Continuous improvements for your continuous integration
Full Bitbucket Cloud integration
SonarQube now offers full support for Bitbucket Cloud, including project onboarding with an analysis configuration wizard, in addition to the PR analysis and decoration that is already available in commercial editions. We've also added official Bitbucket Pipes for analysis and checking Quality Gate status.
In SonarSource's own Clean as You Code journey, we've realized that analyzing pull requests isn't enough. That's why this version makes Quality Gate status available for each commit in GitHub, so you can take appropriate actions in your pipelines for every branch. In addition, we've provided official GitHub Actions for analysis and checking Quality Gate status, and an analysis configuration wizard for GitHub users of Azure Pipelines.
Android developers get a boost in writing clean, safe Kotlin
We're targeting Kotlin for significant analysis improvements this year. The goal is to help developers know what they need to do to secure their Android mobile apps before they submit to the Google Play Store. As a first step, we've added four new rules to detect unsecured network communication and six new rules for problematic cryptography. In addition, there is now support for ktlint, Detekt and AndroidLint, as well as custom linter rules.
Python: We've reduced false positives in Python by adding field-sensitivity in taint analysis rules, so issues are only raised on the tainted fields in an object rather than on all fields.
Java: Taint analysis now understands Java lambda expressions, eliminating false negatives where tainted values move through them.
PHP: We've eliminated false negatives in PHP by adding support for the Zend and Laminas frameworks to existing taint analysis rules.
JS/TS: DOM-XSS vulnerabilities are now detected in Angular and React applications.
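To make concrete what field-sensitivity in taint analysis changes for the Python item above, here is an added toy model (not SonarQube's engine or code from this page): a record with one field read from the request and one trusted field, with both fields flowing into a query, evaluated under an object-level and a field-level propagation policy. The record, field and query names are constructed for the example.

```python
from dataclasses import dataclass

# Constructed toy model (not SonarQube's engine): each value carries the
# set of taint labels that have reached it.
@dataclass(frozen=True)
class Val:
    value: object
    labels: frozenset = frozenset()

USER_INPUT = frozenset({"user-input"})

def from_request(raw):
    """Taint source: anything read from the HTTP request is labelled."""
    return Val(raw, USER_INPUT)

def read_field(obj, name, field_sensitive):
    """Model obj.<name>. With field sensitivity only that field's labels
    propagate; without it, any tainted field taints every read of the object."""
    v = obj[name]
    if field_sensitive:
        return v
    whole_object = frozenset().union(*(f.labels for f in obj.values()))
    return Val(v.value, whole_object)

def concat(*parts):
    """String concatenation propagates the union of its operands' labels."""
    return Val("".join(str(p.value) for p in parts),
               frozenset().union(*(p.labels for p in parts)))

def sql_sink(query):
    """Sink check: an issue is raised if user input reaches the query."""
    return bool(query.labels & USER_INPUT)

def analyse(field_sensitive):
    """Run both sinks under one policy; True means an issue is raised."""
    user = {
        "id": Val(42),                     # trusted: loaded from the database
        "name": from_request("O'Brien"),   # attacker-controlled request parameter
    }
    by_id = concat(Val("SELECT * FROM orders WHERE user_id = "),
                   read_field(user, "id", field_sensitive))
    by_name = concat(Val("SELECT * FROM users WHERE name = '"),
                     read_field(user, "name", field_sensitive), Val("'"))
    return {"by_id": sql_sink(by_id), "by_name": sql_sink(by_name)}

if __name__ == "__main__":
    print("object-level:", analyse(field_sensitive=False))  # both queries flagged
    print("field-level :", analyse(field_sensitive=True))   # only by_name flagged
```

The object-level policy reports the `user_id` query as a false positive because a sibling field was tainted; the field-level policy reports only the query that actually carries request data.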
As you work to adopt C++20, we're working to help you use it well. This version adds parsing support for many significant C++20 features, including template syntax for lambdas and designated initializers, as well as partial support for parsing Concepts and Coroutines. We've also added 18 new C++20-specific rules, including eight for the new spaceship operator (<=>). Many existing rules have also been updated to support the new features, including adding the spaceship operator to the rules related to comparison.
We've also updated our handling of the STL to ensure uniform issue detection across all implementations. This eliminates false negatives and a few false positives.
Onboarding and analysis get easier in this version. We've added onboarding tutorials to help with analysis configuration for all main CI systems as well as support for using a Compilation Database as an alternative to the Build Wrapper (although the Build Wrapper is still preferred if your compiler is supported).