SonarQube 9.4 发布，代码质量管理平台

Sonar（SonarQube）是一个开源平台，用于管理源代码的质量。Sonar 不只是一个质量数据报告工具，更是代码质量管理平台。支持的语言包括：Java、PHP、C#、C、Cobol、PL/SQL、Flex 等

SonarQube 在 4 月份发布了最新的 9.4 版本，包含一众改进和 bug 修复：

Bug

• [SONAR-12592] - External rules are not removed when no more provided by analyzer
• [SONAR-13125] - Missing information about db migration in sonar.log in console mode when starting SonarQube with jar file
• [SONAR-13588] - Tags defined on external rules are not propagated to external issues
• [SONAR-14011] - Docker not detected in System Information when using AWS ECS
• [SONAR-15974] - Escape special characters on Azure DevOps Platform Project onboarding
• [SONAR-15987] - Restart should not fail if temp files can't be deleted
• [SONAR-16001] - Embedded documentation shows placeholder content for superior edition languages
• [SONAR-16006] - "Keep when inactive" button doesn't preserve changed state in UI
• [SONAR-16031] - Security fix (SSF-230)
• [SONAR-16039] - Issues not found on reference branch strategy after migrating from 9.2 to 9.3
• [SONAR-16050] - Scanner fails with NPE if user doesn't have permission to analyze project
• [SONAR-16057] - Filesystem tests fail with NPE
• [SONAR-16100] - Analysis computation errror when a reference branch is used and a file is not under scm control
• [SONAR-16131] - CWE titles and descriptions are missing in the security report
• [SONAR-16151] - Some file names are wrongly displayed in the issue's page
• [SONAR-16158] - Duplicated blocks assigned to the wrong lines of code
• [SONAR-16159] - Security fix (SSF-235)
• [SONAR-16165] - Multiselection of authors is broken in the issue page
• [SONAR-16167] - Security fix (SSF-239)
• [SONAR-16174] - SonarLint icon in PR decoration missing for some DevOps platforms
• [SONAR-16178] - Security fix (SSF-241)
• [SONAR-16179] - Security fix (SSF-240)
• [SONAR-16181] - Security fix (SSF-227)
• [SONAR-16189] - Security fix (SSF-217)

New Feature

• [SONAR-15918] - Create a new web API endpoint to stream events to SonarLint
• [SONAR-16007] - Display hotspots' secondary locations
• [SONAR-16012] - Export project license usage from the license page
• [SONAR-16013] - Add api endpoint that expose the list of projects with their license usage
• [SONAR-16032] - Update Executive Report PDF to reflect Clean As You Code practice
• [SONAR-16101] - Track Security Hotspots which represent real risks to fix later
• [SONAR-16123] - Display OWASP Top 10 2021 in Security Report
• [SONAR-16192] - Improve Terraform analysis: support GCP and detect Traceability problems on Azur
• [SONAR-16208] - Improve Python analysis: 8 rules to help developers reduce the complexity of their regular expressions
• [SONAR-16209] - Improve JS/TS analysis: support TypeScript 4.6 ; quick fixes support for 30 rules when SonarLint is used in Connected Mode with SQ
• [SONAR-16213] - Improve Java analysis: enable Java 18 code parsing

