What's Changed

• sonar-config:
  • Several improvements in applications export/import
  • Rule export format is modified, for the best
  • Handle SCA criteria in QG exports
  • A couple of bug fixes:
    • Rule custom params are exported
    • Import of instantiated rules is now working fine
    • Applications imports with project branches non existing
• sonar-finding-sync:
  • Projects can be selected through regexp, allowing to sync multiple (or all) projects are once
  • Incremental sync: findings are synced starting from the most recent change on the target finding
  • Sync separates changelog sync and comment sync for more accuracy
  • A tag can be added to all issues that were synchronized (not on hotspots, hotspots can't be tagged)
  • sonar-findings-sync is now compatible with Community Edition (as a source or target platform)
  • Fixed bug when synchronizing issues with no line nbr (file based issues)
• sonar-findings-export:
  • A couple of bug fixes when using complex export filters (was not working before)
• sonar-audit:
  • SonarQube Cloud audit improvements. The Members group on cloud is handled like the sonar-users group on Server
  • Fix a crash when auditing organizations
  • Added auditing that projects keys follow a given naming convention (match a given regexp)

Milestone:

See https://github.com/okorach/sonar-tools/milestone/51?closed=1

Pull Requests

• Bump-version-3.16 by @okorach in #1911
• Fix TD by @okorach in #1912
• Add-project-and-branch-info-in-report by @okorach in #1913
• Unified-exit by @okorach in #1914
• Improve-tests by @okorach in #1915
• Fixes #1916 by @okorach in #1917
• Add project and branch info in sync report by @okorach in #1919
• Filters on issue status by @okorach in #1921
• Issue-sync-compatible-with-cb by @okorach in #1922
• Update findings sync doc by @okorach in #1927
• Feature/improve-rule-export-import by @okorach in #1929
• fix/1930 by @okorach in #1931
• fix/1932 by @okorach in #1933
• Simplify rule export by @okorach in #1934
• Fix regression on extended rules export by @okorach in #1935
• export import of SCA QG conditions by @okorach in #1936
• Make sync tag configurable by @okorach in #1937
• Handle-sonarcloud--members-group by @okorach in #1938
• Change the way add_tag to hotspots is handled by @okorach in #1940
• Use-date-of-last-issue-change-to-resume-changelog by @okorach in #1941
• Improvements on application import by @okorach in #1943
• Export-custom-params-of-parameterized-rules by @okorach in #1947
• Improve error message on portfolios and apps expor on SQC by @okorach in #1950
• Sonar-config-yaml-export-improvements by @okorach in #1953
• Order-json-in-meaningful-order by @okorach in #1957
• Fixes #1956 by @okorach in #1958
• Allow to pass audit settings on md line by @okorach in #1959
• Handle set reset of sonar.autodetect.ai.code by @okorach in #1961
• Fixes #1960 by @okorach in #1962
• Fix-bugs-on-settings-import-export by @okorach in #1966
• Fix FIx trivy issues import by @okorach in #1968
• fix regression on settings value by @okorach in #1969
• Verify project key pattern in audit by @okorach in #1970
• Tests-for-key-pattern by @okorach in #1971
• Kill tech debt by @okorach in #1972
• Formatting by @okorach in #1975
• Fix-test-measures by @okorach in #1976
• Update whats new 3.16 by @okorach in #1977

Full Changelog: 3.15...3.16

What's Changed

• General performance (speed) improvements

• Allow to run tools with non admin tokens when possible (sonar-measures-export, sonar-findings-export, sonar-loc)

• Misc hardening

• sonar-findings-sync:

  • Fix #1871 - Sync may not happen when an issue has old transition data generated before MQR mode
  • Added precise doc about what issues are sync'ed
  • Fail fast with clear message if organization and/or project does not exists

• sonar-config:

  • /!\ Modification of export/import format for Quality Profiles
  • Export of rules custom severities
  • Export of prioritized rules
  • Export quality profiles permissions on SonarQube Cloud
  • Performance improvements
  • Fix on import of project visibility

• sonar-audit:

  • Fix to allow audit report in JSON format
  • Raise issue when duplicate quality gates or profiles
  • Raise issue when the new code period is too long (more than 90 days, configurable)
  • Raise issue when the sonar-users group has admin permission on QP, QG, App or Portfolio
  • Raise issue when an app or portfolio is Public
  • Raise issue when too many groups or users have permissions on anything
  • Raise issue when permissions on permission templates granted to users (instead of groups)
  • Make the project key comparison for duplicate less aggressive (was creating to many false positives)

