SonarQube 8.7
SonarQube 8.7 - More SAST for JavaScript, Mono-repo support & lots of analyzer updates
February 25th, 2021
Features, functionality & precision to secure your apps DE Available on Developer Edition EE Available on Enterprise Edition DCE Available on Data Center Edition
Good coverage for OWASP Top 10 and CWE Top 25 vulnerabilities
With every release, we’re adding more value add to keep your code secure. Now, for Java, JavaScript, C & C++ you can expect 80+% detection of OWASP Top 10 and CWE Top 25 vulnerabilities.JavaScript SAST analysis - Round 2!
In SonarQube 8.6, we introduced SAST analysis for JavaScript and this latest release continues the good vibes and brings broader detection covering more issue types!- Reflected XSS vulnerabilities
- DOM-XSS involving core functions
- Regex injection flaws
- Detect NoSQL inj flaws (MongoDB node.js; Mongoose ODM)
Write more secure PHP
Yes, it’s popular and flexible and it’s everywhere AND let’s keep it safe! SonarQube 8.7 includes new functionality to help you find vulnerabilities in PHP Core and the popular frameworks Symfony and Laravel. For Laravel-based applications, the routing system is the most used entry point for attackers and their payload. SonarQube correctly understands this routing system and can identify vulnerabilities that could exploit these entry points. Type information isn’t just making your code more maintainable, it helps make it more secure! The SonarQube security engine uses developer provided type info (Type Hint, PHPDoc) to enhance receiver resolving in control flows. Being declarative gets you more readable code and better security analysis accuracy too!
Improved taint analysis precision makes you more efficient
Finding tricky security vulnerabilities with SonarQube taint analysis is awesome! Finding out a flagged location in the taint flow is actually irrelevant is not efficient. We set an objective to reduce the number of irrelevant flags and came up with a Flow Path annotation technique that more accurately tracks the relationship between variable assignments and where they’re used.More integration flexibility for where your code lives
Mono-repositories are welcome here! EE Available on Enterprise Edition DCE Available on Data Center Edition
SonarQube fits the way your projects are organized. Branch analysis and Pull/Merge Request decoration just came to your mono-repo living in GitHub, GitLab, Azure DevOps and Bitbucket Server.Support for Bitbucket Cloud and Bitbucket Pipelines
SonarQube analysis tightly integrates with your Bitbucket workflow regardless if you stash your code on-prem or in the cloud. Use a red Quality Gate to block Pull Request merges and you’ll ensure you’re only releasing quality code. DE Available on Developer Edition EE Available on Enterprise Edition DCE Available on Data Center Edition
Official support for Azure DevOps Services
In the past, there might have been some entrepreneurial folks that hooked SonarQube to Azure DevOps Services 😉. While not ‘officially’ condoned, we understood the reasons. We listened and NOW support for DevOps Services is official! 🍾Project onboarding in CE - Less configuration; more analysis!
If you’re new to SonarQube, we’ve got you covered getting started. Now included with Community Edition, a wizard helps you feel at home and guides you in adding and analyzing all your projects.More language updates
Write better C++17 code DE Available on Developer Edition EE Available on Enterprise Edition DCE Available on Data Center Edition
Are you taking full advantage of the new C++17 features? SonarQube is your coding buddy catching issues as you learn and experiment with the new C++17 functionality. Make sure you’re getting the most from the new features and avoiding the common pitfalls.Some Java ❤️
Java Regex rules Message:
Regex - So powerful, so easy to mess up! 😎 SonarQube helps you write clean, error-free regex. We added more rules!Help for secondary locations Message:
Fixing an issue in your code can be tricky and it’s probably not at the top of your joy list - SonarQube gives helpful hints even in secondary locations.Detect cryptography-related issues in C#
Keep the adversaries at bay and your web app users safe. There’s no doubt, encryption is a complex topic so we’ve brought several new rules to check for issues that could compromise private user data.SonarLint & SonarQube for the Win!
Fix vulnerabilities right in Visual Studio and IntelliJ
No sense in letting vulnerabilities get caught by a security audit when you can find and fix them yourself! With SonarLint running in Connected Mode, as soon as SonarQube has analyzed your project, you can investigate any taint vulnerabilities discovered right in your IDE.SonarLint notifications now come as part of Community Edition
With SonarQube 8.7, we’re moving SonarLint Smart Notifications to Community Edition (previously DE+). Now all developers can benefit from getting important analysis notifications right in their IDE.Language Updates
- Python 3.9 support
- Java 15 support
- TypeScript 4.1 support
