Update analyzer dependencies #1911

Closed
renovate[bot] wants to merge 1 commit into master from renovate/analyzer-dependencies

renovate Bot commented Mar 16, 2026

This PR contains the following updates:

Package | Change
org.sonarsource.java:sonar-java-symbolic-execution-plugin (source) | 8.19.0.1586 → 8.20.0.1864
com.sonarsource.swift:sonar-swift-plugin | 5.1.0.12421 → 5.2.0.12490
com.sonarsource.cpp:sonar-cfamily-plugin | 6.78.0.96395 → 6.80.0.98490
com.sonarsource.rpg:sonar-rpg-plugin (source) | 3.13.0.7515 → 3.15.0.8032
org.sonarsource.kotlin:sonar-kotlin-plugin (source) | 3.4.0.8957 → 3.5.0.9240
org.sonarsource.text:sonar-text-plugin (source) | 2.41.0.10709 → 2.42.0.10784
org.sonarsource.html:sonar-html-plugin (source) | 3.24.0.7341 → 3.25.0.7473
org.sonarsource.slang:sonar-scala-plugin (source) | 1.21.0.1997 → 1.22.0.2217
org.sonarsource.python:sonar-python-plugin (source) | 5.18.0.31561 → 5.21.0.32726
org.sonarsource.php:sonar-php-plugin (source) | 3.55.0.15704 → 3.56.0.15870
org.sonarsource.java:sonar-java-plugin (source) | 8.25.0.42802 → 8.28.0.43176
org.sonarsource.sonar-packaging-maven-plugin:sonar-packaging-maven-plugin (source) | 1.23.0.740 → 1.25.1.3002
org.sonarsource.sonar-packaging-maven-plugin:sonar-packaging-maven-plugin (source) | 1.17 → 1.25.1.3002
org.sonarsource.sonarqube:sonar-scanner-protocol (source) | 9.9.0.65466 → 9.9.9.104369
org.sonarsource.sonarqube:sonar-markdown (source) | 25.3.0.104237 → 25.12.0.117093
org.sonarsource.api.plugin:sonar-plugin-api (source) | 13.4.2.4284 → 13.5.0.4319
org.sonarsource.sonarqube:sonar-testing-harness (source) | 9.9.0.65466 → 9.9.9.104369
org.sonarsource.api.plugin:sonar-plugin-api (source) | 9.14.0.375 → 9.17.0.587
org.sonarsource.analyzer-commons:sonar-analyzer-commons (source) | 2.1.0.1111 → 2.21.0.4626
org.sonarsource.java:sonar-java-plugin (source) | 7.16.0.30901 → 7.35.0.36271

Release Notes

SonarSource/sonar-java-symbolic-execution (org.sonarsource.java:sonar-java-symbolic-execution-plugin)

v8.20.0.1864

Compare Source

Release notes - JavaSE - 8.20

Feature

JAVASE-187 Agentic AI Quality Profiles for Java

Maintenance

JAVASE-161 Prepare next development iteration 8.20.0
JAVASE-173 Use shared workflow in UpdateRuleMetadata.yml
JAVASE-189 Upgrade parent pom to version 87.0.0.3057

SonarSource/sonar-kotlin (org.sonarsource.kotlin:sonar-kotlin-plugin)

v3.5.0.9240

Compare Source

Release notes - SonarKotlin - 3.5

Feature

SONARKT-724 Upgrade Kotlin compiler to 2.3.20

False Positive

SONARKT-248 S1192 should not raise when a string literal is used in TODO
SONARKT-264 S2175 should not raise on collections initialized with lazy
SONARKT-310 S108 should not raise on an empty block in when->else statement
SONARKT-386 S6518 should not raise on classes not supporting the indexed access operator
SONARKT-681 S1862 should not raise when guard conditions are used in "when" statements
SONARKT-702 S100 should allow test method names with spaces
SONARKT-703 S6508 should not raise on functions that are implementing parent class/interface
SONARKT-719 S6518 should not raise when get or set is called with named parameters
SONARKT-739 S6518 Add class exceptions for common user errors where operator is provided via java interop

Bug

SONARKT-718 ZipHandler leaks file handles on Windows, locking Maven .m2 JARs after SonarLint analysis
SONARKT-728 Should not throw UnsupportedOperationException in a mixed Java+Kotlin project

