onboarding for Azure DevOps Server projects (Developer, Enterprise and Data Center Editions)

We've made onboarding your Azure DevOps Server projects easy. Just configure your server. Then setting up a repository for SonarQube analysis - including PR analysis and decoration! - is a quick, point-and-click operation, and our in-app tutorials walk you through the remaining few steps you'll need to handle in your Azure Pipelines.

We've also added validation of administrative settings for all ALMs in this version to make setup faster and easier for everyone.

Triage Security Hotspots in-IDE with a direct link from SonarQube

As great as the SonarQube interface is, sometimes you just need to be in the code. That's why we've added a direct link to open Security Hotspots in SonarLint for IntelliJ and SonarLint for Visual Studio (VSCode and Eclipse support coming soon!).

Hint, hint: type hints yield better PHP vulnerability detection (Developer, Enterprise and Data Center Editions)

We've done a lot of work in this version to improve PHP vulnerability detection through the use of type hints. Analysis now reads your type hints to better understand what your code should be doing, versus what it is doing. The net result is more accurate analysis: more true positives and fewer false positives.

Better C++ standard support (Developer, Enterprise and Data Center Editions)

One C++ Quality Profile to rule them all!

We've revisited how standard-specific rules are applied to your code. Previously, having projects targeting different versions of the standard meant juggling multiple Quality Profiles, so that C++14 code wasn't penalized for flouting C++17 requirements and vice versa. Now we only run C++17 rules when the code is compiled to that standard. That means you only need one Quality Profile for all your projects. Whatever standard your code is compiled to, we'll detect it and act accordingly!

New C++17 rules help you write better code

Each new version of a language standard brings new mechanisms and new best practices, and C++17 is no exception. In 8.6, 21 new rules help you write better C++17 code and migrate your code bases to the newest mechanisms.

Project aggregation comes to Developer Edition (Developer, Enterprise and Data Center Editions)

Sometimes, for whatever technical reason, projects that ship together don't compile together. And if one of them isn't ready to ship, none of them are. Several years ago we introduced Applications - synthetic, aggregate projects - in Enterprise Edition. Now Applications start at Developer Edition, so more teams can benefit from this useful feature.

SonarQube default instance security beefed up

We've made SonarQube secure by default by adding limits around the default admin/admin account and by requiring authentication by default. For existing instances where the admin/admin password has not been changed, we've added warnings that are shown to the other global admin accounts.

Language Updates

C#
  • Initial support for C# 9

PHP
  • PHP 8 support

C++ and C
  • Additional logging options to ease analysis debugging

Time to enjoy all the new version features! Get SonarQube.