SonarQube 9.3 - Terraform for Azure Cloud, BIDI detection, Android taint analysis and more | Sonar



Start Free Trial

SonarQube 9.3

SonarQube 9.3: Security in the cloud & out

IaC support expands to include Terraform files for Azure Cloud to help even more developers secure not just their code, but also their deployments. In commercial editions, we have expanded taint analysis of AWS Python Lambdas to recognize AWS-specific database sinks.

Cloud security: Terraform for Azure Cloud + AWS Python DB injection

With 9.3, IaC support expands to include Terraform files for Azure Cloud in order to help even more developers secure not just their code, but also their deployments. The domains for Azure Cloud Terraform analysis include security at rest and at transit, Azure Active Directory, Azure Resource Manager and public network access.

And in commercial editions, taint analysis of AWS Python Lambdas expands to recognize AWS-specific database sinks. That means AthenaDB, RDS-Data, DynamoDB, SimpleDB, and RedShift interactions are now correctly recognized by the taint analysis engine as database interactions for both Python and JavaScript Lambdas.

Bidirectional character detection sees what you can't

The presence of bidirectional (Bidi) characters in your files can change what you thought was an innocuous comment into potentially malicious code. Since these Bidi characters aren't visible to the eye, it's especially important that analysis detect them for you. So we've added a cross-language rule to detect these characters in all analyzed files.

Taint analysis comes to Android

Helping Android developers write cleaner, safer code is a top goal for the 9-series. Already, we've introduced Android-specific rules for security-sensitive configurations, MASVS requirements, and coroutines. Now, in commercial editions, we've added Android taint analysis for catching XSS, remote code execution, command injection, SQL injection, and path injection in Java code.

Developer Edition | Enterprise Edition | Data Center Edition

SalesForce analysis starts with Lightning Components

SalesForce Lightning Components are now fully analyzed by default. JavaScript analysis has been updated to understand the Aura Controller's special syntax, and .cmp files are now automatically recognized as HTML files. While analysis of Salesforce's object-oriented Apex language starts in Enterprise Edition, Lightning Component analysis is available for free starting in Community Edition.

New rules help you master C++20 coroutines

One of C++20's most exciting new features is coroutines, which are especially useful for low-latency programming. To help developers use them well and avoid common pitfalls, we've added ten new coroutine-specific rules, and updated 13 existing rules to avoid false positives and provide the best experience.

Developer Edition | Enterprise Edition | Data Center Edition

Keeping up with new language versions

A lot of programming language updates have been released in the last few months, and SonarQube 9.3 catches up on parsing them. Analysis now understands these language versions:

  • Java 17 parsing wraps up with switch pattern matching
  • Go 1.17
  • Ruby 3.0.3
  • Scala 3
  • PHP 8.1
  • Kotlin 1.6
  • Swift 5.5 DE EE DCE
  • Apex 1.53 EE DCE

Clean as You Code comes to Portfolios

The Clean as You Code methodology has come to Portfolios. Now the Portfolio homepage reflects the same values developers see in Project homepages: measures on New Code. This means managers and developers will share a united understanding of their projects' health and enjoy richer collaboration.

Enterprise Edition | Data Center Edition

Portfolios continue branching out

In 9.2 Portfolio editing was expanded to allow selection of project branches. With 9.3 branch support is complete with the addition of support for Application branches for your portfolio. Portfolio editing was also updated to make selection of Applications more intuitive. Additionally, Application administration has been moved out of the Portfolio administration UI for greater clarity.

Enterprise Edition | Data Center Edition

GA: Data Center Edition supports Kubernetes

Running Data Center Edition on Kubernetes is now officially supported. A few months ago we announced this support in beta. Now it's GA with the addition of support for Prometheus monitoring for all editions.

Data Center Edition

Language Updates


  • 1 new rule for Java 17's sealed classes
  • 9 rules updated for consistent support of Nullability annotations


  • Update of 26 rules to support C# 9 Top-level statements


  • Copy-paste detection considers free-form tokens


  • Analysis was expanded to include project files not referenced in tsconfig


  • Use precomputed Typeshed symbols
Background image of bits of code connecting to each other

download the latest SonarQube edition now!

download now -->
  • Follow SonarSource on Twitter
  • Follow SonarSource on Linkedin

© 2008-2023, SonarSource S.A, Switzerland. All content is copyright protected. SONAR, SONARSOURCE, SONARLINT, SONARQUBE and SONARCLOUD are trademarks of SonarSource SA. All other trademarks and copyrights are the property of their respective owners. All rights are expressly reserved.