Release upgrade notes

Release 10.5 upgrade notes

End of support of Node.js 16 in the scanner environment

Node.js 16 is no longer supported as a scanner runtime environment. If you're using a custom Node.js installation, we recommend the latest LTS version, currently v20.

Updates to custom plugins required

For a faster analysis, SonarQube now optimizes the loading of analyzers by default. To avoid dependency errors, you’ll need to update the configuration of your custom plugins. See Plugin basics for more information. Also, if you use third-party plugins, make sure to use the latest ones compatible with this feature.

Full release notes 

Release 10.4 upgrade notes

Project overview update

Issue counts on the overall code of projects now reflect the Clean Code software qualities.

Make sure you re-analyze your projects after upgrading to compute and display these counts.

JavaScript/TypeScript/CSS configuration

A minimum of 4GB memory is now recommended, use sonar.javascript.node.maxspace configuration if you encounter memory issues. Also, file encoding errors will now cause an analysis failure, use sonar.sourceEncoding=UTF-8 if you encounter problems.

Node.js is no longer a requirement for analysis

In most cases, installing Node.js in the environment where you’re running analysis is no longer a requirement.

End of support of Node.js 14 in the scanner environment

Node.js 14 is no longer supported as a scanner runtime environment. Also, Node.js v16 will soon be unsupported. If you are using a custom Node.js installation, we recommend the latest LTS version, currently v20.

End of support of Java 11 as scanner environment

Java 11 is no longer supported as a scanner runtime environment. The minimum required version is Java 17. See the requirements for more information. (SONAR-21157)

SonarScanner for .NET compatibility

StartingSonarQube 10.4, analysis of .NET projects requires SonarScanner for .NET 5.14+. 

End of support of MSBuild 14 

MSBuild 14 is no longer supported for scanning .NET code. ​​MSBuild 15 is deprecated and support will be removed in a future version. We recommend using MSBuild 16 as a minimal version. (SONAR-21554)

Full release notes

Version 10.4.1 release notes
Version 10.4 release notes

Release 10.3 upgrade notes

Updated quality gate conditions for Clean as You Code

Clean as You Code conditions have evolved: The Sonar way quality gate now uses a 0 issues condition on new code. We recommend updating your custom quality gates after the upgrade. The ratings on the project overview page will stay unchanged while your quality gate may now fail. For details, see Quality gates.

The previous Sonar way quality gate is preserved as "Sonar way (legacy)" upon upgrading. You can keep using it if you’re not ready for the change. (SONAR-20604 & SONAR-20607)

Full release notes

Release 10.2 upgrade notes

Maximum new code definition value automatically adjusted in existing projects  

For existing projects, if the value of the Number of days option is set to a higher value than 90 before the upgrade, SonarQube automatically changes it to 90. As a consequence, some issues might move out of the new code. See Defining new code for more information. (SONAR-20155)

Updated GitHub automatic provisioning feature

Automatic user and group provisioning with GitHub now includes permission synchronization, which automatically synchronizes project visibility:

• To prevent unwanted updates to project permissions and project visibility, upgrading SonarQube will suspend automatic provisioning until you confirm the choice of provisioning method in the authentication settings.
• The GitHub app requires new permissions to be added and approved. 

For details, see the GitHub authentication page. (SONAR-20309)

Clean Code updates

The classification of issues and rules has evolved:

• Issue types are deprecated. Issues are now classified based on Clean Code attributes and software qualities.
• The severity of an issue is now tied to the issue's impact on the software qualities. 

Existing types and severities are preserved and are still used to evaluate the Quality Gate conditions. Type and severity can no longer be edited on issues and rules via the UI.

For details, see Issues and Clean Code. (SONAR-20023)

Full release notes

• Version 10.2.1 release notes
• Version 10.2 release notes

Release 10.1 upgrade notes

Dropping support for NET Framework < 4.6.2
The minimum supported .NET Framework version is 4.6.2. Support for earlier versions has been dropped. If you’re running an earlier version, you’ll need to upgrade your build environment wherever your analysis is run. See this release note for more information.

Updated options for new code definition
To make them more in line with the Clean as You Code methodology, the following options have been updated for projects:

• Specific analysis: This setup is now available only via the Web API. Automation is required to ensure the value is kept up to date.
• Number of days: The maximum value allowed when setting it up is now 90. It's recommended to update your existing projects accordingly.
  
  See Defining new code for more information. (SONAR-19294)

Full release notes

Release 10.0 upgrade notes

SCIM provisioning requires configuration
SCIM provisioning for SAML authentication evolves for a tightened synchronization of users and groups. To use the updated set of user and group SCIM provisioning features, see Authentication and provisioning. 

Without action on your part, upon upgrading, already assigned users are not deleted from SonarQube, but they are no longer bound to your IdP.  You'll need to enable SCIM again in SonarQube and adjust your IdP settings. (SONAR-18797).

Updated security policy for page extensions
To improve security, pages added to the UI by plugins can no longer include inline scripts. If you use this feature, you might need to update your plugins. See Adding pages to the webapp for more information. (SONAR-18809).

