fix(deps): update analyzer dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
com.sonarsource.swift:sonar-swift-plugin	5.1.0.12421 → 5.2.0.12490
com.sonarsource.cpp:sonar-cfamily-plugin	6.78.0.96395 → 6.79.0.97291
org.sonarsource.html:sonar-html-plugin (source)	3.24.0.7341 → 3.25.0.7473
org.sonarsource.slang:sonar-scala-plugin (source)	1.21.0.1997 → 1.22.0.2217
org.sonarsource.python:sonar-python-plugin (source)	5.18.0.31561 → 5.19.0.32098
org.sonarsource.java:sonar-java-plugin (source)	8.25.0.42802 → 8.26.0.42915
org.sonarsource.sonarqube:sonar-scanner-protocol (source)	9.9.0.65466 → 9.9.9.104369
org.sonarsource.sonar-packaging-maven-plugin:sonar-packaging-maven-plugin (source)	1.23.0.740 → 1.25.1.3002
org.sonarsource.sonarqube:sonar-markdown (source)	25.3.0.104237 → 25.12.0.117093
org.sonarsource.api.plugin:sonar-plugin-api (source)	13.4.2.4284 → 13.5.0.4319
org.sonarsource.sonar-packaging-maven-plugin:sonar-packaging-maven-plugin (source)	1.17 → 1.25.1.3002
org.sonarsource.sonarqube:sonar-testing-harness (source)	9.9.0.65466 → 9.9.9.104369
org.sonarsource.api.plugin:sonar-plugin-api (source)	9.14.0.375 → 9.17.0.587
org.sonarsource.analyzer-commons:sonar-analyzer-commons (source)	2.1.0.1111 → 2.21.0.4626
org.sonarsource.java:sonar-java-plugin (source)	7.16.0.30901 → 7.35.0.36271

---

Release Notes

SonarSource/sonar-html (org.sonarsource.html:sonar-html-plugin)

v3.25.0.7473

Compare Source

Release notes - SonarHTML - 3.25

What's Changed

• SONARHTML-169 Fix UnclosedTagCheck false positives in Twig templates by @​zglicz in #​589
• SONARHTML-361 Restore release.yml with workflow_dispatch only by @​zglicz in #​592
• SONARHTML-169 Fix PHP directive closing on end token inside single-quoted strings by @​zglicz in #​591
• fix(deps): update sonar.plugin.api.version to v13.5.0.4319 by @​renovate[bot] in #​593
• chore(deps): update dependency org.mockito:mockito-core to v5.22.0 by @​renovate[bot] in #​594
• SONARHTML-251 fix(S1082): Recognize Vue @​keydown/@​keyup and Angular (keyup.enter) as valid keyboard handlers by @​zglicz in #​595
• fix(deps): update dependency org.sonarsource.sonarlint.core:sonarlint-core-test-utils to v10.46.0.84435 by @​renovate[bot] in #​599
• chore(deps): update dependency org.sonarsource.sonarlint.core:sonarlint-rpc-protocol to v10.46.0.84435 by @​renovate[bot] in #​598
• chore(deps): update dependency org.sonarsource.sonarlint.core:sonarlint-core to v10.46.0.84435 by @​renovate[bot] in #​597
• chore(deps): update jdx/mise-action action to v3.6.2 by @​renovate[bot] in #​596
• chore(deps): update sonarqube.api.impl.version to v26.3.0.120487 by @​renovate[bot] in #​601
• chore(deps): update dependency org.sonarsource.sonarqube:sonar-ws to v26.3.0.120487 by @​renovate[bot] in #​600
• chore(deps): update dependency org.apache.maven.plugins:maven-resources-plugin to v3.5.0 by @​renovate[bot] in #​603
• chore(deps): update jdx/mise-action action to v3.6.3 by @​renovate[bot] in #​604
• Prepare next development iteration by @​github-actions[bot] in #​602
• chore(deps): update dependency org.mockito:mockito-core to v5.23.0 by @​renovate[bot] in #​606
• Add RequiredAttributeTemplateCheck as a new template rule by @​zglicz in #​605
• chore(deps): update jdx/mise-action action to v4 by @​renovate[bot] in #​608
• fix(deps): update maven dependencies to v10.47.0.84936 by @​renovate[bot] in #​607

