Key Features of SonarQube 10.2
An overview of the key capabilities introduced in SonarQube 10.2, including expanded language coverage, improved taint analysis accuracy, and new developer-facing remediation suggestions.
SonarQube 10.2 introduces significant enhancements to code quality analysis, with particular focus on expanding language support and implementing stricter rule standards. Ann Campbell, presenting the key features of this release, highlights 43 new strict implementations of MISRA C++ 2023 rules—a departure from the platform's previous approach of creating derived rules. These strict implementations are easily identifiable through the MISRA C++ 2023 tag and follow a consistent naming convention with rule IDs prefixed by "M23_" followed by the corresponding MISRA rule number, enabling seamless correlation with official MISRA documentation.
The release substantially expands secrets detection capabilities, growing from a single rule to 30 comprehensive rules that identify 67 different secret patterns. Beyond security enhancements, SonarQube 10.2 demonstrates broad language support improvements: JavaScript receives 11 new rules, Python gains 9 new rules alongside improved coverage report imports (Ruff reports), and .NET benefits from 9 new datetime rules. The platform also introduces parsing support for Kotlin DSL and Azure Resource Manager and Bicep templates, with 19 accompanying rules to ensure optimal usage patterns.
Technical improvements extend across multiple platforms, with C++ now supporting Cobertura coverage report imports and PHP gaining support for superglobal arrays. Most notably, SonarQube 10.2 completes the replacement of the C# symbolic execution engine, resulting in marginal speed improvements and significantly enhanced analysis accuracy. This improvement led to the discovery of a critical issue in the .NET runtime itself: an always-true condition in sqlmoney.cs that caused incorrect rounding for negative numbers.
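To make the class of defect concrete, the following is a constructed C# illustration added here; it is not the code from the .NET runtime's sqlmoney.cs, and the type name `MoneyRounding`, the method names and the tick scale are assumptions for the example. It shows a fixed-point "money" conversion that is meant to round half away from zero, once with a sign check that can never be false (the kind of condition a symbolic execution engine flags) and once with the check applied to the right value.

```csharp
using System;

// Constructed illustration (not the .NET runtime's sqlmoney.cs): a fixed-point
// money representation that stores values as ten-thousandths ("ticks") and is
// meant to round half away from zero in both directions.
public static class MoneyRounding
{
    private const decimal TicksPerUnit = 10000m;

    // Defective variant: the sign test is performed on the absolute value, so it
    // is always true and every input is rounded as if it were positive. Negative
    // halves are therefore pulled toward zero instead of away from it.
    public static long ToTicksBuggy(decimal value)
    {
        decimal scaled = value * TicksPerUnit;
        decimal magnitude = Math.Abs(scaled);
        // Always-true condition: a magnitude is never negative, so the "else"
        // branch (subtracting 0.5 for negative values) is unreachable.
        decimal adjusted = magnitude >= 0 ? scaled + 0.5m : scaled - 0.5m;
        return (long)decimal.Truncate(adjusted);
    }

    // Corrected variant: test the sign of the scaled value itself, so negative
    // inputs get the -0.5 adjustment before truncation.
    public static long ToTicksFixed(decimal value)
    {
        decimal scaled = value * TicksPerUnit;
        decimal adjusted = scaled >= 0 ? scaled + 0.5m : scaled - 0.5m;
        return (long)decimal.Truncate(adjusted);
    }

    public static void Main()
    {
        // Constructed sample inputs that sit exactly on a rounding boundary.
        decimal negativeHalf = -1.00005m;
        decimal positiveHalf = 1.00005m;

        Console.WriteLine($"buggy  {negativeHalf} -> {ToTicksBuggy(negativeHalf)} ticks");
        Console.WriteLine($"fixed  {negativeHalf} -> {ToTicksFixed(negativeHalf)} ticks");
        Console.WriteLine($"fixed  {positiveHalf} -> {ToTicksFixed(positiveHalf)} ticks");
    }
}
```

With the constructed input -1.00005, the scaled value is -10000.5; the defective variant adds 0.5 and truncates to -10000 ticks, while the corrected variant subtracts 0.5 and yields -10001 ticks, matching the 10001 ticks produced for the positive mirror input. A unit test that covers only positive values would never notice the difference, which is why a rule that reports conditions that always evaluate the same way is valuable independently of test coverage.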
The release introduces a fundamental shift in how code quality is conceptualized through the new Clean Code Taxonomy. Rather than the traditional categorization of bugs, vulnerabilities, and code smells, SonarQube 10.2 analyzes issues based on underlying code attributes: consistency, intentionality, adaptability, and responsibility. This approach recognizes that a single code problem can have multiple impacts on software reliability and security, allowing for more nuanced classification of issues. Every rule and issue now displays relevant clean code attributes alongside the software qualities that may be impacted by violations.
SonarQube 10.2 refines the quality gate experience by eliminating false warnings about extra conditions that extend beyond clean code criteria. Additionally, SonarQube improved its integration with SonarLint, allowing developers to mark issues as false positives or won't-fix directly within their IDE before new code is even analyzed by the server. When that code reaches SonarQube, these markings are already applied, streamlining the development workflow. The release also completes visual updates across the project interface, including the activity page, security reports, and project information tabs, while expanding project permission synchronization capabilities.
Key Takeaways
- SonarQube 10.2 implements 43 strict MISRA C++ 2023 rules and expands secrets detection to 30 rules identifying 67 different patterns
- The completed C# symbolic execution engine replacement improves analysis accuracy, uncovering previously missed issues including a critical .NET runtime bug
- The new Clean Code Taxonomy replaces traditional bug/vulnerability/code smell categories with attribute-based analysis (consistency, intentionality, adaptability, responsibility)
- Enhanced SonarLint integration enables developers to mark issues as false positives or won't-fix before code analysis on the server
- Broad language support expansion includes parsing for Kotlin DSL, Azure Resource Manager, and Bicep templates with accompanying rules