SonarQube 9.0

July 5th, 2021

Official Bitbucket Pipes & GitHub Actions, Kotlin security for mobile, C++20 & more

Continuous improvements for your continuous integration

Full Bitbucket Cloud integration

SonarQube now offers full support for Bitbucket Cloud, including project onboarding with an analysis configuration wizard, in addition to the PR analysis and decoration that is already available in commercial editions. We've also added official Bitbucket Pipes for analysis and checking Quality Gate status.

GitHub support expands to Actions & decoration of every commit (Developer, Enterprise and Data Center Editions)

In SonarSource's own Clean as You Code journey, we've realized that analyzing pull requests isn't enough. That's why this version makes Quality Gate status available for each commit in GitHub, so you can take appropriate actions in your pipelines for every branch. In addition, we've provided official GitHub Actions for analysis and checking Quality Gate status, and an analysis configuration wizard for GitHub users of Azure Pipelines.

Android developers get boost in writing clean, safe Kotlin

We're targeting Kotlin for significant analysis improvements this year. The goal is to help developers know what they need to do to secure their Android mobile apps before they submit them to the Google Play Store. As first steps, we've added four new rules to detect unsecured network communication and six new rules for problematic cryptography. In addition, there is now support for ktlint, Detekt and AndroidLint, as well as custom linter rules.

Taint analysis precision honed across languages (Developer, Enterprise and Data Center Editions)

Improved precision is the focus this time. That starts with precise detection of which parts of a URL are user-controlled in taint analysis rules detecting Open Redirect, XSS and SSRF in Java, C#, PHP and JavaScript/TypeScript. There are also significant precision improvements for individual languages:

Python: We've reduced false positives in Python by adding field-sensitivity in taint analysis rules, so issues are only raised on the tainted fields in an object rather than on all fields.
Java: Taint analysis now understands Java lambda expressions, eliminating false negatives where tainted values move through them.
PHP: We've eliminated false negatives in PHP by adding support for the Zend and Laminas frameworks to existing taint analysis rules.
JS/TS: DOM-XSS vulnerabilities are now detected in Angular and React applications.
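To make the Python field-sensitivity point concrete, here is an added illustration (not SonarQube's analyzer, and not code from the page) that runs a toy forward taint propagation over a constructed mini-program twice: once tracking taint per object, once per `object.field`. The statement format, the names `req`/`page` and the sink are all constructed for the example.

```python
# Constructed mini-IR for the analysed "program":
#   ("source", target)        target receives user-controlled data
#   ("const",  target)        target receives a hard-coded constant
#   ("assign", target, expr)  target := expr, taint flows from expr to target
#   ("sink",   expr)          expr reaches a sensitive sink (e.g. a redirect URL)
# Names are "object.field". Both modes return the sink expressions they would flag.
PROGRAM = [
    ("source", "req.next_url"),                   # query parameter, attacker-controlled
    ("const",  "req.site"),                       # hard-coded base URL
    ("assign", "page.redirect", "req.next_url"),  # tainted field copied
    ("assign", "page.home", "req.site"),          # clean field copied
    ("sink",   "page.home"),                      # built from a constant only
    ("sink",   "page.redirect"),                  # user data reaches the sink
]

def obj(name):
    """Object part of an 'object.field' name."""
    return name.split(".", 1)[0]

def analyse(program, field_sensitive):
    """Forward taint propagation; returns the flagged sink expressions in order.

    field_sensitive=False tracks taint per object: one tainted field taints the
    whole object and, being conservative, no assignment can ever clear it.
    field_sensitive=True tracks taint per field and applies strong updates, so a
    field overwritten with clean data becomes clean again.
    """
    key = (lambda n: n) if field_sensitive else obj
    tainted = set()
    flagged = []
    for stmt in program:
        op, target = stmt[0], stmt[1]
        if op == "source":
            tainted.add(key(target))
        elif op == "const":
            if field_sensitive:
                tainted.discard(target)
        elif op == "assign":
            expr = stmt[2]
            if key(expr) in tainted:
                tainted.add(key(target))
            elif field_sensitive:
                tainted.discard(target)
        elif op == "sink":
            if key(target) in tainted:
                flagged.append(target)
    return flagged

def false_positives(program):
    """Sinks the object-level analysis flags that the field-level one does not."""
    return sorted(set(analyse(program, False)) - set(analyse(program, True)))
```

Running it shows the object-level pass flagging `page.home` purely because its sibling field `page.redirect` is tainted, which is the kind of false positive field sensitivity removes.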

Compatibility expands with C++20 & Compilation Database support (Developer, Enterprise and Data Center Editions)

As you work to adopt C++20, we're working to help you use it well. This version adds parsing support for many significant C++ features, including template syntax for lambdas and designated initializers, as well as partial support for parsing Concepts and Coroutines. We've also added 18 new C++20-specific rules, including eight for the new spaceship operator (<=>). Many existing rules have also been updated to support the new features including the addition of the spaceship operator to rules related to comparison.

We've also updated our handling of the STL to ensure uniform issue detection across all implementations. This eliminates false negatives and a few false positives.

Onboarding and analysis get easier in this version. We've added onboarding tutorials to help with analysis configuration for all main CI systems as well as support for using a Compilation Database as an alternative to the Build Wrapper (although the Build Wrapper is still preferred if your compiler is supported).

Language Updates

Java
  • Java 16 parsing
RPG
  • Full support for free-form syntax
C#
  • Parsing of C# 9 records and target-typed `new` expressions

Time to enjoy all the new version features!