
This is an old release announcement


SonarQube 8.7

SonarQube 8.7 - More SAST for JavaScript, Mono-repo support & lots of analyzer updates

February 25th, 2021

SonarQube 8.7: Bringing more SAST to JS, mono-repos join the family, lots of language updates & Data Center Edition on Docker

Features, functionality & precision to secure your apps (available on Developer Edition, Enterprise Edition and Data Center Edition)

Good coverage for OWASP Top 10 and CWE Top 25 vulnerabilities

With every release, we add more value to keep your code secure. Now, for Java, JavaScript, C and C++, you can expect 80+% detection of OWASP Top 10 and CWE Top 25 vulnerabilities.

JavaScript SAST analysis - Round 2!

In SonarQube 8.6, we introduced SAST analysis for JavaScript, and this latest release continues the good vibes and brings broader detection covering more issue types:
  • Reflected XSS vulnerabilities
  • DOM-XSS involving core functions
  • Regex injection flaws
  • NoSQL injection flaws (MongoDB Node.js driver; Mongoose ODM)

Write more secure PHP

Yes, it’s popular, flexible and everywhere, AND let’s keep it safe! SonarQube 8.7 includes new functionality to help you find vulnerabilities in PHP core and in the popular frameworks Symfony and Laravel. For Laravel-based applications, the routing system is the entry point attackers use most to deliver their payloads. SonarQube correctly understands this routing system and can identify vulnerabilities reachable through these entry points. Type information isn’t just making your code more maintainable; it helps make it more secure! The SonarQube security engine uses developer-provided type information (type hints, PHPDoc) to improve receiver resolution in control flows. Being declarative gets you more readable code and better security-analysis accuracy too!

Improved taint analysis precision makes you more efficient

Finding tricky security vulnerabilities with SonarQube taint analysis is awesome! Discovering that a flagged location in the taint flow is actually irrelevant is not. We set an objective to reduce the number of irrelevant flags and came up with a Flow Path annotation technique that more accurately tracks the relationship between variable assignments and where they’re used.

More integration flexibility for where your code lives

Mono-repositories are welcome here! (available on Enterprise Edition and Data Center Edition)

SonarQube fits the way your projects are organized. Branch analysis and Pull/Merge Request decoration just came to your mono-repo living in GitHub, GitLab, Azure DevOps and Bitbucket Server.

Support for Bitbucket Cloud and Bitbucket Pipelines

SonarQube analysis tightly integrates with your Bitbucket workflow regardless of whether you stash your code on-prem or in the cloud. Use a red Quality Gate to block Pull Request merges and you’ll ensure you’re only releasing quality code. (available on Developer Edition, Enterprise Edition and Data Center Edition)

Official support for Azure DevOps Services

In the past, there might have been some entrepreneurial folks that hooked SonarQube to Azure DevOps Services 😉. While not ‘officially’ condoned, we understood the reasons. We listened and NOW support for DevOps Services is official! 🍾

Project onboarding in CE - Less configuration; more analysis!

If you’re new to SonarQube, we’ve got you covered getting started. Now included with Community Edition, a wizard helps you feel at home and guides you in adding and analyzing all your projects.

More language updates

Write better C++17 code (available on Developer Edition, Enterprise Edition and Data Center Edition)

Are you taking full advantage of the new C++17 features? SonarQube is your coding buddy catching issues as you learn and experiment with the new C++17 functionality. Make sure you’re getting the most from the new features and avoiding the common pitfalls.

Some Java ❤️

Java Regex rules

Regex - So powerful, so easy to mess up! 😎 SonarQube helps you write clean, error-free regex. We added more rules!

Help for secondary locations

Fixing an issue in your code can be tricky and it’s probably not at the top of your joy list - SonarQube gives helpful hints even in secondary locations.

Detect cryptography-related issues in C#

Keep the adversaries at bay and your web app users safe. There’s no doubt, encryption is a complex topic so we’ve brought several new rules to check for issues that could compromise private user data.

SonarLint & SonarQube for the Win!

Fix vulnerabilities right in Visual Studio and IntelliJ

No sense in letting vulnerabilities get caught by a security audit when you can find and fix them yourself! With SonarLint running in Connected Mode, as soon as SonarQube has analyzed your project, you can investigate any taint vulnerabilities discovered right in your IDE.

SonarLint notifications now come as part of Community Edition

With SonarQube 8.7, we’re moving SonarLint Smart Notifications to Community Edition (previously DE+). Now all developers can benefit from getting important analysis notifications right in their IDE.

Language Updates

Python
  • Python 3.9 support

Java
  • Java 15 support

TypeScript
  • TypeScript 4.1 support

Time to enjoy all the new version features!

Get SonarQube