Blog RSS feed

https://www.sonarsource.com

Sonar’s industry leading solution enables developers & development teams to write clean code and remediate existing code organically.

フィード

記事のアイキャッチ画像
Software and AI in 2025 — Sonar Perspectives on What’s to Come in the New Year
Blog RSS feed
Several Sonar leaders share their perspectives on what to expect in 2025 with AI and software development.
10日前
記事のアイキャッチ画像
Never Underestimate CSRF: Why Origin Reflection is a Bad Idea
Blog RSS feed
CORS misconfigurations are often overlooked, but they can have severe consequences. We demonstrate how reflecting the origin header leads to code execution in Whistle.
11日前
記事のアイキャッチ画像
The new SonarQube free tier is here
Blog RSS feed
Announcing a new free tier of SonarQube, hosted in the cloud. This tier goes beyond our current community offering and gives individual developers and small teams many of the features of our commercial SonarQube offering.
16日前
記事のアイキャッチ画像
SonarQube Server 10.8 Release Announcement
Blog RSS feed
This release includes stronger AI Code Assurance and AI CodeFix capabilities. Choose from two new operating modes to run the server in a way that best suits your business needs. Exciting things continue to happen with our language support, like new architecture rules, support for Ansible IaC, and full support of our Dart/Flutter coverage. Find out what’s in store for you.
17日前
記事のアイキャッチ画像
A better (free) SonarQube experience
Blog RSS feed
Announcing a new free tier of SonarQube, hosted in the cloud. This tier goes beyond our current community offering and gives individual developers and small teams many of the features of our commercial SonarQube offering.
1ヶ月前
記事のアイキャッチ画像
How to Trust AI Contributions to Your Codebase
Blog RSS feed
In a world where AI generates code, code ownership and trust become increasingly obscure. Many enterprises already find this situation untenable, and they are looking for ways to solve it. But where do you start?
1ヶ月前
記事のアイキャッチ画像
Our commitment to you – and an update on severity ratings for software quality
Blog RSS feed
The speed of software development and product delivery is increasing for organizations everywhere – including here at Sonar. In this blog, we decided to put our guiding engineering principles in writing and share them with you.
1ヶ月前
記事のアイキャッチ画像
Sanitize Client-Side: Why Server-Side HTML Sanitization is Doomed to Fail
Blog RSS feed
HTML sanitization has long been touted as a solution to prevent malicious content injection. However, this approach faces numerous challenges. In this blog post, we'll explore the limitations of server-side HTML sanitization and discuss why client-side sanitization is the better approach.
2ヶ月前
記事のアイキャッチ画像
The Power of Taint Analysis: Uncovering Critical Code Vulnerability in OpenAPI Generator
Blog RSS feed
This blog post explains how taint analysis tracks all data flows in an application’s source code to unveil deeply hidden vulnerabilities and showcases a critical vulnerability in the OpenAPI Generator discovered by SonarQube Cloud.
2ヶ月前
記事のアイキャッチ画像
Why Code Security Matters - Even in Hardened Environments
Blog RSS feed
This blog post showcases why fundamental code security is essential for an application despite all hardening measures applied in the underlying infrastructure.
2ヶ月前
記事のアイキャッチ画像
Announcing Sonar Support for Dart: Elevate Your Code Quality
Blog RSS feed
Sonar now supports the Dart programming language
2ヶ月前
記事のアイキャッチ画像
SonarQube Server 10.7 Release Announcement
Blog RSS feed
Sonar introduces powerful AI-driven features, expanded support for new and existing languages and frameworks, and deeper security, all to elevate your code quality. These updates bring significant advancements for developers and teams.
3ヶ月前
記事のアイキャッチ画像
Instant Code Fixes at Your Fingertips: Announcing Sonar AI CodeFix
Blog RSS feed
Sonar AI CodeFix is a powerful capability that suggests code fixes for issues discovered by our code analysis solutions SonarQube Server and SonarQube Cloud.
3ヶ月前
記事のアイキャッチ画像
Building Confidence and Trust in AI-Generated Code
Blog RSS feed
Sonar AI Code Assurance is a robust and streamlined process for validating AI-generated code through a structured and comprehensive analysis.
3ヶ月前
記事のアイキャッチ画像
Top Security Flaws hiding in your code right now - and how to fix them
Blog RSS feed
Let's examine the three most common injection attack types—SQL injection, Deserialization Injection, and Logging Injection—and discuss ways to prevent them.
3ヶ月前
記事のアイキャッチ画像
ISO 27001 Importance
Blog RSS feed
Security standards such as ISO 27001 are crucial for businesses as they offer a structured framework for managing and safeguarding sensitive information.
4ヶ月前
記事のアイキャッチ画像
Basic HTTP Authentication Risk: Uncovering pyspider Vulnerabilities
Blog RSS feed
pyspider uses the convenient “basic HTTP authentication” method, but browsers don’t take the extra step to protect users from CSRF attacks. Learn more on how SonarQube Cloud detected 2 vulnerabilities in this open-source project.
4ヶ月前
記事のアイキャッチ画像
How to Choose an LLM in Software Development
Blog RSS feed
With so many Large Language Models (LLMs) out there, selecting the right LLM is crucial for any organization looking to integrate AI into its operations.
4ヶ月前
記事のアイキャッチ画像
SonarQube Cloud or SonarQube Server, What's Right for Your Team?
Blog RSS feed
Learn about the similarities and key differences between SonarQube Cloud and SonarQube Server and which one is best for your use case.
4ヶ月前
記事のアイキャッチ画像
Sonar Founder Olivier Gaudin at QCon London 2024
Blog RSS feed
Olivier Gaudin discusses the value of quality, secure code from the start at top industry software conference. Check out his talk!
4ヶ月前
記事のアイキャッチ画像
Front-End Frameworks: When Bypassing Built-in Sanitization Might Backfire
Blog RSS feed
Modern JavaScript front-end frameworks protect your application from XSS vulnerabilities by automatically escaping untrusted content. This built-in feature can be bypassed intentionally, which should be taken with great care.