SonarSource/sonar-html (org.sonarsource.html:sonar-html-plugin)

v3.25.0.7473

Compare Source

Release notes - SonarHTML - 3.25

What's Changed

  • SONARHTML-169 Fix UnclosedTagCheck false positives in Twig templates by @zglicz in #589
  • SONARHTML-361 Restore release.yml with workflow_dispatch only by @zglicz in #592
  • SONARHTML-169 Fix PHP directive closing on end token inside single-quoted strings by @zglicz in #591
  • fix(deps): update sonar.plugin.api.version to v13.5.0.4319 by @renovate[bot] in #593
  • chore(deps): update dependency org.mockito:mockito-core to v5.22.0 by @renovate[bot] in #594
  • SONARHTML-251 fix(S1082): Recognize Vue @keydown/@keyup and Angular (keyup.enter) as valid keyboard handlers by @zglicz in #595
  • fix(deps): update dependency org.sonarsource.sonarlint.core:sonarlint-core-test-utils to v10.46.0.84435 by @renovate[bot] in #599
  • chore(deps): update dependency org.sonarsource.sonarlint.core:sonarlint-rpc-protocol to v10.46.0.84435 by @renovate[bot] in #598
  • chore(deps): update dependency org.sonarsource.sonarlint.core:sonarlint-core to v10.46.0.84435 by @renovate[bot] in #597
  • chore(deps): update jdx/mise-action action to v3.6.2 by @renovate[bot] in #596
  • chore(deps): update sonarqube.api.impl.version to v26.3.0.120487 by @renovate[bot] in #601
  • chore(deps): update dependency org.sonarsource.sonarqube:sonar-ws to v26.3.0.120487 by @renovate[bot] in #600
  • chore(deps): update dependency org.apache.maven.plugins:maven-resources-plugin to v3.5.0 by @renovate[bot] in #603
  • chore(deps): update jdx/mise-action action to v3.6.3 by @renovate[bot] in #604
  • Prepare next development iteration by @github-actions[bot] in #602
  • chore(deps): update dependency org.mockito:mockito-core to v5.23.0 by @renovate[bot] in #606
  • Add RequiredAttributeTemplateCheck as a new template rule by @zglicz in #605
  • chore(deps): update jdx/mise-action action to v4 by @renovate[bot] in #608
  • fix(deps): update maven dependencies to v10.47.0.84936 by @renovate[bot] in #607

Full Changelog: SonarSource/sonar-html@3.24.0.7341...3.25.0.7473

SonarSource/sonar-scala (org.sonarsource.slang:sonar-scala-plugin)

v1.22.0.2217

Compare Source

Release notes - sonar-scala - 1.22

Maintenance

SONARSCALA-106 Prepare next development iteration for 1.22
SONARSCALA-109 Add its subproject to analysis
SONARSCALA-111 Add automated release workflow
SONARSCALA-113 Update dependencies
SONARSCALA-117 Create workflow "Update Rule Metadata"
SONARSCALA-119 Update rule metadata
SONARSCALA-120 Fix bump-version to always include patch number.
SONARSCALA-121 Use #squad-jvm-releases for notifications about releases
SONARSCALA-122 Licence packaging standard - Scala
SONARSCALA-123 Scala - Upgrade gradle wrapper to 9.3.1
SONARSCALA-124 Update automated release

SonarSource/sonar-php (org.sonarsource.php:sonar-php-plugin)

v3.56.0.15870

Compare Source

Release notes - SonarPHP - 3.56

Bug

SONARPHP-1801 Add "type" field to Psalm rules and fix PsalmReportTest
SONARPHP-1806 S117 false positive and S116 false negative on PHP 8 constructor property promotion

SonarSource/sonar-java (org.sonarsource.java:sonar-java-plugin)

v8.28.0.43176

Compare Source

Release notes - SonarJava - 8.28

No issues found for this release.

v8.27.0.43088

Compare Source

Release notes - SonarJava - 8.27

Feature

SONARJAVA-5472 Dangling Javadoc comments should be removed
SONARJAVA-6205 Agentic AI Quality Profiles for Java
SONARJAVA-6212 Rename rules property for ruling test to enable checking only specific set of Sonar rules
SONARJAVA-6218 Prepare a basic project in sonar-java to use for running ruling samples

False Positive

SONARJAVA-5730 S1301 Should not raise issues when a switch expression is used for an exhaustive match on 2-valued enum
SONARJAVA-6070 Fix FP on S1133: Public APIs with documented deprecation plans flagged

False Negative

SONARJAVA-6139 S5042 should raise when invoking sensitive methods over tar archives

Maintenance

SONARJAVA-6193 Bump version using automated release and Maven
SONARJAVA-6195 Add the Java 25 tag to rules S8465 and S8469
SONARJAVA-6211 Upload artifacts if ruling-qa or autoscan ITs fail
SONARJAVA-6219 Make build and qa jobs emit download logs
SONARJAVA-6220 Do not run nightly builds on the weekends
SONARJAVA-6229 Upgrade parent pom to version 87.0.0.3057
SONARJAVA-6230 Delete duplicated agentic profile

