SonarQube 9.7: JS/TS PR speed, GH Security

October 17th 2022

Faster analysis for JavaScript and TypeScript PRs; lots of new Python rules; GitHub security reporting; enhanced rule descriptions; and a number of goodies for SonarQube admins. We think there's a lot to love in this version, and we know you will too.

Faster JavaScript/TypeScript PR, COBOL analysis (Developer Edition, Enterprise Edition, Data Center Edition)

With SonarQube 9.7, we've extended analysis caching to COBOL and to JavaScript and TypeScript PRs for significant analysis speed improvements. In both cases, only the changed files are parsed and modeled, and cached representations are used for unchanged files. That leads to an average 40% performance improvement for JavaScript PRs, with an up to 80% improvement on large projects.

Vulnerabilities reported in GitHub Security, plus OWASP ASVS reports (Developer Edition, Enterprise Edition, Data Center Edition)

You shouldn't have to go looking for important messages; they should come to you. That's why we've added Vulnerability reporting to GitHub Security. So you get the important security reporting where you're already working.

And on the topic of reporting, in Enterprise Edition we've added a report for the OWASP Application Security Verification Standard, so you can measure your compliance against the requirements of this important standard. This new report will be available both in the UI and as part of the Security Reports PDF.

Python adds test rules, path-sensitive bug detection

You know your code is right if your tests pass, but how do you know your tests are right? We've added eight new rules for test correctness, including five that are unique to the Sonar ecosystem. These unique new rules cover test skipping, making sure tests are executed, and that their assertions are reachable.

And in commercial editions, there are three new path-sensitive bug detection rules to help you detect even more tricky Python bugs.

More AWS support with Python CDK & JS/TS Lambdas

For those using Python in the cloud, we've added 16 new rules to help you use the AWS CDK securely. There are nine new rules on the topic of encryption at rest and in transit; four rules around public access, network, and firewalls; and three rules covering permission and access control.
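As an added illustration of what a rule in the encryption-at-rest and public-access families looks for (a constructed example, not SonarQube's own rule implementation), here is a small AST-based check over a hypothetical Python CDK stack that flags an `aws_s3.Bucket` defined without an encryption setting or with public read access enabled:

```python
from __future__ import annotations
import ast
from dataclasses import dataclass

# Constructed sample of Python CDK code (hypothetical stack, not from the page).
# Only parsed, never executed, so aws_cdk does not need to be installed.
SAMPLE = '''
from aws_cdk import aws_s3 as s3

class StorageStack(Stack):
    def __init__(self, scope, id):
        super().__init__(scope, id)
        # noncompliant: no encryption setting, world-readable objects
        s3.Bucket(self, "Logs", public_read_access=True)
        # compliant: encryption at rest enabled, public access blocked
        s3.Bucket(self, "Data",
                  encryption=s3.BucketEncryption.KMS_MANAGED,
                  block_public_access=s3.BlockPublicAccess.BLOCK_ALL)
'''


@dataclass
class Finding:
    line: int
    message: str


def _is_bucket_ctor(call: ast.Call) -> bool:
    """True for calls shaped like s3.Bucket(...) or Bucket(...)."""
    f = call.func
    if isinstance(f, ast.Attribute):
        return f.attr == "Bucket"
    return isinstance(f, ast.Name) and f.id == "Bucket"


def check_cdk_buckets(source: str) -> list[Finding]:
    """Flag Bucket constructor calls that leave encryption unset
    or explicitly grant public read access."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _is_bucket_ctor(node)):
            continue
        # **kwargs expansions have kw.arg == None and are skipped here
        kwargs = {kw.arg: kw.value for kw in node.keywords if kw.arg}
        if "encryption" not in kwargs:
            findings.append(Finding(node.lineno, "S3 bucket has no encryption at rest setting"))
        pub = kwargs.get("public_read_access")
        if isinstance(pub, ast.Constant) and pub.value is True:
            findings.append(Finding(node.lineno, "S3 bucket grants public read access"))
    return findings
```

Running `check_cdk_buckets(SAMPLE)` reports two findings, both on the "Logs" bucket line, and nothing for the "Data" bucket.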

And in commercial editions, we've added support for taint analysis of inline JavaScript and TypeScript Lambdas in YAML files, in order to further protect your business logic.

Rules more helpful, understandable than ever (Developer Edition, Enterprise Edition, Data Center Edition)

The effort to improve the user experience continued in 9.7. In the rules UI, we've added the ability to highlight the differences between the compliant and noncompliant code samples to make the changes clearer. Most Java and C# taint analysis rules take advantage of this change, with more rules to be updated in future versions. In addition, we've significantly expanded the educational content of these taint analysis rules for Java and C#. The new content goes even further toward not just helping developers write clean code, but helping them truly understand how and why.

Easier SAML configuration, PII deletion, user messages

Setting up SAML integration will be easier from now on. SonarQube 9.7 adds field validation and configuration testing, as well as significantly enhanced documentation that covers integration with Azure AD, Keycloak and Okta.

For admins seeking GDPR compliance, we've added the ability to remove personally identifiable information from a user record. Doing so will retain the user record, for referential integrity reasons, but fully anonymize its data.

Starting in Enterprise Edition, administrators now have the ability to display a message to all users. The yellow message banner will appear at the top of the window, above the main menu.

And finally, telemetry has been updated in all editions to increase the frequency and the granularity of the data sent. Starting in 9.7, a daily payload will include individual, anonymized records for each user and project.

Language Updates

Java
  • Java 18 parsing, and S1943 updated to avoid false positives
  • New rule: S2068 Find hard-coded passwords in API calls that take passwords

C#
  • Extend C# 10 support with rule updates for remaining features

C / C++
  • Handle asserts in path-sensitive issues for both Debug and Release builds

TypeScript / JavaScript
  • TypeScript 4.8 parsing and rule updates
  • React/JSX false positive fixes

Time to enjoy all the new version features!
