Note: SonarQube 9.9 LTA is the latest LTA version. If you require the 8.9 LTA version, it can be downloaded here.
Enhanced code security in SonarQube 8.9 LTA
Unparalleled SAST precision - now including JavaScript & more
Security Vulnerability detection has vastly expanded with new languages, new rules, and an improved detection engine to bring unparalleled precision and performance in security analysis of Java, C#, PHP, Python, JavaScript, TypeScript, C and C++. In addition to a vastly expanded breadth and depth of analysis, we've also expanded developer access to these findings. Issues are raised in-IDE, with SonarLint, in SonarQube itself, and in PR decoration in commercial editions.
Among the improvements:
- SAST analysis added for Python, JavaScript, TypeScript, C and C++
- Full OWASP Top 10 coverage for Java and C# with significant coverage for the other languages
- Buffer overflow detection in POSIX functions for C and C++
Commercial editions add taint analysis rules to find: injection flaws, broken access control, XSS, and insecure deserialization, with the ability to sync those taint analysis issues into SonarLint in connected mode.
Security Hotspot review arms developers to write safer code
Security Hotspots help developers write safer code by bringing attention to security-sensitive pieces of code and arming developers with the tools to diagnose the potential impact. We've expanded the range of Security Hotspot languages to include TypeScript, C and C++. And now you have a specialized interface for triaging Security Hotspots, and a single click to open them in your IDE via SonarLint.
Reporting and configuration increase clarity & precision
Security reporting includes both CWE Top 25 2019 and CWE Top 25 2020, with a PDF download of the top reports. And if you use home-grown frameworks, taint analysis configuration gives you a UI to set your home-grown sources, sinks, and sanitizers for better overall precision and, in the end, higher Code Security.
In-cloud? On-prem? Your platform is covered!
Whether your code lives in-cloud or on-prem, SaaS or self-managed, code repository platform integrations help you write better code, faster. From initial project import to failing the pipeline for a failed Quality Gate, we've got just about everyone covered.
Streamlined project setup
Streamlined project setup gives you an easy interface to import your projects whatever your code repository platform: GitHub, GitLab, Azure DevOps, and Bitbucket; both on-prem and in-cloud. Yes, all eight!
Once your projects are imported, tutorials will walk you through setting up analysis in GitHub Actions, Jenkins, GitLab CI, or Azure DevOps Pipelines; with language-specific tutorials for .NET, C, C++ and Objective-C projects.
And now, regardless of which CI you use, you can fail the pipeline for a failing analysis.
PR analysis on steroids
Code Repository Platform integration doesn't stop at onboarding. We support pull request decoration for GitHub, Bitbucket, Azure DevOps and GitLab; both on-prem and in-cloud. Yes, all eight! And Enterprise Edition adds PR decoration in monorepos.
And it's not just decoration; Developer Edition also brings automagic branch and PR configuration for most workflows: Jenkins, GitHub Actions, Gitlab CI, Azure Pipelines and Bitbucket Pipelines.