SonarQube Server 2025 Release 3

Hi all,

Sonar is excited to announce the release of the SonarQube Server 2025 Release 3.

This version makes generally available AI CodeFix (starting in Enterprise Edition) and SonarQube Advanced Security (available as a new purchasable license starting from the Enterprise Edition). It also adds new security rules for Kotlin and for mobile, as well as the analysis of Rust. Enjoy these and many other exciting features in this release.

Note that, to use Go security rules in your VSCode or IntelliJ IDEs, you will need to upgrade to the latest version of SonarQube for IDE.

Details are in the official announcement and the Release Notes (and full release notes in Jira). For upgrade instructions, refer to the upgrade notes.

As usual, downloads are available at sonarsource.com. Docker images are also available on Docker Hub.

Elena

2 Likes

Hello,

We are using SQS 2025.1 and want to upgrade to 2025.3.

We are using the plugin sonar-findbugs, which is used to detect some additional issues in Java files (latest version 4.4.2 as of writing this): GitHub - spotbugs/sonar-findbugs: SpotBugs plugin for SonarQube

When deploying 2025.3, we have the following error:

java.lang.IllegalStateException: Fail to load plugin Findbugs [findbugs]                                    
    at org.sonar.server.plugins.ServerExtensionInstaller.installExtensions(ServerExtensionInstaller.java:81)
    at org.sonar.server.platform.platformlevel.PlatformLevel4.configureLevel(PlatformLevel4.java:765)       
    at org.sonar.server.platform.platformlevel.PlatformLevel.configure(PlatformLevel.java:70)               
    at org.sonar.server.platform.PlatformImpl.start(PlatformImpl.java:214)                                  
    at org.sonar.server.platform.PlatformImpl.startLevel34Containers(PlatformImpl.java:197)                 
    at org.sonar.server.platform.PlatformImpl$AutoStarterRunnable.runIfNotAborted(PlatformImpl.java:365)    
    at org.sonar.server.platform.PlatformImpl$1.doRun(PlatformImpl.java:116)                                
    at org.sonar.server.platform.PlatformImpl$AutoStarterRunnable.run(PlatformImpl.java:349)                
    at java.base/java.lang.Thread.run(Unknown Source)                                                       
Caused by: java.lang.NoClassDefFoundError: org/sonar/api/profiles/ProfileExporter                           
    at java.base/java.lang.ClassLoader.defineClass1(Native Method)                                          
    at java.base/java.lang.ClassLoader.defineClass(Unknown Source)                                          
    at java.base/java.security.SecureClassLoader.defineClass(Unknown Source)                                
    at java.base/java.net.URLClassLoader.defineClass(Unknown Source)                                        
    at java.base/java.net.URLClassLoader$1.run(Unknown Source)                                              
    at java.base/java.net.URLClassLoader$1.run(Unknown Source)                                              
    at java.base/java.security.AccessController.doPrivileged(Unknown Source)                                
    at java.base/java.net.URLClassLoader.findClass(Unknown Source)                                          
    at org.sonar.classloader.ClassRealm.loadClassFromSelf(ClassRealm.java:135)                              
    at org.sonar.classloader.ParentFirstStrategy.loadClass(ParentFirstStrategy.java:37)                     
    at org.sonar.classloader.ClassRealm.loadClass(ClassRealm.java:97)                                       
    at org.sonar.classloader.ClassRealm.loadClass(ClassRealm.java:86)                                       
    at org.sonar.plugins.findbugs.FindbugsPlugin.define(FindbugsPlugin.java:73)                             
    at org.sonar.server.plugins.ServerExtensionInstaller.installExtensions(ServerExtensionInstaller.java:71)
    ... 8 common frames omitted                                                                             

Would this be linked to SONAR-24623?

Thanks,
BR

Hi @Mikaciu

Indeed, it’s due to SONAR-24623. FindBugs does not seem compatible anymore with the latest SonarQube versions; you can approach its maintainers.

This is already discussed in What is the maven version for SonarQube 2025.3? and https://github.com/spotbugs/sonar-findbugs/issues/1271.

You may test sonar-findbugs 4.5.0; for me sonar didn’t start anyway - see The findbugs plugin fails to load on SQ Developer Edition v2025.3 (108892) · Issue #1271 · spotbugs/sonar-findbugs · GitHub

@Lena do you have any hint what may be wrong?

1 Like
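A pre-upgrade check for the failure reported above, as an added example that is not code from any poster in this thread, from Sonar, or from the sonar-findbugs project: it scans a plugin JAR, including JARs bundled inside it, for compiled classes that still reference the API class named in the `NoClassDefFoundError`. The function names and the sample JAR are hypothetical and constructed for illustration; only the class name comes from the stack trace.

```python
import io
import zipfile

# Class named in the NoClassDefFoundError above, in the slash-separated
# form used inside .class constant pools.
REMOVED_API_CLASSES = (b"org/sonar/api/profiles/ProfileExporter",)
CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def scan_jar(jar, removed=REMOVED_API_CLASSES, prefix="", depth=0):
    """Return sorted (entry, class) pairs for classes that reference a removed API class.

    `jar` is a path or a binary file object. JARs bundled inside the
    plugin are scanned as well (two levels deep at most).
    """
    hits = []
    with zipfile.ZipFile(jar) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith(".class"):
                data = zf.read(info)
                if not data.startswith(CLASS_MAGIC):
                    continue  # not a real class file
                for cls in removed:
                    if cls in data:  # substring match: heuristic, may over-report
                        hits.append((prefix + name, cls.decode().replace("/", ".")))
            elif name.endswith(".jar") and depth < 2:
                try:
                    hits += scan_jar(io.BytesIO(zf.read(info)), removed,
                                     prefix + name + "!", depth + 1)
                except zipfile.BadZipFile:
                    continue  # corrupt bundled archive: skip it
    return sorted(hits)


def build_sample_jar():
    """Constructed sample: a fake plugin JAR with one offending and one clean class."""
    bad = CLASS_MAGIC + b"\x00\x00\x00\x3d" + REMOVED_API_CLASSES[0]
    ok = CLASS_MAGIC + b"\x00\x00\x00\x3d" + b"org/sonar/api/Plugin"
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("com/example/dep/Exporter.class", bad)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("com/example/SamplePlugin.class", ok)
        zf.writestr("com/example/LegacyExporter.class", bad)
        zf.writestr("META-INF/lib/dep.jar", inner.getvalue())
    outer.seek(0)
    return outer


if __name__ == "__main__":
    for entry, cls in scan_jar(build_sample_jar()):
        print(f"{entry}: references removed class {cls}")
```

Running `scan_jar` on each third-party plugin JAR in a staging copy before the upgrade shows which plugins would fail to load, so they can be updated or disabled first.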

I’ll try with the latest sonar-findbugs (once I unmess my first staging environment) 4.5.0, as suggested by @janosvitok :slight_smile:

Hey @Mikaciu

I believe that specific problem is solved by 4.5 of the Findbugs plugin, but there’s another one being discussed over here:

What is the compatible sonar-plugin-api version for sonarqube-3.0-enterprise version? Or any version of sonar-plugin-api after 11.0.0.2664 is OK? We need the right sonar-plugin-api version for our customized java-plugin. Thanks

Hey @Colin, unfortunately 4.5 does not solve the issue; I added a comment regarding this.
I’ll keep our first staging environment in 2025.3 with the plugin disabled waiting for a fix. I’ll check if I can help debugging this :slight_smile:

For those who have the issue, 4.5.1 solves the issue :slight_smile:

BTW @Colin, shouldn’t those two classes have been added to the 2025.3 deprecation and removals?

HTH, BR

We’ll ping our docs folks and see if we missed something. Thanks @Mikaciu.

They are mentioned in the 2025.2 removals

We did adjust the formatting so hopefully this makes it easier to find the deprecations and removals

2 Likes