Task

• [SONAR-7496] - Drop unused db columns ISSUES.REPORTER, ACTION_PLAN_KEY and ISSUE_ATTRIBUTES
• [SONAR-12807] - Put all ALM icons in a single location
• [SONAR-13672] - Fix Bibucket typo to Bitbucket
• [SONAR-15845] - Upgrade H2 database dependency
• [SONAR-15870] - Xoo SCM should support relative dates
• [SONAR-15909] - Introduce an appState context
• [SONAR-15910] - Extract "languages" from redux
• [SONAR-15911] - Extract "Metrics" from redux
• [SONAR-15912] - Extract "Settings" from redux - part 1: SettingsApp
• [SONAR-15913] - Extract "users" from redux
• [SONAR-15914] - Clean up redux
• [SONAR-15926] - Performance testing of new Server Push API
• [SONAR-15938] - Improve code sharing with the license extension
• [SONAR-15962] - Drop the "Suggest dependency upgrades" useless Github Action
• [SONAR-15966] - Use Spring instead of Pico as dependency injection framework in the scanner-engine
• [SONAR-15977] - Fix microsoft jdbc docstring in sonar.properties
• [SONAR-15991] - Update frontend dependencies
• [SONAR-15992] - Extract "Settings" from redux - part 2: global setting values
• [SONAR-15994] - Migrate Sonarqube IOC framework from Pico to Spring
• [SONAR-16005] - Remove appState from the Redux store
• [SONAR-16047] - Don't start MyBatis in every test
• [SONAR-16055] - Upgrade github-action_release to v4
• [SONAR-16073] - Add integration test for Projects License Usage export
• [SONAR-16081] - Update SelectLegacy component with Select component inside core-extension-governance
• [SONAR-16082] - Update SelectLegacy component with Select component inside core-extension-developer-server
• [SONAR-16083] - Update SelectLegacy component with Select component inside core-extension-securityreport
• [SONAR-16084] - Update SelectLegacy component with Select component inside sonar-web/apps/background-tasks
• [SONAR-16085] - Update SelectLegacy component with Select component inside sonar-web/apps/coding-rules
• [SONAR-16086] - Update SelectLegacy component with Select component inside sonar-web/apps/component-measures and /issues
• [SONAR-16087] - Update SelectLegacy component with Select component inside sonar-web/apps/permissions, /projectBaseline and /projectActivity
• [SONAR-16088] - Update SelectLegacy component with Select component inside sonar-web/apps/projectQualityGate and /projectQualityProfiles
• [SONAR-16090] - Update SelectLegacy component with Select component inside sonar-web/apps/quality-profiles
• [SONAR-16091] - Update SelectLegacy component with Select component inside sonar-web/apps/security-hotspots, /settings and /users
• [SONAR-16092] - Update SelectLegacy component with Select component inside sonar-web/app/ and sonar-web/components/
• [SONAR-16113] - Expose Select component to extensions using exposeLibraries
• [SONAR-16139] - Drop api/users/set_setting and related db table
• [SONAR-16156] - Write IT to validate new OWASP Top 10 2021 edition
• [SONAR-16182] - Migrate remaining modules from java 8 to java 11
• [SONAR-16199] - Correct styling for input in multiselect and other places

