Thanks to everyone who registered and attended our LTS Webinar! Below you’ll find answers to the questions we received during the presentation.
Q - What changes are required on the scanner side to setup the LTS 9.9 ?
Q - What are the jdk requirements on v9.9 to run scans?
A - The SonarQube server requires Java version 17. But SonarScanner can use 17 or 11.
Q - Do we need to upgrade our sonar-maven-plugin for java analysis ? (220.127.116.115)
A - SonarScanner is on a different release cycle from SonarQube and generally, there is good back-compatibility. However, we always recommend upgrading the scanner to the latest version.
Q - "Node.js version 18 is not supported, you might experience issues. Please use a supported version of Node.js [10, 12, 14, 15]". Will LTS 9.9 fix this issue?
A - NodeJS 18 is supported at the scanner-level by SonarQube 9.9 LTS.
Q - Are there any risks to scan projects which have older java versions → Java8/11 for example. With 9.8; since it requires JAVA11 at least; we applied some workarounds. Any requirement similar?
A - Using Java 8 to analyze projects is not supported. Analysis may continue to use Java 11 if necessary. You’ll be able to find this information in the documentation: Prerequisites and overview
Q - I believe that previously a single SonarQube server was not able to support multiple projects on different versions of Java at the same time (e.g. Java 8, Java 17), is this possible with 9.9?
A - SonarQube was already supporting analyzing code targeting different versions of Java on the same instance. What changes is the version of Java used to run the scanner — Java 11 is required in SonarQube 9.9 LTS, and you can learn more about this in the documentation on the scanner environment (Scanner environment).
Q - Why jdk8 is not compatible in 9.x versions for running sonarqube scanner?
A - We need to be able to innovate and let our developers take advantage of new language features which are only available in newer versions of Java. We try and make this as easy as possible and you can reference the documentation on Scanner Environment (Scanner environment)
Q - Do we need a new version of sonar-scanner and maven plugin for 9.9 LTS?
A - If you haven’t pinned an old version of the Maven scanner in your pom, you should automatically get the latest version when you analyze
Q - Can I upgrade to LTS and then change back to the non-LTS (e.g. 10.1) for some new feature we need but not in LTS?
A - Yes. You have the choice of staying on the LTS or upgrading to a future non-LTS version. If you adopt the latest version, you should upgrade regularly to benefit from the latest fixes and features. To help you choose between the LTS and the latest version of SonarQube, you’ll find more information here: SonarQube Long-Term Support Download | Sonar
Q - Is there any potential risk in database schema change due the LTS and non-LTS switching?
A - There is no specific risk to upgrade. You’ll find the information you should know before the upgrade in the Upgrade Guide: Upgrade guide and in the Upgrade Notes: Release upgrade notes
Of course, you should always test your migration beforehand and have a backup — like any software upgrade. And, the upgrade is thoroughly tested for performance and reliability.
Q - Are there any risks in terms of upgrade for dockerized deployments? From 9.8 to 9.9?
A - There is no specific risk to upgrade. There were a few changes made to our Docker image in 9.9. You can find the details you should know in the upgrade notes: Release upgrade notes. In case you face any issues during upgrade, please check out our Community Forum (https://community.sonarsource.com/) or contact our Support team. We are happy to help you there!
Q - Calling out. Upgrading to LTS you need to move to Java 17. Also if you haven’t upgraded to 9.8 you need postgres > 10
A - As per the prerequisites, to upgrade to the latest LTS, you need Java 17 to run the server and Postgres 11+ See the prerequisites here: Prerequisites and overview
Q - Does SonarQube Server require only java 17 or above java version also work ?
A - The SonarQube server requires Java version 17.
Q - Can you comment on the needed Java version for Linux? Seems that older Java is no longer sufficient. Is it sufficient to set the SONAR_JAVA_PATH to the new java?
A - Yes, Java 17 is required to run the SonarQube 9.9 LTS server! And as long as SONAR_JAVA_PATH points to a Java 17 installation, you should be good to go. This is applicable to all supported operating systems (Mac, Linux, Windows).
Q - May I know what version of linux/unix server should we have to install 9.9 LTS? Is there a minimum requirement for us to do the installation?
A - You need to be able to run Java 17.
Q - Is it recommended to go to 8.9 then 9.8 then 9.9?
A - Please refer to the following examples for details.
Example 1 – From 8.1 > 9.8, the migration path is 8.1 > 8.9 LTS > 9.8
Example 2 – From 9.6 > 9.9 LTS, the migration path is 9.6 > 9.9 LTS
Example 3 – From 7.9 LTS > 9.9 LTS, the migration path is 7.9 LTS > 8.9 LTS > 9.9 LTS
Example 4 – From 8.9 LTS > 9.8, the migration path is 8.9 LTS > 9.8.
See more about it here: Before you upgrade
Q - We are using 9.4 So, my migration path should be 9.4 → 9.8 → 9.9 or can we upgrade directly 9.4 → 9.9 LTS
We are using Oracle 18.104.22.168.210420 hope it supports 9.9 LTS
A - You can directly upgrade from 9.4 → 9.9 with Oracle 19. Check out the prerequisites here: Prerequisites and overview
Q - Is it possible to upgrade directly from 8.7 to 9.9 or should I upgrade to 8.9 first?
A - You’ll need to upgrade to 8.9 first. Learn more about the migration paths here (Before you upgrade)
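The migration-path rule behind the examples above (pass through every intermediate LTS), as an added example that is not Sonar's own code. The planner goes beyond the listed cases to any version pair; its LTS list holds only the releases named on this page (7.9, 8.9, 9.9), so anything older is rejected rather than guessed.

```python
# Added example: upgrade-path planner for the rule illustrated in this Q&A.
# Assumption: LTS_RELEASES lists only the LTS versions named on this page.
LTS_RELEASES = [(7, 9), (8, 9), (9, 9)]


def parse_version(text):
    """Turn '8.9', '8.9 LTS' or '9.9.1' into a (major, minor) tuple."""
    fields = text.strip().split()
    if not fields:
        raise ValueError("empty version string")
    parts = fields[0].split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts[:2]):
        raise ValueError("not a MAJOR.MINOR version: %r" % text)
    return int(parts[0]), int(parts[1])


def label(version):
    """Render a tuple back to text, marking known LTS releases."""
    text = "%d.%d" % version
    return text + " LTS" if version in LTS_RELEASES else text


def migration_path(current, target):
    """Return the ordered list of versions to install, starting at `current`.

    Every LTS strictly between the current and the target version becomes
    a mandatory intermediate stop; non-LTS versions are never stops.
    """
    cur, tgt = parse_version(current), parse_version(target)
    if tgt < cur:
        raise ValueError("target is older than the current version")
    if cur < LTS_RELEASES[0]:
        # Older LTS releases are not listed here, so refuse to plan.
        raise ValueError("current version predates the LTS list known here")
    stops = [lts for lts in LTS_RELEASES if cur < lts < tgt]
    path = [cur] + stops
    if tgt != cur:
        path.append(tgt)
    return [label(v) for v in path]


if __name__ == "__main__":
    # The version pairs asked about in this Q&A.
    for start, end in [("8.1", "9.8"), ("9.6", "9.9"), ("7.9", "9.9"),
                       ("8.9", "9.8"), ("9.4", "9.9"), ("8.7", "9.9")]:
        print(" > ".join(migration_path(start, end)))
```
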
Q - Are old LTS plug-ins still compatible with the latest LTS ?
A - This is not a given. Each plugin developer/maintainer will need to verify whether they support the latest LTS and update the plugin if required.
Q - Which version of postgreSQL supports sonarqube 9.9?
A - You can find the exact requirements and supported PostgreSQL versions at Prerequisites and overview
Q - I am planning to upgrade from 8.9 to 9.9. My setup is running in kubernetes with some gitops practices.
Is there any risk of the license getting invalidated? I know there are several variables that could invalidate it, could a migration cause invalidation?
A - If you upgrade your existing database and keep the same DB connection (JDBC URL), your license will remain valid. You can refer to SonarQube documentation, it’s described there: License administration.
Q - Is in Kubernetes Helm (charts) support included? Or is Helm unsupported?
A - We provide official Helm charts for all SonarQube editions. You’ll find these charts on ArtifactHUB: Artifact Hub.
Q - How can I migrate my community version of sonarqube data to the enterprise version?
A - You just need to use the appropriate ZIP file or Docker image. You will find more information in our documentation, on the Upgrade guide page, in the “Changing your edition” section: Upgrade guide.
Q - Do we need to take care or anything else rather than Java, DB version while upgrading LTS 8.9 to 9.9 for DCE?
A - Make sure you read through the LTS to LTS Upgrade Notes (https://docs.sonarqube.org/latest/setup-and-upgrade/lts-to-lts-release-upgrade-notes/). You should test your upgrade before upgrading production and have a backup.
Q - We are running 8.9 LTS and are failing vulnerability scans for Log4j and Apache commons Text, are they addressed in 9.9 LTS?
A - 8.9 is not vulnerable to the Log4J vulnerability. You should nonetheless upgrade to 9.9 at your earliest convenience.
Q - What changes to expect for go-lang when upgrading from 8.9 to 9.9 LTS?
A - SonarQube now supports newer versions of the Go language (1.19) and language structures that were added, like generics.
Q - Which C# version is supported by the 9.9 LTS?
Is there somewhere an overview available?
A - Support for C# 10 and initial support for C#11 is available in 9.9 LTS.
Q - Any plan for Dart language?
A - SonarQube 9.9 LTS doesn’t (yet) support it. The support for Dart is under consideration for the 10.x roadmap. You can find more about it here: https://portal.productboard.com/sonarsource/3-sonarqube/c/123-dart-flutter-support
More generally, you can find what is under consideration for the roadmap and provide feedback about it on the following page: Roadmap | SonarQube | Sonar
Q - For which programming languages does SQ perform taint analysis?
Q - Can we scan Docker images now with this LTS?
A - SonarQube can now analyze Docker files (recent addition), but note that SonarQube does not scan images that are already built.
Q - Does it also depend on the core? We are on 8.7 and occasionally see a spike in analysis time.
A - The analysis duration depends on a variety of factors: code language, complexity, platform, infrastructure, memory, etc. So to answer your query, yes, it has some dependency on the machine you analyse.
Q - Does the PR analysis scan only the changed code (delta scan) or everything?
A - Yes, with Incremental Analysis and server-side caching, only the changed files in the PR are analyzed.
Q - Is this Faster PR analysis also available in the CE or only in DE / EE version?
A - Branch and pull requests analyses are available starting from the Developer Edition.
Q - In the current speed benchmark , what is the size of the PR in LoC ? The speed is on the analysis task during the build pipeline or during background task on sonarqube instance?
A - These speed improvements were validated against pull requests ranging from extra small (a few lines) to large (thousands of lines of code changed). The performance improvement will always depend on how many files were unchanged in the project, compared to how many files were changed. In 9.x, we focused on the speed scanner-side, after big improvements in 8.x on the Compute Engine side.
Q - Does the first time analysis speedup apply to non-Git projects? Was there any improvement there?
A - The improvement of speed for the first time analysis applies to Git projects only. In parallel, we improved the speed of analysis in some other areas you may benefit from.
Q - With speed improvements, I’m hoping there are fixes applied to the time out issues in run code analysis and publish report steps in Azure pipelines
A - We would need more details about your specific case as in general these are related to network, proxy etc. We suggest creating a community thread or opening a support ticket.
Q - Is there any improvement on Code Scanner performance?
A - Yes! PR analysis got significantly faster, as did basic Java analysis and first analysis of Git projects
Q - What we don’t have build breaker issue for monolith type project front-end resolved ? As still there is an issue with monoliths type projects sonar report generation?
A - We have in general the possibility to break the build for pipelines in various CIs. If it is anything specific to your environment, I suggest raising a support case / a community post to look into further.
Q - What version can I use for gitlab ?
A - You can analyze the main branch of your GitLab projects with every SonarQube edition. Branch and Pull Request analysis start with the Developer Edition.
Q - How does the Quality Gate integrate with gitlab ?
A - The Quality Gate can be used to validate builds and prevent the merging of merge requests if Quality Gate fails. For more info, refer to the documentation at GitLab integration
Q - How can we use Github actions for SonarQube Community Edition deployed on-premises ?
A - Yes, but note that the Community Edition does not support the analysis of multiple branches, so you can only analyze your main branch.
Q - Does security findings require GitHub Advanced Security ?
A - SonarQube findings don’t depend on GitHub features. Displaying issues and security hotspots in GitHub Advanced Security is an additional integration, but it is not required. You can find more details in the documentation here: GitHub integration.
Q - Are all features that were developed for Github also available for gitlab? Or is there specific documentation for the improvements done for gitlab?
A - The integration with GitHub code scanning (part of GitHub Advanced Security) is available for GitHub only. In addition to that, we’ve made several improvements regarding the integration with the various DevOps platforms. You can find more details about what was improved and tell us more about your needs here: Roadmap | SonarQube | Sonar.
Q - Question about the “deeper github integration”, does this only work with Github actions? Or does it also work if you have a CI/CD pipeline of lets say Github → Azure Devops → SonarQube … and so then have SonarQube still report back to Github?
A - While support for GitHub Actions is exciting — it’s not the only change we made! We now push Quality Gate status on commits at the branch level, including when analysis is run with Azure DevOps.
Q - Is segregation available to find the difference between github code scanning findings and sonarqube findings on Github security tab?
A - SonarQube doesn’t support that. Please feel free to express your interest and share your need for the topic on the Community forum (Product Manager for a Day - Sonar Community) or directly submit your idea on the Roadmap page (Roadmap | SonarQube | Sonar).
Q - Did you have any enhanced integration with AzureDevOps?
A - We’ve made several improvements regarding the integration with the various DevOps platforms. You can find more details about what was improved here: Roadmap | SonarQube | Sonar.
Q - Devops platform integration —> Import repositories from your DevOps Platform
This feature is disabled because you have 2 or more integration instances configured.
Any plans to remove this limitation as we have both Bitbucket On-prem and Cloud instances and the automatic import of repos has been disabled.
A - As a matter of fact, this limitation was removed in SonarQube 9.9 LTS!
Q - What integrations are not supported, Bitbucket Data Center vs Bitbucket Cloud?
A - Both are supported. If you have specific questions, check out the documentation (SonarQube 9.9) or drop a line in the community forum: https://community.sonarsource.com/
Q - Do you plan to add project tokens instead of personal tokens ?
A - We’ve actually already added project tokens! You’ll find more information about them here: Generating and using tokens
Q - What about our previous tokens validity expiration?
A - Existing tokens are unchanged. You may want to revoke them and issue new, specialized tokens
Q - Will the portfolios evolve in this version?
A - They evolved a great deal! There’s an entirely new portfolio overview, the support of New Code, and the ability to add specific branches of a project.
Q - If you have multiple long-lived branches in a project, can you have the results of analysis for each of these visible in the portfolio view, and overall portfolios list?
A - You can now create a portfolio of project branches, so you can choose that aggregation.
Q - Is a sonar-scanner for MacOS M1 (arm64) available in 9.9?
A - We don’t have a docker image for the scanner for Apple Silicon yet — but you can still use the scanner Docker image outside that context.
Q - If I use Terraform modules, will Sonarqube scan the code of those imported modules as well?
A - The analysis doesn’t do any ‘downloading’. It assumes you’ve already checked out everything relevant and that it’s being started from the root directory of your project. Please check out our Community Forum (https://community.sonarsource.com/) for more information.
Q - Will the install experience be more streamlined, such as a MSI installer or single installation script?
A - We’ve done a lot of work on our Docker image and worked to support Kubernetes for all editions in the 9-series.
Q - Does 9.9 now support multiple versions of COBOL scanning ?
A - We’ve supported multiple COBOL standards for quite some time.
Q - Does SonarSource support using AWS Fargate to run SonarQube in a container?
A - SonarQube is provider agnostic because it can be configured to work in many environments (on-prem, cloud providers, containers, etc), however it is not tested specifically on Fargate, so we don’t have specific recommendations.
Q - Is it possible to add new / edit rules in specific programming language ?
A - For some languages, it’s possible to create custom rules. You can also extend some other languages or support an additional language by creating a custom plugin. You can refer to the following documentation pages: Adding coding rules and Plugin basics.
Q - One of the issues we find is that rules get forced on developers in an upgrade. Which is great for getting teams to date, but horrible when you’re trying to release. Is there an easy way to disable new rules? at least till after release
A - This is indeed expected if you are using the built-in Quality Profile so as to enforce the improvements. If you still want a solution, then you could define a custom Quality Profile and use it for your projects.
Q - Are there plans to add a SonarLint integration to XCode and Android Studio?
A - SonarLint is already available for Android Studio. Please feel free to express any need you would have on the Community forum (Product Manager for a Day - Sonar Community) or directly submit your idea on the Roadmap page (SonarLint Roadmap Features & Enhancements | Sonar | Sonar).
Q - Are the reporting features available only in Enterprise or Development and Community versions too?
A - Reporting features are primarily available for Enterprise and DataCenter Edition users.
Q - Can we have (say email) notifications from SonarQube? Like expiration of tokens etc.? If not, do you have any plans or ideas how to achieve this?
A - SonarQube does have email notifications! These send an email in various scenarios - expiry of license and tokens, etc.
Q - Does the 9.9 LTS version support scanning of project with mixed Objective-C and Swift code?
A - Yes, but this isn’t new! And, the analysis will have to take place on a macOS machine which supports Objective-C.
Q - Is there going to be a way to show in the PR branch analysis if you have removed issues that were previously found on the main branch i.e. you have a PR that fixes issues in legacy as opposed to adding new features and you want to see how much you have fixed
A - Not yet, but it’s planned for SonarQube 10.x: https://portal.productboard.com/sonarsource/3-sonarqube/c/171-prs-show-issues-that-will-be-fixed-by-the-merge
Q - Do you have a complete overview of available plugins?
A - Most functionality is baked into SonarQube these days and not supplied via plugins. Check out the plugin version matrix (Plugin version matrix) for a list of plugins available in the marketplace.
Q - When is the planned support for Java 20? Java 19 is end-of-life in March
A - Java 20 is not yet released. We can’t support Java 20 until the Eclipse Compiler for Java does (which we use to parse Java).
Q - How does SonarQube relate to SonarCloud in terms of upgrades? Can we expect the same features in SonarCloud?
A - In terms of analysis, SonarQube and SonarCloud share language analyzers and analysis concepts. So improvements in this area are applicable to SonarCloud too. Beyond that, SonarQube and SonarCloud features are a bit different.
Q - Build wrapper process continued for C and C++ in 9.9.X LTS version ?
A - We have two possibilities to execute C and C++ analysis: build wrapper and compilation database. Please refer to the documentation for more details: C/C++/Objective-C.
Q - Is there any improvement in SonarLint as well ?
A - SonarLint has a different lifecycle than SonarQube. Indeed a lot has been improved recently. I urge you to go through the release notes for SonarLint. If you wish for something, I suggest creating an insight for the same.
Q - Does Sonar has / plan for Solidity support?
A - If you are looking for the support for the Solidity programming language, SonarQube doesn’t support it. Please feel free to express your interest and share your need for the language on the Community forum (Product Manager for a Day - Sonar Community) or directly submit your idea on the Roadmap page (Roadmap | SonarQube | Sonar).
Q - Is it possible to copy SonarQube false positive to a newly created branch? and also will it auto migrate to a newly created branch?
A - With the first analysis of a new branch, issues are synchronized from the main branch. Refer to the documentation here: Branch analysis
Q - Does 9.9 LTS have a developer edition?
A - Indeed we have one. Please visit Download | SonarQube | Sonar for details
Q - Is there any progress that can be discussed on buildwrapper for embedded compilations
A - Work on improving support for embedded compilations is ongoing, but there are no updates related to the LTS release.
Q - How many patches will be released for the 9.9 LTS version?
A - We can’t anticipate the number of patch releases the LTS will have since patches are released only for blocker bugs and vulnerabilities.
Q - Can we get the Sonar analysis in a chart based format?
A - It is not possible to customize the UI in SonarQube but you could extract the details using the APIs to customize the format to your needs
Q - Will we have the api support for report?
A - Yes, we invite you to check the details in the API documentation on your instance.
Q - Can we download all the Sonar administration reports in one consolidated format?
A - Administration-related reports can be downloaded from the administration page. Project and portfolio-related reports can be downloaded from their respective dashboards.
Q - Do we have the API to find out LOC consumption ?
A - LOC consumption can be viewed on the Administration page → Configuration → License manager. There is a corresponding API call and we suggest reviewing the API documentation.
Q - Is there any official place where we can learn about the SonarQube, from basic to advanced level of features?
A - The starting point is https://www.sonarsource.com/ where you will get all the details.
Q - Can you tell us about customization of reports ?
A - PDF reports are not customizable. They are intended for providing a top-level overview of the projects/portfolios. To dig deeper into results and trends, you can look at the SonarQube UI.
Q - In LTS 9.9 is there consolidation of permissions management into one place rather than having them split across Permissions Template and Global Permissions ?
A - The permissions model hasn’t changed in SonarQube 9.9.
Q - Is the SonarQube badge accessible by anonymous? Ie, can we embed it into README.md files in repo or similar?
A - Badges can be embedded into README files even for private SonarQube projects! The badges now embed a dedicated authentication token to make it possible. The token can be revoked at any time.
Q - Any time to remove search from nodes so we can use as managed service from cloud providers?
A - We don’t support removing search nodes from the cluster. Please feel free to express your interest and share your need for the topic on the Community forum (Product Manager for a Day - Sonar Community) or directly submit your idea on the Roadmap page (Roadmap | SonarQube | Sonar).
Q - Is PR analysis faster by design or only after activating via property sonar.ce.parallelProjectTasks (default false) ?
A - Both. Pull Request Analysis is faster for all languages (scanner-side) since we only analyze changed files, and that’s on top of the performance improvements in the analyzer itself. Additionally, if you enable parallel processing of project tasks (available in Enterprise+ Edition), you allow the Compute Engine to process pull request analysis tasks in parallel with other pull request or branch analysis tasks of the same project. It’s performance gains all over!