Full Changelog: SonarSource/sonar-html@3.24.0.7341...3.25.0.7473

SonarSource/sonar-scala (org.sonarsource.slang:sonar-scala-plugin)

v1.22.0.2217

Compare Source

Release notes - sonar-scala - 1.22

Maintenance

SONARSCALA-106 Prepare next development iteration for 1.22
SONARSCALA-109 Add its subproject to analysis
SONARSCALA-111 Add automated release workflow
SONARSCALA-113 Update dependencies
SONARSCALA-117 Create workflow "Update Rule Metadata"
SONARSCALA-119 Update rule metadata
SONARSCALA-120 Fix bump-version to always include patch number.
SONARSCALA-121 Use #squad-jvm-releases for notifications about releases
SONARSCALA-122 Licence packaging standard - Scala
SONARSCALA-123 Scala - Upgrade gradle wrapper to 9.3.1
SONARSCALA-124 Update automated release

SonarSource/sonar-java (org.sonarsource.java:sonar-java-plugin)

v8.26.0.42915

Compare Source

Release notes - SonarJava - 8.26

False Positive

SONARJAVA-4960 FP S1854 wrongly report issues when the semantic is not complete
SONARJAVA-5975 FP on S6856 when the ModelAttribute is a class / record
SONARJAVA-5985 S6207 should only raise if it has no side effects or only before assignments to components
SONARJAVA-6003 FP on S2055 when superclass has a generated no args constructor
SONARJAVA-6070 Fix FP on S1133: Public APIs with documented deprecation plans flagged
SONARJAVA-6179 FP in S6810: CompletableFuture is not treated as a subtype of Future when T is unknown
SONARJAVA-6180 FP on rule S5853: consecutive calls to "assertThat" chained with calls to "element" should not raise an issue
SONARJAVA-6184 FP for S4605 when having SpringBootApplication followed by ComponentScan annotation
SONARJAVA-6186 S6207 should not raise on non-trivial getter methods

False Negative

SONARJAVA-5980 S3749: false negative when Lombok RequiredArgsConstructor is used
SONARJAVA-6122 FN Rule S3078 : VolatileVariablesOperationsCheck implementation seems to be wrong

Bug

SONARJAVA-5657 S6541, Incorrect NOAV Metric Calculation
SONARJAVA-6152 S1612 incorrect quickfix

Maintenance

SONARJAVA-5981 S5194: Compliant and non compliant code exmples are too different
SONARJAVA-6155 Use shared update rule metadata worflow
SONARJAVA-6176 Update Rspec quickfix property for ["S7629", "S7467", "S7466", "S7475", "S7477"]
SONARJAVA-6185 Prepare Next Iteration: adjust for automated release
SONARJAVA-6188 Use plugin-artifacts to fix SQS and SQC integrations
SONARJAVA-6190 Update automated release workflow
SONARJAVA-6194 Update rule metadata

SonarSource/sonarqube (org.sonarsource.sonarqube:sonar-scanner-protocol)

v9.9.8.100196

Compare Source

See details in the community announcement, and more in the release notes.

v9.9.7.96285

Compare Source

See details in the community announcement, and more in the release notes.

v9.9.6.92038

Compare Source

See details in the community announcement, and more in the release notes.

v9.9.5.90363

Compare Source

See details in the community announcement, and more in the release notes.

v9.9.4.87374

Compare Source

See details in the community announcement, and more in the release notes.

v9.9.3.79811

Compare Source

See details in the community announcement, and more in the release notes.

v9.9.2.77730

Compare Source

See details in the community announcement, and more in the release notes.

v9.9.1.69595

Compare Source

See details in the community announcement, and more in the release notes.

SonarSource/sonar-packaging-maven-plugin (org.sonarsource.sonar-packaging-maven-plugin:sonar-packaging-maven-plugin)

v1.25.1.3002

Compare Source

What's Changed

• PACKMP-38 Prepare for next development iteration by @​claire-villard-sonarsource in #​78
• PACKMP-39 Upgrade parent POM and change version to patch by @​claire-villard-sonarsource in #​79

Full Changelog: SonarSource/sonar-packaging-maven-plugin@1.25.0.11...1.25.1.3002

v1.25.0.11

What's Changed

• Bump org.codehaus.plexus:plexus-utils from 1.5.6 to 3.0.24 in /src/it/packageDepsExcludedFromApi by @​dependabot[bot] in #​46
• PACKMP-20 Migrate away from FGC promote function by @​7PH in #​50
• BUILD-4249 update cirrus config with JDK17 by @​pierre-guillot-gh in #​51
• NO-JIRA Update license headers for 2024 by @​7PH in #​52
• This repository is owned by the Analysis Experience squad by @​claire-villard-sonarsource in #​53
• BUILD-4839 Update the release workflow to the latest version by @​matemoln in #​54
• BUILD-6088 Create Security.md by @​SamirM-BE in #​56
• Remove Burgr integration by @​henryju in #​57
• PACKMP-23 Migrating cirrus-modules v2 to v3 by @​henryju in #​58
• SC-17118 Rebranding effort by @​lucas-paulger-sonarsource in #​59
• Bump org.apache.commons:commons-email from 1.2 to 1.5 in /src/it/packageDependenciesFailsIfSonarLint by @​dependabot[bot] in #​60
• Bump org.apache.commons:commons-email from 1.2 to 1.5 in /src/it/packageDependencies by @​dependabot[bot] in #​61
• PACKMP-25 Add Jira integration by @​pavel-mikula-sonarsource in #​62
• PACKMP-26 Update license headers for 2025 by @​antoine-vinot-sonarsource in #​64
• PACKMP-27 Update CODEOWNERS by @​pierre-guillot-gh in #​65
• PACKMP-28 Autoclose issues created by Jira integration by @​pavel-mikula-sonarsource in #​66
• BUILD-8073 Migrate public repositories workflows to large runners by @​SamirM-BE in #​67
• BUILD-8875: Migrate to standardized GitHub runner names by @​SonarTech in #​68
• PACKMP-31 Update the release action by @​claire-villard-sonarsource in #​69
• PACKPM-32 Update license header from Sonarsource SA to SonarSource Sàrl by @​pierre-guillot-gh in #​71
• PACKMP-34 Update 5 dependencies to address severity risks by @​alexandre-odoux-sonarsource in #​73
• PACKMP-35 prepare 1.24 by @​pierre-guillot-gh in #​74
• PACKMP-36 prepare 1.25 by @​pierre-guillot-gh in #​75
• PACKMP-30 Migrates CI from Cirrus CI to GitHub Actions by @​alexandre-odoux-sonarsource in #​76
• PACKMP-37 Update the parent POM to 85.0 by @​claire-villard-sonarsource in #​77

Full Changelog: SonarSource/sonar-packaging-maven-plugin@1.23.0.740...1.25.0.11

SonarSource/sonar-plugin-api (org.sonarsource.api.plugin:sonar-plugin-api)

v13.5.0.4319

What's Changed

• PLUGINAPI-178 Move the plugin manifest tooling to the sonar-plugin-api repo by @​henryju in #​274
• PLUGINAPI-180 New API for issue resolution by @​ericg138 in #​276
• PLUGINAPI-181 Update publishing info by @​ericg138 in #​278