Improvement

• [SONAR-10179] - Add clear start/stop logs in the different log files
• [SONAR-10930] - Add pagination in WS api/ce/activity
• [SONAR-11672] - Address display of issues reported above file level
• [SONAR-11718] - Increase the number of returned tags in web service
• [SONAR-11767] - Add Server base URL to 'Test Configuration' email
• [SONAR-12499] - Displaying all SonarSource standards in Security Category facets
• [SONAR-12693] - Fix wording in scanner success message log
• [SONAR-12859] - Use new issue icons in pull request decoration
• [SONAR-13704] - Activity of a project is not updated when quality gate is back to green after an update on an issue
• [SONAR-14721] - Do not follow redirects when interacting with GitHub API
• [SONAR-14722] - Do not follow redirects when interacting with Azure DevOps API
• [SONAR-14723] - Do not follow redirects when interacting with Bitbucket Server API
• [SONAR-14742] - Project import from GitHub, Bitbucket and Azure can clash with existing project key
• [SONAR-15554] - Update the Permissions text for Quality Profiles
• [SONAR-15695] - Better selection behavior for QG admin delegation
• [SONAR-15857] - Measure page should support ascending and descending sorting for rating and quality gate
• [SONAR-15919] - Add RuleSetChanged event to events streamed to SonarLint
• [SONAR-15921] - Add SonarlintClient connected count to system info file, to telemetry and to prometheus monitoring
• [SONAR-15972] - Improve responsiveness of the portfolio page
• [SONAR-15975] - Change Portfolio overview wording to be more precise
• [SONAR-15979] - Make Rating charts in Portfolio Overview Clickable
• [SONAR-15985] - Validate user's permission and deactivated/active status before pushing an event
• [SONAR-15989] - Fix typo in archived docs warning
• [SONAR-15999] - Remove ability to see list of projects as bubble charts
• [SONAR-16008] - Improve the hotspot page UX
• [SONAR-16015] - Reorganize the license page to better explain how license is being used
• [SONAR-16026] - Retry lock on cached analyzers to run multiple scans on the same machine
• [SONAR-16058] - Replace parameter 'sinceLeakPeriod' with 'inNewCodePeriod' for 'api/issues/search'
• [SONAR-16059] - Add the "Permission" security category
• [SONAR-16064] - Add a new API in SensorContext to indicate possibility to skip unchanged files
• [SONAR-16066] - Improve executive PDF report
• [SONAR-16069] - Scroll to primary location when clicking on the hotspot primary location
• [SONAR-16071] - Hotspots UI improvements
• [SONAR-16078] - Tag “Removed” displayed on issue is misleading
• [SONAR-16095] - Improve the layout of the "Why is this an issue" button
• [SONAR-16096] - Create webservices to get and clear scanner plugin cache
• [SONAR-16097] - Add plugin cache to the Sensor API
• [SONAR-16098] - Improve SonarC# analysis - minor bug fix
• [SONAR-16099] - Improve SonarVB analysis - minor bug fix
• [SONAR-16112] - Improve Java analysis: minor fix of FPs
• [SONAR-16115] - Store plugin's scanner cache in SonarQube
• [SONAR-16119] - Enable documentation page for the IaC analyzer
• [SONAR-16124] - Add OWASP Top 10 2021 categories to standards.json
• [SONAR-16126] - Add CWE Top 25 2021 data to Security Report PDF
• [SONAR-16127] - Update the "Authentication" security category
• [SONAR-16128] - Update Security Report PDF with OWASP Top 10 2021 data
• [SONAR-16129] - Create new facet in Issues search 'OWASP Top 10 - 2021'
• [SONAR-16130] - Create new facet in Rules search 'OWASP Top 10 - 2021'
• [SONAR-16141] - Security hotspots status and confirmation modal related improvements
• [SONAR-16147] - Allow users to assign acknowledged security hotspot
• [SONAR-16152] - Do not follow redirects when interacting with Bitbucket Cloud API
• [SONAR-16153] - Bitbucket Cloud integration should support custom connection timeout and read timeout
• [SONAR-16155] - Allow Security Hotspots to be filtered by OWASP Top 10 2021
• [SONAR-16160] - Improve CFamily analysis
• [SONAR-16162] - Enable New Code based on "reference branch" with a scanner parameter
• [SONAR-16163] - Process reference branch set by the scanner in the CE
• [SONAR-16180] - API should validate email address for portfolio reports
• [SONAR-16187] - Analysis cache gets cache from different branch when needed
• [SONAR-16188] - Deprecate Common Rules and deactivate them for a set of languages
• [SONAR-16196] - Improve PHP analysis: improve S1808 and S6328 regexp rules
• [SONAR-16204] - Drop SHA1 legacy hash method
• [SONAR-16224] - Improve Java Security analysis: better display messages of vulnerabilities involving dependencies

Documentation

• [SONAR-13505] - Document how to use SQ Docker image with self-signed certificates
• [SONAR-13574] - Add reference to required Java version in docs
• [SONAR-14331] - Update note on Linux file ownership
• [SONAR-15892] - Document the behavior of users/search
• [SONAR-15976] - Mention Microsoft JDBC driver update in the Release notes of 9.3
• [SONAR-16072] - Explain License Usage in relation to Lines Of Code
• [SONAR-16125] - Update Security Reports page to mention support for OWASP Top 10 2021
• [SONAR-16142] - Add Oracle database requirement for max_string_size
• [SONAR-16154] - Fix incorrect explanation about VS xml coverage file format for CFamily
• [SONAR-16164] - Document new scanner parameter 'sonar.newCode.referenceBranch'
• [SONAR-16186] - Add Oracle SQL query for resetting admin password
• [SONAR-16203] - Mention Java 17 support in documentation
• [SONAR-16210] - Add instruction to verify which branches to keep before exporting project in Project Move

同时发布的还有 SonarQube LTS 版本 8.9.8 ，详细信息请看这里。