version v7.2.
For up-to-date documentation, see the
latest version.
What's new
6 minute read
SonarQube has released a new version with exciting features and improvements.
We will discuss some of the key highlights that are activated and available within the Software Factory.
Features to look for in SonarQube Server 2025.1 LTA
For this new major SonarQube Server version the following new features will be available:
Project Administration
- Guided configuration of all projects in a monorepo
- Flexible main branch designation
- Guidance on project onboarding related to new code configuration .
Analyzers, Scanners
- Faster analysis bootstrap
- Faster scan times
- Improved experience for C and C++ analysis
- Maven scanner scans all files
- New C, C++, and Objective-C GitHub Action
Quality Gates and Quality Profiles
- Set rule priority to uphold your coding standards
- Updated Sonar Way quality gate condition
- Exclude rule from inherited quality profile
- Dual operating modes with Standard Experience Mode that preserves familiar rule and issue qualities and severities for users or Multi Quality Rule (MQR) Mode to more accurately represent the impact an issue has on all software qualities
Issue: Refers to a problem or defect detected in the source code that does not comply with a rule. It can potentially impact the quality and maintainability of the software. Here are the 5 common types of issues in SonarQube:
- Bug: An issue that represents something wrong in the code that can cause incorrect or unexpected behavior in the software,
- Code Smells: Maintainability-related issue that indicate potential problems in the code’s structure,
- Security Hotspot: Security-sensitive pieces of code that need to be manually reviewed,
- Vulnerabilities: Security-related issues that can make the application susceptible to attacks,
- Duplication: Identified code duplications which could increase the maintenance effort.
SonarQube for IDE
- Advanced bug detection on Java and Python dataflow
- Open an issue in the IDE
UI Improvements
- Branch summary shows issue count and overall code shows software qualities
- UI updates on the following elements:
- Quality Gate page
- Rules page
- Quality Profiles page
- DevOps platform configuration modal is visible during project onboarding
- Project, project onboarding, applications
Issue Management
- New rule format
- Dismiss issues marked as “Accepted” and keep track of how many
- Pull requests show issues that will be fixed when merged
- Issue count and issue classification using MQR Mode issue categorization
- Resolve external issues in SonarQube Server in the same place as issues raised by SonarQube Server
Code Security
- Advanced secrets detection
- Based on the results of your analysis, Cloud Application Security Assessment (CASA) and Security Technical Implementation Guides (STIGs) security reports are available for your projects
- Additional support for Spring framework in Java to reach a coverage of 92% for security-sensitive Spring features
- More Java public libraries for Deeper SAST
- Alias tracking is improved during branching to prevent the loss of an alias
- PHP code taint analysis is improved by supporting global variables
- All comparison operators in Java, JavaScript, Python, and C# are considered as validators
- Show security issues in GitLab vulnerability report
- Secrets detection
- Find security misconfigurations in Azure Resource Manager (ARM) templates
- Advanced Support for PHP Super-Global Arrays
- The Security Reports page in SonarQube Server now contains the 2023, 2022 and 2021 CWE Top 25 Report
- Enhanced security for Dockerfiles
- Improved Java security
- Sync Security Hotspots with SonarQube for VSCode or IntelliJ family IDEs
Languages
- Analysis now supports asymmetric property visibility (PHP 8.4)
- Analysis supports the STIG security standard and more language constructs
- We’ve added 2 new rules for VB analysis
- Analysis of Dart/Flutter apps is now available with 115 Dart rules introduced
- Analysis of Ansible IaC is now available
- We’ve added rules to analyze Job Control Language (JCL) , a commonly used mainframe scripting language used to orchestrate the execution of COBOL programs
- It is now possible to analyze Kotlin multi-platform (KMP) projects for cross-platform code development
Java/Maven improved support
- Maven 4.0 is supported
- Java 21 LTS is supported
- Introducing architecture rules for Java: architecture rules help developers find circular dependencies across classes in Java code
- Improved code efficiency: added eleven new rules for Java enterprise and Java Android mobile developers
Python
- The Django framework in Python is now supported, with basic rules that cover bugs and code smells
- New rules to support the NumPy and Pandas Python libraries. Support for Python 3.12 new syntax, new rules, and error-free parsing.
- Addition of rules for top libraries used by Data Scientists: NumPy, Pandas.
- Graphene (GraphQL for Python) is supported. The FastAPI framework is supported, rounding out our support of the top 3 API frameworks for Python, including Flask and Django.
- Increase support for machine learning with 7 new rules for the PyTorch library.
- Analysis of Jupyter Notebooks, previously added in VS Code, is now available.
- The TensorFlow library is now supported.
- Added seven new rules to avoid pitfalls when using Date & Time libraries.
- The Scikit-learn libraries, one of the top Python libraries used for AI and machine learning development, are now supported.
JavaScript & TyprScript
- To help you write accessible code for front-end applications, we have ported sixteen rules from JavaScript to HTML
- TypeScript 5.4 is supported and First-class support of React with more than 60 rules
C#/.NET improved support
- Support of LTS .NET 8 and C#12
- Support for Blazor framework
- Added fifteen new rules for logging
C/C++ improved support
- C++23 is now supported
- Multiple C/C++ code variant analysis: Developers can now analyze multiple code variants (e.g. compilers, compiler flags, platforms etc.) of their code using the same project.
- Misra C++ 2023 new rules: SonarQube Server’s new MISRA C++ 2023 rules include 43 rules aligned with MISRA guidelines, all selectable in your Quality Profile.
Kubernetes/Helm improved support
- SonarQube Server now supports scanning Helm Charts for Helm-based Kubernetes deployments using the same Kubernetes rules that are applied to other YAML files with sixteen security rules and sixteen maintainability best practice rules for Kubernetes and Helm Charts.
Deprecations
Deprecations to prepare for in advance for the new SonarQube version 2025.1 LTA are:
End of support of Node.js 14 and Node.js 16 in the scanner environment
Node.js 14 and Node.js 16 are no longer supported as scanner runtime environment. If you’re using a custom Node.js installation, we recommend the latest LTS version .
End of support of Java 11 as scanner environment
Java 11 is no longer supported as a scanner runtime environment. The minimum required version is Java 17. See the requirements for more information. (SONAR-21157 )
SonarScanner for .NET compatibility
Starting SonarQube 10.4, analysis of .NET projects requires SonarScanner for .NET 5.14+
End of support of MSBuild 14
MSBuild 14 is no longer supported for scanning .NET code. MSBuild 15 is deprecated and support will be removed in a future version. We recommend using MSBuild 16 as a minimal version. (SONAR-21554 )
Projects displaying modules are no longer supported
The concept of modules was removed in v7.6. SonarQube no longer migrates the structure of projects still displaying modules.
Make sure you re-analyze these projects before upgrading to SonarQube 2025.1 (SONAR-17706 ).
Deprecated web services and parameters removed
The web services and parameters that were deprecated in versions 8.x and 9.x have been removed. For more information, see the corresponding list