SonarQube 9.9 LTS: Better than ever

Faster Pull Request analysis

Pull Request (PR) analysis gets a significant speed boost. With the implementation of incremental analysis and server-side caching, only the changed files are analyzed. 

No matter the programming language, your PR analysis will be considerably faster – the same high-precision results; just delivered faster. For example, a mid-size project with approx 300,000 Lines of Code is now analyzed more than twice as fast as before. This means that a PR that would have taken 5 minutes to be analyzed on SQ 8.x, now takes under 2 minutes. 

And, for Git-based projects, we've also sped up your first full project analysis. Anyone using Git SCM will find that their first analysis is on average 60% faster and up to 90% faster with the improved retrieval of initial blame data. As an example, the first analysis of the main branch for a project with 300K Lines of Code is now completed in less than 10 minutes, an 80% speedup when compared to previous versions.  

Secure Cloud Native applications

As your applications move to the cloud, you have to secure not only your source code but also all associated configurations and deployment. We've added support for the three popular cloud providers – AWS, Google Cloud, Microsoft Azure – and their underlying technologies: serverless and SAM frameworks, AWS CDK, IaC with Terraform and CloudFormation, as well as containerized deployments with Kubernetes and Docker. 

Infrastructure-as-Code (IaC) with TerraForm and Cloudformation

Provisioning your cloud resources with IaC? We’ve added lots of new rules that detect insecure deployment configurations. 

• For those developing on Microsoft Azure and Google Cloud, we have 16 new Terraform rules for Azure and 20 new Terraform rules for GCP 
• For those developing on AWS, we've included 26 CloudFormation rules and 24 Terraform rules

Amazon Serverless/SAM Frameworks (Lambdas) & CDK

AWS Lambdas hold more and more of the critical core business logic and can be entry points for many injection attacks. SonarQube provides new rules for AWS Lambdas and the AWS CDK that help you write and deploy safer Cloud Native applications. 

AWS Lambdas:

SonarQube analyzes JavaScript lambdas defined inline in YAML files to find security hotspots. And in commercial versions, SonarQube secures your lambdas by detecting the full suite of injection vulnerabilities so your cloud applications are protected from malicious user data. For AWS Lambdas configured using AWS Serverless Application Model (SAM)/CloudFormation or Serverless, SonarQube is able to apply a full range of taint analysis rules to the AWS lambda logic written in Python,  JavaScript/TypeScript and declared in the CF, .yml, or serverless files. 

AWS CDK: 

For those describing their AWS infrastructure with AWS CDK using JavaScript/TypeScript or Python, SonarQube now offers new rules covering permissions and access control, traceability, encryption, public access, etc. that allow you to use AWS CDK securely.

Enterprise-grade features for your scaling organization

We’ve added many features in this LTS related to access management, administration, governance, and reporting to help you manage the security and administration of both your SonarQube instance and your portfolio of source code assets. 

Reports, reports and more reports! 

New and improved security & compliance reporting, project & portfolio reports, and PDF reports for internal and external compliance.

• New security & compliance reporting covers Payment Card Industry Data Security Standard (PCI DSS) v3.2 and v4.0 plus the OWASP Application Security Verification Standard (ASVS) so organizations can measure their compliance against these important industry standards. Plus, CWE Top 25 and OWASP Top 10 2021 reports let you track the security of your codebase against identified threats. 
• New project-level reports so managers can now clearly monitor the status and quality of their projects on a regular basis before delivery. Anyone can now subscribe to receive a project status PDF via email.
• Redesign of the Portfolio presentation to bring focus to the status of new code in the dashboard UI and PDF report. In SonarQube 9.9 LTS, managers and developers will share a new unified understanding of their projects' health for a richer, more productive collaboration.
• And there’s portfolio support and metric badges! Managers can create new portfolios to track project branches and track multiple branches within the same project. Starting with the Community Edition, users can show off their project health and stability with metric badges for public as well as private projects. 

