SonarQube Server

Home

Request trial

SONARQUBE 8.9 LTA

SonarQube 8.9 LTA: Better than ever

Developers take control of Code Security with static application security testing (SAST) for more languages, with more rules, better detection, and improved workflows in addition to many additional upgrades in the latest SonarQube LTA.

Download now
  • Request demo
  • Take a product tour
  • Sonar Community
  • Contact us

Note: SonarQube 9.9 LTA is the latest LTA version. If you require the 8.9 LTA version, it can be downloaded here.

Enhanced code security in SonarQube 8.9 LTA


Unparalleled SAST precision - now including JavaScript & more

Security Vulnerability detection has vastly expanded with new languages, new rules, and an improved detection engine to bring unparalleled precision and performance in security analysis of Java, C#, PHP, Python, JavaScript, TypeScript, C and C++. In addition to a vastly expanded breadth and depth of analysis, we've also expanded developer access to these findings. Issues are raised in-IDE, with SonarLint, in SonarQube itself, and in PR decoration in commercial editions.


Among the improvements:
  • SAST analysis added for Python, JavaScript, TypeScript, C and C++
  • Full OWASP Top 10 coverage for Java and C# with significant coverage for the other languages
  • Buffer overflow detection in POSIX functions for C and C++


Commercial editions add taint analysis rules to find: injection flaws, broken access control, XSS, and insecure deserialization, with the ability to sync those taint analysis issues into SonarLint in connected mode.


Security Hotspot review arms developers to write safer code

Security Hotspots help developers write safer code by bringing attention to security-sensitive pieces of code and arming developers with the tools to diagnose the potential impact. We've expanded the range of Security Hotspot languages to include TypeScript, C and C++. And now you have a specialized interface for triaging Security Hotspots, and a single click to open them in your IDE via SonarLint.


Reporting and configuration increase clarity & precision

Security reporting includes both CWE Top 25 2019 and CWE Top 25 2020, with a PDF download of the top reports. And if you use home-grown frameworks, taint analysis configuration gives you a UI to set your home-grown sources, sinks, and sanitizers for better overall precision and, in the end, higher Code Security.

Learn more -->


In-cloud? On-prem? Your platform is covered!

Whether your code lives in-cloud or on-prem, SaaS or self-managed, code repository platform integrations help you write better code, faster. From initial project import to failing the pipeline for a failed Quality Gate, we've got just about everyone covered.


Streamlined project setup

Streamlined project setup gives you an easy interface to import your projects whatever your code repository platform: GitHub, GitLab, Azure DevOps, and Bitbucket; both on-prem and in-cloud. Yes, all eight! 


Once your projects are imported, tutorials will walk you through setting up analysis in GitHub Actions, Jenkins, GitLab CI, or Azure DevOps Pipelines; with language-specific tutorials for .NET, C, C++ and Objective-C projects. 


And now, regardless of which CI you use, you can fail the pipeline for a failing analysis.


PR analysis on steroids

Code Repository Platform integration doesn't stop at onboarding. We support pull request decoration for GitHub, Bitbucket, Azure DevOps and GitLab; both on-prem and in-cloud. Yes, all eight! And Enterprise Edition adds PR decoration in monorepos.


And it's not just decoration; Developer Edition also brings automagic branch and PR configuration for most workflows: Jenkins, GitHub Actions, Gitlab CI, Azure Pipelines and Bitbucket Pipelines.

Ready to download SonarQube 8.9 LTA?

Operating SonarQube is easier than ever 

We've made running SonarQube easier and more secure than ever. SonarQube has been security-hardened to U.S. Department of Defense standards (i.e. STIG-hardened), with a Docker image per edition on Docker Hub and in the DoD's Iron Bank. That, plus a Helm chart for Kubernetes support, makes SonarQube easier than ever to deploy.


Routine maintenance is easier too, with support for hot database backups. Upgrading is easier than ever with progressive availability during upgrades; now, SonarQube is available for analysis and limited browsing even before reindexing is complete.

Time for Python devs to onboard with SonarQube 

This LTA adds in-depth analysis to catch the tricky Bugs and Vulnerabilities developers expect, with the sane defaults, high performance, and minimal configuration that's standard to SonarQube. We’ve got Python support for up to version 3.9 of the language to properly track issues through all language structures, frameworks, and types. For teams just transitioning from other tools, there is a tool to easily import Pylint and Flake8 reports, plus the ability to write custom rules.


In addition to all this, commercial editions support taint analysis rules to detect taint analysis Vulnerabilities such as injection flaws.

C++ brings the rules & performance developers want

With comprehensive coverage of the C++ Core Guidelines and a broad set of C++17-specific rules, we've made following modern best practices easy. If your shop uses multiple standard versions, managing your Quality Profile gets easy, too: enable the rules for all the versions you use, and we'll activate them based on the standard version the project compiles to. In addition, we've made several improvements to analysis performance and added support for a broad range of additional compilers.

That's in addition to a significant expansion of security-focused rules, including the detection of buffer overflows in POSIX functions.

Clean as You Code, best practices move to the front 

As part of our ongoing mission to help every developer write better code every day, we've given some love to elements often overlooked by the industry. First, you'll find a rewritten project homepage. The new interface puts the quality and security of New Code front and center to help you better focus on Cleaning as You Code. Second, we've added rules in Java, PHP, and C# to help you write tests correctly. And finally, we've made Applications available to all commercial versions, so that more teams can monitor the quality of projects that ship together in one aggregated, synthetic project.

The most secure LTA yet! 

We don't just care about the security of your code, we also care about the security of your overall SonarQube environment. That's why we've:

  • Applied additional hardening to the build of SonarQube  itself and to our internal build pipeline
  • Limited library loading in SonarQube to only those libraries provided by SonarSource
  • Limited plugins' access to core functionality to only what's available through APIs
  • Added additional controls to the plugin Marketplace


You will also find simple but effective new safeguards such as forcing SonarQube administrators to change the default admin credentials.


The abiding value of an LTA

Last but not least, this is the new Long-Term Active version! That means support and patches for blocker bugs and vulnerabilities for at least the next 18 months - until the next LTA is released. If you're looking for the stability of a hardened, fully-supported version, the LTA is what you're after.


So what are you waiting for?

Why LTA
Image shows results of a pull request

Get started SonarQube 8.9 LTA

  • Legal documentation
  • Trust center
  • Follow SonarSource on Twitter
  • Follow SonarSource on Linkedin

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.