SonarQube 9.4 released, a code quality management platform

2022-04-08 17:00:07

Sonar (SonarQube) is an open-source platform for managing source code quality. Sonar is not just a quality data reporting tool but a code quality management platform. Supported languages include Java, PHP, C#, C, Cobol, PL/SQL, Flex and more.

SonarQube released its latest version, 9.4, in April, with a host of improvements and bug fixes:

Bug

  • [] - External rules are not removed when no more provided by analyzer
  • [] - Missing information about db migration in sonar.log in console mode when starting SonarQube with jar file
  • [] - Tags defined on external rules are not propagated to external issues
  • [] - Docker not detected in System Information when using AWS ECS
  • [] - Escape special characters on Azure DevOps Platform Project onboarding
  • [] - Restart should not fail if temp files can't be deleted
  • [] - Embedded documentation shows placeholder content for superior edition languages
  • [] - "Keep when inactive" button doesn't preserve changed state in UI
  • [] - Security fix (SSF-230)
  • [] - Issues not found on reference branch strategy after migrating from 9.2 to 9.3
  • [] - Scanner fails with NPE if user doesn't have permission to analyze project
  • [] - Filesystem tests fail with NPE
  • [] - Analysis computation error when a reference branch is used and a file is not under scm control
  • [] - CWE titles and descriptions are missing in the security report
  • [] - Some file names are wrongly displayed in the issue's page
  • [] - Duplicated blocks assigned to the wrong lines of code
  • [] - Security fix (SSF-235)
  • [] - Multiselection of authors is broken in the issue page
  • [] - Security fix (SSF-239)
  • [] - SonarLint icon in PR decoration missing for some DevOps platforms
  • [] - Security fix (SSF-241)
  • [] - Security fix (SSF-240)
  • [] - Security fix (SSF-227)
  • [] - Security fix (SSF-217)

New Feature

  • [] - Create a new web API endpoint to stream events to SonarLint
  • [] - Display hotspots' secondary locations
  • [] - Export project license usage from the license page
  • [] - Add api endpoint that exposes the list of projects with their license usage
  • [] - Update Executive Report PDF to reflect Clean As You Code practice
  • [] - Track Security Hotspots which represent real risks to fix later
  • [] - Display OWASP Top 10 2021 in Security Report
  • [] - Improve Terraform analysis: support GCP and detect Traceability problems on Azure
  • [] - Improve Python analysis: 8 rules to help developers reduce the complexity of their regular expressions
  • [] - Improve JS/TS analysis: support TypeScript 4.6 ; quick fixes support for 30 rules when SonarLint is used in Connected Mode with SQ
  • [] - Improve Java analysis: enable Java 18 code parsing

Task

  • [] - Drop unused db columns ISSUES.REPORTER, ACTION_PLAN_KEY and ISSUE_ATTRIBUTES
  • [] - Put all ALM icons in a single location
  • [] - Fix Bibucket typo to Bitbucket
  • [] - Upgrade H2 database dependency
  • [] - Xoo SCM should support relative dates
  • [] - Introduce an appState context
  • [] - Extract "languages" from redux
  • [] - Extract "Metrics" from redux
  • [] - Extract "Settings" from redux - part 1: SettingsApp
  • [] - Extract "users" from redux
  • [] - Clean up redux
  • [] - Performance testing of new Server Push API
  • [] - Improve code sharing with the license extension
  • [] - Drop the "Suggest dependency upgrades" useless Github Action
  • [] - Use Spring instead of Pico as dependency injection framework in the scanner-engine
  • [] - Fix microsoft jdbc docstring in sonar.properties
  • [] - Update frontend dependencies
  • [] - Extract "Settings" from redux - part 2: global setting values
  • [] - Migrate Sonarqube IOC framework from Pico to Spring
  • [] - Remove appState from the Redux store
  • [] - Don't start MyBatis in every test
  • [] - Upgrade github-action_release to v4
  • [] - Add integration test for Projects License Usage export
  • [] - Update SelectLegacy component with Select component inside core-extension-governance
  • [] - Update SelectLegacy component with Select component inside core-extension-developer-server
  • [] - Update SelectLegacy component with Select component inside core-extension-securityreport
  • [] - Update SelectLegacy component with Select component inside sonar-web/apps/background-tasks
  • [] - Update SelectLegacy component with Select component inside sonar-web/apps/coding-rules
  • [] - Update SelectLegacy component with Select component inside sonar-web/apps/component-measures and /issues
  • [] - Update SelectLegacy component with Select component inside sonar-web/apps/permissions, /projectBaseline and /projectActivity
  • [] - Update SelectLegacy component with Select component inside sonar-web/apps/projectQualityGate and /projectQualityProfiles
  • [] - Update SelectLegacy component with Select component inside sonar-web/apps/quality-profiles
  • [] - Update SelectLegacy component with Select component inside sonar-web/apps/security-hotspots, /settings and /users
  • [] - Update SelectLegacy component with Select component inside sonar-web/app/ and sonar-web/components/
  • [] - Expose Select component to extensions using exposeLibraries
  • [] - Drop api/users/set_setting and related db table
  • [] - Write IT to validate new OWASP Top 10 2021 edition
  • [] - Migrate remaining modules from java 8 to java 11
  • [] - Correct styling for input in multiselect and other places

