Blog
Sonar's latest blog posts
What Code Issues Caused the CrowdStrike Outage?
This blog post takes a look at the potential code issues behind the recent global CrowdStrike outage.
![https://assets-eu-01.kc-usercontent.com:443/275a16f7-9b36-0172-ed6f-fce50dc34f53/7b69d1cd-74f7-4610-a793-6bd3e35737fa/crowdstrike_blog_featured_2x.webp](https://assets-eu-01.kc-usercontent.com:443/275a16f7-9b36-0172-ed6f-fce50dc34f53/7b69d1cd-74f7-4610-a793-6bd3e35737fa/crowdstrike_blog_featured_2x.webp?w=1201&h=1201&auto=format&fit=crop)
![We recently discovered critical security issues in the popular CI/CD solution GoCD that can be exploited by unauthenticated attackers](https://assets-eu-01.kc-usercontent.com:443/275a16f7-9b36-0172-ed6f-fce50dc34f53/5b8b7bc5-dca3-4b5a-841b-31218facecad/cover-fb92427d-4a4d-46f3-ab2a-863a66e82201_GOcd_blogpost_opt%25402x.png?w=325&h=200&auto=format&fit=crop)
Agent 007: Pre-Auth Takeover of Build Pipelines in GoCD
We recently discovered critical security issues in the popular CI/CD solution GoCD that can be exploited by unauthenticated attackers
Read Blog post >
![https://assets-eu-01.kc-usercontent.com:443/275a16f7-9b36-0172-ed6f-fce50dc34f53/e289de40-8bea-42be-b6e4-7171f08e246d/Meet%20the%20New%20Project%20Experience_blog%20header.png](https://assets-eu-01.kc-usercontent.com:443/275a16f7-9b36-0172-ed6f-fce50dc34f53/e289de40-8bea-42be-b6e4-7171f08e246d/Meet%20the%20New%20Project%20Experience_blog%20header.png?w=325&h=200&auto=format&fit=crop)
Meet the new project experience for SonarCloud
We are very pleased to announce that we have released a new project experience. It’s now available in SonarCloud for all users. You’ll notice a few improvements the next time you open SonarCloud.
Read Blog post >
![We discovered and reported a vulnerability in the Squirrel VM, written in C, that allows an attacker to escape the sandbox.](https://assets-eu-01.kc-usercontent.com:443/275a16f7-9b36-0172-ed6f-fce50dc34f53/139ce316-054f-4653-a633-6922b96939b6/cover-dc12e72c-0d4d-4ff6-b18a-dcd06decc32b_SquirrelLang%2BBlogpost%25402x.png?w=325&h=200&auto=format&fit=crop)
Squirrel Sandbox Escape allows Code Execution in Games and Cloud Services
We discovered and reported a vulnerability in the Squirrel VM, written in C, that allows an attacker to escape the sandbox.
Read Blog post >
![This article talks about the powerful capabilities of the C++ analyzer with SonarLint and highlights some unique and interesting quality and security rules you might find useful. Through ...](https://assets-eu-01.kc-usercontent.com:443/275a16f7-9b36-0172-ed6f-fce50dc34f53/146d4d35-6d86-431a-ac38-3c6d288eb4b2/cover-a2b38076-4674-4b3f-8729-5f8df078df6c_MKTCOL-246%2BSL%2BClion%2BCpp%25402x.png?w=325&h=200&auto=format&fit=crop)
Supercharge your C++ analysis with SonarLint for CLion
This article talks about the powerful capabilities of the C++ analyzer with SonarLint and highlights some unique and interesting quality and security rules you might find useful. Through that lens, we demonstrate how you can leverage these rules to elevate your CLion built-in static analysis capabilities for your C++ projects.
Read Blog post >
![Boost your productivity by automatically applying fixes to repair code quality issues in your IDE with SonarLint.](https://assets-eu-01.kc-usercontent.com:443/275a16f7-9b36-0172-ed6f-fce50dc34f53/d8722d45-b0bd-484d-8241-fcfc8843b330/cover-eac58edf-1cea-4939-b893-ee05a27a5aef_MKTCOL-245%2BSL%2BQuickfixes%25402x.png?w=325&h=200&auto=format&fit=crop)
Modernize Code Quality with ‘Quick Fixes’
Boost your productivity by automatically applying fixes to repair code quality issues in your IDE with SonarLint.