4ヶ月前
記事のアイキャッチ画像
How Sonar Helps Meeting NIST SSDF Code Security Requirements
Blog RSS feed
Sonar’s solutions, including SonarQube for IDE, SonarQube Server, and SonarQube Cloud, help you meet NIST SSDF code security requirements and enhance overall code quality. Find out how.
4ヶ月前
記事のアイキャッチ画像
Government Emails at Risk: Critical Cross-Site Scripting Vulnerability in Roundcube Webmail
Blog RSS feed
Sonar’s R&D team discovered a Cross-Site Scripting vulnerability in Roundcube. Similar vulnerabilities in Roundcube have been used by APTs to steal government emails.
5ヶ月前
記事のアイキャッチ画像
Now Introducing, SonarQube Cloud Enterprise and SonarQube Cloud Team
Blog RSS feed
We are excited to expand our SonarQube Cloud offering with the availability of two new plans, SonarQube Cloud Enterprise and SonarQube Cloud Team.
5ヶ月前
記事のアイキャッチ画像
What Code Issues Caused the CrowdStrike Outage?
Blog RSS feed
This blog post takes a look at the potential code issues behind the recent global CrowdStrike outage.
5ヶ月前
記事のアイキャッチ画像
ASP.NET Core Web Apps
Blog RSS feed
Sonar recently added new rules for ASP.NET WebAPI and ASP.NET MVC. In this blog post, we discuss the details of these frameworks within ASP.NET Core and how Sonar’s solutions help keep your ASP.NET web apps clean and free of issues.
5ヶ月前
記事のアイキャッチ画像
G2 Review Static Code Analysis | Sonar Named a Leader in Grid Report
Blog RSS feed
G2 has once again ranked Sonar #1 in Static Code Analysis in the Summer 2024 Grid Report. In addition to leading the pack in each of the Enterprise, Mid-Market, and Small Business segments for Static Code Analysis, Sonar was also named a leader in the Static Application Security Testing (SAST) category.
5ヶ月前
記事のアイキャッチ画像
AutoConfig: C++ Code Analysis Redefined
Blog RSS feed
Abbas Sabra covers a groundbreaking technology: AutoConfig for C and C++. It automates the normally complex setup process, making project setup a breeze. AutoConfig is designed to make code analysis free of complications bringing Clean Code to the fingertips of every C and C++ developer.
5ヶ月前
記事のアイキャッチ画像
Encoding Differentials: Why Charset Matters
Blog RSS feed
The absence of charset information seems to be a minor issue for a web application. This blog post explains why this is a false assumption and highlights the critical security implications.
5ヶ月前
記事のアイキャッチ画像
Securing Developer Tools: Unpatched Code Vulnerabilities in Gogs (2/2)
Blog RSS feed
Learn about critical code vulnerabilities we discovered in Gogs, a source code hosting solution. This follow-up covers how less severe flaws can still have a critical impact.
5ヶ月前
記事のアイキャッチ画像
Using and Understanding SonarQube Server for Code Coverage
Blog RSS feed
One critical metric to gauge the effectiveness of your code testing efforts is code coverage. SonarQube Server, a powerful static code analysis solution, integrates seamlessly with code coverage tools, empowering developers to write cleaner, more secure, and thoroughly tested code.
5ヶ月前
記事のアイキャッチ画像
Securing Developer Tools: Unpatched Code Vulnerabilities in Gogs (1/2)
Blog RSS feed
We discovered 4 critical code vulnerabilities in Gogs, a source code hosting solution, which are still unpatched. Read about the details and how to protect yourself.
6ヶ月前
記事のアイキャッチ画像
The True Cost of Bad Code in Software Development
Blog RSS feed
Despite advances in technology and methodologies, the costs associated with fixing bad code continue to escalate, impacting businesses financially and operationally. But what is bad code, what are the clear markers of its negative impact, and how can organizations overcome it?
6ヶ月前
記事のアイキャッチ画像
SonarQube Server 10.6 Release Announcement
Blog RSS feed
The 10.6 release of SonarQube Server includes some significant changes, such as autoscaling in Kubernetes, AutoConfig for C and C++ projects, support for running in a FIPS-enforced environment, set rule priority to uphold your coding standards, easy setup of monorepos, monitoring the time it takes to upgrade, and expanded library coverage for AI/ML developers.
6ヶ月前
記事のアイキャッチ画像
Green Coding with Clean Code - A Recap of ecoCode Challenge Paris 2024
Blog RSS feed
ecoCode Challenge Paris represents an opportunity to unite innovation and sustainable coding. As a proud sponsor, we are excited to see how SonarQube Server is empowering developers to prioritize environmental sustainability in their projects.
6ヶ月前
記事のアイキャッチ画像
Re-moo-te Code Execution in Mailcow: Always Sanitize Error Messages
Blog RSS feed
Our research team discovered two vulnerabilities in mailcow, an email server solution. Attackers could compromise an instance, impersonate users, and steal emails.
6ヶ月前
記事のアイキャッチ画像
Integrating SonarQube Cloud with Amazon CodeCatalyst for Code Analysis
Blog RSS feed
Sonar recently announced the integration of SonarQube Cloud with Amazon CodeCatalyst. This blog post guides you through integrating SonarQube Cloud, a cloud-based Clean Code solution, with Amazon CodeCatalyst.
6ヶ月前
記事のアイキャッチ画像
An Open Letter to Sonar[Qube] Users
Blog RSS feed
Sonar’s new President of Field Operations introduces herself and reiterates the company's continued commitment to enabling organizations to succeed.
6ヶ月前
記事のアイキャッチ画像
mXSS: The Vulnerability Hiding in Your Code
Blog RSS feed
XSS is a well-known bug class, but a lesser-known yet effective variant called mXSS has emerged over the last couple of years. In this blog, we will cover the fundamentals of this XSS variant and examine how you can protect against it.
7ヶ月前
記事のアイキャッチ画像
Sonar Named Leader in G2 Spring Report
Blog RSS feed
We are excited to share that the G2 Spring 2024 reports were recently released, and once again, Sonar has been named the LEADER in Static Code Analysis!
