Key features of SonarQube 9.5
A walkthrough of SonarQube 9.5's notable features, including new clean code taxonomy attributes, updated dashboards, and expanded language analysis capabilities.
Significant Performance Improvements Across Languages
SonarQube 9.5 marks a major milestone in analysis speed, building on the faster Java analysis introduced in version 9.4. The new release brings substantial performance gains to C and C++ analysis by enabling multi-threading and analysis caching by default. Previously available but requiring manual configuration, these features now activate automatically: multi-threading scales to the number of CPUs on the analysis machine, and analysis caching keeps scan duration proportional to the number of files affected by a changeset. A separate optimization, faster retrieval of blame (SCM) data, was measured on the Matomo project (approximately 710,000 lines of code): the first analysis dropped from 11 minutes 23 seconds in version 9.4 to 4 minutes 26 seconds in 9.5, a 60% improvement.
Enhanced Language Support and Runtime Error Detection
SonarQube 9.5 expands its analytical capabilities across multiple programming languages. For C# developers, support for the record struct concept has been added, enabling 31 previously incompatible rules to properly detect issues within record structs. A new deadlock detection rule identifies locks that are only conditionally released, catching a class of potential runtime errors before they ship. Java users benefit from five new runtime error detection rules covering runtime exceptions, inappropriate collection operations, and infinite recursion scenarios. On the security side, a new rule detects hardcoded secrets beyond passwords by recognizing pseudo-random values assigned to variables named "secret," "token," or "credential." For Python developers, four new security hotspots flag risky AWS CDK usage patterns when creating S3 buckets.
Improved Coverage Documentation and User Interface Updates
Recognizing that coverage configuration has historically challenged users, the 9.5 release includes overhauled documentation providing language-specific guidance for integrating coverage data. The issues interface has been redesigned to help users concentrate on individual issues while making rule descriptions more prominent and accessible, streamlining the debugging workflow across projects.
Token Security and Project Reporting Enhancements
A significant security improvement is the reworked token model, which introduces three distinct token types in place of the single type used previously. Project analysis tokens can be scoped to an individual project, while global analysis tokens can analyze any project on the instance. The legacy user token type is kept for backward compatibility and carries all of the owning user's permissions. Each token type has its own distinct prefix (one each for project analysis tokens, global analysis tokens, and user tokens), so an exposed token can be identified at a glance and the scope of the exposure assessed quickly.
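As an added example (not code from the SonarQube project or this article), the following scanner shows how a defender can use the per-type prefixes to triage a token found in a CI log or config dump: it classifies each match by type and blast radius and redacts the value. The prefixes `sqp_`, `sqa_` and `squ_` are the ones SonarQube documents for the three token types; the 40-hex-character token body and the sample log are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

# Prefixes SonarQube 9.5 assigns to each token type (from SonarQube's docs,
# not from this article). The 40-hex-char body is an assumption for the regex.
TOKEN_TYPES = {
    "sqp_": ("project analysis token", "analysis of one project only"),
    "sqa_": ("global analysis token", "analysis of any project on the instance"),
    "squ_": ("user token", "everything the owning user is permitted to do"),
}
TOKEN_RE = re.compile(r"\b(sq[pau]_)([0-9a-f]{40})\b")


@dataclass
class Finding:
    line_no: int
    token_type: str
    blast_radius: str
    redacted: str


def classify_token(token: str):
    """Return (type, blast radius) for a 9.5-style token, or None otherwise."""
    m = TOKEN_RE.fullmatch(token)
    return TOKEN_TYPES[m.group(1)] if m else None


def redact(token: str) -> str:
    # Keep the prefix (it carries the type) and the last four chars for correlation.
    return token[:4] + "..." + token[-4:]


def scan_text(text: str) -> list[Finding]:
    """Scan a log or config for exposed SonarQube tokens; never store the full value."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in TOKEN_RE.finditer(line):
            ttype, radius = TOKEN_TYPES[m.group(1)]
            findings.append(Finding(n, ttype, radius, redact(m.group(0))))
    return findings


# Constructed sample CI log with three made-up tokens and one prefix-less legacy value.
SAMPLE_LOG = """\
sonar-scanner -Dsonar.login=sqp_0123456789abcdef0123456789abcdef01234567
export SONAR_TOKEN=sqa_fedcba9876543210fedcba9876543210fedcba98
curl -u squ_00112233445566778899aabbccddeeff00112233: https://sonar.example/api/server/version
legacy token abcdef0123456789abcdef0123456789abcdef01 has no prefix
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.token_type} ({f.blast_radius}) -> {f.redacted}")
```

A user-token hit warrants the most urgent rotation, since its blast radius is the whole user account rather than a single project's analysis.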
The release introduces a new regulatory report available at the project level, providing a comprehensive snapshot of project status at a given point in time. The report includes major metric values for both new and overall code, all failing quality gate conditions, complete issue listings organized by status, and full analysis context documentation covering analysis parameters, quality gate conditions, and all rules from the applied quality profiles. This lets teams keep detailed compliance records and project audit trails for regulatory or internal governance requirements.
Key Takeaways
- Performance gains include a 60% faster first analysis from optimized blame data retrieval, plus default enablement of multi-threading and analysis caching for C/C++ projects
- Enhanced language support includes C# record structs, Java runtime error detection, Python AWS CDK security hotspots, and improved deadlock detection
- Three-tier token system improves security by enabling project-scoped analysis tokens with unique prefixes for easier identification and access control
- Comprehensive regulatory reporting provides detailed project status snapshots including metrics, quality gates, issues, and analysis context for compliance and auditing purposes
- Streamlined user interface and improved coverage documentation reduce configuration friction for users across all supported languages