developers face the same security concerns as everyone else. That's why we've added a host
of new rules to help you protect your users and your systems.
22 new rules cover cryptography, privacy and HTTP headers
Cryptography - securing the transmissions between the user and the server - is one of the
first things developers should consider and one of the easiest to mess up. Nine new rules
help you get it right and comply with standards like GDPR and FIPS. Another seven Security
Hotspot rules guide you in spotting missing, disabled or mishandled HTTP security headers.
An additional six Security Hotspot rules help you spot privacy issues with the handling of
The danger of SQL injection has long been known, but that doesn't keep such
vulnerabilities from being introduced with depressing frequency. Fortunately, this version
of SonarQube adds SQL injection detection for Express.js and Node.js code. Additionally,
we've added Path injection detection for 15 API modules.
We've made onboarding your Azure DevOps Server projects easy. Just configure your server.
Then setting up a repository for SonarQube for analysis - including PR analysis and
decoration! - is a quick, point-and-click operation. And our in-app tutorials will walk
you through the remaining few steps you'll need to handle in your Azure Pipelines.
We've also added validation of administrative settings for all ALMs in this version to
make set up faster and easier for everyone.
Triage Security Hotspots in-IDE with a direct link from SonarQube
As great as the SonarQube interface is, sometimes you just need to be in the code. That's
why we've added a direct link to open Security Hotspots in SonarLint for IntelliJ and
SonarLint for Visual Studio (VSCode and Eclipse support coming soon!).
We've done a lot of work in this version to improve PHP vulnerability detection with the
use of type hints. Now, analysis can read your type hints to better understand your code
and what should be happening - versus what is happening. The net result is more accurate
analysis, with more True Positives, and fewer false positives.
One C++ Quality Profile to rule them all!
We've revisited how standard-specific rules are applied to your code. Previously, having
projects targeting different versions of the standard meant juggling multiple Quality
Profiles, so that C++14 code wasn't penalized for flouting C++17 requirements and vice
versa. Now we only run C++17 rules when the code is compiled to that standard. That means
you only need one Quality Profile for all your projects. Whatever the compile-standard,
we'll figure it out and act accordingly!
New C++17 rules help you write better code
Each new version of a language standard brings new mechanisms and new best practices and
C++17 is no exception. In 8.6, 21 new rules in this version help you write better C++17
code and/or help you migrate your code bases to the newest mechanisms.
Sometimes, for whatever technical reason, projects that ship together don't compile
together. And if one of them isn't ready to ship, none of them are. Several years ago we
introduced Applications - synthetic, aggregate projects - in Enterprise Edition. Now we’re
moving the Applications feature to start with Developer Edition so more teams can benefit
from this useful feature.
SonarQube default instance security beefed up
We've made SonarQube secure by default by adding limits around the default admin/admin
account, and making authenticated access the default. For existing instances where the
admin/admin account has not been updated, we've added warnings for the other global admin
Additional logging options to ease analysis debugging