7ヶ月前
記事のアイキャッチ画像
Find Deeply Hidden Security Vulnerabilities with Deeper SAST by Sonar
Blog RSS feed
This post delves into an actual Jenkins vulnerability to understand the intricacies of deeper SAST for detecting deeply hidden code vulnerabilities. It illustrates how deeper SAST works and explains its impact on keeping your code clean and free of these serious issues.
7ヶ月前
記事のアイキャッチ画像
Parallel Code Security: The Challenge of Concurrency
Blog RSS feed
Parallelism has been around for decades, but it is still a source of critical vulnerabilities nowadays. This blog post details a severe vulnerability in the remote desktop gateway Apache Guacamole, highlighting the security risks of parallelism.
7ヶ月前
記事のアイキャッチ画像
Code Interoperability: The Hazards of Technological Variety
Blog RSS feed
The rapid development of different technologies doesn’t come without risks. This blog post details a critical vulnerability in the remote desktop gateway Apache Guacamole, which showcases the challenges of code interoperability.
7ヶ月前
記事のアイキャッチ画像
Leveraging SonarQube Server, SonarQube Cloud, and SonarQube for IDE for Effective Shift Left Practices
Blog RSS feed
Speed and quality are no longer trade-offs in the modern software landscape - they're a tightly interwoven dance. That's where the "Shift Left" philosophy comes in, urging us to move critical checks and balances like code quality analysis earlier in the development lifecycle.
8ヶ月前
記事のアイキャッチ画像
Driving DevOps Transformation: Leveling Up CI/CD with Static Code Analysis
Blog RSS feed
Unit and end-to-end testing are effective in ensuring features and functionality work properly, but what about code quality? How can we ensure that our code is reliable, maintainable, and secure? Enter static code analysis.
8ヶ月前
記事のアイキャッチ画像
Legacy Codebases are a DevOps Issue
Blog RSS feed
Explore how DevOps principles and practices can transform the challenge of managing legacy code into an opportunity for improvement. This piece outlines actionable strategies for refactoring, the importance of automation, and adopting a 'Clean as You Code' approach to ensure sustainable code quality and efficiency.
8ヶ月前
記事のアイキャッチ画像
SonarQube Server 10.5 Release Announcement
Blog RSS feed
The 10.5 release of SonarQube Server includes support for Java 21, C++23, and TypeScript 5.4. Secrets detection analysis is faster and deeper SAST coverage has increased. Project onboarding is more simplified for monorepos, Maven, and GitHub Actions. Read on to find out about these and much more.
8ヶ月前
記事のアイキャッチ画像
Dangerous Import: SourceForge Patches Critical Code Vulnerability
Blog RSS feed
Our Vulnerability Research team discovered a critical code vulnerability in SourceForge, which attackers could have used to poison deployed files and spread malware to millions of users.
8ヶ月前
記事のアイキャッチ画像
AI-Generated Code Demands ‘Trust, But Verify’ Approach to Software Development
Blog RSS feed
Pairing the "trust, but verify" approach with the power of Sonar’s Clean Code solutions enables organizations to be confident that their AI-generated code is high-quality, maintainable, reliable, and secure.
8ヶ月前
記事のアイキャッチ画像
C# Logging
Blog RSS feed
Are you writing logging code in your app? Logging correctly can be tricky. It is an important part of tracking the progress of your app while running and determining the origin of problems when they arise. In this blog post Denis Troller walks you through common pitfalls and logging best practices when coding in C# with .NET.
8ヶ月前
記事のアイキャッチ画像
Ensuring the right usage of Java 21 new features
Blog RSS feed
Last September 2023 Java 21 was released as the latest LTS (Long Time Support). But taking advantage of the changes and new features, which we are not used to including in our code, can be a tough task. Also, it can lead to improper use or poor uptake, bugs, or basically not taking full advantage of new improvements.
9ヶ月前
記事のアイキャッチ画像
Apache Dubbo Consumer Risks: The Road Not Taken
Blog RSS feed
Explore the lesser-known Apache Dubbo risks that weren’t well documented until now, and delve into the importance of clean code ensuring clarity, maintainability, and comprehensibility.
9ヶ月前
記事のアイキャッチ画像
Technical debt’s impact on development speed and code quality
Blog RSS feed
By acknowledging the impact of technical debt and embracing proactive solutions like Sonar, development teams can mitigate its effects and build software that is resilient, reliable, and scalable.
9ヶ月前
記事のアイキャッチ画像
DORA Compliance for Financial Entities
Blog RSS feed
Leveraging Sonar solutions to ensure code security by design
9ヶ月前
記事のアイキャッチ画像
Micro Services, Major Headaches: Detecting Vulnerabilities in Erxes' Microservices
Blog RSS feed
Our vulnerability researchers discovered critical vulnerabilities in Erxes with the help of SonarQube Cloud. Learn about the details and how to triage such issues in your own code!
9ヶ月前
記事のアイキャッチ画像
__dirname is back in Node.js with ES modules
Blog RSS feed
Node.js is reducing friction when using ES modules by making it easier to get the current module directory name
9ヶ月前
記事のアイキャッチ画像
#CleanCodeTips: Unlock Your Coding Potential
Blog RSS feed
As software development evolves, keeping up with best practices, the latest trends, and ensuring your code remains top-notch can feel like sailing uncharted waters. Sonar has the Clean Code tips for you!
9ヶ月前
記事のアイキャッチ画像
Reply to calc: The Attack Chain to Compromise Mailspring
Blog RSS feed
Learn how an attacker can combine multiple security vulnerabilities to achieve arbitrary code execution on a victim that tries to reply or forward a malicious mail in Mailspring.
9ヶ月前
記事のアイキャッチ画像
Are You Ready For PCI DSS 4.0?
Blog RSS feed
PCI DSS 3.2.1 is being retired on March 31, 2024. Are you ready for the new standard, PCI DSS 4.0?
9ヶ月前
記事のアイキャッチ画像
Increase readability with Java's Pattern Matching
Blog RSS feed
Increase readability, reduce cognitive complexity, and avoid bugs that are hard to spot with Java's Pattern Matching.
10ヶ月前
記事のアイキャッチ画像
OpenNMS Vulnerabilities: Securing Code against Attackers’ Unexpected Ways
Blog RSS feed
Learn which unexpected ways attackers may take to exploit code vulnerabilities and how to secure against them.
