SonarQube 9.6

K8S, Incremental Java PRs

August 15th, 2022

SonarQube 9.6 - New rules for Kubernetes, AWS, Azure Functions & C# deconstruction, plus incremental Java PR analysis and more

The big theme of SonarQube 9.6 is security: security rules for Kubernetes, JavaScript use of the AWS CDK, better descriptions for taint analysis rules, improved understanding of common Java libraries (for more taint analysis true positives), and auto-detection of home-grown validators (for fewer taint analysis false positives)!

But that's not all we worked on. There's also new support for Azure Functions, incremental Java PR analysis, new JS/TS React rules (and rule improvements), and significant Ops improvements.

Introducing: Security rules for Kubernetes, plus more for AWS

Can your code truly be secure if the environment it runs in isn't? Six new Security Hotspot rules for Kubernetes mean you don't have to wonder. They'll flag configurations that need double-checking and help you understand what the dangers could be.

If you're using AWS S3 buckets instead, JavaScript analysis adds five new Security Hotspot rules to help you avoid common CDK pitfalls, so that infrastructure designers can give their users a secure and stable cloud infrastructure. And we've extended support for JavaScript Lambda analysis to also cover the ones defined in YAML files.

Java developers now have help coding for AWS as well. Seven new rules cover Lambda development, AWS Client best practices, use of the AWS SDK, and access key security.

Azure Function rules and C# deconstruction support

Speaking of Cloud development, we've added six new Code Smell rules to help C# developers avoid common pitfalls in Azure Function development. They cover resource management, error handling, and entity interface design. We've also updated 16 rules to support C#'s tuple deconstruction syntax.

Incremental analysis for Java PRs (available on Developer Edition, Enterprise Edition and Data Center Edition)

And now what you've all been waiting for… Faster PR analysis! With this version, we're introducing incremental analysis for Java PRs. The underlying mechanism is a new server-side analysis cache. It allows us to limit PR analysis to only the changed files, while still performing a thorough analysis. The numbers aren't really in yet, but on one test project, the Java portion of analysis dropped from 160 seconds to 20. Now that we've proved out the mechanisms, you can look for this in additional languages in future releases.

Issue UI improves focus, adds more help for taint analysis

You'll notice an updated Issues UI in this version. SonarQube 9.5 introduced a UI designed to help developers focus on the current issue and 9.6 further streamlines the presentation by moving all issue actions to the top of the issue interface.

In commercial editions, the changes go even further, with additional content in six taint analysis rules to help you better understand the issues, and, for some rules, patch instructions specifically tailored to the framework in use.

Taint analysis scope, accuracy grow (available on Developer Edition, Enterprise Edition and Data Center Edition)

Very few have the luxury of working in new projects with best-practice use of modern frameworks. And even if you're one of the lucky few, you may still have a few home-grown input validators out there, making sure user data is clean and safe. That's why we've updated Taint Analysis to automatically recognize custom validators, reducing false positives and giving you a better overall experience.
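As an added illustration of the kind of home-grown validator this passage refers to (a constructed example, not SonarQube's own code, and not a description of how its detection works), the following allowlist validator sits between a user-supplied file name and a file system sink; without such a validator the flow from request input to path resolution is what a taint analysis would report.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

public class ReportDownload {
    // Home-grown validator: allowlist of plain file names (no separators, no dots except the extension).
    private static final Pattern SAFE_NAME = Pattern.compile("^[A-Za-z0-9_-]{1,64}\\.pdf$");

    // Returns the input unchanged when it is acceptable, otherwise rejects it.
    // Taint analysis that recognises this method as a validator stops reporting flows through it.
    public static String requireSafeFileName(String userInput) {
        if (userInput == null || !SAFE_NAME.matcher(userInput).matches()) {
            throw new IllegalArgumentException("invalid report name");
        }
        return userInput;
    }

    // Sink: the requested name ends up in a file system path.
    public static Path resolveReport(Path reportsDir, String requestedName) {
        String clean = requireSafeFileName(requestedName);
        Path resolved = reportsDir.resolve(clean).normalize();
        // Defence in depth: the allowlist already excludes separators, but confirm
        // the resolved path stays inside the reports directory.
        if (!resolved.startsWith(reportsDir)) {
            throw new IllegalArgumentException("report path escapes reports directory");
        }
        return resolved;
    }

    public static void main(String[] args) {
        Path dir = Paths.get("/var/app/reports").toAbsolutePath().normalize(); // constructed location
        System.out.println(resolveReport(dir, "q3_summary.pdf"));
        try {
            resolveReport(dir, "../other.pdf"); // fails the allowlist
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```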

At the same time, we've also improved detection by extending coverage to the 100 most-used Java libraries. This better understanding of the underlying libraries means more taint analysis true positives in your Java projects.

React: New rules, improved accuracy for JS/TS

Seven new React-specific Bug rules help you find infinite loops, dead code, state problems and more. In addition, 14 other rules have been updated for better accuracy in React and JSX/TSX code.

PCI DSS reporting (available on Enterprise Edition and Data Center Edition)

The Payment Card Industry Data Security Standard is a list of 12 high-level requirements (with a total of 240 low-level requirements) that apply to all organizations that handle credit card data. SonarQube 9.6 adds reporting for versions 3.2 and 4.0 of the standard. Both versions are available in the UI, and the Security Report PDF includes version 4.0.

Ops advances: SAML security, token expiry

As a follow-up to the addition of token types in SonarQube 9.5, this version further secures tokens by adding the ability to set token expiration. Token lifespan can be set by the user during token generation, or globally by an admin who chooses the maximum lifespan for new tokens.

Additionally, organizations using SAML authentication may want to update their configurations with request signing and assertion encryption, both newly supported in SonarQube 9.6.

And finally, with this version we've replaced the Java Service Wrapper with WinSW on Windows and `nohup` on macOS and Linux.

Keeping up with new language versions

A lot of programming language updates have been released in the last few months, and SonarQube 9.6 catches up on parsing them. Analysis now understands these language versions:

In addition, SonarQube 9.6 correctly parses Go 1.18, and the Go rules have been updated to understand the Go 1.18 syntax additions, including generics.

Time to enjoy all the new version features!