• See milestone 3.15

• Audit duplicate QP by @okorach in #1878

• Audit duplicate QG by @okorach in #1880

• Fix-1823 by @okorach in #1881

• Multithread QP comparison for perf by @okorach in #1882

• Multithread rules collection by @okorach in #1883

• Fix-tests-2 by @okorach in #1884

• Allow-non-admin-tokens by @okorach in #1814

• Tests-non-reg by @okorach in #1888

• Fix performance problems on rule and QP profile export by @okorach in #1892

• fix export of QP permissions on SQC by @okorach in #1894

• Fix sonar-config import of project visibility by @okorach in #1898

• Document precisely what findings are synced by @okorach in #1903

• Fail fast if org does not exists, user is not member or project not in org by @okorach in #1904

• Update tests by @okorach in #1907

• Non-reg-9 by @okorach in #1908

• What-s-new-3-15 by @okorach in #1910

Full Changelog: 3.14...3.15

What's Changed

• Fix for #1871 and #1873

Full Changelog: 3.14...3.14.1

What's Changed

New features

• Most tools (sonar-loc, sonar-measures-export, sonar-findings-export, sonar-projects, sonar-config, sonar-audit) now select project keys and/or branches with regexp instead of comma separated list. This is more flexible. Old "key1,key2,key3" equivalent is "(key1|key2|key3)" but you can also use "key.*" or other flexible regexps
• sonar-audit: Added check that tokens max lifetime is bound (Add check on sonar.auth.token.max.allowed.lifetime is not confired as "no expiration")
• sonar-measures-export: Updated list of default "main" metrics in line with new SonarQube 2025.x release

Hardening:

• Bug fixes (#1752 #1764 #1789 #1786 #1798)
• Improved tests: Verify that export output is as per expectations

Details

See https://github.com/okorach/sonar-tools/milestone/48 for details

• Bump-version-3-14 by @okorach in #1741
• Use concurrent.futures for findings search by @okorach in #1742
• Concurrent.futures-in-issues-search by @okorach in #1744
• Audit token max lifetime setting by @okorach in #1746
• Regexp for branch selection by @okorach in #1748
• Findings export using regexp parameters by @okorach in #1751
• Refactor-test-loc by @okorach in #1753
• Use-fixtures-for-temp-files by @okorach in #1755
• More-test-fixtures by @okorach in #1756
• Fixes #1750 by @okorach in #1757
• Fix token passing in prep-sync by @okorach in #1758
• Fix-tests-june-2025 by @okorach in #1759
• More-test-fixes-v9.9-and-cb by @okorach in #1766
• Add tags to sonar-loc by @okorach in #1768
• Fix-application-branch-tags by @okorach in #1769
• Sort portfolios in sonar-loc by @okorach in #1770
• Fixes #1764 by @okorach in #1772
• Refactor-measures-export by @okorach in #1774
• Kill TD and Refactor tests by @okorach in #1777
• Remove get_tags() for branches by @okorach in #1778
• Kill-td-check by @okorach in #1779
• Upgrade Alpine by @okorach in #1780
• Fixes #1776 by @okorach in #1781
• Further tests improvements by @okorach in #1783
• Test-compat-9 by @okorach in #1787
• Fixes #1785 by @okorach in #1788
• Fixes #1789 by @okorach in #1790
• Fix-1786 by @okorach in #1792
• Update metrics exported by sonar-neasures by @okorach in #1794
• Improve-tests by @okorach in #1796
• Prep 3.14 by @okorach in #1797
• Update doc for 3.14 by @okorach in #1799

Full Changelog: 3.13...3.14

• sonar-projects improvements

  • Allow to export/import or not projects with 0 LoCs (projects that were only provisioned)
  • Detect conflicts in project keys that generate the same zip file
  • Add URL of source and target project in report
  • Mutithread sonar-projects import
  • Diagnose import error based on background tasks results rather than (impossible) pre-checks
    (eg version check for Commuity Builds vs Commercial Editions)
  • Averoll much more robust detection and reporting of export/import errors

• sonar-audit

  • Fix bug on checking proper value of boolean settings such as sonar.cpd.cross_project and sonar.forceAuthentication
    Provide more synthetic result of the export or import result
  • Don't raise issue when plugins that are registered on the update center are installed

What's Changed

• Improve-project-import-robustness by @okorach in #1706
• Multithread import and provide feedback on import results by @okorach in #1709
• Bump version to 3.13 by @okorach in #1713
• Record project import result and date by @okorach in #1714
• Import-export-source-and-target-sonar-platform-details by @okorach in #1716
• Detect conflict in zip file names during export by @okorach in #1718
• Fix test for 3.13 by @okorach in #1722
• Avoid using setup as CLI (deprecated) by @okorach in #1724
• Rename SonarCloud in SonarQube Cloud by @okorach in #1725
• Get project key even when import/export has an exception by @okorach in #1726
• Fix audit check on boolean settings by @okorach in #1728
• Determine project import failures based on background tasks errors by @okorach in #1731
• sonar-audit whitelist of update center registered plugins by @okorach in #1732
• Compatibility with export JSON version 3.12 by @okorach in #1735
• Configurable export/import of empty projects by @okorach in #1737
• Update what's new in 3.12 and 3.13 by @okorach in #1738
• Adjust-tests by @okorach in #1739
• Improve update_center tests by @okorach in #1740

Full Changelog: 3.12...3.13

Summary:

• sonar-findings-sync improvements:

  • Improved finding matching algorithm to match more fidnings
  • Increased robustness to unexpected errors
  • Adjust to SonarQube Cloud API and capabilities (eg Acknowledge hotspots is not possible)

• sonar-projects export honors the --threads option when searching project list

What's Changed

• Fixes #1667 by @okorach in #1670
• Fix-1123 by @okorach in #1671
• Add comment with SQC transition is not possible by @okorach in #1678
• Small refactoring for TO_REVIEW by @okorach in #1679
• Editions as constant strings by @okorach in #1680
• MQR intro version, Accept intro version and API_V2 intro version as constants by @okorach in #1681
• Remove sync login in tests by @okorach in #1683
• Increase http timeout with SonarQube Cloud by @okorach in #1684
• Improve findings sync match algorithm by @okorach in #1686
• Fix sqc api calls without organization by @okorach in #1693
• Synthetic errors in projects export by @okorach in #1694
• Improve-findings-sync-docs by @okorach in #1695
• Update LTA and LATEST in audits by @okorach in #1696
• Multithread based on concurrent.futures by @okorach in #1697
• Fix sync tests by @okorach in #1698
• Changelog collection robust to HTTP errors by @okorach in #1699
• Last cleanup by @okorach in #1700
• Honor threads in projects zip export (search part) by @okorach in #1704
• Sonar-config-shouldnt-collect-ai-settings-on-old-versions by @okorach in #1703

Full Changelog: 3.11...3.12

Version 3.11 - sonar-findings-sync improvements and general hardening

• sonar-findings-sync
  • Fixed major sync regression
  • Added sync multithreading to significantly accelerate sync of large projects with many findings to sync
  • Covered support for several additional corner cases to increase number of issues that can be matched, and sync them
• Several bug fixes and hardening across the board

(Version 3.10 - Intermediate release, don't use)

• sonar-findings-sync hardening
  • Allow -O option for target organization
  • Compatibility with MQR mode (credit @lukas-frystak-sonarsource)
  • Misc bug fixes
• sonar-config:
  • Fix bug about not exporting all projects when more than 1000 projects
  • Fix bug about not exporting groups that have no description
• sonar-audit:
  • New audit check to avoid using Scanner for .Net 9.2 that has a vulnerability
  • Fix incorrect warning when running 2025.1 with JRE 21 (this is supported)
  • Fix incorrect warning when SQS is run with JRE 17 (this is supported)
• sonar-rules:
  • Allow to only export rules of a given quality profile
• sonar-findings-sync hardening

What's Changed

• Audit usage of Scanner for .NET 9,.2.x that has a vuln by @okorach in #1606
• Fixes #1604 by @okorach in #1607
• Disallow-set-type-on-mqr by @okorach in #1611
• CB tests by @okorach in #1612
• Fix-1617 by @okorach in #1619
• Sonar-rules-improvements by @okorach in #1622
• Support issue synchronization in MQR mode by @lukas-frystak-sonarsource in #1620
• Simplify issue sync by @okorach in #1625
• Filter-irrelevant-transitions-in-findings-sync by @okorach in #1631
• Allo target org option by @okorach in #1632
• Issue-sync-fixes by @okorach in #1633
• Issue-sync-fixes by @okorach in #1634
• Regression-testing by @okorach in #1637
• Update 3.10 scope by @okorach in #1639
• Fix groups not exported if they have empty description by @okorach in #1641
• Bump sonar-tools release for docker image by @okorach in #1642
• Add last bug fix info by @okorach in #1643
• Bump version by @okorach in #1644
• Fix-too-many-issues by @okorach in #1648
• Cache-platform-settings by @okorach in #1649
• Multithread-sync by @okorach in #1651
• Support unassign of issues and hotspots by @okorach in #1653
• Control-nbr-of-sync-threads by @okorach in #1652
• Fix-branch-of-hotspots-search by @okorach in #1657
• Further improve tests by @okorach in #1660
• Fixes-sarif-format by @okorach in #1656
• Fixes #1662 by @okorach in #1663
• More-robust-sync-tests by @okorach in #1664
• Fix-1665 by @okorach in #1666

New Contributors

• @lukas-frystak-sonarsource made their first contribution in #1620

Full Changelog: 3.9...3.11

What's new:

• Compatibility with SonarQube 2025.1 release
• Fixed sonar-projects import pre-check to be less strict (follow new SonarQube criterias for project import)
• A few new things audited by sonar-audit (Excessive project history data points and Excessive proportion of accepted or FP issues)
• Bug fixes
• More unit tests

What's Changed

• Update what's new for 3.8 by @okorach in #1559
• Bump Alpine version by @okorach in #1562
• Bump version to 3.9 after release of 3.8 by @okorach in #1563
• Improve Scan by @okorach in #1568
• Change IT tools color scheme by @okorach in #1571
• Fixes #1570 by @okorach in #1572
• Fixes #1561 by @okorach in #1573
• sonar-audit avoid excessive history retention by @okorach in #1575
• QG tests by @okorach in #1565
• Fix trivy unknown severities by @okorach in #1577
• Compatibility SonarQube Server 2025.1 by @okorach in #1578
• Adapt tests for 2025.1 by @okorach in #1581
• Clean-up-audit-history by @okorach in #1582
• Upgrade alpine by @okorach in #1583
• Audit accepted and FP issues by @okorach in #1584
• Fixes #1579 by @okorach in #1585
• Replace Accepted by WF on 9.9 by @okorach in #1586

Full Changelog: 3.8...3.9

Version 3.10

• sonar-findings-sync hardening
  • Allow -O option for target organization
  • Compatibility with MQR mode (credit @lukas-frystak-sonarsource)
  • Misc bug fixes
• sonar-config:
  • Fix bug about not exporting all projects when more than 1000 projects
  • Fix bug about not exporting groups that have no description
• sonar-audit:
  • New audit check to avoid using Scanner for .Net 9.2 that has a vulnerability
  • Fix incorrect warning when running 2025.1 with JRE 21 (this is supported)
  • Fix incorrect warning when SQS is run with JRE 17 (this is supported)
• sonar-rules:
  • Allow to only export rules of a given quality profile
• sonar-findings-sync hardening

What's Changed

• Update what's new for 3.8 by @okorach in #1559
• Bump Alpine version by @okorach in #1562
• Bump version to 3.9 after release of 3.8 by @okorach in #1563
• Improve Scan by @okorach in #1568
• Change IT tools color scheme by @okorach in #1571
• Fixes #1570 by @okorach in #1572
• Fixes #1561 by @okorach in #1573
• sonar-audit avoid excessive history retention by @okorach in #1575
• QG tests by @okorach in #1565
• Fix trivy unknown severities by @okorach in #1577
• Compatibility SonarQube Server 2025.1 by @okorach in #1578
• Adapt tests for 2025.1 by @okorach in #1581
• Clean-up-audit-history by @okorach in #1582
• Upgrade alpine by @okorach in #1583
• Audit accepted and FP issues by @okorach in #1584
• Fixes #1579 by @okorach in #1585
• Replace Accepted by WF on 9.9 by @okorach in #1586

Full Changelog: 3.8...3.10

What's Changed

• Adjustments to SonarQube 10.8 (AI related features)

• Adjustments for better LTS (9.9) compatibility, Community Build and Developer Edition compatibility

• Bump version to 3.8 by @okorach in #1526

• fix: application update key typo #1528 by @gimiki in #1529

• Tests-for-issue-1528 by @okorach in #1530

• Update_for_10-8 by @okorach in #1532

• Add condition coverage by @okorach in #1534

• Generalize class APIs by @okorach in #1535

• Simplify delete of objects by @okorach in #1536

• Fix pageSize and page parameter depending on PAI version by @okorach in #1538

• User-and-group-management-for-sc by @okorach in #1540

• Fix double logging for IT tests by @okorach in #1541

• Compatibility LTS by @okorach in #1543

• Fix QG copy by @okorach in #1544

• Fixes #1542 by @okorach in #1546

• Performance-for-ai-code-fix by @okorach in #1547

• Improve groups coverage by @okorach in #1548

• Improve-users-coverage by @okorach in #1549

• Fix-lts by @okorach in #1550

• More tests by @okorach in #1551

• Update copyright to 2025 by @okorach in #1553

• projects_cli tests by @okorach in #1554

• CE and DE better support by @okorach in #1556

• Hide tokens from all logs by @okorach in #1558

New Contributors

• @gimiki made their first contribution in #1529

Full Changelog: 3.7...3.8