New .NET analyzers, with support for .NET 9!

Dear .NET developers,

We have just released version 10.2 of our analyzers for .NET. It’s been a long time coming, and it comes with a few enhancements!

Support for .NET 9 & C# 13

  • We have updated our analyzers and our rules to take advantage of the new version of .NET right away.
  • We reviewed and updated our rules to make sure we can find issues in all new features of C# 13.
  • Performance rules S6603 & S6605 have been removed from the SonarWay Quality Profile because they were no longer applicable in all circumstances due to the runtime’s performance improvements in .NET 9.
  • All rules have been reviewed and adapted to prevent false positives due to changes in the runtime and BCL.
  • Finally, we upgraded automatic analysis to support .NET 9 projects, so you can analyze your projects without problems.

Availability:

  • SonarQube Community Build: Available
  • SonarQube Server: All editions
  • SonarQube Cloud: All plans

New secrets detection rule
We have added the new S6418 rule to detect hardcoded secrets in code. This rule scans for hardcoded strings in your code that are most likely secrets or sensitive information and raises a security hotspot for your review.

Availability:

  • SonarQube Community Build: Available
  • SonarQube Server: All editions
  • SonarQube Cloud: All plans

New advanced rules
We have added 3 new advanced rules:

  • S7130: detect usage of FirstOrDefault/SingleOrDefault on collections that are known to be non-empty
  • S7131: detect misuse of Reader/Writer locks
  • S7133: detect unsafe Lock/Release patterns

Availability:

  • SonarQube Community Build: Not available
  • SonarQube Server: All editions
  • SonarQube Cloud: All plans

Flow of code leading to Null dereferencing issues
We have added what we call an “execution flow” to issues arising from S2259, which guides you through the code on the path leading to such an issue.

Here is an example of what you will see:

This feature will help you understand and then replicate the issue in your tests, making it easier than ever to tackle such issues.

Availability:

  • SonarQube Community Build: Not available
  • SonarQube Server: All editions
  • SonarQube Cloud: All plans

The features are available on SonarQube Cloud (formerly SonarCloud) today and will be in the next releases of SonarQube Community Build and SonarQube Server.
They will be available in SonarQube for IDE (formerly SonarLint) soon.

As always, please send us your feedback on each of those features so we can improve them!

Denis

7 Likes
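To make the "hardcoded secrets" rule in the announcement concrete, here is an added example in C# that is not part of the original post or of the Sonar analyzers themselves. The first factory method carries the pattern the rule raises as a security hotspot (a credential-looking literal in source); the second resolves the token at runtime from the environment and fails closed when it is missing. The class, the `API_TOKEN` variable name and the placeholder token value are all constructed for this illustration.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;

// Added example (hypothetical class): contrasts a hardcoded credential with one
// resolved from the environment at startup.
public static class ApiClientFactory
{
    // Hotspot: a literal that looks like a credential. Anyone with read access to the
    // repository or the compiled assembly can recover it, and rotating it means a redeploy.
    // The value below is a constructed placeholder, not a real token.
    private const string ApiToken = "sk_live_EXAMPLE_PLACEHOLDER_0000000000";

    public static HttpClient CreateWithHardcodedToken()
    {
        var client = new HttpClient();
        client.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", ApiToken);
        return client;
    }

    // Compliant: the secret lives outside the source tree (an environment variable
    // injected by the deployment platform or a secret manager) and is read when the
    // client is built. "API_TOKEN" is an assumed variable name for this example.
    public static HttpClient CreateFromEnvironment(string variableName = "API_TOKEN")
    {
        string? token = Environment.GetEnvironmentVariable(variableName);
        if (string.IsNullOrWhiteSpace(token))
        {
            // Fail closed: no credential means no client, rather than a silently
            // unauthenticated one that only fails later at the first request.
            throw new InvalidOperationException(
                $"Environment variable '{variableName}' is not set; refusing to build a client without credentials.");
        }

        var client = new HttpClient();
        client.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", token);
        return client;
    }
}
```

Reviewing the hotspot means confirming that the flagged literal really is a credential (as opposed to, say, a test fixture) and, if it is, treating it as exposed: rotate it and move the lookup out of source as in the second method.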
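The two lock-related rules in the announcement (misuse of Reader/Writer locks, unsafe Lock/Release patterns) are easiest to see side by side. The following C# is an added example, not code from the original post or from the Sonar analyzers; the `Counter` and `SessionCache` classes and their methods are constructed for the illustration. Each class shows the unsafe shape first and the safe shape after it.

```csharp
using System;
using System.Collections.Generic;
using System.Threading;

// Added example (hypothetical class): Monitor lock that is not released on every path.
public sealed class Counter
{
    private readonly object _gate = new();
    private int _value;

    // Unsafe: Monitor.Enter is not paired with a release in a finally block. If
    // Validate throws, the lock is held forever and every later caller deadlocks.
    public void IncrementUnsafe(int by)
    {
        Monitor.Enter(_gate);
        Validate(by);            // may throw
        _value += by;
        Monitor.Exit(_gate);     // never reached on exception
    }

    // Safe: the lock statement expands to Monitor.Enter / try / finally / Monitor.Exit,
    // so the release happens on the exceptional path as well.
    public void Increment(int by)
    {
        lock (_gate)
        {
            Validate(by);
            _value += by;
        }
    }

    public int Value
    {
        get { lock (_gate) { return _value; } }
    }

    private static void Validate(int by)
    {
        if (by < 0)
            throw new ArgumentOutOfRangeException(nameof(by), "increment must be non-negative");
    }
}

// Added example (hypothetical class): ReaderWriterLockSlim acquired and released
// as different lock kinds.
public sealed class SessionCache
{
    private readonly Dictionary<string, string> _sessions = new();
    private readonly ReaderWriterLockSlim _rwLock = new(LockRecursionPolicy.NoRecursion);

    // Unsafe: a read lock is taken but the write lock is released. ReaderWriterLockSlim
    // throws SynchronizationLockException on ExitWriteLock here, and because that happens
    // outside any finally block the read lock stays held, blocking all future writers.
    public string? GetUnsafe(string id)
    {
        _rwLock.EnterReadLock();
        _sessions.TryGetValue(id, out var payload);
        _rwLock.ExitWriteLock();
        return payload;
    }

    // Safe: acquire and release the same lock kind, and release in finally.
    public string? Get(string id)
    {
        _rwLock.EnterReadLock();
        try
        {
            return _sessions.TryGetValue(id, out var payload) ? payload : null;
        }
        finally
        {
            _rwLock.ExitReadLock();
        }
    }

    public void Set(string id, string payload)
    {
        _rwLock.EnterWriteLock();
        try
        {
            _sessions[id] = payload;
        }
        finally
        {
            _rwLock.ExitWriteLock();
        }
    }
}
```

A lock that is never released is a denial-of-service condition waiting for one unexpected exception, which is why these patterns are worth fixing even when the happy path works; the `lock` statement and the try/finally shape around `ReaderWriterLockSlim` cost nothing at runtime and remove the failure mode entirely.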

Do we have to conclude that you no longer ship this as an open source package?

There has been no activity at github.com for 3 months now, and also on GitHub there has been no new package.

I assume this has to do with the need to monetize the product, but as a contributor to multiple rules, I’m a bit disappointed.

Hi Corniel,

Please see the announcement about our new license for the SonarQube Analyzers by Fabrice Bellingard, our VP of Products.

It is not about the new license. Previously, the (Roslyn based) rules for (the now called) SonarQube IDE were available as a NuGet package. That is apparently no longer the case. For .NET users such as myself, that makes the product less convenient.

Previously, I not only had the advanced reports at (now called) SonarQube Cloud, but also, out-of-the-box on every build output, because it was part of the (Roslyn) build. With this change, I can no longer do that.

Hi @Corniel,

We will continue to ship the open part of our analyzers as a NuGet package.

We have not yet synchronized the public repository, but this will be effective next week. This will allow you to see what happens on the public part of the analyzer and submit contributions.

We are still committed to shipping the non-commercial rules as a NuGet analyzer because it supports the workflow of many users and remains an important use case. This will also return soon after the public repository is up and running again.

I hope this answers your questions about this change.

Denis

3 Likes

Well, that is good news!

I’m wondering how that will work out. Thanks for the update.

Hi, are analyzers updated automatically in SonarQube Server?

Hi there @pburgos

In SonarQube Server, the analyzers are bundled and only updated when you update your version.
Generally speaking, a patch version of SonarQube Server (10.7.1, 10.7.2… for example) does not update the analyzers (unless it is for security reasons).

The updated analyzers will be available with SonarQube Server 10.8 and Community Build 24.12.

If you want to use the latest and greatest as soon as possible, I suggest you look at one of the SonarQube Cloud plans.
The SonarCloud Free plan offers unlimited LOCs for public projects, and up to 50K LOCs of private projects for 5 users for free, for example.

Denis