Improvement

  • [] - Add clear start/stop logs in the different log files
  • [] - Add pagination in WS api/ce/activity
  • [] - Address display of issues reported above file level
  • [] - Increase the number of returned tags in web service
  • [] - Add Server base URL to 'Test Configuration' email
  • [] - Displaying all SonarSource standards in Security Category facets
  • [] - Fix wording in scanner success message log
  • [] - Use new issue icons in pull request decoration
  • [] - Activity of a project is not updated when quality gate is back to green after an update on an issue
  • [] - Do not follow redirects when interacting with GitHub API
  • [] - Do not follow redirects when interacting with Azure DevOps API
  • [] - Do not follow redirects when interacting with Bitbucket Server API
  • [] - Project import from GitHub, Bitbucket and Azure can clash with existing project key
  • [] - Update the Permissions text for Quality Profiles
  • [] - Better selection behavior for QG admin delegation
  • [] - Measure page should support ascending and descending sorting for rating and quality gate
  • [] - Add RuleSetChanged event to events streamed to SonarLint
  • [] - Add SonarlintClient connected count to system info file, to telemetry and to prometheus monitoring
  • [] - Improve responsiveness of the portfolio page
  • [] - Change Portfolio overview wording to be more precise
  • [] - Make Rating charts in Portfolio Overview Clickable
  • [] - Validate user's permission and deactivated/active status before pushing an event
  • [] - Fix typo in archived docs warning
  • [] - Remove ability to see list of projects as bubble charts
  • [] - Improve the hotspot page UX
  • [] - Reorganize the license page to better explain how license is being used
  • [] - Retry lock on cached analyzers to run multiple scans on the same machine
  • [] - Replace parameter 'sinceLeakPeriod' with 'inNewCodePeriod' for 'api/issues/search'
  • [] - Add the "Permission" security category
  • [] - Add a new API in SensorContext to indicate possibility to skip unchanged files
  • [] - Improve executive PDF report
  • [] - Scroll to primary location when clicking on the hotspot primary location
  • [] - Hotspots UI improvements
  • [] - Tag "Removed" displayed on issue is misleading
  • [] - Improve the layout of the "Why is this an issue" button
  • [] - Create webservices to get and clear scanner plugin cache
  • [] - Add plugin cache to the Sensor API
  • [] - Improve SonarC# analysis - minor bug fix
  • [] - Improve SonarVB analysis - minor bug fix
  • [] - Improve Java analysis: minor fix of FPs
  • [] - Store plugin's scanner cache in SonarQube
  • [] - Enable documentation page for the IaC analyzer
  • [] - Add OWASP Top 10 2021 categories to standards.json
  • [] - Add CWE Top 25 2021 data to Security Report PDF
  • [] - Update the "Authentication" security category
  • [] - Update Security Report PDF with OWASP Top 10 2021 data
  • [] - Create new facet in Issues search 'OWASP Top 10 - 2021'
  • [] - Create new facet in Rules search 'OWASP Top 10 - 2021'
  • [] - Security hotspots status and confirmation modal related improvements
  • [] - Allow users to assign acknowledged security hotspot
  • [] - Do not follow redirects when interacting with Bitbucket Cloud API
  • [] - Bitbucket Cloud integration should support custom connection timeout and read timeout
  • [] - Allow Security Hotspots to be filtered by OWASP Top 10 2021
  • [] - Improve CFamily analysis
  • [] - Enable New Code based on "reference branch" with a scanner parameter
  • [] - Process reference branch set by the scanner in the CE
  • [] - API should validate email address for portfolio reports
  • [] - Analysis cache gets cache from different branch when needed
  • [] - Deprecate Common Rules and deactivate them for a set of languages
  • [] - Improve PHP analysis: improve S1808 and S6328 regexp rules
  • [] - Drop SHA1 legacy hash method
  • [] - Improve Java Security analysis: better display messages of vulnerabilities involving dependencies

Documentation

  • [] - Document how to use SQ Docker image with self-signed certificates
  • [] - Add reference to required Java version in docs
  • [] - Update note on Linux file ownership
  • [] - Document the behavior of users/search
  • [] - Mention Microsoft JDBC driver update in the Release notes of 9.3
  • [] - Explain License Usage in relation to Lines Of Code
  • [] - Update Security Reports page to mention support for OWASP Top 10 2021
  • [] - Add Oracle database requirement for max_string_size
  • [] - Fix incorrect explanation about VS xml coverage file format for CFamily
  • [] - Document new scanner parameter 'sonar.newCode.referenceBranch'
  • [] - Add Oracle SQL query for resetting admin password
  • [] - Mention Java 17 support in documentation
  • [] - Add instruction to verify which branches to keep before exporting project in Project Move

SonarQube LTS version 8.9.8 was released at the same time; see for details.