Sonar Blog

Home

Blog

Sonar's latest blog posts

Featured Post

What is Clean Code?

If you’ve followed us for a while, you most likely noticed that we changed the way we describe what we do: from “code quality” to “continuous code inspection,” then “code quality and code security”… to Clean Code.


But what is Clean Code, and what does it encompass?

Read More
https://assets-eu-01.kc-usercontent.com:443/e2fe37e7-55cd-01b0-b5d2-5ad4e116ce31/ddb995eb-cb89-4435-82fb-1b937cdf11dc/what_is_clean_code_blog_feature.webp
Image shows various elements of code security, languages and bugs
Blog post

Joomla! 3.8.3: Privilege Escalation via SQL Injection

Joomla! is one of the biggest players in the market of content management systems and the second most used CMS on the web. We discovered a second-order SQL injection (CVE-2018-6376) that could be used by attackers to leverage lower permissions and to escalate them into full admin permissions on Joomla! prior version 3.8.4.

Read Blog post >

Image shows various elements of code security, languages and bugs
Blog post

Why did my coverage just drop?!

After an upgrade people are sometimes surprised to find that the next analysis of a project with no real changes shows a significant drop in coverage. Believe it or not, that really is a feature, not a bug, and it's called Executable Lines.

Read Blog post >

Get new blogs delivered directly to your inbox!

Stay up-to-date with the latest Sonar content. Subscribe now to receive the latest blog articles.

Image shows various elements of code security, languages and bugs
Blog post

CubeCart 6.1.12 - Admin Authentication Bypass

CubeCart is an open source e-commerce solution. In one of our latest security analysis we found two flaws in this web application that allow an attacker to circumvent the authentication mechanism required to login as an administrator (CVE-2018-20716).

Read Blog post >

Image shows various elements of code security, languages and bugs
Blog post

Supporting analysis of .NET Core projects

Support for SonarQube analysis of projects in the new MSBuild v15 format has been one of the features most requested by the Microsoft community, now it's done !

Read Blog post >

https://assets-eu-01.kc-usercontent.com:443/e2fe37e7-55cd-01b0-b5d2-5ad4e116ce31/e735ea2e-b5be-42e7-b491-050d72711136/shopware_exploit.jpg
Blog post

Shopware 5.3.3: PHP Object Instantiation to Blind XXE

Shopware is a popular e-commerce software that bases on Symfony, Doctrine and the Zend Framework. In this blog post we investigate the exploitation of a rare PHP object instantiation vulnerability (CVE-2017-18357).

Read Blog post >

Joomla! is one of the most popular content management systems. We detected a previously unknown LDAP injection vulnerability in the login controller that could allow remote attackers to l...
Blog post

Joomla! 3.7.5 - Takeover in 20 Seconds with LDAP Injection

Joomla! is one of the most popular content management systems. We detected a previously unknown LDAP injection vulnerability in the login controller that could allow remote attackers to leak the super user password and to fully take over any Joomla! installation.

Read Blog post >

https://assets-eu-01.kc-usercontent.com:443/e2fe37e7-55cd-01b0-b5d2-5ad4e116ce31/480d06ea-3df3-43e0-93c0-15256c00cc2e/SugarCRM_security.png
Blog post

SugarCRM's Security Diet - Multiple Vulnerabilities

SugarCRM is one of the most popular customer relationship management solutions. We uncovered critical security issues that could allow attackers to steal customer data or sensitive files from the server.

Read Blog post >

https://assets-eu-01.kc-usercontent.com:443/e2fe37e7-55cd-01b0-b5d2-5ad4e116ce31/4ba7774f-9f96-48ec-a70c-d5819140a8d0/ca5a7ab4-6eca-4203-9eac-34cff3a67d59_php_core_security.png
Blog post

How security flaws in PHP's core can affect your application

Learn how memory corruption bugs in the PHP core itself can affect your PHP application.

Read Blog post >

Image shows various elements of code security, languages and bugs
Blog post

SonarCFamily Now Supports ARM Compilers

For those not familiar with ARM (Advanced RISC Machine), let's start by sharing some numbers: in 2011, the 32-bit ARM architecture was the most widely used architecture in mobile devices and the most popular 32-bit one in embedded systems (see). Moreover in 2013, 10 billion were produced (see) and "ARM-based chips are found in nearly 60 percent of the world’s mobile devices" (see).

Read Blog post >

Recently, many critical security vulnerabilities were fixed in popular PHP applications such as Roundcube, Wikimedia and Zend Framework that based on insecure usage of the PHP mail() func...
Blog post

Why mail() is dangerous in PHP

Recently, many critical security vulnerabilities were fixed in popular PHP applications such as Roundcube, Wikimedia and Zend Framework that based on insecure usage of the PHP mail() function. In this post, we have a look at the common ground of these vulnerabilities and how to use mail() securely.

Read Blog post >

Image shows various elements of code security, languages and bugs
Blog post

Breaking the SonarQube Analysis with Jenkins Pipelines

One of the most requested feature regarding SonarQube Scanners is the ability to fail the build when quality level is not at the expected level. We have this built-in concept of quality gate in SonarQube, and we used to have a BuildBreaker plugin for this exact use case. But starting from version 5.2, aggregation of metrics is done asynchronously on SonarQube server side. It means build/scanner process would finish successfully just after publishing raw data to the SonarQube server, without waiting for the aggregation to complete.

Read Blog post >