Support for OS and language releases

The version of SonarQube:
Can you please list if SonarQube supports the following:

  • Does it support the latest long term service version of languages within 2 months of language release or at least within 6 months of language release
  • Is MSBuild 14 supported
  • Once there is a release of new versions of MacOS, Windows, and Oracle Enterprise Linux, when does SonarQube starts supporting the new versions

(post deleted by author)

Other set of queries:
Can you please list if/how SonarQube supports the following:

  • Is it scalable to handle thousands of scan requests per day.
  • Does it function and be responsive at scale with 50k+ projects.
  • Are there any configurable protections against abusive requests (rate-limiting, query cost, timeouts). Couldn’t find anything on the API documents.
  • Is it tolerant of temporary network connectivity failures between the app and persistence layers.
  • What happens in case of sudden and improper shutdown. Will there be a chance of data corruption or anything
  • Are all the configuration settings retained during an upgrade.
  • Is there any reason the detection rules and signatures to update are dependent on the system version.
  • How frequently are detection rules updated.


This question set looks like an initial due-diligence, so it’s worth mentioning that the latest SonarQube version is 9.3 (with 9.4 expected in early April).

Ehm… sometimes. We support 29 languages and we don’t have infinite bandwidth. If you’d like to narrow this down to specific languages, I can maybe find a better answer.

Well according to the docs,

  • MSBuild versions older than 14 are not supported.

So I would assume that MSBuild 14 is supported.

SonarQube runs on Java, meaning it’s largely OS-independent.

Again, probably.
For web requests, it’s going to be a question of the resources you give it.
For analysis “requests”, i.e. if you’re running thousands of analyses per day, that’s going to be a question of edition (you’ll want Enterprise Edition($$) or Data Center Edition($$$$) details) and resources.


No. You’ll want to put something in front of it. To be clear, we don’t expect your SonarQube instance to be exposed to the Internet and subject to non-accidental abusive requests.

During UI browsing? Sure. During analysis report processing? Probably not. I don’t think this is something we’ve tested.

Everything’s stored in the DB. At worst, you’ll have to wait for your Elasticsearch indices to rebuild.

Yes, although you’ll have to transfer some very basic settings stored in a config file by hand to the new version/instance.


Again, you’ll need to provide some details to get a good answer.


@ganncamp Thank you for the response! Regarding the detection rules: What’s the update policy on the rules. The security rules will be changing from time-to-time to catch the vulnerabilities. How does sonarqube accommodate the rule update?


As I mentioned, you’ll need to provide some details before I can respond on the rules. As I stated at the beginning, we have 29 languages and non-infinite resources.