Your code lives in GitHub.com and with GitHub Actions, so does your CI. Now your SonarQube analysis can live there too! We've added autodetection of branches and PRs in GitHub Actions and a tutorial to help you with the little bit of setup that's needed.
Bitbucket Cloud support adds monorepos and failed pipelines
Now you can fail your Bitbucket Cloud pipeline if analysis fails the Quality Gate. And in Enterprise Edition and above, we've added monorepo PR analysis so that results for each sub-repo in an analysis are reported separately.
Project creation gets clearer & easier for C, C++, C# & GitLab
Better onboarding for .NET, C & C++ and GitLab with Jenkins
Analyzing new projects just got easier if you're coding in C, C++ or C#, with new in-app tutorials to help you configure project analysis for those languages. It's the same for GitLab projects if you're using Jenkins as your CI - a new tutorial will help you onboard new projects smoothly so you're up and running (analyzing!) faster.
SonarQube calls the main branch the same thing you do
No more confusion between the branch named Develop or Main in your repository and "Master" in SonarQube. From now on, the main branch of each new project will be called the same thing in SonarQube that it is in your code repository platform.
Deeper IDE integration: Security Hotspots & taint vulnerabilities in SonarLint
You can now investigate Security Hotspots and taint analysis Vulnerabilities (available in commercial editions) in all four versions of SonarLint: IntelliJ IDEA, Visual Studio, Eclipse and VS Code. No matter which of the four you use, you can now open Security Hotspots in your IDE from SonarQube. And in Connected Mode you can also pull the Vulnerabilities detected by SonarQube taint analysis into SonarLint for deeper investigation and correction.
Security reporting gets a significant expansion in this version. First, we've added reports for CWE Top 25, both the 2020 and 2019 versions of the list. The CWE Top 25 lists the CWEs related to the "most common and impactful issues experienced over the previous two calendar years." The 2019 version of the list is more abstract, while the 2020 version is more specific. Since both versions are useful, they're both available in SonarQube.
Also new in this version is a PDF version of the Security reports. In addition to the overview, you'll find the OWASP Top 10, CWE Top 25 2020, and SonarSource perspectives for the branch of your choice in an easily printable format.
OWASP Top 10 coverage expanded for popular languages
As part of our continuing effort to provide Code Security analysis for all developers, we've rounded out our OWASP Top 10 coverage with: