Featured Post
Uncovering hidden security vulnerabilities with deeper SAST
Security vulnerabilities can be hidden in your third-party dependency code. Uncover them with deeper SAST.
Read more -->
Blog
Sonar's latest blog posts
Blog post
How security flaws in PHP's core can affect your application
Learn how memory corruption bugs in the PHP core itself can affect your PHP application.
Read Blog post >
Blog post
SonarCFamily Now Supports ARM Compilers
For those not familiar with ARM (Advanced RISC Machine), let's start by sharing some numbers: in 2011, the 32-bit ARM architecture was the most widely used architecture in mobile devices and the most popular 32-bit one in embedded systems (see). Moreover in 2013, 10 billion were produced (see) and "ARM-based chips are found in nearly 60 percent of the world’s mobile devices" (see).
Read Blog post >
Blog post
Why mail() is dangerous in PHP
Recently, many critical security vulnerabilities were fixed in popular PHP applications such as Roundcube, Wikimedia and Zend Framework that based on insecure usage of the PHP mail() function. In this post, we have a look at the common ground of these vulnerabilities and how to use mail() securely.
Read Blog post >
Blog post
Breaking the SonarQube Analysis with Jenkins Pipelines
One of the most requested feature regarding SonarQube Scanners is the ability to fail the build when quality level is not at the expected level. We have this built-in concept of quality gate in SonarQube, and we used to have a BuildBreaker plugin for this exact use case. But starting from version 5.2, aggregation of metrics is done asynchronously on SonarQube server side. It means build/scanner process would finish successfully just after publishing raw data to the SonarQube server, without waiting for the aggregation to complete.
Read Blog post >
Blog post
osClass 3.6.1: Remote Code Execution via Image File
In this blog post, we present a beautiful chain of vulnerabilities which, in the end, allows an attacker to remotely execute arbitrary PHP code in the open source marketplace software osClass 3.6.1 used for creating classifieds sites.
Read Blog post >
Blog post
Cognitive Complexity, Because Testability != Understandability
Cyclomatic Complexity works very well for measuring testability, but not for maintainability. That's why we're introducing Cognitive Complexity, which you'll begin seeing in upcoming versions of our language analyzers.
Read Blog post >
Blog post
Roundcube 1.2.2: Command Execution via Email
In this post, we show how a malicious user can remotely execute arbitrary commands on the underlying operating system, simply by writing an email in Roundcube 1.2.2 (>= 1.0). This vulnerability is highly critical because all default installations are affected.
Read Blog post >
Blog post
We Are Adjusting Rules Severities
With the release of SonarQube 5.6, we introduced the SonarQube Quality Model, which pulls Bugs and Vulnerabilities out into separate categories to give them the prominence they deserve. Now we're tackling the other half of the job: "sane-itizing" rule severities, because not every bug is Critical.
Read Blog post >
Blog post
SonarAnalyzer for C#: The Rule Engine You Want to Use
If you’ve been following the releases of the Scanner for MsBuild and the C# plugin over the last two years, you must have noticed that we significantly improved our integration with the build tool and at the same time added a lot of new rules. Also, we introduced SonarLint for Visual Studio, a new tool to analyze code inside the IDE. With these steps completed we are deprecating the SonarQube ReSharper plugin to be able to provide a consistent, high-level experience among our tools.
Read Blog post >
Blog post
Bugs and Vulnerabilities are 1st Class Citizens in SonarQube Quality Model along with Code Smells
In SonarQube 5.5 we adopted an evolved quality model, the SonarQube Quality Model, that takes the best from SQALE and adds what was missing. In doing so, we've highlighted project risks while retaining technical debt.
Read Blog post >
Blog post
Why You Shouldn't Use Build Breaker
There have been some heated discussions recently about the Build Breaker plugin... SonarSource doesn't want to continue the feature. The community has come to see it as a must have... So I'd like to explain why at SonarSource we no longer think it should be used.
Read Blog post >
Blog post
Analysis of Visual Studio Solutions with the SonarQube Scanner for MSBuild
At the end of April 2015 during the Build Conference, Microsoft and SonarSource Announced SonarQube integration with MSBuild and Team Build. Today, half a year later, we’re releasing the SonarQube Scanner for MSBuild 1.0.2. But what exactly is the SonarQube Scanner for MSBuild? Let’s find out!
Read Blog post >