Read Blog post >
![We responsibly disclosed three vulnerabilities in the open-source status page Cachet, allowing attackers to take over instances. Here are all the details!](https://assets-eu-01.kc-usercontent.com:443/275a16f7-9b36-0172-ed6f-fce50dc34f53/4eacb91e-afb6-4eeb-badc-307d6536c075/cover-123d8703-ee2c-4518-b7de-1a176fb5b5a9_Blogpost%2BCachet%25402x.png?w=325&h=200&auto=format&fit=crop)
Cachet 2.4: Code Execution via Laravel Configuration Injection
We responsibly disclosed three vulnerabilities in the open-source status page Cachet, allowing attackers to take over instances. Here are all the details!
Read Blog post >
![https://assets-eu-01.kc-usercontent.com:443/275a16f7-9b36-0172-ed6f-fce50dc34f53/d7f6199c-9f3d-4811-9286-4d417cf3fcc4/Product%20Portals%20Open_blog%20header.png](https://assets-eu-01.kc-usercontent.com:443/275a16f7-9b36-0172-ed6f-fce50dc34f53/d7f6199c-9f3d-4811-9286-4d417cf3fcc4/Product%20Portals%20Open_blog%20header.png?w=325&h=200&auto=format&fit=crop)
Product portals open: we want your input
We've recently opened up product portals on Productboard. You'll find them for SonarQube, SonarCloud, and SonarLint. Each one shows the features we're currently working on, the ones we've released recently, and the ones we're planning.
Read Blog post >
![We recently discovered an XSS vulnerability in the admin frontend of Ghost CMS 4.3.2. Find out the details and learn how to avoid such issues in your code!](https://assets-eu-01.kc-usercontent.com:443/275a16f7-9b36-0172-ed6f-fce50dc34f53/6e09643a-1811-40f9-ab7b-968fa954c14a/cover-278a88f4-f948-4c9a-8ede-2a8c22f9a270_RD-34%2BGhost%2BCMS%2BDOM%2BXSS%25402x.png?w=325&h=200&auto=format&fit=crop)
Ghost CMS 4.3.2 - Cross-Origin Admin Takeover
We recently discovered an XSS vulnerability in the admin frontend of Ghost CMS 4.3.2. Find out the details and learn how to avoid such issues in your code!
Read Blog post >
![Analyzing your C or C++ code requires, in addition to the source code, the configuration that is used to build the code. Historically we have provided a tool to automate the extraction of...](https://assets-eu-01.kc-usercontent.com:443/275a16f7-9b36-0172-ed6f-fce50dc34f53/54486124-5dd6-4e5f-8c6f-1b58378611d4/cover-41325528-f8ec-4888-840d-2f55a2c2b7b8_MKTCOL-240%2Bcompilation%2Bdatabase%2Bblog%2Bimage%25402x.png?w=325&h=200&auto=format&fit=crop)
Compilation database: An alternative way to configure your C or C++ analysis
Analyzing your C or C++ code requires, in addition to the source code, the configuration that is used to build the code. Historically we have provided a tool to automate the extraction of this information, called the build wrapper. Recently we introduced another way to configure your analysis, the compilation database. Learn more about the pros and cons of each option.
Read Blog post >
![Our case study of elFinder 2.1.57 describes several critical code vulnerabilities commonly found in web file managers and how to patch them.](https://assets-eu-01.kc-usercontent.com:443/275a16f7-9b36-0172-ed6f-fce50dc34f53/0b2f16b3-5e3a-4f36-b8f2-a303e0e4f74b/cover-287ee4a6-069f-4503-a54e-a156cf80dcfc_elFinder%2BBlogpost%2B%25402x.png?w=325&h=200&auto=format&fit=crop)
elFinder - A Case Study of Web File Manager Vulnerabilities
Our case study of elFinder 2.1.57 describes several critical code vulnerabilities commonly found in web file managers and how to patch them.
Read Blog post >
![SonarQube has always had a rich plugin Marketplace, with much of SonarQube's functionality originally delivered as plugins and many additional needs being met by community-maintained plug...](https://assets-eu-01.kc-usercontent.com:443/275a16f7-9b36-0172-ed6f-fce50dc34f53/19b11d95-fc33-4312-9e71-174e44421521/cover-8305912b-d946-4399-8ed1-d70c4cfb1b50_Blog%2BImage_MKTCOL-232%25402x.png?w=325&h=200&auto=format&fit=crop)
Use 3rd-party plugins at your own risk
If you're using 3rd-party plugins for SonarQube, you're obviously already aware of the benefits. With this blog post, we want to make sure you're also aware of the risks. Because there are risks.
Read Blog post >