10ヶ月前
記事のアイキャッチ画像
White House emphasizes need for proactive coding practices to counter cyber attacks
Blog RSS feed
The ONCD recent report puts a spotlight on one of the most foundational issues that result in insecure software. Sonar applauds the administration’s call for addressing software vulnerabilities at the programming language and source code levels.
10ヶ月前
記事のアイキャッチ画像
Sonar Reaffirms Strength of its Information Security Management Systems by Earning The Latest ISO Certification, ISO27001:2022
Blog RSS feed
As part of our continuously advancing and improving security practice, we are pleased to announce that Sonar and its products are now certified to the latest version of the ISO72001 standard.
10ヶ月前
記事のアイキャッチ画像
How timely delivery comes from transparent outsourced software development communication
Blog RSS feed
Ineffective communication impacts everything in software development. To ensure your next project meets expectations, transparent communication is essential for driving timely delivery when working with internal and external development teams.
10ヶ月前
記事のアイキャッチ画像
Builders, Withers, and Records - Java’s path to immutability
Blog RSS feed
We know that immutable objects are easier to maintain, lead to fewer errors, and are multi-thread friendly. This article will show two different approaches to creating objects: Builders and Withers, along with a new type of immutable object in Java: Records
10ヶ月前
記事のアイキャッチ画像
Joomla: PHP Bug Introduces Multiple XSS Vulnerabilities
Blog RSS feed
Our Clean Code solution, SonarQube Cloud, led us to a severe security issue in the popular Content Management System Joomla.
10ヶ月前
記事のアイキャッチ画像
Union, intersection, difference, and more are coming to JavaScript Sets
Blog RSS feed
The JavaScript Set was introduced to the language in the ES2015 spec, but it has always seemed incomplete. That's about to change with the addition of functions like intersection, union and difference.
10ヶ月前
記事のアイキャッチ画像
Write cleaner React code with SonarQube Server 10.4
Blog RSS feed
SonarQube Server 10.4 was recently released and it includes 48 new rules and one updated rule to help you to write clean code in your React applications.
10ヶ月前
記事のアイキャッチ画像
New Web API V2
Blog RSS feed
We are modernizing our Web API. In this post, Aurélien Poscia explains how and why.
10ヶ月前
記事のアイキャッチ画像
Building the foundation for a strong AI future
Blog RSS feed
Sonar is honored to participate in the newly established U.S. Artificial Intelligence Safety Institute Consortium (AISIC) effort and is excited to join other leaders at the forefront of AI development.
10ヶ月前
記事のアイキャッチ画像
5 Risks of Outsourcing Software Development and How to Avoid Them
Blog RSS feed
Outsourcing software development requires a clear understanding of the potential risks. In this blog, we discuss five risks of this widely adopted strategy and provide tactics to minimize risk in delivered software.
10ヶ月前
記事のアイキャッチ画像
SonarQube Server 10.4 Release Announcement
Blog RSS feed
The SonarQube Server 10.4 release includes some exciting changes that show the benefit of Clean Code and the Clean as You Code methodology. Scan times are faster and connecting to SonarQube for IDE is easier. Sonar is introducing easy onboarding for GitLab, new support for Helm Charts, and much more.
10ヶ月前
記事のアイキャッチ画像
Pitfalls of Desanitization: Leaking Customer Data from osTicket
Blog RSS feed
The dangerous Desanitization pattern led to an XSS vulnerability in the open-source helpdesk software osTicket, which can be used to leak customer data.
10ヶ月前
記事のアイキャッチ画像
Juliet C# Benchmark and the SecureString case
Blog RSS feed
Juliet C# is a project from the National Institute of Standards and Technology of the USA. As a security benchmark project, we used Juliet C# 1.3 to test and improve our C# analyzer. Here is a glimpse of the work we did around Juliet and some of its test cases related to the SecureString .NET type.
1年前
記事のアイキャッチ画像
Who are you? The Importance of Verifying Message Origins
Blog RSS feed
This blog post highlights the importance of verifying the origin of JavaScript message events and outlines the potential impact of omitting this by detailing two critical vulnerabilities in the Squidex application.
1年前
記事のアイキャッチ画像
Excessive Expansion: Uncovering Critical Security Vulnerabilities in Jenkins
Blog RSS feed
This blog uncovers two vulnerabilities, a Critical and High severity, recently discovered by our research team. Exploiting these vulnerabilities, attackers have the potential to gain Remote Code Execution on a Jenkins instance.
1年前
記事のアイキャッチ画像
Blazor
Blog RSS feed
Sonar is helping make C# code clean as Microsoft ASP.NET Core Blazor application development grows
1年前
記事のアイキャッチ画像
Lessons learned upgrading to React 18 in SonarQube Server
Blog RSS feed
We share the biggest three issues we faced and the lessons we learned as we upgraded SonarQube Server to React 18.
1年前
記事のアイキャッチ画像
Vulnerability Research Highlights 2023
Blog RSS feed
Our Vulnerability Research team looks back at a great year and summarizes the highlights of 2023.
1年前
記事のアイキャッチ画像
Sonar's Scoring on the Top 3 Python SAST Benchmarks
Blog RSS feed
We're excited to share not only how Sonar performs on Python benchmarks but also the ground truth corresponding to the list of expected and not-so-expected issues.
1年前
記事のアイキャッチ画像
2024 DevOps Predictions from the Sonar Developer Advocate Team
Blog RSS feed
The Developer Advocate team shares their predictions on what they foresee for DevOps trends and hot topics in 2024.
1年前
記事のアイキャッチ画像
2024 Security Predictions from the Sonar Research Team
Blog RSS feed
Reflecting on changes in the industry over the past year, as well as the research we’ve published, the Sonar Vulnerability Research team came together and compiled our thoughts on what we foresee for cybersecurity in 2024.
1年前
記事のアイキャッチ画像
Sonar @ Black Hat Europe!
Blog RSS feed
Last week, several SonarSourcers traveled to London to attend our third Black Hat event of the year. Here's what happened!
