SonarQube 9.3 released

Hi all,

SonarSource is proud to announce the release of SonarQube 9.3, which includes detection of security issues in Terraform Azure Cloud files, taint security analysis for Android and much more. Details in the official announcement.

In addition, there are a few other items to note in the release:

  • Along with the redesign of the Portfolios overview, we’ve removed from Portfolios and Applications information on projects you don’t have access to (SONAR-15821).
  • New Code detection in your branches that compare to a reference branch now better takes into account rebase and merge (SONAR-15697, SONAR-14929).
  • We’ve sped up the analysis of Pull Requests by analyzing only changed files for XML, Flex, VB6, PL-SQL, T-SQL, RPG, ABAP. We intend this as a first step. Watch this space. :smiley:
  • Elasticsearch is updated to avoid false positives from vulnerability scanning tools with regard to CVE-2021-44832.

The documentation should be updated soon. Normally, we would send you the upgrade notes for more details but there’s not much this time. You can get the full details in the release notes. Please open new threads for any questions you have about these or other features.

As usual, download is available at sonarqube.org. Docker images are also available on Docker Hub.

 

Chris


Please make sure to include in the release notes a mention about updating the MSSQL JDBC driver to the latest version if using Integrated Authentication. Found that buried in the sonar.properties file.

Thanks!

Thanks for everyone’s hard work on this! I appreciate the BIDI character recognition - that was a quick turnaround on Highlight Unicode BIDI characters as Security Hotspot

The date parser on the announcement page may need a small update though:
image


Hi @jtbatzer,

I think you are referring to an explanation which was added with SonarQube 8.7. There’s a note for that in the previous Upgrade Notes: Release Upgrade Notes | SonarQube Docs

Hi @cba,

Thanks for your kind words!
And good catch. I reported the glitch internally.

Hi,

It’s part of the release notes, see
https://jira.sonarsource.com/ReleaseNote.jspa?projectId=10930&version=17060

but it only has [SONAR-15679] - Upgrade jdbc drivers, so you need to have a look into the ticket itself, [SONAR-15679] Upgrade jdbc drivers - SonarSource, to see that MSSQL is also affected.
But that said, the ticket doesn’t mention the concrete version = sqljdbc_9.4.1.0; it was 9.2.0 before.

So yes, it’s a gotcha, as SonarQube Documentation | SonarQube Docs still points to SonarQube 9.2.

edit = right now the doc latest points to 9.3 finally, but there are errors in the doc.

Hi @Chris ,

The problem is that the release notes don’t mention the concrete version of the MSSQL JDBC driver.
Also, the release of the SonarQube version and the docs SonarQube 10.3 should be synchronous.
And the docs for 9.3 have an error related to the MSSQL driver (you need to expand the Microsoft SQL Server section);
https://docs.sonarqube.org/latest/setup/install-server/ has

Integrated Security

To use integrated security:

  1. Download the Microsoft SQL JDBC Driver 9.2.0 package and copy mssql-jdbc_auth-9.2.0.x64.dll to any folder in your path.

should be

  1. Download the Microsoft SQL JDBC Driver 9.4.1 package and copy mssql-jdbc_auth-9.4.1.x64.dll to any folder in your path.

this is wrong

this is right

Gilbert


Thanks for clarifying @Rebse .
We overlooked this part of the documentation. We’ll clarify the requirement.

Chris

Thanks for the response. I fell into the trap since I already had SQ 9.2 installed with mssql-jdbc 9.2. I did a quick file compare between the working 9.2 property file and the new 9.3 one and didn’t see any major changes. After upgrading SQ to 9.3, the web server wouldn’t start and I found SQL-related errors in the web.log. That’s when I went back to the properties file and found the JDBC comment about the mssql-jdbc 9.4 requirement for integrated authentication.

Thanks!

Great stuff! :slight_smile:
Will 9.3 require a newer sonar-maven plugin than 3.9.1.2184?

/Anders

Hi Anders,

As long as you haven’t pinned the Scanner version in your pom file, the latest & correct version should be used automatically.

 
Ann

Hello,
OK, yes.
So my question is: will sonar-maven plugin 3.9.1.2184 work with 9.3?
We will install 9.3 in the lab ASAP and start testing, so good to know.

/Anders

Can I upgrade from 8.9.6 to 9.3 directly?

Hi @andgru,

Yes! You can always upgrade directly from the current LTS to the Latest version.

 
Ann

Thanks! :slight_smile: