SonarQube 10.7 released: the new Sonar AI CodeFix feature makes fixing issues easier

2024/10/17 17:02

SonarQube 10.7 latest release announcement

https://www.sonarsource.com/products/sonarqube/whats-new/sonarqube-10-7/#new-stig-and-casa-security-reports

Sonar introduces powerful AI-driven features, expanded support for new and existing languages and frameworks, deeper security, and two newly added compliance standards, all to elevate your code quality. These updates bring significant advancements for developers and teams, from improved integrations to deployment flexibility.

Summary of updated features

Update item                                                  CE   DE   EE   DC
Clean, Secure AI-generated Code                              -    yes  yes  yes
Quickly and Immediately Fix Found Issues                     -    -    yes  yes
New STIG and CASA Security Reports                           -    -    yes  yes
Advanced Security for the Spring Framework                   -    yes  yes  yes
Secrets Detection Includes More Patterns and Cloud Services  yes  yes  yes  yes
Analyze Dart/Flutter Apps                                    -    yes  yes  yes
Analyze Jupyter Notebooks and PyTorch Code                   yes  yes  yes  yes
Detect Dataflow Bugs in IntelliJ and Eclipse                 -    yes  yes  yes
Autosync Permissions and Roles with GitLab                   -    yes  yes  yes
Deploy SonarQube on OpenShift                                -    yes  yes  yes
Modern Authentication for Microsoft SMTP Server              yes  yes  yes  yes
Strict Password Policy Rules                                 yes  yes  yes  yes

(CE = Community Edition, DE = Developer Edition, EE = Enterprise Edition, DC = Data Center Edition)


New AI Capabilities

1.1 Clean, Secure AI-generated Code

New in SonarQube 10.7, Sonar AI Code Assurance is a robust and streamlined process for validating AI-generated code through a structured and comprehensive analysis. Developers can easily identify and tag projects containing AI-generated code, initiating the Sonar AI Code Assurance workflow. This ensures that every new piece of code meets the highest quality and security standards before it moves to production.

Available in Developer Edition | Enterprise Edition | Data Center Edition

1.2 Quickly and Immediately Fix Found Issues

You will get free early access to Sonar AI CodeFix, a powerful new capability that suggests code fixes for issues discovered by SonarQube. With just one click, you can now receive suggestions on resolving a range of issues, streamlining the issue resolution process. By automating the resolution of common coding problems, Sonar AI CodeFix significantly boosts developer speed and productivity.

Available in Enterprise Edition | Data Center Edition


Powerful Security Updates

New STIG and CASA Security Reports

In this release, we expand our support for catching security issues defined in common security standards and reporting on them. We have included coverage of the Defense Information Systems Agency’s Security Technical Implementation Guide (STIG) and The Defence Alliance’s Cloud Application Security Assessment (CASA). You can generate a STIG and a CASA security report to help prove that your company complies with the STIG and CASA standards.

Available in Enterprise Edition | Data Center Edition

Advanced Security for the Spring Framework

To help better understand how well a static code analysis tool handles security for developer frameworks, Sonar has devised a system to evaluate and rate security coverage for a specific developer framework. This system consists of a set of 45 security KPIs and a method for evaluating the KPIs and ranking coverage of the framework at four distinct levels: minimal coverage, standard coverage, advanced coverage, and complete coverage. Sonar is very proud to announce that in the SonarQube 10.7 release, we’ve elevated our security coverage of the Spring Framework to 92%, earning a “complete coverage” score. Java developers leveraging the Spring Framework can rest assured that SonarQube is one of the most comprehensive and advanced static application security testing (SAST) tools, with over 200 rules for the popular Java framework. SonarQube will help developers ensure that their Spring-based applications run smoothly and have few to no security vulnerabilities.

Available in Developer Edition | Enterprise Edition | Data Center Edition

Secrets Detection Includes More Patterns and Cloud Services

Now, with 90 RegEx rules covering 146 secrets patterns, SonarQube’s secrets detection solution is more powerful than ever. This release adds over 30 new secrets patterns, resulting in the detection of secrets/tokens generated by 81 cloud services and over 1000 APIs with password or token arguments.

Available in Community Edition | Developer Edition | Enterprise Edition | Data Center Edition

Newly Supported Languages and Libraries

Analyze Dart/Flutter Apps

Our developer community spoke, and we listened! Dart has been the most requested new language to include, and now it’s finally here. This early access is just the beginning. With 76 new rules for Dart and much more to come in future releases, SonarQube detects a dozen bugs and over 60 issues that lead to technical debt. Get started analyzing Dart code and avoid the most common issues that plague Flutter apps. Learn more about Sonar’s coverage of Dart/Flutter.

Available in Developer Edition | Enterprise Edition | Data Center Edition

Analyze Jupyter Notebooks and PyTorch Code

PyTorch is one of the most widely used machine-learning libraries for Python. With new rules for PyTorch, SonarQube covers the leading AI and ML Python libraries, including TensorFlow, Scikit-learn, NumPy, and Pandas. Many AI and ML developers struggle with Jupyter Notebooks because few tools analyze the code embedded in a notebook. But now Sonar leaps forward with a unique and powerful set of rules to detect issues in Python code embedded in a Jupyter Notebook, to help protect AI/ML practitioners against common coding pitfalls in their Jupyter Notebooks.

Available in Community Edition | Developer Edition | Enterprise Edition | Data Center Edition

Developer Productivity

Detect Dataflow Bugs in IntelliJ and Eclipse

When SonarLint for IntelliJ or Eclipse IDEs is connected with SonarQube Developer Edition or higher, it can detect advanced dataflow bugs. This allows developers to see and fix those discovered issues immediately as they code in their IDE.

Available in Developer Edition | Enterprise Edition | Data Center Edition

Operational Improvements

Autosync Permissions and Roles with GitLab

When an administrator sets up automatic provisioning of users and groups with GitLab, project permissions and groups will be automatically synchronized with GitLab. This ensures that permissions and roles stay in sync between SonarQube and GitLab, with GitLab acting as the master of permissions and groups.

Available in Developer Edition | Enterprise Edition | Data Center Edition

Deploy SonarQube on OpenShift

For customers operating their Kubernetes-based infrastructure using Red Hat OpenShift, we officially support running the SonarQube server on Red Hat OpenShift. Now you can safely orchestrate all your applications and services together, including SonarQube.

Available in Developer Edition | Enterprise Edition | Data Center Edition

Modern Authentication for Microsoft SMTP Server

Prior to this release, SonarQube used basic authentication with the Microsoft SMTP Server. Because many companies no longer support this authentication method, we were not in compliance with their security policies. With this change, SonarQube uses modern authentication with the Microsoft SMTP Server, bringing back support for integrating with companies’ email servers.

Available in Community Edition | Developer Edition | Enterprise Edition | Data Center Edition

Strict Password Policy Rules

Local accounts in SonarQube now have strict password policy rules, bringing passwords into compliance with the more stringent security policies that most companies require. This change impacts passwords used by local accounts in SonarQube. The rules for passwords in remote accounts, such as those managed via identity providers or other authentication means like LDAP, are managed by those services.

Available in Community Edition | Developer Edition | Enterprise Edition | Data Center Edition

The details of these and many more 10.7 features are in the SonarQube release notes.

https://docs.sonarsource.com/sonarqube/10.7/server-upgrade-and-maintenance/release-notes-and-notices/release-notes


This article is shared from the WeChat official account DevOps云学堂 (idevopsvip).