Operating and managing SonarQube is easier 

Audit-logging, secure token handling, improved user management, and user communication make the administration of the SonarQube instance so much easier.

• Audit logging allows admins to track security-sensitive changes such as updates to users, projects, and permissions with easy-to-parse logs so it’s easy to understand who changed what, and when. 
• Secure token handling so admins can now enforce token expiration by globally setting the max token lifespan for new tokens. Plus, you can now also create project tokens.
• User management SCIM integration to synchronize user deactivation from Okta(SAML) systems to automatically deactivate user records and invalidate tokens to eliminate any potential security loopholes. 
• Communication and login guidance allows admins to provide a customized message to users – for example, to provide guidance on which credentials to use for login. Admins can also display mass communication about server downtime, maintenance, etc. 
• Instance management is easier. You can deploy SQ clusters with Kubernetes (Data Center Edition only), with the addition of support for Prometheus monitoring for all editions.
• And starting with the Community Edition, we've added support for SAML request signing and assertion encryption for secure SAML transactions so organizations can delegate authentication and streamline Single-Sign-On. Admins now have a button to test the configuration and get more information on how to configure SAML through our vastly improved documentation. Last but not the least, admins can now also delegate authentication to Bitbucket Cloud. 
  

UI improvements, richer educational guidance & new integrations

Knowing there are issues in your code isn't enough if you don't know how to fix them. We added rich educational content to make most taint analysis rules easy to understand and contextual to your specific code and framework (Available in Developer Edition and above). 

We also added clarity and focus in the UI to improve the overall accessibility with the goal to get closer to WCAG compliance. 

In the Community Edition, we added the ability for Bitbucket pipes and GitHub actions to trigger the analysis and Quality Gate status. Plus full integration support for Bitbucket Cloud that now includes project onboarding. 

Using CodeMagic CI/CD? We now support the detection of branches and PRs so developers can get the benefits of SonarQube in their DevOps platform of choice.

Lots of new rules, including Kotlin for mobile

Writing Android applications? SonarQube 9.9 LTS brings new Kotlin rules for detecting unsecured network communications, problematic cryptography, and data security. Commercial editions include a variety of Android taint analysis rules for Java to ensure compliance with Mobile AppSec Verification Standard (MASVS) Data Storage and Privacy requirement. Now your applications are secure from development – before they are submitted to the Google Play Store. 

You can also benefit from several new rules for the languages you program in. If you are programming in JavaScript, we've added new React rules to find infinite loops, dead code, and rules to write better Mocha and Chai tests. For those programming in C++, we’ve added new rules that support C++ 20 coroutines as well as improved the precision and analysis configurations across popular compilers. Writing regular expressions in Python, Java, JS/TS or PHP? Our robust rules help you write efficient, error-free regular expressions. And for Java, we’ve added new rules to prevent runtime errors and clashes and now support Java 19 parsing. Java users can see a considerable boost – an average of 30% and up to 60% – for their first project analysis. That’s just a glimpse! Visit our rules repository to see the comprehensive coverage for each language.   

Clean as You Code, the mantra to a Clean Code state

Our mission is deeply rooted in the fact that the Clean as You Code approach is the most sustainable way organizations can reach a Clean Code state. And we want every organization to achieve this. This is why we fine-tuned the Quality Gate (QG) workflow to help you practice Clean as You Code. Quality Gates that are not compliant with Clean as You Code can now be easily identified and fixed. 

Smoother experience for writing Clean Code

Starting from your favorite IDE with SonarLint through every stage of the development workflow, we’ve added many enhancements for a streamlined Clean Code delivery. 

Particularly, we made improvements for an easy Connected Mode setup in SonarLint, added updates to provide real-time synchronization of Quality Profiles from SonarQube into your connected IDE, and added branch awareness for projects. We've also added new rules to detect Cloud Secrets and Quick Fixes to automatically fix certain issues on-the-fly as you code in your IDE with SonarLint.