SonarQube 8.8

GitHub Actions, server-side JavaScript vulnerabilities, security reports & more

April 1st, 2021

SonarQube 8.8 - PR analysis for GitHub Actions and lots more

GitHub Actions branch & PR analysis added (available in Developer Edition, Enterprise Edition and Data Center Edition)

Your code lives in GitHub.com and with GitHub Actions, so does your CI. Now your SonarQube analysis can live there too! We've added autodetection of branches and PRs in GitHub Actions and a tutorial to help you with the little bit of setup that's needed.

Bitbucket Cloud support adds monorepos and failed pipelines

Now you can fail your Bitbucket Cloud pipeline if analysis fails the Quality Gate. And in Enterprise Edition and above, we've added monorepo PR analysis so that results for each sub-repo in an analysis are reported separately.

Project creation gets clearer & easier for C, C++, C# & GitLab

Better onboarding for .NET, C & C++ and GitLab with Jenkins

Analyzing new projects just got easier if you're coding in C, C++ or C#, with new in-app tutorials to help you configure project analysis for those languages. It's the same for GitLab projects if you're using Jenkins as your CI - a new tutorial will help you onboard new projects smoothly so you're up and running (analyzing!) faster.

SonarQube calls the main branch the same thing you do

No more confusion between the branch named Develop or Main in your repository and "Master" in SonarQube. From now on, the main branch of each new project will be called the same thing in SonarQube that it is in your code repository platform.

Deeper IDE integration: Security Hotspots & taint vulnerabilities in SonarLint

Investigation of Security Hotspots and taint-analysis Vulnerabilities (available in commercial editions) is now available in all four versions of SonarLint: IntelliJ IDEA, Visual Studio, Eclipse and VS Code. Whichever of the four you use, you can now open Security Hotspots in your IDE from SonarQube, and in Connected Mode you can also pull the Vulnerabilities detected by SonarQube's taint analysis into SonarLint for deeper investigation and correction.

JavaScript SAST finds Node.js, Express.js server-side vulnerabilities (available in Developer Edition, Enterprise Edition and Data Center Edition)

We've done a lot of work in this version to improve the accuracy of our JavaScript SAST analysis of Node.js and Express.js server-side applications. Specifically, the rules to detect injection vulnerabilities in dynamic code execution, OS command execution, HTTP redirects and DOM updates, as well as the SSRF rule (server-side request forgery) now recognize far more vulnerable inputs (sources) and vulnerable outputs (sinks). In addition, analysis now understands arrays, Promises, ES6 classes and async/await. The result is a far richer and more accurate analysis of your code.
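As an added example (not SonarSource code), here is the kind of source-to-sink flow the HTTP-redirect injection rule traces in an Express.js handler: a login redirect that passes a query parameter straight to res.redirect, beside a hardened version with a sanitizer in between. The req/res objects are minimal stand-ins so it runs without Express, and "app.invalid" is a constructed origin used only for URL resolution.

```javascript
// Added example, not SonarSource code: a source-to-sink flow of the kind the
// page's "HTTP redirect" injection rule traces in Express.js handlers.
// req/res are minimal stand-ins, so this runs without Express installed.

// Source: attacker-controlled query parameter. Sink: res.redirect().
// Vulnerable: the raw value reaches the sink, so "?next=//evil.example"
// or "?next=https://evil.example" turns the login flow into an open redirect.
function vulnerableLoginRedirect(req, res) {
  res.redirect(req.query.next || "/");
}

// Sanitizer: accept only a same-origin, path-only target; otherwise fall back.
function safeRedirectTarget(candidate, fallback = "/") {
  if (typeof candidate !== "string" || !candidate.startsWith("/")) return fallback;
  if (candidate.startsWith("//")) return fallback;            // protocol-relative URL
  if (/[\\\x00-\x1f]/.test(candidate)) return fallback;       // "\" (browsers treat as "/") and control chars
  // Resolve against a fixed, constructed origin so "/.." sequences are normalised,
  // then check the result still lives on that origin and is not "//host" in disguise.
  const base = "https://app.invalid";
  let resolved;
  try { resolved = new URL(candidate, base); } catch { return fallback; }
  if (resolved.origin !== base || resolved.pathname.startsWith("//")) return fallback;
  return resolved.pathname + resolved.search + resolved.hash;
}

// Hardened handler: the sanitizer sits between source and sink.
function hardenedLoginRedirect(req, res) {
  res.redirect(safeRedirectTarget(req.query.next));
}

// Stand-in for the Express response object that records what reached the sink.
function fakeResponse() {
  const calls = [];
  return { calls, redirect(url) { calls.push(url); } };
}

// Runs both handlers over constructed inputs, including the "/..//host" edge case
// that slips past prefix checks alone. Returns [{ next, vulnerable, hardened }].
function demo() {
  const inputs = ["/account", "//evil.example/phish", "https://evil.example",
                  "/\\evil.example", "/..//evil.example", "/a?x=1#f"];
  return inputs.map((next) => {
    const req = { query: { next } };
    const v = fakeResponse(); vulnerableLoginRedirect(req, v);
    const h = fakeResponse(); hardenedLoginRedirect(req, h);
    return { next, vulnerable: v.calls[0], hardened: h.calls[0] };
  });
}
```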

Security reporting expands with CWE Top 25, PDF export (available in Enterprise Edition and Data Center Edition)

Security reporting gets a significant expansion in this version. First, we've added reports for CWE Top 25, both the 2020 and 2019 versions of the list. The CWE Top 25 lists the CWEs related to the "most common and impactful issues experienced over the previous two calendar years." The 2019 version of the list is more abstract, versus the more specific nature of the 2020 list. Since both versions are useful, they're both available in SonarQube.

SonarQube 8.8 - Security reporting expands with CWE Top 25, PDF export

Also new in this version is a PDF version of the Security reports. In addition to the overview, you'll find the OWASP Top 10, CWE Top 25 2020, and SonarSource perspectives for the branch of your choice in an easily printable format.

OWASP Top 10 coverage expanded for popular languages

As part of our continuing mission to provide Code Security analysis for all developers, we've rounded out our OWASP Top 10 coverage with:

PHP SAST analysis understands Symfony routing (available in Developer Edition, Enterprise Edition and Data Center Edition)

Symfony is one of the most popular PHP frameworks, and with this version we've closed the Symfony gap by covering routing annotations. Now the user-provided input in your Symfony applications will be properly recognized and traced to any controller methods.

Simplified SAST configuration (available in Enterprise Edition and Data Center Edition)

We've simplified SAST analysis configuration by moving it into the UI. Now you can configure your custom sinks, sources and sanitizers per-project or globally. This centralization allows you to easily manage how your custom frameworks are recognized by taint analysis.

Time to enjoy all the new version features!