SonarQube 9.1

Project PDFs, JS AWS Lambda taint analysis, Kotlin coroutine rules...

September 20th, 2021


Introducing… project reports! (Available on Enterprise Edition and Data Center Edition)

It's been a long time coming! SonarQube now offers project report PDFs. And you can subscribe to have them appear automatically in your inbox every day! You'll get the current Quality Gate status and any failing conditions, plus the major metric values on New Code.

As if that's not enough, this version also adds another long-awaited feature: the ability to export all issues and Security Hotspots in a project. The download comes in a JSON format, and is available to instance administrators.

And finally, we've also added a new security report. The 2021 CWE Top 25 Most Dangerous list was released in late July, and we've got the report ready for you in SonarQube 9.1 for projects, applications and portfolios.


Taint analysis for your JavaScript AWS Lambdas (Available on Developer Edition, Enterprise Edition and Data Center Edition)

For secure cloud-native applications, securing your IaC just isn't enough. As you move to the cloud, your Lambdas hold more and more of your critical, core business logic, and you need to secure them too. We're answering the call by adding taint analysis to find the full suite of injection vulnerabilities in the JavaScript Lambdas declared in your CloudFormation .yml or Serverless files.

Master Kotlin coroutines, plus data storage and privacy requirements

Kotlin coroutines are intended to make asynchronous programming easier. Unfortunately, some mistakes are still common. That's why we've added 12 new rules to help you avoid the pitfalls and use coroutines well.

We've also added four rules to help you meet MASVS' Data Storage and Privacy Requirements. These new rules will allow you to validate that you're in compliance with the Mobile Security Testing Guide > Data Storage requirements before you submit your app.

Advanced regex rules for JS/TS, PHP

We talked a lot about regular expressions earlier this year. We had created some unique Java regex rules, and in testing them discovered that it's far easier to make regex mistakes than anyone had ever appreciated before. Of course, it's not just Java developers who write regexes. So we've taken the lessons we learned from that project and applied them to the things that PHP developers and JavaScript / TypeScript developers stumble over when writing regular expressions.

The right results - faster!

The best analysis results in the world are no good if they come too late. That's why we're focusing this year on faster delivery of our high-precision analysis results. In SonarQube 9.1 that means we've switched to using precompiled Typeshed symbols during Python analysis. The impact on SonarQube analysis is modest, but SonarLint users (particularly in PyCharm & VS Code) will reap huge benefits.

In commercial editions, we've optimized taint analysis to eliminate duplicate operations in call graph calculation. That means a speed increase for taint analysis rules of anywhere from 20% in very small projects to 90% in very large ones, with an average gain of 50% in our tests. As an example, analyzing the OWASP JuiceShop project is down to 1.5min versus the 6min it used to take.

Audit logging for security-sensitive actions (Available on Enterprise Edition and Data Center Edition)

Global administrators now have easy access to audit logs for changes to users, projects, permissions, and several other areas. The logs are delivered in a JSON format, and housekeeping is configurable.

Beta: Manage your cluster with K8S (Available on Data Center Edition)

DCE users, this is what you've been waiting for! With 9.1 we begin the official beta for support of Data Center Edition on Kubernetes. With configuration, stopping and starting, robust upgrade and cluster logs, we think we've ticked most of the boxes. But we're depending on you to let us know. So please, take it for a spin and tell us what you think.

Language Updates

PHP
  • Rules to make WordPress plugins safer
  • Import of Psalm and PHPStan reports

Java
  • Parsing and rules for Java 16 features, including records

C#
  • Improved C# 9 support, including pattern matching and lambdas

C++
  • False positives on improbable paths eliminated
  • 8 new C++20 rules
