Sonar.tv

Key features of SonarQube 9.4

Product Updates | March 13th 2023 | 10:04

A guided tour of the new analysis rules, UI improvements, and DevOps platform enhancements introduced in the SonarQube 9.4 release.

Enhanced Infrastructure-as-Code Security

SonarQube 9.4 continues the platform's commitment to cloud security by introducing 17 new Terraform rules for Google Cloud Platform (GCP), complementing the AWS and Azure infrastructure-as-code rules added in previous versions. The majority of these rules are classified as security hotspots rather than vulnerabilities: a hotspot marks a security-sensitive piece of configuration that a reviewer must assess in context before deciding whether it is a real problem, because automated analysis alone cannot tell, for example, whether a permissive setting is intentional for that particular resource.

Improved Security Hotspot Analysis and Management

To enhance the security hotspot review process, SonarQube 9.4 introduces secondary locations within the security hotspots interface. This feature gives reviewers additional context by showing where the flagged code is used elsewhere in the application, enabling a more informed assessment. Additionally, a new "Acknowledged" review status lets developers mark a security hotspot as a confirmed problem that needs future remediation without blocking the current release: the hotspot leaves the "To Review" queue, but the problem stays recorded rather than being dismissed as safe.

Java Language Enhancements

The 9.4 release delivers significant improvements to Java analysis. Four new XML processing rules address less obvious vulnerabilities in the Java XML Digital Signature API and similar libraries. In commercial editions, taint analysis now tracks user-provided data through additional vulnerability patterns, including reflection driven by untrusted input. Sonar has also analyzed 10 popular libraries and built the resulting knowledge of how data flows through them into the analysis engine, so taint can be followed through calls into those dependencies instead of stopping at their boundary. Finally, Java analysis performance has been improved by up to 67 percent on larger projects by grouping files for processing, with an average 30 percent improvement across all projects.
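The two Java patterns named in this paragraph, reflection driven by request input and validation of XML digital signatures, as an added example that is not code from the page or from Sonar. The first half shows the shape of code a taint rule tracking reflection with untrusted input would report, beside an allow-list version that keeps the untrusted string out of the reflective call entirely. The second half validates an enveloped signature with a pinned verification key and the JDK's secure-validation mode switched on, which is the kind of check the XML signature rules are concerned with. The class name, the `HANDLERS` map, and the sample inputs in `main` are this example's own; the `org.jcp.xml.dsig.secureValidation` property name is the JDK's.

```java
import java.lang.reflect.Method;
import java.security.PublicKey;
import java.util.Map;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/** Example code (not from SonarQube): reflection taint and XML signature validation. */
public final class TaintExamples {

    // ---- Reflection driven by untrusted input --------------------------------

    /**
     * Vulnerable: className and methodName arrive straight from the request
     * (e.g. request.getParameter). The caller chooses which class is loaded,
     * which constructor runs and which public no-arg method is invoked.
     */
    static Object dispatchUnsafe(String className, String methodName) throws Exception {
        Class<?> clazz = Class.forName(className);            // attacker-controlled class
        Method m = clazz.getMethod(methodName);               // attacker-controlled method
        return m.invoke(clazz.getDeclaredConstructor().newInstance());
    }

    /** Hypothetical registry of actions; untrusted input only selects a key. */
    private static final Map<String, Runnable> HANDLERS = Map.of(
            "export", () -> System.out.println("exporting report"),
            "archive", () -> System.out.println("archiving report"));

    /** Hardened: the untrusted string never reaches a reflective API. */
    static boolean dispatchSafe(String action) {
        Runnable handler = HANDLERS.get(action);
        if (handler == null) {
            return false;                                     // reject; do not echo the input
        }
        handler.run();
        return true;
    }

    // ---- XML Digital Signature validation -------------------------------------

    /**
     * Validates the single enveloped signature in doc. The document must have been
     * parsed with a namespace-aware DocumentBuilderFactory. The KeySelector ignores
     * any KeyInfo carried in the document and always returns the key we already
     * trust, so an attacker cannot ship their own key alongside their signature.
     */
    static boolean validateSignature(Document doc, PublicKey trustedKey) throws Exception {
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() != 1) {
            return false;                                     // exactly one signature expected
        }
        KeySelector pinned = new KeySelector() {
            @Override
            public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose,
                                            AlgorithmMethod method, XMLCryptoContext ctx)
                    throws KeySelectorException {
                return () -> trustedKey;                      // never trust KeyInfo from the document
            }
        };
        DOMValidateContext ctx = new DOMValidateContext(pinned, nl.item(0));
        // Secure validation forbids weak algorithms, XSLT transforms and oversized
        // Reference/Transform counts that have been used to attack signature verifiers.
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);
        return sig.validate(ctx);                             // checks signature value and all references
    }

    public static void main(String[] args) {
        // Constructed inputs: one registered action, one attacker-style class name.
        System.out.println(dispatchSafe("export"));           // true, handler runs
        System.out.println(dispatchSafe("java.lang.Runtime")); // false, nothing reflective happens
    }
}
```

The important property of `dispatchSafe` is that the request value is only ever used as a map key, so nothing attacker-controlled reaches `Class.forName` or `Method.invoke`; the taint path that a reflection rule would otherwise report simply does not exist. In `validateSignature`, `sig.validate(ctx)` returns false rather than throwing when the signature does not verify, so callers must branch on the return value, not just on the absence of an exception.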

C/C++ Compiler Support and Header Analysis

C/C++ analysis capabilities have expanded with improved compiler support across MSVC, GCC, Clang, ARM Compiler, Texas Instruments, and IAR toolchains, including better handling of compiler flags and more precise analysis. A significant improvement concerns user-provided headers, which were previously treated like system headers and received only minimal analysis. By distinguishing user headers from system headers and analyzing them fully, SonarQube 9.4 closes a source of false negatives in code that lives in headers and improves the overall code quality assessment.

Reporting and Compliance Updates

Enterprise Edition and above now include support for the OWASP Top 10 2021 report, enabling organizations to assess their code against the current version of that list. The report is available both in the web interface and in the security report PDFs. Additionally, portfolio PDF reporting has been updated to display new code metrics prominently alongside overall code metrics, bringing consistency across all reporting surfaces and emphasizing quality in newly written or modified code.

Key Takeaways

  • SonarQube 9.4 adds 17 Terraform rules for GCP and improves security hotspot review with secondary locations and acknowledgment status
  • Java analysis performance increases by up to 67% on large projects, with enhanced taint analysis through analyzed dependencies
  • C/C++ compiler support expands, and user-provided headers are now fully analyzed, closing a source of false negatives in header code
  • OWASP Top 10 2021 reporting is now available in enterprise editions
  • Portfolio PDF reporting now includes new code metrics, providing comprehensive visibility across all reporting channels