v8.26.0.42915

Compare Source

Release notes - SonarJava - 8.26

False Positive

SONARJAVA-4960 FP S1854 wrongly report issues when the semantic is not complete
SONARJAVA-5975 FP on S6856 when the ModelAttribute is a class / record
SONARJAVA-5985 S6207 should only raise if it has no side effects or only before assignments to components
SONARJAVA-6003 FP on S2055 when superclass has a generated no args constructor
SONARJAVA-6070 Fix FP on S1133: Public APIs with documented deprecation plans flagged
SONARJAVA-6179 FP in S6810: CompletableFuture is not treated as a subtype of Future when T is unknown
SONARJAVA-6180 FP on rule S5853: consecutive calls to "assertThat" chained with calls to "element" should not raise an issue
SONARJAVA-6184 FP for S4605 when having SpringBootApplication followed by ComponentScan annotation
SONARJAVA-6186 S6207 should not raise on non-trivial getter methods

False Negative

SONARJAVA-5980 S3749: false negative when Lombok RequiredArgsConstructor is used
SONARJAVA-6122 FN Rule S3078 : VolatileVariablesOperationsCheck implementation seems to be wrong

Bug

SONARJAVA-5657 S6541, Incorrect NOAV Metric Calculation
SONARJAVA-6152 S1612 incorrect quickfix

Maintenance

SONARJAVA-5981 S5194: Compliant and non compliant code examples are too different
SONARJAVA-6155 Use shared update rule metadata workflow
SONARJAVA-6176 Update Rspec quickfix property for ["S7629", "S7467", "S7466", "S7475", "S7477"]
SONARJAVA-6185 Prepare Next Iteration: adjust for automated release
SONARJAVA-6188 Use plugin-artifacts to fix SQS and SQC integrations
SONARJAVA-6190 Update automated release workflow
SONARJAVA-6194 Update rule metadata

SonarSource/sonar-packaging-maven-plugin (org.sonarsource.sonar-packaging-maven-plugin:sonar-packaging-maven-plugin)

v1.25.1.3002

Compare Source

What's Changed

Full Changelog: SonarSource/sonar-packaging-maven-plugin@1.25.0.11...1.25.1.3002

v1.25.0.11

What's Changed

Full Changelog: SonarSource/sonar-packaging-maven-plugin@1.23.0.740...1.25.0.11

SonarSource/sonarqube (org.sonarsource.sonarqube:sonar-scanner-protocol)

v9.9.8.100196

Compare Source

See details in the community announcement, and more in the release notes.

v9.9.7.96285

Compare Source

See details in the community announcement, and more in the release notes.

v9.9.6.92038

Compare Source

See details in the community announcement, and more in the release notes.

v9.9.5.90363

Compare Source

See details in the community announcement, and more in the release notes.

v9.9.4.87374

Compare Source

See details in the community announcement, and more in the release notes.

v9.9.3.79811

Compare Source

See details in the community announcement, and more in the release notes.

v9.9.2.77730

Compare Source

See details in the community announcement, and more in the release notes.

v9.9.1.69595

Compare Source

See details in the community announcement, and more in the release notes.

SonarSource/sonar-plugin-api (org.sonarsource.api.plugin:sonar-plugin-api)

v13.5.0.4319

What's Changed

Full Changelog: SonarSource/sonar-plugin-api@13.4.3.4290...13.5.0.4319

v13.4.3.4290

Compare Source

What's Changed

Full Changelog: SonarSource/sonar-plugin-api@13.4.2.4284...13.4.3.4290

SonarSource/sonar-analyzer-commons (org.sonarsource.analyzer-commons:sonar-analyzer-commons)

v2.21.0.4626

Compare Source

Rotations of binary signing keys

v2.20.0.4607

Compare Source

Release notes - Sonar Analyzer Commons - 2.20

Task

ACOMMONS-36 Prepare next development iteration

Improvement

ACOMMONS-40 Improve internal xml parser to support long attributes

v2.19.0.3575

Compare Source

What's Changed

New Contributors

Full Changelog: SonarSource/sonar-analyzer-commons@2.18.0.3393...2.19.0.3575

v2.18.0.3393

Compare Source

v2.17.0.3322

Compare Source

What's Changed

Extend the RuleMetadataLoader API (#361)

New Contributors

Full Changelog: SonarSource/sonar-analyzer-commons@2.16.0.3141...2.17.0.3322

v2.16.0.3141

Compare Source

v2.15.0.3128

Compare Source

Task

SONARPHP-1555 Move helper classes for hard-coded secrets to analyzer commons

v2.14.0.3087

Compare Source

Release notes - Sonar Analyzer Commons - 2.14

Task

ACOMMONS-18 Support Multi-Quality Rule (MQR) mode
SONARXML-146 Allow checks to access SensorContext to read the configuration
BUILD-6088 Create SECURITY.md

