Skip to content

1.20.0.2929

Choose a tag to compare

@github-actions github-actions released this 23 Jun 11:27
Immutable release. Only release title and notes can be modified.
63bff25

SonarQube MCP Server v1.20.0

⚠️ Important: New releases are published under sonarsource/sonarqube-mcp; switch from mcp/sonarqube to stay up to date.

This release restores branch support across relevant tools, improves code snippet analysis with broader language handling, fixes several silent failure scenarios, strengthens configuration behavior around CORS and Docker deployments, and upgrades to MCP Java SDK 2.0.0.

Features

  • Branch parameter restored — The branch parameter is back on relevant tools, with improved guidance on when to use it (long-lived branches only; short-lived branches are tied to pull requests)
  • New list_branches tool — Lists long-lived branches to discover valid branch values before calling other tools
  • Expanded language support in analyze_code_snippet — The tool now correctly handles additional language variants, including tsx and jsx, by creating temporary files with the appropriate extensions before analysis. This ensures language-specific parsers and rules are applied correctly, fixing the original TSX/JSX issue and enabling more accurate analysis across a wider range of languages and file types instead of silently reporting zero issues.
  • CORS decoupled from bind address — Setting SONARQUBE_HTTP_HOST=0.0.0.0 (required for Docker port mapping) no longer implicitly allows all browser origins. Use the now-documented SONARQUBE_HTTP_ALLOWED_ORIGINS variable to explicitly allow additional origins

Bug Fixes

  • Fixed analyze_code_snippet silently returning zero issues for .tsx/.jsx snippets when language was set to ts or js
  • Fixed blank optional string arguments (e.g. an empty pullRequest field) being forwarded as empty query parameters, causing SonarQube Server to reject the request
  • Fixed certificate installation scripts writing informational messages to stdout in Docker stdio mode, which could corrupt the MCP client handshake
  • Fixed incorrect Docker environment variable names in the GitHub Copilot coding agent README example, which caused authentication to silently fail

Improvements

  • Upgraded to MCP Java SDK 2.0.0, aligning with the 2025-11-25 MCP specification and enabling stricter tool input validation
  • Documented the SONARQUBE_HTTP_ALLOWED_ORIGINS environment variable and clarified that 0.0.0.0 controls the listen address only, not CORS policy
  • Documented the sonarsource/sonarqube-mcp Docker image for users who need versioned image pinning
  • Documented the standalone JAR download location at binaries.sonarsource.com for users who prefer to run without Docker

Breaking Changes

  • Tool arguments have been renamed and aligned: branchKey/pullRequestKey/pullRequestIdbranch/pullRequest