Sonar Blog

Home

Sonar's latest blog posts

Featured Post

Building Confidence and Trust in AI-Generated Code

To tackle the accountability and ownership challenge accompanying AI-generated code, we are introducing Sonar AI Code Assurance

Read More
https://assets-eu-01.kc-usercontent.com:443/6312d6a8-faef-0175-9d92-e94376ab3538/0bd6c0bc-c921-485b-8570-8de7e1384983/AI%20Code%20Assurance_square-index%402x.png
Image shows various elements of code security, languages and bugs
Blog post

Breaking the SonarQube Server Analysis with Jenkins Pipelines

One of the most requested feature regarding SonarQube Server Scanners is the ability to fail the build when quality level is not at the expected level. We have this built-in concept of quality gate in SonarQube Server, and we used to have a BuildBreaker plugin for this exact use case. But starting from version 5.2, aggregation of metrics is done asynchronously on SonarQube Server side. It means build/scanner process would finish successfully just after publishing raw data to the SonarQube Server, without waiting for the aggregation to complete.

Read Blog post >

In this blog post, we present a beautiful chain of vulnerabilities which, in the end, allows an attacker to remotely execute arbitrary PHP code in the open source marketplace software osC...
Blog post

osClass 3.6.1: Remote Code Execution via Image File

In this blog post, we present a beautiful chain of vulnerabilities which, in the end, allows an attacker to remotely execute arbitrary PHP code in the open source marketplace software osClass 3.6.1 used for creating classifieds sites.

Read Blog post >

Get new blogs delivered directly to your inbox!

Stay up-to-date with the latest Sonar content. Subscribe now to receive the latest blog articles.

I do not wish to receive promotional emails about upcoming SonarQube updates, new releases, news and events.

By submitting this form, you agree to the storing and processing of your personal data as described in the Privacy Policy and Cookie Policy. You can withdraw your consent by unsubscribing at any time.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Image shows various elements of code security, languages and bugs
Blog post

Cognitive Complexity, Because Testability != Understandability

Cyclomatic Complexity works very well for measuring testability, but not for maintainability. That's why we're introducing Cognitive Complexity, which you'll begin seeing in upcoming versions of our language analyzers.

Read Blog post >

In this post, we show how a malicious user can remotely execute arbitrary commands on the underlying operating system, simply by writing an email in Roundcube 1.2.2 (>= 1.0). This vulnera...
Blog post

Roundcube 1.2.2: Command Execution via Email

In this post, we show how a malicious user can remotely execute arbitrary commands on the underlying operating system, simply by writing an email in Roundcube 1.2.2 (>= 1.0). This vulnerability is highly critical because all default installations are affected.

Read Blog post >

Image shows various elements of code security, languages and bugs
Blog post

We Are Adjusting Rules Severities

With the release of SonarQube Server 5.6, we introduced the SonarQube Server Quality Model, which pulls Bugs and Vulnerabilities out into separate categories to give them the prominence they deserve. Now we're tackling the other half of the job: "sane-itizing" rule severities, because not every bug is Critical.

Read Blog post >

Image shows various elements of code security, languages and bugs
Blog post

SonarAnalyzer for C#: The Rule Engine You Want to Use

If you’ve been following the releases of the Scanner for MsBuild and the C# plugin over the last two years, you must have noticed that we significantly improved our integration with the build tool and at the same time added a lot of new rules. Also, we introduced SonarQube for IDE: Visual Studio, a new tool to analyze code inside the IDE. With these steps completed we are deprecating the SonarQube Server ReSharper plugin to be able to provide a consistent, high-level experience among our tools.

Read Blog post >

Image shows various elements of code security, languages and bugs
Blog post

Bugs and Vulnerabilities are 1st Class Citizens in SonarQube Server Quality Model along with Code Smells

In SonarQube Server 5.5 we adopted an evolved quality model, the SonarQube Server Quality Model, that takes the best from SQALE and adds what was missing. In doing so, we've highlighted project risks while retaining technical debt.

Read Blog post >

Image shows various elements of code security, languages and bugs
Blog post

Why You Shouldn't Use Build Breaker

There have been some heated discussions recently about the Build Breaker plugin... SonarSource doesn't want to continue the feature. The community has come to see it as a must have... So I'd like to explain why at SonarSource we no longer think it should be used.

Read Blog post >

Image shows various elements of code security, languages and bugs
Blog post

Analysis of Visual Studio Solutions with the SonarQube Server Scanner for MSBuild

At the end of April 2015 during the Build Conference, Microsoft and SonarSource Announced SonarQube Server integration with MSBuild and Team Build. Today, half a year later, we’re releasing the SonarQube Server Scanner for MSBuild 1.0.2. But what exactly is the SonarQube Server Scanner for MSBuild? Let’s find out!

Read Blog post >

Image shows various elements of code security, languages and bugs
Blog post

Water Leak Changes the Game for Technical Debt Management

A few months ago, at the end of a customer presentation about “The Code Quality Paradigm Change”, I was approached by an attendee who said, “I have been following SonarQube Server & SonarSource for the last 4-5 years and I am wondering how I could have missed the stuff you just presented. Where do you publish this kind of information?”. I told him that it was all on our blog and wiki and that I would send him the links. Well...

Read Blog post >

Image shows various elements of code security, languages and bugs
Blog post

Unit Test Execution in SonarQube Server

Starting with Java Ecosystem version 2.2 (compatible with SonarQube Server version 4.2+), we no longer drive the execution of unit tests during Maven analysis. Dropping this feature seemed like such a natural step to us that we were a little surprised when people asked us why we'd taken it.

Read Blog post >