Faster security scan with a 30% time reduction

Hello Security Community,

We are thrilled to announce a significant update to our security engine, enhancing its capabilities across the Java, JavaScript/TypeScript, Python, C#, and PHP ecosystems. Here’s a detailed look at what’s new:

Performance Enhancements

We have achieved our most substantial performance improvement in recent years, with an average decrease of 30%. By eliminating performance bottlenecks, your scans will now complete faster, giving you more time to address any detected vulnerabilities. Additionally, we have resolved the issue of slow scanning in certain Angular projects.

Improved Detection of Vulnerabilities

Previously, some vulnerabilities went undetected due to missing configurations, requiring manual input from users. We have addressed this by providing these configurations out of the box, ensuring all users benefit from them.

  • Python
    • Enhanced support for os.path functions as passthroughs.
    • Added common Flask sources such as “request json”.
    • Improved passthroughs from email.message.Message.
  • PHP
    • Added sinks for “MySQLi prepare” and “highlight_file”.
    • Expanded support for other laminas-serializer adapters as sinks.
  • Java
    • Included common Quarkus annotations as sources.
    • Corrected the signature for Jakarta HttpServletRequest#getCookies.
  • C#
    • Added Join as a common passthrough.

Additional Improvements

  • Our engine now supports the missing piece of the latest modern Java features, including “constructor implicit calls”, “field initializers”, and “Optional in Spring/Micronaut annotated parameters”, allowing for more comprehensive code analysis.
  • PHP 8 class constructor properties are now supported.
  • The type inference for Python has been improved to better determine variable types.

We are excited for you to experience these improvements. This is available now in SonarQube Cloud and will be part of the upcoming SonarQube Server LTA.

Alex

8 Likes
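To make the source / passthrough / sink vocabulary used in the announcement concrete, here is an added illustration that is not SonarQube's engine and not code from the post: a small, flow-insensitive taint tracker built on Python's standard `ast` module. It treats `request.json` (and a few other Flask attributes) as sources, lets taint flow through `os.path.*` helpers the way a passthrough does, and reports a call to `open()` whose path argument is tainted. The two Flask handlers it scans are constructed for this example, and the sanitizer category with its `secure_filename` entry is an assumption of this toy model, not something the announcement lists.

```python
import ast

# Toy taint configuration (assumed for this example; not Sonar's rule set).
SOURCES = {"request.json", "request.args", "request.form"}      # user-controlled Flask inputs
PASSTHROUGHS = {"os.path.join", "os.path.basename", "os.path.normpath"}  # taint survives these calls
SANITIZERS = {"secure_filename"}                                  # assumed to return clean data
SINKS = {"open": 0}                                               # sink function -> sensitive arg index


def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintFinder(ast.NodeVisitor):
    def __init__(self):
        self.tainted = set()   # variable names currently holding tainted data
        self.findings = []     # (sink name, line number) pairs

    def is_tainted(self, node):
        if dotted(node) in SOURCES:
            return True
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, (ast.Attribute, ast.Subscript)):
            return self.is_tainted(node.value)
        if isinstance(node, ast.BinOp):
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        if isinstance(node, ast.Call):
            fn = dotted(node.func)
            if fn in SANITIZERS:
                return False
            if fn in PASSTHROUGHS:
                return any(self.is_tainted(a) for a in node.args)
        return False

    def visit_Assign(self, node):
        names = [t.id for t in node.targets if isinstance(t, ast.Name)]
        if self.is_tainted(node.value):
            self.tainted.update(names)
        else:
            self.tainted.difference_update(names)  # clean reassignment kills the taint
        self.generic_visit(node)

    def visit_Call(self, node):
        fn = dotted(node.func)
        if fn in SINKS:
            idx = SINKS[fn]
            if idx < len(node.args) and self.is_tainted(node.args[idx]):
                self.findings.append((fn, node.lineno))
        self.generic_visit(node)


def analyze(src):
    """Run the toy tracker over a source string; return [(sink, line), ...]."""
    finder = TaintFinder()
    finder.visit(ast.parse(src))
    return finder.findings


# Constructed sample handlers (not from the announcement).
VULNERABLE = '''\
import os
from flask import request

def read_attachment():
    name = request.json["name"]            # source: user-controlled JSON body
    path = os.path.join(UPLOAD_DIR, name)  # passthrough: taint survives the join
    return open(path).read()               # sink: file read with a tainted path
'''

HARDENED = '''\
import os
from flask import request
from werkzeug.utils import secure_filename

def read_attachment():
    name = secure_filename(request.json["name"])  # sanitizer: separators stripped
    path = os.path.join(UPLOAD_DIR, name)
    return open(path).read()
'''

if __name__ == "__main__":
    print("vulnerable:", analyze(VULNERABLE))   # [('open', 7)]
    print("hardened:  ", analyze(HARDENED))     # []
```

The point of the example is the middle step: without `os.path.join` registered as a passthrough, the tracker would lose the taint at line 6 and never reach the sink, which is exactly the class of false negative the announcement's "out of the box" configurations are meant to close. A real engine also needs path-sensitivity, inter-procedural flow and a vetted sanitizer list, none of which this toy attempts.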

Fantastic news, Alex. Sonar scanning can add significantly to our build times currently, so these improvements will be most welcome!

A post was split to a new topic: C/C++ scans could run faster