Key Features of SonarQube 9.8
A feature tour of SonarQube 9.8 highlights new security rules, quality improvements, and developer experience enhancements introduced in this release.
Performance Improvements for Continuous Integration
SonarQube 9.8 continues the version 9 series' focus on faster analysis with significant improvements to pull request (PR) processing. The release introduces server-side analysis caching for Kotlin, preventing unchanged files from being unnecessarily reanalyzed during PR reviews. Additionally, Enterprise Edition users benefit from enhanced parallel analysis report processing capabilities. While different projects could previously be processed in parallel, SonarQube 9.8 now enables PRs and branches from the same project to be processed simultaneously, eliminating bottlenecks that previously forced sequential processing.
Intelligent File Move Detection in Pull Requests
A notable usability improvement addresses a common pain point in code reviews: file renaming. In version 9.7, when developers renamed files in a PR, SonarQube would re-raise all historical issues from those files as new issues, cluttering the analysis report. SonarQube 9.8 implements file move detection that intelligently recognizes renamed files and preserves their issue history, displaying only genuinely new issues introduced in the PR. This enhancement significantly reduces noise in PR analysis and improves the developer experience.
Comprehensive Expansion of Security and Language Rules
The 9.8 release delivers substantial additions to SonarQube's rule library across multiple programming languages. JavaScript and TypeScript developers now have access to 16 new AWS CDK security rules previously available only to Python developers, covering encryption, public access controls, and permission management. Java and Kotlin receive two new rules addressing block cipher modes, expanding OWASP ASVS v4 Access Control coverage, while 17 rules have been ported from Java to Kotlin. For C++20 users, six new rules assist with proper implementation of the Concepts feature. Additionally, security rule descriptions for PHP, Python, JavaScript, and TypeScript have been significantly expanded with contextual guidance and framework-specific recommendations.
Enhanced Project Creation and Administration Features
SonarQube 9.8 introduces improvements to project management and administrative controls. During manual project creation, administrators can now explicitly specify the main branch name alongside project key and display name, addressing cases where automatic detection fails. At the instance level, global administrators can set a default main branch name for automatically created projects. A long-requested feature—login messages—has been implemented, allowing administrators to display context-specific instructions on the login screen, helping users identify which credentials to use when multiple authentication systems are available.
Security and Infrastructure Updates
The release strengthens user management capabilities with SCIM-based user provisioning and deprovisioning for SAML and Okta integrations. When users are removed from these identity providers, SonarQube automatically deactivates their accounts and invalidates all associated tokens. Finally, SonarQube 9.8 now officially supports Java 17, the current long-term support (LTS) release, ensuring compatibility with modern Java environments.
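What SCIM deprovisioning with token invalidation looks like on the receiving side, as an added example (not SonarQube's code and not part of the original page): a hypothetical in-memory `Directory` class handles the two RFC 7644 requests an identity provider can use to remove a user, and revokes tokens in the same step as deactivation. All class, method, and user names and the sample request body are constructed for illustration.

```python
import secrets

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# Constructed sample request body (RFC 7644 PatchOp), not captured traffic.
SAMPLE_PATCH = {"schemas": [PATCH_SCHEMA],
                "Operations": [{"op": "replace", "value": {"active": False}}]}

class Directory:
    """Hypothetical service-provider side of SCIM; illustration only."""

    def __init__(self):
        self.users = {}    # SCIM id -> {"userName": str, "active": bool}
        self.tokens = {}   # token value -> SCIM id of its owner

    def provision(self, scim_id, user_name):
        self.users[scim_id] = {"userName": user_name, "active": True}

    def issue_token(self, scim_id):
        token = secrets.token_hex(20)
        self.tokens[token] = scim_id
        return token

    def authenticate(self, token):
        # A token is valid only if it exists AND its owner is still active.
        scim_id = self.tokens.get(token)
        return scim_id if scim_id and self.users[scim_id]["active"] else None

    def _deactivate(self, scim_id):
        self.users[scim_id]["active"] = False
        # Revoke in the same step; otherwise CI tokens outlive the account.
        self.tokens = {t: u for t, u in self.tokens.items() if u != scim_id}

    def handle(self, method, path, body=None):
        # Returns the HTTP status for the two deprovisioning request shapes.
        scim_id = path.rsplit("/", 1)[-1]
        if not path.startswith("/Users/") or scim_id not in self.users:
            return 404
        if method == "DELETE":
            self._deactivate(scim_id)
            return 204
        if method == "PATCH" and PATCH_SCHEMA in (body or {}).get("schemas", []):
            for op in body.get("Operations", []):
                value = op.get("value")
                if op.get("path") == "active":      # path-style operation
                    value = {"active": value}
                # The flag may arrive as a bool or as the string "false".
                flag = value.get("active") if isinstance(value, dict) else None
                if op.get("op", "").lower() == "replace" and str(flag).lower() == "false":
                    self._deactivate(scim_id)
            return 200
        return 400
```

When reviewing any SCIM integration, the check worth making is the one `authenticate` encodes: a previously issued token must stop working as soon as the identity provider deactivates or deletes its owner.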
Key Takeaways
- Performance gains in PR analysis through improved caching, plus parallel processing of PRs and branches from the same project for Enterprise Edition customers
- File move detection eliminates false positives in code reviews by recognizing renamed files and preserving issue history
- Rule expansion across multiple languages brings AWS CDK security rules to JavaScript/TypeScript and adds specialized C++20 Concepts guidance
- Administrative flexibility through customizable main branch names, login messages, and enhanced SCIM user provisioning for identity management
- Modern Java support with official Java 17 LTS compatibility for improved deployment options