SonarQube LTS: Better than ever

Download SonarQube 8.9 LTS
  • Developers take ownership of Code Security

    Developers take control of Code Security with static application security testing (SAST) for more languages, with more rules, better detection and improved workflows.

  • In-cloud? On-prem? Your platform is covered!

    Whether your code lives in-cloud or on-prem, SaaS or self-managed, code repository platform integrations help you write better code, faster. From initial project import to failing the pipeline for a failed Quality Gate, we've got just about everyone covered.

Developers take ownership of Code Security

Unparalleled SAST precision - now including JavaScript & more

Security Vulnerability detection has vastly expanded with new languages, new rules, and an improved detection engine to bring unparalleled precision and performance in security analysis of Java, C#, PHP, Python, JavaScript, TypeScript, C and C++. In addition to a vastly expanded breadth and depth of analysis, we've also expanded developer access to these findings. Issues are raised in-IDE, with SonarLint, in SonarQube itself, and in PR decoration in commercial editions.

Among the improvements:

  • SAST analysis added for Python, JavaScript, TypeScript, C and C++

  • Full OWASP Top 10 coverage for Java and C# with significant coverage for the other languages

  • Buffer overflow detection in POSIX functions for C and C++

Commercial editions add taint analysis rules to find: injection flaws, broken access control, XSS, and insecure deserialization, with the ability to sync those taint analysis issues into SonarLint in connected mode.

Security Hotspot review arms developers to write safer code

Security Hotspots help developers write safer code by bringing attention to security-sensitive pieces of code and arming developers with the tools to diagnose the potential impact. We've expanded the range of Security Hotspot languages to include TypeScript, C and C++. And now you have a specialized interface for triaging Security Hotspots, and a single click to open them in your IDE via SonarLint.

Reporting and configuration increase clarity & precision (available on Enterprise Edition and Data Center Edition)

Security reporting includes both CWE Top 25 2019 and CWE Top 25 2020, with a PDF download of the top reports. And if you use home-grown frameworks, taint analysis configuration gives you a UI to set your home-grown sources, sinks, and sanitizers for better overall precision and, in the end, higher Code Security.
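The source/sink/sanitizer model behind the taint analysis rules (injection flaws in commercial editions, above) and the home-grown framework configuration just described can be illustrated with a small, constructed example. The following toy analyzer is added here for illustration and is not SonarQube's engine; the configured names (request.args.get, cursor.execute, shlex.quote, and the hypothetical myframework.get_param / myframework.escape) and the two code snippets it scans are assumptions made up for the example. It walks the Python AST, marks variables assigned from a source as tainted, drops taint when data passes through a sanitizer, and reports any sink call whose arguments still carry taint; the second snippet shows why a home-grown source and sanitizer must be declared before the analysis can see them.

```python
"""Toy taint tracker: data flowing from a source to a sink is reported
unless a sanitizer call sits on the path. Added illustration, not
SonarQube's engine; all configured names are assumptions."""
from __future__ import annotations

import ast
from dataclasses import dataclass

# Assumed baseline configuration. Dotted names are matched against the
# callee's attribute chain, e.g. request.args.get(...).
DEFAULT_CONFIG = {
    "sources": {"request.args.get", "input"},
    "sinks": {"cursor.execute", "os.system"},
    "sanitizers": {"shlex.quote", "int"},
}


def with_custom(config, sources=(), sinks=(), sanitizers=()):
    """Return a copy of `config` extended with home-grown entries."""
    return {
        "sources": config["sources"] | set(sources),
        "sinks": config["sinks"] | set(sinks),
        "sanitizers": config["sanitizers"] | set(sanitizers),
    }


@dataclass(frozen=True)
class Finding:
    line: int            # line of the sink call in the scanned snippet
    sink: str            # dotted name of the sink that was reached
    origins: tuple[str, ...]  # sources whose data reached the sink


def call_name(node: ast.AST) -> str | None:
    """Return 'a.b.c' for the callee of a Call node, else None."""
    if not isinstance(node, ast.Call):
        return None
    parts, cur = [], node.func
    while isinstance(cur, ast.Attribute):
        parts.append(cur.attr)
        cur = cur.value
    if isinstance(cur, ast.Name):
        parts.append(cur.id)
        return ".".join(reversed(parts))
    return None


class TaintAnalyzer(ast.NodeVisitor):
    def __init__(self, config):
        self.config = config
        self.tainted: dict[str, set[str]] = {}  # variable -> origin sources
        self.findings: list[Finding] = []

    def taint_of(self, node: ast.AST) -> set[str]:
        """Origin sources whose data can reach the value of `node`."""
        name = call_name(node)
        if name in self.config["sources"]:
            return {name}
        if name in self.config["sanitizers"]:
            return set()  # sanitizer output is trusted whatever went in
        if isinstance(node, ast.Name):
            return set(self.tainted.get(node.id, set()))
        result: set[str] = set()
        for child in ast.iter_child_nodes(node):  # BinOp, f-string, ...
            result |= self.taint_of(child)
        return result

    def visit_Assign(self, node: ast.Assign) -> None:
        taint = self.taint_of(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if taint:
                    self.tainted[target.id] = taint
                else:
                    self.tainted.pop(target.id, None)  # clean reassignment
        self.generic_visit(node)

    def visit_AugAssign(self, node: ast.AugAssign) -> None:
        if isinstance(node.target, ast.Name):
            taint = self.tainted.get(node.target.id, set()) | self.taint_of(node.value)
            if taint:
                self.tainted[node.target.id] = taint
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        name = call_name(node)
        if name in self.config["sinks"]:
            taint: set[str] = set()
            for arg in list(node.args) + [kw.value for kw in node.keywords]:
                taint |= self.taint_of(arg)
            if taint:
                self.findings.append(Finding(node.lineno, name, tuple(sorted(taint))))
        self.generic_visit(node)


def analyze(source: str, config=DEFAULT_CONFIG) -> list[Finding]:
    analyzer = TaintAnalyzer(config)
    analyzer.visit(ast.parse(source))
    return analyzer.findings


# Constructed snippets; they are parsed, never executed.
VULNERABLE = """
import os, shlex
user = request.args.get("name")
query = "SELECT * FROM users WHERE name = '" + user + "'"
cursor.execute(query)
os.system("ls " + shlex.quote(user))
"""

HOMEGROWN = """
param = myframework.get_param("id")
cursor.execute("DELETE FROM t WHERE id = " + param)
safe = myframework.escape(param)
cursor.execute("DELETE FROM t WHERE id = " + safe)
"""

if __name__ == "__main__":
    print(analyze(VULNERABLE))   # one finding: line 5, cursor.execute
    print(analyze(HOMEGROWN))    # nothing: the framework is unknown
    custom = with_custom(DEFAULT_CONFIG, sources=["myframework.get_param"],
                         sanitizers=["myframework.escape"])
    print(analyze(HOMEGROWN, custom))  # line 3 only; line 5 is sanitized
```

With the baseline configuration the second snippet produces no finding at all, because the analyzer has no idea that myframework.get_param returns attacker-controlled data; declaring the source and the matching sanitizer turns the silent miss into one precise finding on the unsanitized call while the escaped call stays quiet. Real engines also follow taint through function parameters, return values and collections, which this toy deliberately omits.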

Operating SonarQube is easier than ever

We've made running SonarQube easier and more secure than ever. SonarQube has been security-hardened to U.S. Department of Defense standards (i.e. STIG-hardened), with a Docker image per edition on Docker Hub and in the DoD's Iron Bank. That, plus a Helm chart for Kubernetes support, makes SonarQube easier than ever to deploy.

Routine maintenance is easier too, with support for hot database backups. And upgrading is easier than ever with progressive availability during upgrades; now SonarQube is available for analysis and limited browsing even before reindexing is complete.

Time for Python devs to onboard with SonarQube

Python support hasn’t always been our top focus in the past, and this LTS changes that once and for all. We did what it takes to offer best-in-class static code analysis for Python, making it a no-brainer for Python developers to go ahead and adopt SonarQube.

This LTS adds in-depth analysis to catch the tricky Bugs and Vulnerabilities developers expect, with the sane defaults, high performance and minimal configuration that are standard in SonarQube. Python is supported up to version 3.9 of the language, so that issues are tracked properly through all language structures, frameworks, and types. And for teams just transitioning from other tools, there is easy import of Pylint and Flake8 reports, plus the ability to write custom rules.

And on top of all this, commercial editions add taint analysis rules that detect Vulnerabilities such as injection flaws.


C++ brings the rules & performance developers want

With comprehensive coverage of the C++ Core Guidelines and a broad set of C++17-specific rules, we've made following modern best practices easy. And if your shop uses multiple standard versions, managing your Quality Profile gets easy too: enable the rules for all the versions you use and we'll activate them based on the standard version the project compiles to. In addition, we've made several improvements to analysis performance and added support for a broad range of additional compilers.

That's in addition to a significant expansion of security-focused rules, including the detection of buffer overflows in POSIX functions.

And finally, Community Edition users can use C++ analysis for free with the newly-introduced SonarLint for CLion, as well as in SonarLint for Visual Studio.

Clean as You Code, best practices move to the front

As part of our ongoing mission to help every developer write better code every day, we've given some love to elements often overlooked by the industry. First, you'll find a re-written project homepage. The new interface puts the quality and security of New Code front and center to help you better focus on Cleaning as You Code. Second, we've added rules in Java, PHP and C# to help you write tests correctly. And finally, we've made Applications available to all commercial versions, so that more teams can monitor the quality of projects that ship together in one aggregated, synthetic project.


The most secure LTS yet!

We don't just care about the security of your code, we also care about the security of your overall SonarQube environment. That's why we've:

  • Applied additional hardening to the build of SonarQube itself and to our internal build pipeline
  • Limited library loading in SonarQube to only those libraries provided by SonarSource
  • Limited plugins' access to core functionality to only what's available through APIs
  • Added additional controls to the plugin Marketplace

You will also find simple but effective new safeguards such as forcing SonarQube administrators to change the default admin credentials.

The abiding value of an LTS

Last but not least, this is the new Long-Term Support version! That means support and patches for blocker bugs and vulnerabilities for at least the next 18 months - until the next LTS is released. If you're looking for the stability of a hardened, fully-supported version, the LTS is what you're after.
So what are you waiting for?