Qodana Revisited
Written by Nikos Vaggalis   
Monday, 20 October 2025

It's been some years since we first looked at Qodana, the solid SAST tool from JetBrains. Let's find out what's new in its latest release, Qodana 2025.2.

Back in 2021 we discovered that Qodana was much more than just a Linter - it's a complete Code Quality Platform:

While Qodana's job is to identify and suggest fixes for bugs, security vulnerabilities, duplications, imperfections, anomalous code, probable bugs, dead code, etc, it is also a complete Code Quality Platform with the aim of improving the overall code structure of a project by applying the best coding practices.

At the time Qodana was available under an Early Access Program (EAP), but since then the versions and availability have been stepped up. Case in point: in 2022, in JetBrains Qodana Moves To The Cloud, we reported on Qodana's move from a locally-hosted development environment onto the cloud. This meant that the tool could now also focus:

on team work and performance across an organization. With no need for spinning up Docker images, it has the advantage that it collects data from all the different linters spread across the organization in a single repo.

As such running the analysis on the concentrated data provides a holistic view on the wider code quality and deeper insights on a team performance scale. It goes without saying that this functionality is especially helpful for managers that supervise large teams of developers.

In March 2023, in JetBrains Qodana Adds Taint Analysis For PHP,  we explored a new feature - that of the taint mode, beginning with PHP. (Note that initially Qodana supported just Kotlin and Java, but now covers many more including a wide range of dynamically typed languages):

With this functionality, developers can defend programs against taints, malicious inputs from external users and hackers who can use the taints in code to destroy the system, hijack credentials and other data, as well as change the system’s behavior.

Manually doing taint analysis is not effective enough. As such Qodana automated this process. The new taint analysis minimized the attack surface by leveraging inspections that scan the code and highlight the potential vulnerabilities.

2025 finds Qodana sporting amongst others:

  • A redesigned taint trace explorer

  • Faster and more accurate taint analysis

  • Qodana CLI

  • Enhanced coverage for OWASP Top 10 for Java and Kotlin

  • Running directly on local or CI machines without the need of Docker containers

And of course there is yet another very important feature, that of The Vulnerable API. It goes without saying that a tool scanning for vulnerable code wouldn't be complete without constant CVE tracking. So JetBrains, in partnership with Mend.io, enriched Qodana's Package Checker plugin so that it can continuously scan code and check your third-party project dependencies for known vulnerabilities, based on Mend's real-time vulnerability data reports.

This October sees another new innovation; Qodana’s Public API. The API lets you create teams, projects, and obtain lists of Qodana Cloud and Self-hosted organization users using your build pipelines, something that allows for seamless integration with your workflow.

For instance, in order to create and manage teams and projects directly via the API, you send a POST request to the https://{qodana_cloud_url}/api/v1/public/organizations/projects endpoint and provide the team and project names:

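# Replace {qodana_cloud_url} with your Qodana Cloud host.
# The request body is JSON, so it is declared as such; the response is captured in qodana_token.
qodana_token=$(curl -X POST https://{qodana_cloud_url}/api/v1/public/organizations/projects \
-H "Authorization: Bearer $permanent_organization_token" \
-H "Content-Type: application/json" \
-d '{
"projectName": "My project name",
"teamName": "My team name"
}')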

Note however that this functionality is only available under the Ultimate Plus license.

In conclusion, performing static analysis in this age of AI-produced code is a must. Everybody is aware of the reports of AI tools shipping vulnerable code by default. As such, quality linting, static analysis and code coverage, as well as the organization-wide insight and oversight that the likes of Qodana enable, are nowadays essential.

 

More Information

New Quarter, New Qodana 2025.2 Release Highlights

 

Related Articles

JetBrain's Qodana - More Than Just A Linter

JetBrains Qodana Moves To The Cloud

JetBrains Releases Qodana

JetBrains Releases Qodana Self-Hosted 

 

 