1年前
記事のアイキャッチ画像
pfSense Security: Sensing Code Vulnerabilities with SonarQube Cloud
Blog RSS feed
Our Clean Code solution SonarQube Cloud discovered multiple vulnerabilities leading to remote code execution on pfSense CE 2.7.0. Let's see how SonarQube Cloud found them and how it can keep your code clean.
1年前
記事のアイキャッチ画像
Spring framework pitfalls
Blog RSS feed
Spring framework offers a lot of help in the development, but we still have to pay attention and make the right use of it in order to avoid some issues.
1年前
記事のアイキャッチ画像
Stop nesting ternaries in JavaScript
Blog RSS feed
Nesting ternary operators makes code more complex and less clear. Let's investigate other ways to write conditional expressions.
1年前
記事のアイキャッチ画像
Unraveling the Costs of Bad Code in Software Development
Blog RSS feed
Not only does bad code cost companies millions of dollars, but countless hours of lost time, productivity, and brand reputation too. By acknowledging the existence of bad code and implementing proactive measures to mitigate its impact, developers and organizations can steer software toward success.
1年前
記事のアイキャッチ画像
Secrets Detection
Blog RSS feed
What are hard coded secrets? Why do you care if secrets are hidden in your code? How does Sonar help prevent secrets from getting into your code, entering your repository, and leaking out from your CI/CD pipeline? In this post, Product Manager, Alex Gigleux, answers all your questions.
1年前
記事のアイキャッチ画像
Sonar is “On the Radar”: New Omdia Report
Blog RSS feed
Omdia — an analyst firm that provides decades of industry experience, world-class research and consultancy, and actionable insights in over 200 markets — has published research about Sonar, our solutions, and recent innovations of deeper SAST and zero-configuration automatic analysis for C/C++. The research digs into why Sonar should be on your radar and also takes a look at the market view as well as from a current positioning.
1年前
記事のアイキャッチ画像
Visual Studio Code Security: Finding New Vulnerabilities in the NPM Integration (3/3)
Blog RSS feed
It's time to wrap up our series on the security of Visual Studio Code with new vulnerabilities in the NPM integration, bypassing the Workspace Trust security feature.
1年前
記事のアイキャッチ画像
Top issues in Java projects
Blog RSS feed
Let's dig into the projects using Java as language and see, according to what SonarQube for IDE telemetry shows, that there are still lots of issues that appear in the huge list of analyzed projects.
1年前
記事のアイキャッチ画像
SonarQube Server 10.3 Release Announcement
Blog RSS feed
The new SonarQube Server 10.3 release is out now, including Secrets Detection at the Source, Clean Code Taxonomy & Clean as You Code Updates, Automate Provisioning GitHub Projects and Teams, 2023 CWE Top 25 Report, the Blazor Framework, and Stronger Security.
1年前
記事のアイキャッチ画像
Visual Studio Code Security: Markdown Vulnerabilities in Third-Party Extensions (2/3)
Blog RSS feed
We took a look at the security of the most popular code editor, Visual Studio Code! This blog post covers vulnerabilities our researchers discovered in third-party extensions.
1年前
記事のアイキャッチ画像
Sonar's Scoring on the Top 3 C# SAST Benchmarks
Blog RSS feed
Sonar's Scoring on the Top 3 C# SAST Benchmarks
1年前
記事のアイキャッチ画像
Visual Studio Code Security: Deep Dive into Your Favorite Editor (1/3)
Blog RSS feed
We took a look at the security of the most popular code editor, Visual Studio Code! This blog post covers common risks and attack surfaces so you know what to expect when using it.
1年前
記事のアイキャッチ画像
Linux Foundation Chat: Open Source & Clean Code
Blog RSS feed
Linux Foundation Executive Director Jim Zemlin joins Sonar Founder and co-CEO Olivier Gaudin to discuss Clean Code, open-source development, cybersecurity, and more!
1年前
記事のアイキャッチ画像
BlogPost | 9 Steps to get the most out of your SonarQube Cloud Trial
Blog RSS feed
To maximize the benefits of your SonarQube Cloud trial, it's essential to approach the trial with a clear plan. Start a 14-day trial for your private projects & repositories completely free to get all the features of the application that you can get as a paid subscription.
1年前
記事のアイキャッチ画像
BlogPost | Shifting Right for Secure Platforms and DevOps
Blog RSS feed
Dev tooling is not only helping shift issues left, but the tools also help identify issues that happen later, or to the right, in the development lifecycle. Like detecting secrets before they go into production or platform configuration issues.
1年前
記事のアイキャッチ画像
BlogPost | Highlights from Hexacon 2023
Blog RSS feed
Last week, members of our AppSec and Vulnerability Research teams attended the Hexacon in Paris to learn, share, and network. Read more about our highlights.
1年前
記事のアイキャッチ画像
What is Clean Code?
Blog RSS feed
If you’ve followed us for a while, you most likely noticed that we changed the way we describe what we do. It feels like in the last couple of years, we finally managed to settle on what we had been looking for from the beginning: Clean Code. But what is Clean Code, and what does it encompass?
1年前
記事のアイキャッチ画像
Security Vulnerabilities in CasaOS
Blog RSS feed
We recently uncovered two critical code vulnerabilities in the personal cloud system CasaOS. Let's see what we can learn from them.
1年前
記事のアイキャッチ画像
Java SAST Benchmarks: why you shouldn't trust them blindly
Blog RSS feed
Java SAST Benchmarks: why you shouldn't trust them blindly
1年前
記事のアイキャッチ画像
Interview with Sonar Java Enthusiasts
Blog RSS feed
Interview with Sonar Java Enthusiasts
1年前
記事のアイキャッチ画像
ISMG Interview - Securing Applications, Accelerating DevOps with Clean Code
Blog RSS feed
Sonar founder and co-CEO, Olivier Gaudin, sits down with ISMG's Tom Field at Black Hat USA 2023 to discuss how development can be improved to avoid security issues.
