SonarQube 9.5 includes a little something for everyone. We've made analysis faster for C and C++ and for users of all languages running the first analysis of a Git project. Python and Java users get new security rules plus runtime crash detection. C# adds deadlock detection and expanded C#10 support. And developers in all languages will benefit from updates to the Issues interface to bring a focus on the issue at hand.
DevOps folks will be glad to see limited token permissions and executives will appreciate the detailed release reporting this version adds.
Faster analysis with Git, C & C++
Even the best analysis results are no good if they come too late. So we're focusing on the speed of analysis this year, with several significant improvements in this version. First, anyone with Git-based projects will find that the first analysis is now up to 60% faster with improved retrieval of the initial blame data. Also on the topic of first analysis, we've significantly improved the documentation on importing coverage reports for flagship languages, to make it easier to get going regardless of your SCM.
In commercial editions, we've enabled analysis caching and multi-threading for all C and C++ users by default. Analysis speed will be proportional to the number of files affected by the change set, and thread count will scale to the number of CPUs on the build agent.
Issue interface update adds focus, clarity
You'll find an updated issue interface in this version. It offers a close focus on the issue at hand and easier, more obvious access to the underlying rule description. The new presentation brings the Issues experience closer to the Security Hotspots view, and is just the first step in making it even easier to understand your issues and how to deal with them.
We've added five new Java rules in this version to help you prevent runtime errors and crashes. These new rules: 1 Blocker, 3 Critical, and 1 Major, are the first installment of what we're calling Advanced Bug Detection. It detects runtime errors by following your data through methods and across files to understand where crashes will occur. The new rules detect illegal arguments, class cast problems, bad collection operations and infinite recursion.
Python rules for CDK S3 buckets & Java secret detection
The AWS CDK gives users of object-oriented languages the ability to create patterns that can be individually tested, distributed, and shared. While the CDK provides experience-tested default values, security misconfigurations are still too easy. That's why we've added four Python rules to detect Security Hotspots in S3 buckets created using the CDK, in order to help infrastructure designers provide their users with a cloud infrastructure based on a secure and stable infrastructure.
And for Java, we've added a rule (S6418) to detect hard-coded secrets in variables named "secret", "token", and so on.
C# deadlock detection and record structs
Debugging a deadlock can be a difficult, painful process, and the best approach is preventing them in the first place. So we've added S2222 to help you make sure your C# locks are released along all execution paths - not just some!
Also in this version, we've added support for C# 10 record structs, updating 31 rules to recognize and properly handle the new syntax. This is just one step in our ongoing work to support C#10. Future versions will add support for mixed assignment and declaration in a deconstruction, parameter-less constructors and field initializers in structs, and more.
With SonarQube, you can be confident you and your team are releasing clean code. But what happens when you're called on to prove it? Now SonarQube offers a regulatory report for just such occasions. It gives the status of your project in detail, and is designed to be filed for each release version. So you not only have peace of mind that you're delivering great code, but that you can prove it, too.
Token updates limit scope, add prefix
Need to generate an analysis token without giving away free access to all your administrative privileges? SonarQube 9.5 adds token types, so now you can create an analysis token for a specific project or for all projects.
Newly generated tokens include a brief prefix to help you distinguish among the project (sqp), global analysis (sqa), and legacy / user (squ) types.