In addition to security, read below for more on new support for Azure Functions, incremental Java PR analysis, new JS/TS React rules (and rule improvements), and significant Ops improvements.
Introducing: Security rules for Kubernetes, plus more for AWS
Can your code truly be secure if the environment it runs in isn't? Six new Security Hotspot rules for Kubernetes mean you don't have to wonder. They'll flag configurations that need double-checking and help you understand what the dangers could be.
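To make the point concrete, here is a small added example of the kind of manifest settings such hotspot checks typically flag. It is not SonarQube's own Kubernetes rules (the post does not list what the six rules check), just checks a reviewer would want a tool to raise. Manifests are kept as Python dicts so the script runs offline without a YAML library; both manifests are constructed for illustration.

```python
"""Illustrative Kubernetes security hotspot checks (added example).

Not SonarQube's rules: these are the manifest settings a reviewer
double-checks before a workload is allowed on a shared cluster.
"""
from typing import Any, Dict, List

# Capabilities that effectively hand over the node when added to a container.
DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE", "ALL"}


def pod_spec_of(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """Return the pod spec; Deployments/Jobs wrap it in spec.template.spec."""
    spec = manifest.get("spec", {})
    if "template" in spec:
        return spec["template"].get("spec", {})
    return spec


def find_hotspots(manifest: Dict[str, Any]) -> List[str]:
    """Return human-readable findings for settings that need a second look."""
    findings: List[str] = []
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    pod = pod_spec_of(manifest)
    pod_sc = pod.get("securityContext", {})

    # Host namespaces remove the isolation between the pod and the node.
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if pod.get(flag) is True:
            findings.append(f"{name}: {flag}=true shares a host namespace")

    for c in pod.get("containers", []) + pod.get("initContainers", []):
        cname = f"{name}/{c.get('name', '?')}"
        sc = c.get("securityContext", {})
        caps = sc.get("capabilities", {})

        if sc.get("privileged") is True:
            findings.append(f"{cname}: privileged container")
        # Absent means "true" by default, so require an explicit false.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{cname}: allowPrivilegeEscalation not set to false")
        # runAsNonRoot can be set at pod or container level; container wins.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{cname}: runAsNonRoot not enforced")
        for cap in caps.get("add", []):
            if str(cap).upper() in DANGEROUS_CAPS:
                findings.append(f"{cname}: adds capability {cap}")
        if "ALL" not in {str(x).upper() for x in caps.get("drop", [])}:
            findings.append(f"{cname}: does not drop ALL capabilities")
        # A mutable tag means tomorrow's image may differ from today's.
        image = c.get("image", "")
        ref = image.rsplit("/", 1)[-1]  # strip registry/repo, keep name:tag
        if "@sha256:" not in ref and (":" not in ref or ref.endswith(":latest")):
            findings.append(f"{cname}: image {image!r} is not pinned")
    return findings


# Constructed sample: a Deployment with several risky settings.
RISKY: Dict[str, Any] = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "containers": [
            {"name": "app", "image": "example/app:latest",
             "securityContext": {"privileged": True}},
        ],
    }}},
}

# Constructed sample: the same workload with every hotspot resolved.
HARDENED: Dict[str, Any] = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [
            {"name": "app", "image": "example/app:1.4.2",
             "securityContext": {
                 "allowPrivilegeEscalation": False,
                 "capabilities": {"drop": ["ALL"]}}},
        ],
    }}},
}

if __name__ == "__main__":
    for m in (RISKY, HARDENED):
        print(m["metadata"]["name"], find_hotspots(m) or ["no hotspots"])
```

Each finding is a hotspot rather than a definite bug: a privileged container is sometimes legitimate (a CNI agent, for instance), which is exactly why these settings deserve a reviewer's attention rather than an automatic block.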
If you're working with AWS S3 buckets instead, JavaScript analysis adds five new Security Hotspot rules to help you avoid common CDK pitfalls, so that infrastructure designers can give their users a secure and stable cloud infrastructure. We've also extended JavaScript Lambda analysis to cover functions defined in YAML files.
Java developers now have help coding for AWS as well. Seven new rules cover Lambda development, AWS Client best practices, use of the AWS SDK, and access key security.
Azure Function rules and C# deconstruction support
Speaking of Cloud development, we've added six new Code Smell rules to help C# developers avoid common pitfalls in Azure Function development. They cover resource management, error handling, and entity interface design. We've also updated 16 rules to support C#'s tuple deconstruction syntax.
Incremental analysis for Java PRs
And now what you've all been waiting for… Faster PR analysis! With this version, we're introducing incremental analysis for Java PRs. The underlying mechanism is a new server-side analysis cache. It allows us to limit PR analysis to only the changed files, while still performing a thorough analysis. The numbers aren't really in yet, but on one test project, the Java portion of analysis dropped from 160 seconds to 20. Now that we've proved out the mechanisms, you can look for this in additional languages in future releases.
Developer Edition | Enterprise Edition | Data Center Edition
Issue UI improves focus, adds more help for taint analysis
You'll notice an updated Issues UI in this version. SonarQube Server 9.5 introduced a UI designed to help developers focus on the current issue and 9.6 further streamlines the presentation by moving all issue actions to the top of the issue interface.
In commercial editions, the changes go even further, with additional content in six taint analysis rules to help you better understand the issues, and patch instructions specifically tailored to the framework in use for some rules.
Taint analysis scope, accuracy grow
Very few have the luxury of working in new projects with best-practice use of modern frameworks. And even if you're one of the lucky few, you may still have a few home-grown input validators out there, making sure user data is clean and safe. That's why we've updated Taint Analysis to automatically recognize custom validators in order to reduce false positives and give you a better overall experience.
At the same time, we've also improved detection by extending coverage to the 100 most-used Java libraries. This better understanding of the underlying libraries means more taint analysis true positives in your Java projects.
Developer Edition | Enterprise Edition | Data Center Edition
React: New rules, improved accuracy for JS/TS
Seven new React-specific Bug rules help you find infinite loops, dead code, state problems and more. In addition, 14 other rules have been updated for better accuracy in React and JSX/TSX code.
PCI DSS reporting
The Payment Card Industry Data Security Standard is a list of 12 high-level requirements (with a total of 240 low-level requirements) that apply to all organizations that handle credit card data. SonarQube Server 9.6 adds reporting for versions 3.2 and 4.0 of the standard. Both versions are available in the UI, and the Security Report PDF includes version 4.0.
Enterprise Edition | Data Center Edition
Ops advances: SAML security, token expiry
As a followup to the addition of token types in SonarQube Server 9.5, this version further secures tokens by adding the ability to set token expiration. Token lifespan can be set by the user during token generation, or globally, by an admin who chooses maximum lifespan for new tokens.
Additionally, organizations using SAML authentication may want to update their configurations with request signing and assertion encryption, both newly supported in SonarQube Server 9.6.
And finally, with this version we've replaced the Java Service Wrapper with WinSW on Windows and `nohup` on macOS and Linux.
Keeping up with new language versions
A lot of programming language updates have been released in the last few months, and SonarQube Server 9.6 catches up on parsing them. Analysis now understands these language versions:
- Scala 2.13.8 & 3.1.2
- Ruby 3.1
- Kotlin 1.7
- Apex 54.12
Enterprise Edition | Data Center Edition
In addition, SonarQube Server 9.6 correctly parses Go 1.18, and the Go rules have been updated to understand the Go 1.18 syntax additions, including generics.