1年前
記事のアイキャッチ画像
Why I’m passionate about Static Analysis and how I helped make it better
Blog RSS feed
Why I’m passionate about Static Analysis and how I helped make it better
1年前
記事のアイキャッチ画像
A comprehensive guide to the dangers of Regular Expressions in JavaScript
Blog RSS feed
A deep investigation into regular expression denial of service (ReDoS) vulnerabilities in JavaScript
1年前
記事のアイキャッチ画像
Unzipping Dangers: OpenRefine Zip Slip Vulnerability
Blog RSS feed
Extracting archives can be very dangerous. Read more about a critical Zip Slip vulnerability SonarQube Cloud detected in the open-source application OpenRefine.
1年前
記事のアイキャッチ画像
Open Source Summit 2023
Blog RSS feed
Open Source Summit 2023
1年前
記事のアイキャッチ画像
Sonar's Scoring on the Top 3 Java SAST Benchmarks
Blog RSS feed
Enhancing SAST Detection: Sonar's Scoring on the Top 3 Java SAST Benchmarks
1年前
記事のアイキャッチ画像
Source Code at Risk: Critical Code Vulnerability in CI/CD Platform TeamCity
Blog RSS feed
Our Vulnerability Research team discovered a critical vulnerability in the popular CI/CD server TeamCity, which attackers could use to steal source code and poison build artifacts.
1年前
記事のアイキャッチ画像
5 Clean Code Tips for Reducing Cognitive Complexity
Blog RSS feed
Understanding how Cognitive Complexity works will help guide you on where to focus your time. This blog dives into how this Sonar-exclusive metric was formulated to accurately measure the relative understandability of methods.
1年前
記事のアイキャッチ画像
Remote Code Execution in Tutanota Desktop due to Code Flaw
Blog RSS feed
Our Research team discovered critical code vulnerabilities in Proton Mail, Skiff, and Tutanota. This post covers an XSS vulnerability in Tutanota Desktop and how it can be prevented.
1年前
記事のアイキャッチ画像
The new JDK LTS is out! Long live JDK 21!
Blog RSS feed
Let's check what the new Java JDK21 LTS brings
1年前
記事のアイキャッチ画像
Enhancing Software Development Practices through SonarQube Server: A Path to Continuous Learning
Blog RSS feed
With SonarQube Server, organizations can readily deploy workflows integrated directly into their pipelines to build on their teams’ skill sets and create resiliency to new risks.
1年前
記事のアイキャッチ画像
Typing your JavaScript without writing TypeScript
Blog RSS feed
TypeScript already understands JavaScript, but you can get more out of it when you add types to your JavaScript with JSDoc or TypeScript declaration files
1年前
記事のアイキャッチ画像
Code Vulnerabilities Put Skiff Emails at Risk
Blog RSS feed
Our Research team discovered critical code vulnerabilities in Proton Mail, Skiff, and Tutanota. This post covers the technical details of the XSS vulnerability in Skiff.
1年前
記事のアイキャッチ画像
Security Guy TV Interview - Going Deeper with SAST and Clean Code
Blog RSS feed
Sonar CEO, Olivier Gaudin, and Head of Research and Development, Johannes Dahse, meet with Security Guy TV’s Chuck Harold to discuss deeper SAST and the importance of Clean Code.
1年前
記事のアイキャッチ画像
Get the benefits of TypeScript in your JavaScript
Blog RSS feed
Let's dive into what you can do to get more and more of TypeScript's benefits in your JavaScript projects.
1年前
記事のアイキャッチ画像
Introducing SonarQube Server 10.2: Setting New Standards in Code Quality and Security
Blog RSS feed
Discover the new features in SonarQube Server 10.2!
1年前
記事のアイキャッチ画像
Code Vulnerabilities Put Proton Mails at Risk
Blog RSS feed
The Sonar Research team discovered critical code vulnerabilities in Proton Mail, Skiff and Tutanota. This post covers the technical details of the XSS vulnerability in Proton Mail.
1年前
記事のアイキャッチ画像
Playing Dominos with Moodle's Security (2/2)
Blog RSS feed
Our security researchers recently discovered two critical vulnerabilities in Moodle that leverage the use of not impactful bugs.
1年前
記事のアイキャッチ画像
Enhancing SAST Detection: Leveraging Benchmarks for Measuring Progress
Blog RSS feed
Enhancing Static Application Security Testing SAST, leverage benchmarks for tracking our progress.
1年前
記事のアイキャッチ画像
Playing Dominos with Moodle's Security (1/2)
Blog RSS feed
Our security researchers recently discovered two critical vulnerabilities in Moodle that leverage the use of not impactful bugs.
1年前
記事のアイキャッチ画像
BlackHat 2023: Hackers, Casinos, and an Exciting Announcement
Blog RSS feed
The Sonar team of developers are just returning from their trip to Las Vegas where they attended BlackHat USA 2023. If you were not able to make it, here is what you missed.
1年前
記事のアイキャッチ画像
What is deeper SAST in JavaScript?
Blog RSS feed
What is SAST, what does deeper SAST mean, and how does this apply to your JavaScript and TypeScript applications?
1年前
記事のアイキャッチ画像
Patches, Collisions, and Root Shells: A Pwn2Own Adventure
Blog RSS feed
We dive into the technical details of the vulnerabilities we identified as part of last year's Pwn2Own competition.
1年前
記事のアイキャッチ画像
No, C++ static analysis does not have to be painful
Blog RSS feed
No C and C++ static analysis does not need to mean difficult configuration and pain. We explain how Sonar has made the impossible possible with one-click analysis for projects hosted in GitHub. A free automatic analysis of C and C++ projects.
1年前
記事のアイキャッチ画像
WeAreDevelopers 2023 - what did you miss?
Blog RSS feed
The Sonar team of developers are just returning from their trip to Berlin where they attended WeAreDevelopers 2023. If you were not able to make it, here is what you missed.
1年前
記事のアイキャッチ画像
Uncovering hidden security vulnerabilities with deeper SAST
Blog RSS feed
Uncovering security vulnerabilities is particularly challenging because these issues can be complex and deeply hidden when your code uses and interacts with third-party dependency code. We are excited to share more about a major breakthrough in our detection of deeply hidden security vulnerabilities that traditional tools cannot detect.
