IaC support: analyze CloudFormation, Terraform security
In the 9.2 release, SonarQube adds support for analyzing CloudFormation and Terraform files. With these two new languages, SonarQube helps developers secure not just their code, but also their deployments. Just moving to the cloud doesn't make your application secure: while AWS manages the security of the cloud, it's still up to you to manage what you're putting there, and that means securing not just the code but also how it's deployed. Among the domains covered for both CloudFormation and Terraform are the security of your AWS S3 buckets, permissions, traceability, and encryption at rest and in transit. Additionally, import is supported for reports from Cfn-Lint, Amazon's official CloudFormation linter.
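To make the S3 domains above concrete, here is an added example (not SonarQube's analyzer or rule code) that walks a constructed CloudFormation template in JSON form and reports three of the misconfigurations an IaC rule set typically checks on an AWS::S3::Bucket: no default server-side encryption (encryption at rest), public access not fully blocked (permissions), and no access logging (traceability). The property names are the real CloudFormation ones; the template, bucket names and finding texts are constructed for the example.

```python
"""Toy S3 bucket checks over a CloudFormation template.
Added example; not SonarQube's implementation. The template is constructed."""
from __future__ import annotations
import json

# Constructed template: one weak bucket and one hardened bucket.
TEMPLATE_JSON = r'''
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "LogsBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": "example-weak-bucket"
      }
    },
    "DataBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketEncryption": {
          "ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}
          ]
        },
        "PublicAccessBlockConfiguration": {
          "BlockPublicAcls": true, "BlockPublicPolicy": true,
          "IgnorePublicAcls": true, "RestrictPublicBuckets": true
        },
        "LoggingConfiguration": {"DestinationBucketName": "example-access-logs"}
      }
    }
  }
}
'''

PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "BlockPublicPolicy",
                       "IgnorePublicAcls", "RestrictPublicBuckets")

def check_bucket(logical_id: str, props: dict) -> list[str]:
    """Return one finding per weak setting on a single AWS::S3::Bucket."""
    findings = []
    # Encryption at rest: at least one default SSE rule must be configured.
    rules = props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration", [])
    if not any("ServerSideEncryptionByDefault" in rule for rule in rules):
        findings.append(f"{logical_id}: no default server-side encryption configured")
    # Permissions: every public-access-block flag must be explicitly true.
    pab = props.get("PublicAccessBlockConfiguration", {})
    missing = [flag for flag in PUBLIC_ACCESS_FLAGS if pab.get(flag) is not True]
    if missing:
        findings.append(f"{logical_id}: public access not fully blocked ({', '.join(missing)})")
    # Traceability: access logging needs a destination bucket.
    if not props.get("LoggingConfiguration", {}).get("DestinationBucketName"):
        findings.append(f"{logical_id}: access logging not enabled")
    return findings

def analyze_template(text: str) -> dict[str, list[str]]:
    """Map each S3 bucket's logical id to its list of findings (empty = clean)."""
    template = json.loads(text)
    results = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") == "AWS::S3::Bucket":
            results[logical_id] = check_bucket(logical_id, resource.get("Properties", {}))
    return results

if __name__ == "__main__":
    for bucket, findings in analyze_template(TEMPLATE_JSON).items():
        print(bucket, "->", findings or "OK")
```

The same three checks apply to a Terraform aws_s3_bucket and its companion resources; only the property names and the parser change. Encryption in transit is a bucket-policy concern (a deny rule on insecure transport) and is left out of this example.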
Android development easier, more secure across languages
Android developers have a lot to look forward to in 9.2, with a slew of new rules across languages and better support in the underlying development workflow. Starting with rules...
There are a lot of security-sensitive configurations in an Android application, and it's not always obvious how they should be set. Four new rules implemented for Kotlin and Java, and five new rules for XML help developers ensure their users' data is properly secured.
With 9.1, SonarQube added rules to help Kotlin developers meet MASVS' Data Storage and Privacy Requirements. Now the same rules bring parity for Java Android developers.
On the topic of parity, two Vulnerability rules and two Security Hotspot rules previously implemented for Java to ensure Android or general JVM security have been ported to Kotlin for better Android security across languages. Another two Code Smell rules and five new Bug rules were also ported from Java to Kotlin since the pitfalls they cover have a 1:1 correspondence across languages.
Finally, to round out support for mobile developers, we worked with Codemagic to support "auto(code)magic" detection of branches and PRs in that CI/CD platform. From now on, there's no complex YAML logic, just magically easy analysis.
Advanced regex rules for Kotlin & Python
Accuracy in all facets of analysis is SonarSource's guiding star, and nowhere more so than for security-related rules. With 9.2 we've subtly updated several aspects of taint analysis for a better overall experience. First, false negatives were eliminated by differentiating between validators (check the argument and return a boolean) and sanitizers (return a single, sanitized argument). Additional updates include:
distinguishing between OS command injection and OS argument injection
splitting detection of reflection injection from detection of code injection
In both cases, approximately the same issues are raised in 9.2 as previously, but now by potentially different rules. The advantage is clarity for developers trying to understand the problem based on the rule description. Now a more appropriate description will be presented in each case.
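The distinctions above are easier to see in a small model. The following is an added illustration, not SonarQube's analyzer: a toy taint tracker in which a sanitizer returns a new clean value, a validator returns a boolean and only the branch where it held may treat the argument as trusted, and two sinks produce different findings, a shell-parsed command string (OS command injection) versus an argument vector passed to a program without a shell (OS argument injection). All function and finding names are constructed for the example.

```python
"""Toy taint model: validators vs sanitizers, and shell vs exec sinks.
Added illustration, not SonarQube's analyzer; all names are constructed."""
from __future__ import annotations
from dataclasses import dataclass, replace
from typing import Callable, Iterable

@dataclass(frozen=True)
class Value:
    text: str
    tainted: bool = False  # True when the data came from an untrusted source

def from_request(raw: str) -> Value:
    """Taint source: anything read from the incoming request."""
    return Value(raw, tainted=True)

def concat(*parts: Value) -> Value:
    """String building propagates taint: one tainted part taints the result."""
    return Value("".join(p.text for p in parts), any(p.tainted for p in parts))

def sanitize_name(v: Value) -> Value:
    """Sanitizer: RETURNS a new value; only that return value is clean."""
    clean = "".join(ch for ch in v.text if ch.isalnum() or ch in "._")
    return Value(clean, tainted=False)

def is_valid_name(v: Value) -> bool:
    """Validator: RETURNS A BOOLEAN and leaves its argument untouched."""
    return v.text != "" and all(ch.isalnum() or ch in "._" for ch in v.text)

def validated(v: Value, validator: Callable[[Value], bool]) -> Value:
    """Models the true branch of `if validator(v):` - the same text is now
    trusted. In the false branch the original value stays tainted; an analyzer
    that cleared taint on every validator call would miss that flow."""
    if not validator(v):
        raise ValueError("validated() models only the branch where the check passed")
    return replace(v, tainted=False)

def shell_sink(command: Value) -> list[str]:
    """Sink where a shell parses the whole string: tainted data can change
    which command runs -> OS command injection."""
    return ["os-command-injection"] if command.tainted else []

def exec_sink(argv: Iterable[Value]) -> list[str]:
    """Sink that execs a program with an argument vector and no shell: a tainted
    element can still be interpreted as an option by the target program
    -> OS argument injection, reported separately with its own description."""
    return ["os-argument-injection"] if any(a.tainted for a in argv) else []

def flow_with_sanitizer(raw: str) -> list[str]:
    """The sanitizer's return value reaches the sink: clean."""
    name = sanitize_name(from_request(raw))
    return exec_sink([Value("ls"), Value("-l"), name])

def flow_with_validator(raw: str) -> list[str]:
    """Only the guarded branch is clean; the fallback keeps the taint."""
    name = from_request(raw)
    if is_valid_name(name):
        return exec_sink([Value("ls"), Value("-l"), validated(name, is_valid_name)])
    # Fallback path that interpolates the unchecked value into a shell string.
    return shell_sink(concat(Value("ls -l "), name))

def flow_unchecked(raw: str) -> list[str]:
    """No check at all: the exec sink reports argument injection."""
    return exec_sink([Value("ls"), from_request(raw)])

if __name__ == "__main__":
    for raw in ("report.txt", "a b;c"):
        print(raw, flow_with_sanitizer(raw), flow_with_validator(raw), flow_unchecked(raw))
```

The two sink functions are what makes the split in rules visible: the same tainted value produces a command-injection finding when it lands in a shell-parsed string and an argument-injection finding when it lands in an argument vector, so each report can carry a description that matches the actual fix.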
Additionally, the rule to detect HTTP response splitting, S5167, has been deprecated since it's no longer relevant in modern web contexts. In its place, rules protecting HTTP request redirections and HTTP responses have been implemented.
Automatically find - and fix! - issues in-IDE
SonarLint gives you an early warning on your SonarQube analysis by raising the same issues in-IDE. And now the free IDE extension even offers quick fixes for some Java issues in Eclipse, VSCode and JetBrains' IDEs and for some C and C++ issues in CLion. (More languages & IDEs coming soon!) Just look for the SonarLint icon in issues raised after the upgrade:
Badges for private projects and other long-awaited features
SonarQube 9.2 includes a number of long-awaited features to help you better integrate SonarQube into your organization. First, with this version we've finally been able to deliver badges for private projects. Next is the new functionality to delegate administration of a single Quality Gate. Previously, administrators could delegate permissions for all Quality Gates; now they can be more selective. Speaking of delegation, delegating authentication to Bitbucket Cloud is now built in.
Another item on the highly-anticipated list is branch handling in Enterprise Edition Portfolios. Users will be able to create new portfolios to track project branches and even track multiple branches within the same project. Also for the benefit of Enterprise Edition users, we've added the ability to export projects from any instance - Community Edition and up - for import into Enterprise Edition. That will make it easier to get all the right projects into your portfolios in the first place.
SonarQube upgrade notifications
Last but very much not least, we've added in-application prompting when it's time to upgrade SonarQube itself. We know SonarQube runs so well that it's easy to lose sight of how long you've been using a particular version. But to get the latest features - and fixes - it's important to stay on a supported version: either the LTS or Latest. So starting from 9.2, we'll keep an eye out for you and let you know when it's time to schedule your next upgrade.