Full Changelog: SonarSource/sonar-plugin-api@13.4.3.4290...13.5.0.4319

v13.4.3.4290

Compare Source

What's Changed

• PLUGINAPI-174 Revert upgrade of logback by @​ericg138 in #​270

Full Changelog: SonarSource/sonar-plugin-api@13.4.2.4284...13.4.3.4290

SonarSource/sonar-analyzer-commons (org.sonarsource.analyzer-commons:sonar-analyzer-commons)

v2.21.0.4626

Compare Source

Rotations of binary signing keys

v2.20.0.4607

Compare Source

Release notes - Sonar Analyzer Commons - 2.20

Task

ACOMMONS-36 Prepare next development iteration

Improvement

ACOMMONS-40 Improve internal xml parser to support long attributes

v2.19.0.3575

Compare Source

What's Changed

• Prepare next development iteration by @​Godin in #​369
• BUILD-8875: Migrate to standardized GitHub runner names by @​SonarTech in #​368
• ACOMMONS-34 Expose Standards OWASP LLM Top 10 2025, OWASP Top 10 2025, ASVS 5.0, STIG ASD_V6, MASVS 2 metadata by @​nicolas-gauthier-sonarsource in #​370
• ACOMMONS-35 Remove commons-lang dependency by @​nicolas-gauthier-sonarsource in #​371

New Contributors

• @​SonarTech made their first contribution in #​368
• @​nicolas-gauthier-sonarsource made their first contribution in #​370

Full Changelog: SonarSource/sonar-analyzer-commons@2.18.0.3393...2.19.0.3575

v2.18.0.3393

Compare Source

v2.17.0.3322

Compare Source

What's Changed

Extend the RuleMetadataLoader API (#​361)

• Prepare the next development iteration by @​mstachniuk in #​354
• Update cirrus-modules to v3 by @​johann-beleites-sonarsource in #​355
• ACOMMONS-20 Add Jira integration by @​pavel-mikula-sonarsource in #​358
• ACOMMONS-21 Update CODEOWNERS after reorg by @​edward-gonzales-sonarsource in #​359
• ACOMMONS-23 Autoclose issues created by Jira integration by @​pavel-mikula-sonarsource in #​360
• ACOMMONS-24 - Add a way to execute RuleMetadataLoader with structured data instead of file paths by @​ericmorand-sonarsource in #​361
• ACOMMONS-26 Add missing package-info.java for quality gate by @​romainbrenguier in #​362
• ACOMMONS-28 Update parent pom by @​kebetsi in #​363

New Contributors

• @​pavel-mikula-sonarsource made their first contribution in #​358
• @​edward-gonzales-sonarsource made their first contribution in #​359
• @​ericmorand-sonarsource made their first contribution in #​361
• @​romainbrenguier made their first contribution in #​362
• @​kebetsi made their first contribution in #​363

Full Changelog: SonarSource/sonar-analyzer-commons@2.16.0.3141...2.17.0.3322

v2.16.0.3141

Compare Source

v2.15.0.3128

Compare Source

Task

SONARPHP-1555 Move helper classes for hard-coded secrets to analyzer commons

v2.14.0.3087

Compare Source

Release notes - Sonar Analyzer Commons - 2.14

Task

ACOMMONS-18 Support Multi-Quality Rule (MQR) mode
SONARXML-146 Allow checks to access SensorContext to read the configuration
BUILD-6088 Create SECURITY.md

v2.13.0.3004

Compare Source

Release notes - Sonar Analyzer Commons - 2.13

Bug

ACOMMONS-16 AVLTree iteration does not look through buckets

Task

ACOMMONS-17 Move ShannonEntropy to analyzer commons

v2.12.0.2964

Compare Source

Release notes - Sonar Analyzer Commons - 2.12

New Feature

ACOMMONS-11 Expose STIG metadata in analyzer-commons

Improvement

ACOMMONS-15 Add convenience factory methods for small collections

v2.11.0.2861

Compare Source

What's Changed

• Prepare next development iteration 2.11 by @​leonardo-pilastri-sonarsource in #​329
• Override addQuickFix in IssueBuilders to get more specific issue type by @​leonardo-pilastri-sonarsource in #​330