1年前
記事のアイキャッチ画像
Working with Multiple Code Variants in C++
Blog RSS feed
Multiple variants of C++ code-bases at build time are a necessary evil on most projects - even if that's just debug and release. This has always made analysis more complex. But now, with first class support in SonarQube Server, multiple code variants are easier to analyze and understand.
1年前
記事のアイキャッチ画像
A Twist in the Code: OpenMeetings Vulnerabilities through Unexpected Application State
Blog RSS feed
Unexpected application states are often overlooked and can introduce severe security vulnerabilities. Read more about this real-world example.
1年前
記事のアイキャッチ画像
New Research from Sonar on Cost of Technical Debt
Blog RSS feed
New original research from Sonar puts a spotlight on the millions of dollars that businesses lose when they fail to implement an optimal approach for software development.
1年前
記事のアイキャッチ画像
How Sonar Developer Advocates got started in their careers
Blog RSS feed
Interviews with Sonar’s Developer Advocates on their careers and what Clean Code means to them.
1年前
記事のアイキャッチ画像
Why SonarQube Server 9.9 LTS is a must-have for PHP Developers
Blog RSS feed
PHP analysis gets faster and better with new rules, fixed false-positives, and much more in SonarQube Server 9.9 LTS.
1年前
記事のアイキャッチ画像
TROOPERS 2023 Conference Takeaways
Blog RSS feed
Read about our key takeaways from the TROOPERS 2023 including our favorite talks and overall experience during the two days conference.
1年前
記事のアイキャッチ画像
TyphoonCon 2023 Wrap Up
Blog RSS feed
Last week, our Vulnerability Researchers traveled to TyphoonCon 2023 in Seoul to present their talk "Patches, collisions and root shells: a Pwn2Own Adventure".
1年前
記事のアイキャッチ画像
Why ORMs and Prepared Statements Can't (Always) Win
Blog RSS feed
We always assume prepared statements and ORMs are enough to protect us from SQL injection, but be careful not to misuse their APIs! Let's look into a real-world case and see what we can learn from it.
1年前
記事のアイキャッチ画像
Why SonarQube Server 9.9 LTS is a must-have for JavaScript and TypeScript Developers
Blog RSS feed
Read about the new features of SonarQube Server 9.9 LTS which help JavaScript and TypeScript developers to write Clean Code.
1年前
記事のアイキャッチ画像
SonarQube Server 10.1 Release
Blog RSS feed
Smoother centralized access management with GitHub, multiple code variant analysis for C/C+, a big coverage boost in Java security, and more in the latest from SonarQube Server.
2年前
記事のアイキャッチ画像
Smarter Together: Fostering a culture of collaboration and growth at Sonar
Blog RSS feed
The Sonar culture is the shared vision, mission, values, and behaviors that make up our day-to-day experience at Sonar. Our goal as an organization is that our culture will unite and motivate SonarSourcers to work and grow together and achieve company goals while creating meaningful benevolent relationships. Discover more about our Smarter Together core value in this blog post.
2年前
記事のアイキャッチ画像
Sonar at JSNation 2023 in Amsterdam
Blog RSS feed
We take a look at our highlights from JSNation 2023 in Amsterdam, including our favourite talks, memorable conversations and key takeaways.
2年前
記事のアイキャッチ画像
What Mr. Miyagi can teach you about writing Clean Code
Blog RSS feed
Just like it's not enough to simply practice karate for Mr. Miyagi, it's not enough for Sonar to find and fix issues when guiding developers to practice Clean Code. Developers should be able to find, understand, and fix issues to write Clean Code optimally.
2年前
記事のアイキャッチ画像
Why SonarQube Server 9.9 LTS is a must-have for Java developers
Blog RSS feed
Explore the game-changing features of SonarQube Server 9.9 LTS, empowering Java developers to write Clean Code with enhanced speed and precision.
2年前
記事のアイキャッチ画像
Hands on with the Node.js test runner
Blog RSS feed
Node.js released an experimental test runner in version 18 and made that test runner stable in version 20. What does that mean for us as JavaScript developers?
2年前
記事のアイキャッチ画像
Reflections from OffensiveCon 2023
Blog RSS feed
Our Vulnerability Researchers are just returning from their trip to Berlin where they attended OffensiveCon 2023! Here's what they loved about the event.
2年前
記事のアイキャッチ画像
Sonar and HashiCorp Partner to Deliver Clean Terraform Code & Good Vibes
Blog RSS feed
Learn about the Sonar - HashiCorp partnership and the SonarQube Cloud Terraform Cloud integration.
2年前
記事のアイキャッチ画像
SonarQube for IDE supports Go analysis!
Blog RSS feed
SonarQube for IDE supports Go analysis!
2年前
記事のアイキャッチ画像
Pimcore: One click, two security vulnerabilities
Blog RSS feed
We discovered two vulnerabilities in Pimcore that could be chained together in one GET request to achieve RCE.
2年前
記事のアイキャッチ画像
Is Clean Code the solution to Jupyter notebook code quality?
Blog RSS feed
Is Clean Code the solution to Jupyter notebook code quality?
2年前
記事のアイキャッチ画像
ES2023 introduces new array copying methods to JavaScript
Blog RSS feed
There are new array methods in JavaScript and they are here to make our programs more predictable and maintainable.
2年前
記事のアイキャッチ画像
CNCF Silver membership
Blog RSS feed
Sonar becomes Silver member of the Cloud native computing foundation
2年前
記事のアイキャッチ画像
Why SonarQube Server 9.9 LTS is a must-have for Python developers
Blog RSS feed
Learn about the changes in SonarQube Server 9.9 LTS that help Python developers write Clean Code.
2年前
記事のアイキャッチ画像
Weird Python: 5 Unexpected Behaviors in the Python Interpreter
Blog RSS feed
Five ways in which Python's interpreter behaves in ways that you wouldn't expect.
2年前
記事のアイキャッチ画像
Reflections from DevNexus, the largest Java conference in the U.S.A.
Blog RSS feed
Reflections from DevNexus, the largest Java conference in the U.S.A.
2年前
記事のアイキャッチ画像
Interview with Sonar Python Developers Part 2
Blog RSS feed
Latest Python developments. Interview with Python developers from Sonar.
