Vulnerabilities reported in GitHub Security, plus OWASP ASVS reports
You shouldn't have to go looking for important messages; they should come to you. That's why we've added Vulnerability reporting to GitHub Security, so you get the important security findings where you're already working.
And on the topic of reporting, in Enterprise Edition we've added a report for the OWASP Application Security Verification Standard (ASVS), so you can measure your compliance against the requirements of this important standard. This new report is available both in the UI and as part of the Security Reports PDF.
Python adds test rules, path-sensitive bug detection
You know your code is right if your tests pass, but how do you know your tests are right? We've added eight new rules for test correctness, including five that are unique to the Sonar ecosystem. These unique new rules cover test skipping, making sure tests are executed, and that their assertions are reachable.
And in commercial editions, there are three new path-sensitive bug detection rules to help you detect even trickier Python bugs.
More AWS support with Python CDK & JS/TS Lambdas
For those using Python in the cloud, we've added 16 new rules to help you use the AWS CDK securely. There are nine new rules on the topic of encryption at rest and in transit; four rules around public access, network, and firewalls; and three rules covering permission and access control.
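As an added illustration of what the three rule families above (encryption at rest, encryption in transit, public access) check for, here is a small static checker that scans a CDK stack's Python source for `s3.Bucket` and `rds.DatabaseInstance` constructs missing the relevant safety properties. It is example code, not SonarQube's rule implementation; the property names it looks for (`encryption`, `enforce_ssl`, `block_public_access`, `storage_encrypted`, `publicly_accessible`) are assumed from the AWS CDK Python API, and the stack excerpt is constructed. Because it works on text only, the `aws_cdk` package does not need to be installed to run it.

```python
import ast
import textwrap

# Constructed CDK stack excerpt (assumption: aws_cdk Python construct and
# keyword names). "Logs" and "Db" are deliberately weak; "Data" is hardened.
STACK = textwrap.dedent('''
from aws_cdk import aws_s3 as s3, aws_rds as rds

logs = s3.Bucket(self, "Logs")   # no encryption, no TLS enforcement, public access not blocked
data = s3.Bucket(self, "Data",
                 encryption=s3.BucketEncryption.S3_MANAGED,
                 enforce_ssl=True,
                 block_public_access=s3.BlockPublicAccess.BLOCK_ALL)
db = rds.DatabaseInstance(self, "Db", engine=engine, vpc=vpc,
                          publicly_accessible=True)
''')

# Construct type -> keyword that must be present, with the rule family it
# corresponds to in the release note.
REQUIRED = {
    "Bucket": {
        "encryption": "encryption at rest",
        "enforce_ssl": "encryption in transit",
        "block_public_access": "public access",
    },
    "DatabaseInstance": {"storage_encrypted": "encryption at rest"},
}
# Construct type -> keyword that must not be literally True.
FORBIDDEN_TRUE = {"DatabaseInstance": {"publicly_accessible": "public access"}}


def _construct_type(call: ast.Call):
    """s3.Bucket(...) -> 'Bucket'; Bucket(...) -> 'Bucket'; otherwise None."""
    f = call.func
    if isinstance(f, ast.Attribute):
        return f.attr
    if isinstance(f, ast.Name):
        return f.id
    return None


def check_cdk_stack(source: str) -> list:
    """Return (construct_id, keyword, rule_family) findings for a stack's source."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        ctype = _construct_type(node)
        if ctype not in REQUIRED:
            continue
        # CDK constructs take (scope, id, ...); the id is the second positional arg.
        cid = (node.args[1].value
               if len(node.args) > 1 and isinstance(node.args[1], ast.Constant)
               else "<unknown>")
        kwargs = {k.arg: k.value for k in node.keywords if k.arg}
        for kw, family in REQUIRED[ctype].items():
            if kw not in kwargs:
                findings.append((cid, kw, family))
        for kw, family in FORBIDDEN_TRUE.get(ctype, {}).items():
            value = kwargs.get(kw)
            if isinstance(value, ast.Constant) and value.value is True:
                findings.append((cid, kw, family))
    return findings


if __name__ == "__main__":
    for cid, kw, family in check_cdk_stack(STACK):
        print(f"{cid}: '{kw}' ({family})")
```

The check is presence-based, so a bucket that explicitly sets `encryption=s3.BucketEncryption.UNENCRYPTED` passes it; a production rule also has to evaluate the value that was passed, and follow it through variables and helper functions, which is where an analyzer's data-flow engine earns its keep.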
Rules more helpful, understandable than ever
The effort to improve the user experience continued in 9.7. In the rules UI, we've added the ability to highlight the differences between the compliant and noncompliant code samples to make the changes clearer. Most Java and C# taint analysis rules take advantage of this change, with more rules to be updated in future versions. In addition, we've significantly expanded the educational content of these taint analysis rules for Java and C#. The new content goes even further toward not just helping developers write clean code, but helping them truly understand how and why.
Easier SAML configuration, PII deletion, user messages
Setting up SAML integration will be easier from now on. SonarQube 9.7 adds field validation and configuration testing, as well as significantly enhanced documentation that covers integration with Azure AD, Keycloak and Okta.
For admins seeking GDPR compliance, we've added the ability to remove personally identifiable information from a user record. Doing so will retain the user record, for referential integrity reasons, but fully anonymize its data.
Starting in Enterprise Edition, administrators now have the ability to display a message to all users. The yellow message banner will appear at the top of the window, above the main menu.
And finally, telemetry has been updated in all editions to increase the frequency and the granularity of the data sent. Starting in 9.7, a daily payload will include individual, anonymized records for each user and project.
- Java 18 parsing, and S1943 updated to avoid false positives
- New rule: S2068 Find hard-coded passwords in API calls that take passwords
- Extend C# 10 support with rule updates for remaining features
C and C++
- Handle asserts in path-sensitive issues for both Debug and Release builds
- TypeScript 4.8 parsing and rule updates
- React/JSX false-positive fixes