Projects displaying modules are no longer supported
The concept of modules was removed in v7.6. SonarQube no longer migrates the structure of projects still displaying modules. Make sure you re-analyze these projects before upgrading to SonarQube 10.0. (SONAR-17706).
Deprecated pull request configuration properties removed
DevOps Platform Integration settings are no longer inferred from scanner-level analysis parameters, which were deprecated in SonarQube 8.1. To prevent pull request decoration from failing, make sure you have configured each project with the settings found under the project-level Project Settings > DevOps Platform Integration.

This particularly affects users integrating with Azure DevOps who formerly relied on the Extension for Azure DevOps to pass these properties. (SONAR-17711).

Deprecated web services and parameters removed
The web services and parameters that were deprecated in versions 8.x and 9.x have been removed. For more information, see the corresponding list and read the API deprecation policy.

Microsoft SQL Server and Integrated Authentication
If you use Microsoft SQL Server with Integrated Authentication, note that the minimum supported version of the Microsoft SQL JDBC Driver package has been updated to 11.2.3. See Installing the database for more information.

seccomp filter required on kernel

The version of Elasticsearch has been updated and now requires a kernel with seccomp enabled. Make sure that seccomp is available on your kernel. See Pre-installation steps on Linux for more information. (SONAR-17714)

Full release notes

Release 9.9 upgrade notes

Database support updated

• SonarQube no longer supports Oracle version 12C and 18C.
• Oracle version 21C is now supported.
• SQL Server 2022 is now supported.

SonarQube server requires Java 17 
Java 17 is required for SonarQube server. Use of Java 11 is no longer supported. See the documentation on prerequisites for more information. (SONAR-17566).

SonarScanner for .NET compatibility
Incremental analysis of C# / VB.NET in SonarQube requires SonarScanner for .NET 5.11+.

Single Helm chart for Community, Developer, and Enterprise Edition 
The sonarqube-lts Helm chart is no longer maintained. Please use the sonarqube Helm chart to install SonarQube 9.9 LTA Community, Developer, or Enterprise Edition. The Data Center Edition is available with the sonarqube-dce Helm chart. Refer to the upgrade guide for more information.

Docker images updated

• Recommended Docker Engine version is 20.10 and later.
• If you use self-signed certificates, you may need to adjust your Docker configuration: the path of the Java installation has changed to /opt/java/openjdk/. See Troubleshooting the installation for more information. 
• The deprecated SONARQUBE_JDBC_USERNAME, SONARQUBE_JDBC_PASSWORD, and SONARQUBE_JDBC_URL variables have been removed. See Environment variables for up-to-date configuration variables.
• The lts tag on Docker images is replaced with the new LTA release. If you want to avoid any automatic major upgrades, we recommend using the corresponding 9.9-<edition> tag instead of lts-<edition>.

Full release notes

• Version 9.9.4 release notes
• Version 9.9.3 release notes
• Version 9.9.2 release notes
• Version 9.9.1 release notes
• Version 9.9 LTS release notes

Release 9.8 upgrade notes

New main branch names default to “main”
In the past, newly created projects and applications would have a main branch called “master”. This has now been changed to “main”. The default value for a newly created main branch name can be changed under Administration > General > Default main branch name. See the branch analysis documentation for more information. (SONAR-17524)

Database support updated

• PostgreSQL versions <11 are no longer supported.
• Supported versions are now from 11 to 15.

SonarQube server supports Java 17
SonarQube server now supports Java 17. See the documentation on prerequisites for more information. (SONAR-17565)

Full release notes

Release 9.7 upgrade notes

Change in the database connection pool
The database connection pool has been replaced for better performance. The sonar.jdbc.maxIdle, sonar.jdbc.minEvictableIdleTimeMillis and sonar.jdbc.timeBetweenEvictionRunsMillis properties no longer have any effect and should be removed from the configuration. Also, the JMX information that is provided to monitor the connection pool has evolved. See the Monitoring documentation for more information. (SONAR-17200).

JavaScript, TypeScript, and CSS analysis now requires Node.js 14.17+
In order to analyze Javascript, Typescript, and CSS code, Node.js 14.17+ must be installed on the machine running the scan. We recommend that you use the latest Node.js LTA, which is currently Node.js 18.

Full release notes

Release 9.6 upgrade notes

Microsoft SQL Server changes in configuration and Integrated Authentication

• If your Microsoft SQL Server doesn't support encryption, you will need to add encrypt=false to the JDBC URL connection string. (SONAR-16249).
• If your Microsoft SQL Server requires encryption but you don't want SonarQube to validate the certificate, you will need to add trustServerCertificate=true to the JDBC URL connection string.
• If you are using Microsoft SQL Server with Integrated Authentication, you will need to replace the mssql-jdbc_auth dll file on your PATH with mssql-jdbc_auth-10.2.1.x64.dll from the Microsoft SQL JDBC Auth 10.2.1 package. See Install the server for more information.

Token expiry
New tokens can now have an optional expiration date. Expired tokens cannot be used and must be updated. With Enterprise edition and above, system administrators can set a maximum lifetime for new tokens. See Security documentation for more information. (SONAR-16565, SONAR-16566).

