Blog
Sonar's latest blog posts
What Code Issues Caused the CrowdStrike Outage?
This blog post takes a look at the potential code issues behind the recent global CrowdStrike outage.
![https://assets-eu-01.kc-usercontent.com:443/275a16f7-9b36-0172-ed6f-fce50dc34f53/7b69d1cd-74f7-4610-a793-6bd3e35737fa/crowdstrike_blog_featured_2x.webp](https://assets-eu-01.kc-usercontent.com:443/275a16f7-9b36-0172-ed6f-fce50dc34f53/7b69d1cd-74f7-4610-a793-6bd3e35737fa/crowdstrike_blog_featured_2x.webp?w=1201&h=1201&auto=format&fit=crop)
![Image shows various elements of code security, languages and bugs](https://assets-eu-01.kc-usercontent.com:443/275a16f7-9b36-0172-ed6f-fce50dc34f53/641ac088-af90-4105-adeb-b808ee67a9a8/Generic%20Blog%20Image_B.png?w=325&h=200&auto=format&fit=crop)
About the recent code leaks from SonarQube instances
On July 27th 2020 we learned through media coverage that Till Kottmann was able to access non open-source source code from various companies. This is our public response to the incident.
Read Blog post >
![Image shows various elements of code security, languages and bugs](https://assets-eu-01.kc-usercontent.com:443/275a16f7-9b36-0172-ed6f-fce50dc34f53/550ac517-ee6c-44ec-99b6-94f1418e6fce/Generic%20Blog%20Image_C.png?w=325&h=200&auto=format&fit=crop)
Take Control of Code Quality with SonarQube Pull Request Decoration in Your Workflow
How do you write super clean code without disrupting your workflow? Join me as I show you how SonarQube Pull Request Decoration gets you there!
Read Blog post >
![Image shows various elements of code security, languages and bugs](https://assets-eu-01.kc-usercontent.com:443/275a16f7-9b36-0172-ed6f-fce50dc34f53/3b863d8e-28a8-49f6-8005-ad34ede82668/Generic%20Blog%20Image_A.png?w=325&h=200&auto=format&fit=crop)
Apache Kylin 3.0.1 Command Injection Vulnerability
We discovered a severe command injection vulnerability in Apache Kylin that allows malicious users to execute arbitrary OS commands.
Read Blog post >
![Teams will be joining forces in building best-in-class Static Application Security Testing (SAST) products that help development teams and organizations deliver more secure software.](https://assets-eu-01.kc-usercontent.com:443/275a16f7-9b36-0172-ed6f-fce50dc34f53/430a97d8-f5b9-40e4-80ad-7d002c4f10ff/cover-52bc22cc-d6b3-4e25-8142-08866265032a_rips-hero-image.png?w=325&h=200&auto=format&fit=crop)
SonarSource acquires RIPS Technologies
Teams will be joining forces in building best-in-class Static Application Security Testing (SAST) products that help development teams and organizations deliver more secure software.
Read Blog post >
![Hibernate is among one of the most commonly found database libraries used in Java web applications, shipping with its own query language. This technical post will teach you how to detect ...](https://assets-eu-01.kc-usercontent.com:443/275a16f7-9b36-0172-ed6f-fce50dc34f53/c9d01eb1-8419-4ee1-b684-0422af5d5960/cover-448bd0b1-07a1-4f58-a250-e53ee45e91eb_exploiting-hibernate.png?w=325&h=200&auto=format&fit=crop)
Exploiting Hibernate Injections
Hibernate is among one of the most commonly found database libraries used in Java web applications, shipping with its own query language. This technical post will teach you how to detect and exploit Hibernates very own vulnerability: The HQL Injection.
Read Blog post >
![https://assets-eu-01.kc-usercontent.com:443/275a16f7-9b36-0172-ed6f-fce50dc34f53/9e3545dc-b15f-4293-b591-1df3761cfd2d/body-1a08fe56-2df2-46b9-b433-22157ef1940f_taintAnalysis1.png](https://assets-eu-01.kc-usercontent.com:443/275a16f7-9b36-0172-ed6f-fce50dc34f53/9e3545dc-b15f-4293-b591-1df3761cfd2d/body-1a08fe56-2df2-46b9-b433-22157ef1940f_taintAnalysis1.png?w=325&h=200&auto=format&fit=crop)
What is 'taint analysis' and why do I care?
In large systems, finding the bad actors is easier said than done. First you have to find all the places you accept data from users, and then you have to sanitize the data before you use it. The hard part is making sure you've found all the sources of user data and intervened before any kind of use. That's where taint analysis comes in.
Read Blog post >
![This blog post details an authenticated Remote Code Execution (RCE) vulnerability in the WordPress core that bypasses hardening mechanisms. The vulnerability is present in the WordPress c...](https://assets-eu-01.kc-usercontent.com:443/275a16f7-9b36-0172-ed6f-fce50dc34f53/687905c6-6561-4ecd-af30-dbc1132ee89a/cover-a5df5815-4cfe-4d8e-a79d-6a57aa2f8272_wordpress-hardening-bypass.png?w=325&h=200&auto=format&fit=crop)
WordPress <= 5.2.3: Hardening Bypass
This blog post details an authenticated Remote Code Execution (RCE) vulnerability in the WordPress core that bypasses hardening mechanisms. The vulnerability is present in the WordPress core in versions prior to 5.2.4
Read Blog post >
![Image shows various elements of code security, languages and bugs](https://assets-eu-01.kc-usercontent.com:443/275a16f7-9b36-0172-ed6f-fce50dc34f53/3b863d8e-28a8-49f6-8005-ad34ede82668/Generic%20Blog%20Image_A.png?w=325&h=200&auto=format&fit=crop)
Clean as You Code: How to win at Code Quality without even trying
Analyzing a legacy project can be overwhelming. Learn how to Clean as You Code to make sure that the code you release into production tomorrow is at least as good as - and probably better than! - the code that's in production today.
Read Blog post >
![BigTree is a small content management system which does not depend on many frameworks and advertises itself as user friendly and developer ready. In this blog post, we will take a look at...](https://assets-eu-01.kc-usercontent.com:443/275a16f7-9b36-0172-ed6f-fce50dc34f53/490a607e-7aaf-4eda-acc2-1d80390ca4d0/cover-7d2a0237-0354-48e2-8991-dbbf7b46a6e7_bigtree446_blog.png?w=325&h=200&auto=format&fit=crop)
Backend SQL Injection in BigTree CMS 4.4.6
BigTree is a small content management system which does not depend on many frameworks and advertises itself as user friendly and developer ready. In this blog post, we will take a look at a few vulnerabilities we have detected in the codebase of BigTree.
Read Blog post >
![https://assets-eu-01.kc-usercontent.com:443/275a16f7-9b36-0172-ed6f-fce50dc34f53/7ddf0933-4fb6-487c-bcc3-b93685017340/driveby-rce-exploit-pimcore.png.webp](https://assets-eu-01.kc-usercontent.com:443/275a16f7-9b36-0172-ed6f-fce50dc34f53/7ddf0933-4fb6-487c-bcc3-b93685017340/driveby-rce-exploit-pimcore.png.webp?w=325&h=200&auto=format&fit=crop)
Drive By RCE Exploit in Pimcore 6.2.0
In this technical blog post we will examine how a drive by exploit in the Pimcore release 6.2.0 allows an attacker to execute OS commands.
Read Blog post >
![WooCommerce is the most popular e-commerce plugin for WordPress with over 5 million installations. We detected a code vulnerability in the way WooCommerce handles imports of products.](https://assets-eu-01.kc-usercontent.com:443/275a16f7-9b36-0172-ed6f-fce50dc34f53/50e60f37-40a8-4af3-a242-f5c78a9962d6/cover-8d0b1e65-ffef-4811-a2b4-7fbf34d8a6a4_woocommerce-csrf-to-stored-xss.png?w=325&h=200&auto=format&fit=crop)
WooCommerce 3.6.4 - CSRF Bypass to Stored XSS
WooCommerce is the most popular e-commerce plugin for WordPress with over 5 million installations. We detected a code vulnerability in the way WooCommerce handles imports of products.
Read Blog post >