Released: Aug 14, 2025
What's new in 2025.2
Features
Native mode is now available for Go and Python linters:
- This release has expanded Native mode to three more linters:
  - qodana-go
  - qodana-python
  - qodana-python-community
Security analysis has a new look with a redesigned Taint Trace Explorer:
- Version 2025.2 brings enhancements to the Taint Trace Explorer interface in the Security Analysis by Qodana plugin for IntelliJ IDEA. The updates are designed to improve trace readability, make navigation more efficient, and provide more information about traces.
- Each step in a taint trace now includes a contextual description explaining its role in the data propagation chain. The description clarifies the semantics of each transition, like variable assignments, method calls, and the propagation of tainted data through parameters. This simplifies understanding how tainted data moves through the application.
- Additionally, taint traces now feature summary-level descriptions that provide quick overviews of the flow from source to sink. These summaries help show the significance of each trace at a glance, making it easier to assess the impact of a vulnerability and prioritize which issues to fix during large-scale reviews.
- Each step of a taint trace is now directly highlighted in the code editor. As you navigate through the trace, the corresponding step in the source code is highlighted. This allows you to easily context switch between trace and code, improving your understanding of the code as you go.
Taint analysis is faster and more accurate:
- Taint analysis is now much faster thanks to pre-filtering. A lightweight interprocedural finite distributive subset analysis (IFDS) now runs as a preprocessing step. It checks whether there are any potential paths from sources to sinks within the current scope. IFDS also makes the reported paths linear and unambiguous.
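
The pre-filtering idea can be illustrated with a simplified sketch. This is an added example, not Qodana's code: plain graph reachability stands in for IFDS, and the scope names, data-flow edges, sources and sinks are all constructed for illustration.

```python
from collections import deque

# Constructed data-flow edges for two hypothetical scopes. "a": ["b"] means a value
# can flow from a to b (assignment, call argument, collection add/get, field store/load).
SCOPES = {
    "OrderController": {
        "request.getParameter": ["name"],
        "name": ["names.add"],
        "names.add": ["names.get"],
        "names.get": ["this.filter"],
        "this.filter": ["buildQuery(arg)"],
        "buildQuery(arg)": ["Statement.executeQuery"],
    },
    "ReportJob": {"config.load": ["title"], "title": ["logger.info"],
                  "request.getParameter": ["unused"]},
}
SOURCES = {"request.getParameter"}
SINKS = {"Statement.executeQuery"}


def find_trace(edges, sources, sinks):
    """Return one linear source-to-sink path (shortest, via BFS), or None."""
    parent = {s: None for s in sources if s in edges}
    queue = deque(sorted(parent))
    while queue:
        node = queue.popleft()
        if node in sinks:
            path = []
            while node is not None:  # walk parent links back to the source
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in edges.get(node, []):
            if nxt not in parent:  # visit each node once, so the path has no branches
                parent[nxt] = node
                queue.append(nxt)
    return None


def prefilter(scopes, sources, sinks):
    """Split scopes into those needing the full taint analysis and those to skip."""
    traces = {name: find_trace(e, sources, sinks) for name, e in scopes.items()}
    to_analyze = {n: t for n, t in traces.items() if t is not None}
    skipped = [n for n, t in traces.items() if t is None]
    return to_analyze, skipped


if __name__ == "__main__":
    print(prefilter(SCOPES, SOURCES, SINKS))
```

Only `OrderController` would be handed to the expensive analysis here; `ReportJob` contains a source but no path to a sink, so it is skipped.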
OWASP Top 10 coverage for Java and Kotlin has been enhanced:
- This release brings key improvements to Java and Kotlin support, with stronger detection across critical OWASP Top 10 categories. These updates help you dive deeper into your code, catch more issues, and work more reliably with large codebases.
- Expanded taint modeling for Java collections: Added support for all standard Java collections, so taint information now flows more accurately through the data structures you use every day.
- Coverage for Kotlin collection APIs: With support for Kotlin's standard collection APIs, you and your team can now surface more issues related to data flow and security in your Kotlin code.
- Kotlin string taint propagation: Added tracking for Kotlin string APIs to help you catch injection risks and data exposure problems in string operations.
- Improved field-sensitive data flow in Java: Taint tracking now follows data through class fields more effectively, giving you better visibility into complex object graphs and helping reduce missed issues.
CMake preset support in qodana-cpp:
- Qodana for C++ (EAP) now supports CMake presets, giving you greater control over compilers and environments.
CLI parameter updates for smoother setup:
- In this release, the parameters available for configuring linter behavior have been reorganized. It introduces two new parameters (--image and --within-docker), changes the available values for the --linter parameter, and deprecates the -ide parameter.