Running SonarQube as a Service and Java version selection

• To install, uninstall, start or stop SonarQube as a service on Windows, now you should use %SONAR_HOME%\bin\windows-x86-64\SonarService.bat install. See Configuring and operating the server and Upgrade guide for more information.
• If there are multiple versions of Java installed on your server, to select specific Java version to be used, set the environment variable SONAR_JAVA_PATH. Read more here.

Full release notes

Release 9.5 upgrade notes

Project analysis token
You can now generate tokens of different types and can create a different analysis token for every specific project. The new tokens will include a prefix to help you quickly identify SonarQube tokens and their type. The usage of project analysis tokens is encouraged to limit the access this token has. See Generating and using tokens documentation for more information. (SONAR-16260).

Full release notes

Release 9.4 upgrade notes

Password of old inactive account needs reset
The support for SHA1 hashed password has been removed. This algorithm was replaced by a stronger hashing algorithm since version 7.2. As a result, local accounts that did not log in since 7.2 will be forced to have their password reset by a SonarQube administrator. Accounts using external authentication such as SAML, LDAP, GitHub authentication, etc., are not impacted. Information about the possibly impacted accounts will appear in the logs during the upgrade. (SONAR-16204).

Full release notes

Release 9.3 upgrade notes

Portfolio overview now shows ratings on both New Code and Overall Code
The Portfolio overview and project breakdown have been redesigned to provide a high-level view on project health according to your New Code definition as well as Overall Code. New Code ratings are shown for Reliability, Security Vulnerabilities, Security Review, and Maintainability. To see these ratings on New Code, Portfolios need to be recomputed after upgrading to 9.3.

Along with this redesign, Portfolios and Applications no longer show users information on projects they don't have access to, and Application administration has been moved out of the Portfolio administration UI.

Microsoft SQL Server and Integrated Authentication
If you are using Microsoft SQL Server with Integrated Authentication, you will need to replace the mssql-jdbc_auth-9.2.0.x64.dll file on your PATH with mssql-jdbc_auth-9.4.1.x64.dll from the Microsoft SQL JDBC Driver 9.4.1 package. See Install the server for more information.

Full release notes

Release 9.2 upgrade notes

Bitbucket Cloud authentication now built-in
Support for Bitbucket Cloud authentication is now built-in. If you were using the Bitbucket Cloud authentication plugin before, you need to remove it from SonarQube before upgrading.

SonarQube uses the same settings as the plugin, so you do not need to update them. The Teams restriction has been replaced with the Workspaces restriction and is migrated accordingly.

Full release notes

Release 9.1 upgrade notes

Secured settings no longer available in web services and on the scanner side
This change especially affects the analysis of SVN projects but also, possibly, the use of some 3rd-party plugins. Secured settings required to perform the analysis now need to be passed to the scanner as parameters.

Custom measures feature has been dropped
The custom measures feature, which was previously deprecated, has been removed. (SONAR-10762).

Deprecated WebAPI endpoints and parameters removed
The WebAPI endpoints and parameters deprecated during the 7.X release cycle have been removed. For a complete list of removed endpoints and parameters see SONAR-15313.

Full release notes

Release 9.0 upgrade notes

Scanners require Java 11
Java 11 is required for SonarQube scanners. Java 8 is no longer supported. See Scanner environment for more information.

Support for Internet Explorer 11 dropped
Support for Internet Explorer 11 and other legacy browsers has been dropped. (SONAR-14387).

Reporting Quality Gate status on GitHub branches requires an additional permission
When working in private GitHub repositories, you need to grant read-only access to the Contents permission on the GitHub application that you're using for SonarQube integration. See GitHub integration for more information.

JavaScript custom rule API removed
The JavaScript custom rule API, which was previously deprecated, has been removed. Plugins can no longer use this API to implement custom rules. See the JavaScript documentation for more information. (SONAR-14928).

Deprecated Plugin Java API dropped
Parts of the Java API for plugins that were deprecated before SonarQube 7.0 have been dropped. You should compile plugins against SonarQube 9.0 to ensure they're compatible and to check if they're using a deprecated API that has been dropped. (SONAR-14925, SONAR-14885).

Full release notes

Release 8.9 upgrade notes

GitHub Enterprise compatibility
SonarQube 8.9 only supports GitHub Enterprise 2.21+ for pull request decoration (the previous minimum version was 2.15).

Plugins require risk consent
When upgrading, if you're using plugins, a SonarQube administrator needs to acknowledge the risk involved with plugin installation when prompted in SonarQube.

Database support updated
SonarQube 8.9 supports the following database versions:

• PostgreSQL versions 9.6 to 13. PostgreSQL versions <9.6 are no longer supported.
• MSSQL Server 2014, 2016, 2017, and 2019.
• Oracle XE, 12C, 18C, and 19C. Oracle 11G is no longer supported.

Webhooks aren't allowed to target the instance
To improve security, webhooks, by default, aren't allowed to point to the SonarQube server. You can change this behavior in the configuration. (SONAR-14682).

Full release notes