Full Changelog: SonarSource/sonar-analyzer-commons@2.10.0.2849...2.11.0.2861

v2.10.0.2849

Compare Source

Release notes - Sonar Analyzer Commons - 2.10

New Feature

ACOMMONS-8 Add quickfix verification API

ACOMMONS-9 Add "assertNoIssuesRaised" to SingleFileVerifier

v2.9.0.2753

Compare Source

What's Changed

• Prepare next development iteration 2.9 by @​johann-beleites-sonarsource in #​316
• Fix failing build: add ARTIFACTORY_ACCESS_TOKEN variable by @​petertrr in #​318
• SONARPHP-1383 Add \0 as an allowed PHP regex element by @​petertrr in #​317

New Contributors

• @​petertrr made their first contribution in #​318

Full Changelog: SonarSource/sonar-analyzer-commons@2.8.0.2699...2.9.0.2753

v2.8.0.2699

Compare Source

What's Changed

• Remove noisy logs when rule section is emtpy by @​Wohops in #​309
• SONAR-21157 Fix CI error due to SQ 10.4 new requirement: ERROR EnvironmentInformation compiled 61 only recognizes up to 55 by @​alban-auzeill in #​311
• Add simple Map and List length prefix serializer by @​karim-ouerghemmi-sonarsource in #​313
• Update parent and license headers by @​johann-beleites-sonarsource in #​315

New Contributors

• @​michael-jabbour-sonarsource made their first contribution in #​310

Full Changelog: SonarSource/sonar-analyzer-commons@2.7.0.1482...2.8.0.2699

v2.7.0.1482

Compare Source

What's Changed

• Prevent ExternalRuleLoader to manipulate code attribute and impact fields when runtime API < 10.1 by @​alban-auzeill in #​305
• Remove usage of @​Beta cleanCodeAttribute and addImpact of NewExternal Issue that could be removed in a near future by @​alban-auzeill in #​306

Full Changelog: SonarSource/sonar-analyzer-commons@2.6.0.1473...2.7.0.1482

v2.6.0.1473

Compare Source

What's Changed

• Avoid calling 'scan' two times in code recognizers by @​Wohops in #​297
• Add keySet method on PMap and stream method on PSet and PStack by @​Swalkyn in #​298
• Update sonar-plugin-api to 10.0 and use slf4j Logger by @​alban-auzeill in #​300
• Support Clean Code Taxonomy data by @​irina-batinic-sonarsource in #​303

Full Changelog: SonarSource/sonar-analyzer-commons@2.5.0.1358...2.6.0.1473

v2.5.0.1358

Compare Source

Update rule loader to allow education rules to not have a "How to fix it?" section.

v2.4.0.1317

Compare Source

Support Python 3.11 regex features (Atomic grouping and possessive quantifiers) and add a new regex finder for S5852 (RedosCheck)

v2.3.0.1263

Compare Source

Update support for the newest education format rule descriptions.

v2.2.0.1251

Compare Source

Add support for education format rule descriptions.

---

Configuration

📅 Schedule: Branch creation - "after 7am every weekday,before 7pm every weekday" in timezone CET, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[sonar-review-alpha]

Summary

Generated a PR comment for #1911 that complements the author's detailed dependency update table by providing high-level context about the scope and systematic nature of the changes across multiple pom.xml files.

What reviewers should know

The comment briefly characterizes the PR as a systematic update of SonarSource analyzer plugins and dependencies across the project's build configuration. It notes the files affected (root pom.xml, analysis engine, test plugins) and key version changes, then suggests verifying integration tests and plugin builds work correctly after the analyzer plugin updates.

---

• Generate Walkthrough
• Generate Diagram

🗣️ Give feedback

[hashicorp-vault-sonar-prod]

Renovate Jira issue ID: SLCORE-2232