v2.13.0.3004

Compare Source

Release notes - Sonar Analyzer Commons - 2.13

Bug

ACOMMONS-16 AVLTree iteration does not look through buckets

Task

ACOMMONS-17 Move ShannonEntropy to analyzer commons

v2.12.0.2964

Compare Source

Release notes - Sonar Analyzer Commons - 2.12

New Feature

ACOMMONS-11 Expose STIG metadata in analyzer-commons

Improvement

ACOMMONS-15 Add convenience factory methods for small collections

v2.11.0.2861

Compare Source

What's Changed

Full Changelog: SonarSource/sonar-analyzer-commons@2.10.0.2849...2.11.0.2861

v2.10.0.2849

Compare Source

Release notes - Sonar Analyzer Commons - 2.10

New Feature

ACOMMONS-8 Add quickfix verification API

ACOMMONS-9 Add "assertNoIssuesRaised" to SingleFileVerifier

v2.9.0.2753

Compare Source

What's Changed

New Contributors

Full Changelog: SonarSource/sonar-analyzer-commons@2.8.0.2699...2.9.0.2753

v2.8.0.2699

Compare Source

What's Changed

New Contributors

Full Changelog: SonarSource/sonar-analyzer-commons@2.7.0.1482...2.8.0.2699

v2.7.0.1482

Compare Source

What's Changed

  • Prevent ExternalRuleLoader to manipulate code attribute and impact fields when runtime API < 10.1 by @alban-auzeill in #305
  • Remove usage of @Beta cleanCodeAttribute and addImpact of NewExternal Issue that could be removed in a near future by @alban-auzeill in #306

Full Changelog: SonarSource/sonar-analyzer-commons@2.6.0.1473...2.7.0.1482

v2.6.0.1473

Compare Source

What's Changed

Full Changelog: SonarSource/sonar-analyzer-commons@2.5.0.1358...2.6.0.1473

v2.5.0.1358

Compare Source

Update rule loader to allow education rules to not have a "How to fix it?" section.

v2.4.0.1317

Compare Source

Support Python 3.11 regex features (Atomic grouping and possessive quantifiers) and add a new regex finder for S5852 (RedosCheck)

v2.3.0.1263

Compare Source

Update support for the newest education format rule descriptions.

v2.2.0.1251

Compare Source

Add support for education format rule descriptions.


Configuration

📅 Schedule: (in timezone CET)

  • Branch creation
    • "after 7am every weekday,before 7pm every weekday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

sonar-review-alpha Bot commented Mar 16, 2026

Summary

Generated a PR comment for #1911 that complements the author's detailed dependency update table by providing high-level context about the scope and systematic nature of the changes across multiple pom.xml files.

What reviewers should know

The comment briefly characterizes the PR as a systematic update of SonarSource analyzer plugins and dependencies across the project's build configuration. It notes the files affected (root pom.xml, analysis engine, test plugins) and key version changes, then suggests verifying integration tests and plugin builds work correctly after the analyzer plugin updates.



hashicorp-vault-sonar-prod Bot commented Mar 16, 2026

Renovate Jira issue ID: SLCORE-2232

renovate Bot force-pushed the renovate/analyzer-dependencies branch from 04d0328 to 94314e0 April 20, 2026 07:58
renovate Bot changed the title from "fix(deps): update analyzer dependencies" to "Update analyzer dependencies" Apr 20, 2026
@sonar-review-alpha

Summary

⚠️ The PR description exceeded the analysis limit and was truncated. The review may not reflect all context.

This PR updates analyzer plugin dependencies and related SonarQube APIs across the project's pom.xml files. The updates include major version bumps for multiple language plugins (Java, Python, PHP, Kotlin, Scala, HTML, C++, etc.), plugin APIs, and build tools.

⚠️ Note for reviewers: The actual version numbers in the code differ from those listed in the author's description table. For example, the Python plugin updates to 5.21.0.32726 (not 5.19.0.32098), Java to 8.28.0.43176 (not 8.26.0.42915), and C++ to 6.80.0.98490 (not 6.79.0.97291). The diff also includes several plugins not mentioned in the description table (PHP, Kotlin, Text, RPG, Java symbolic execution) and SonarQube API versions. The description should be considered a partial reference.

What reviewers should know

Where to look:

  • Root pom.xml – core dependency versions (sonar-plugin-api, sonar-markdown, sonar-scanner-protocol)
  • backend/analysis-engine/pom.xml – production analysis engine dependencies
  • backend/rule-extractor/pom.xml – rule extraction dependencies (largest set of plugin updates)
  • Test pom.xml files (medium-tests/, its/plugins/) – test and integration setup dependencies

What to verify:

  • All version bumps are for published, legitimate releases
  • No version conflicts between the root pom and module-level pom files
  • The plugin version updates are compatible with the SonarQube API versions being used (9.17.0.587)
  • Test fixtures and ITs continue to work with the newer plugin versions

Note: This is a straightforward dependency update with no code logic changes — focus on the version transitions and their compatibility.