2年前
記事のアイキャッチ画像
Odoo: Get your Content Type right, or else!
Blog RSS feed
What do we need content types for anyway? Let's look into how an incorrect content type led to a real-world vulnerability in Odoo, CVE-2023-1434.
2年前
記事のアイキャッチ画像
Interview with Sonar Python Developers Part 1
Blog RSS feed
Why should I learn Python language? When should I use Python? Is tooling around Python development mature?
2年前
記事のアイキャッチ画像
Sonar Compiler Explorer: Write clean C++ code inside your browser
Blog RSS feed
Sonar ❤️ Compiler Explorer: Write clean C++ code inside your browser
2年前
記事のアイキャッチ画像
Pretalx Vulnerabilities: How to get accepted at every conference
Blog RSS feed
We recently discovered two vulnerabilities in pretalx and found a generic technique to gain code execution from a file write.
2年前
記事のアイキャッチ画像
Another 9 reasons to upgrade to SonarQube Server 9.9 LTS
Blog RSS feed
SonarQube Server 9.9 LTS is here! We're back with another 9 reasons you should prioritise upgrading as soon as possible.
2年前
記事のアイキャッチ画像
How bad code destroys developer velocity
Blog RSS feed
When bad code gets overlooked, it can create lasting problems and ultimately impact developer productivity and velocity.
2年前
記事のアイキャッチ画像
Announcing SonarQube Server 10.0
Blog RSS feed
Learn what features - like faster first analysis and better user management with SCIM - are available to you and your teams in SonarQube Server 10.0!
2年前
記事のアイキャッチ画像
It’s a (SNMP) Trap: Gaining Code Execution on LibreNMS
Blog RSS feed
Our researchers discovered a vulnerability in LibreNMS, which could be exploited by attackers to gain RCE by sending a single SNMP trap.
2年前
記事のアイキャッチ画像
Sonar is the Clean Code solution for your DevOps workflow
Blog RSS feed
Clean Code from Sonar aims to streamline your DevOps workflow so that your organization can yield the best possible results from your software.
2年前
記事のアイキャッチ画像
Your Guide to Clean Code in Cloud Native Apps
Blog RSS feed
Companies are adopting cloud native practices because it puts their core business first and affords them speed and efficiency advantages over the competition. However, reaping these rewards requires a solid, sustainable foundation - a Clean Code foundation.
2年前
記事のアイキャッチ画像
The top 5 common TypeScript issues found by SonarQube for IDE
Blog RSS feed
We crunched the data from SonarQube for IDE to discover the top 5 most common TypeScript issues. This is a summary of the top 5
2年前
記事のアイキャッチ画像
Cloud native features in SonarQube Server 9.9 LTS
Blog RSS feed
The best LTS ever - SonarQube Server v9.9 - packed together a lot of new features and functionality. Read more to learn about the cloud native, IaC and serverless analysis capabilities included in the LTS.
2年前
記事のアイキャッチ画像
9 more reasons to upgrade to SonarQube Server 9.9 LTS
Blog RSS feed
SonarQube Server 9.9 LTS is here! Not every improvement could be mentioned in the release announcement, so check out these LTS easter eggs that make this the Best LTS Ever.
2年前
記事のアイキャッチ画像
Common TypeScript Issues Nº 1: assignments within sub-expressions
Blog RSS feed
We crunched the data from SonarQube for IDE to discover the top 5 most common TypeScript issues. In this 5 part series, we outline each issue and how to avoid it.
2年前
記事のアイキャッチ画像
Celebrating International Women's Day with the women of Sonar
Blog RSS feed
Sonar is celebrating International Women's Day (March 8) with interviews from women across our many teams about their careers in technology.
2年前
記事のアイキャッチ画像
SonarQube Server LTS Upgrade Checklist
Blog RSS feed
A checklist to help you upgrade to SonarQube Server LTS
2年前
記事のアイキャッチ画像
Common TypeScript Issues Nº 2: non-empty statements
Blog RSS feed
We crunched the data from SonarQube for IDE to discover the top 5 most common TypeScript issues. In this 5 part series, we outline each issue and how to avoid it.
2年前
記事のアイキャッチ画像
Empowering weak primitives: file truncation to code execution with Git
Blog RSS feed
Let's dive into how a seemingly minor code vulnerability can hide a critical impact!
2年前
記事のアイキャッチ画像
The Best Approach to Writing Secure Cloud Native Apps
Blog RSS feed
With Sonar and the Clean as You Code methodology, developers can directly impact the security of the cloud native apps they create.
2年前
記事のアイキャッチ画像
Common TypeScript Issues Nº 3: unused local variables and functions
Blog RSS feed
We crunched the data from SonarQube for IDE to discover the top 5 most common TypeScript issues. In this 5 part series, we outline each issue and how to avoid it.
2年前
記事のアイキャッチ画像
Increase developer velocity today with Clean as You Code
Blog RSS feed
The Clean as You Code methodology allows developers to keep working on new and interesting projects without sacrificing quality or getting bogged down in refactoring legacy code.
2年前
記事のアイキャッチ画像
We are Sonar!
Blog RSS feed
Culture is a key aspect of working at Sonar. It is our binding agent; it is what we value, what we believe in, the way we work, and the way we interact. It is what makes us SonarSourcers!
2年前
記事のアイキャッチ画像
Common TypeScript Issues Nº 4: Don't create and drop objects immediately
Blog RSS feed
We crunched the data from SonarQube for IDE to discover the top 5 most common TypeScript issues. In this 5 part series, we outline each issue and how to avoid it.
2年前
記事のアイキャッチ画像
SonarQube Server 9.9 LTS
Blog RSS feed
Big year, big announcement – the most anticipated SonarQube Server 9.9 Long-Term-Support release is here! Check out this post for all details.
2年前
記事のアイキャッチ画像
Common TypeScript Issues Nº 5: Optional property declarations
Blog RSS feed
We crunched the data from SonarQube for IDE to discover the top 5 most common TypeScript issues. In this 5 part series, we outline each issue and how to avoid it.
2年前
記事のアイキャッチ画像
OpenEMR - Remote Code Execution in your Healthcare System
Blog RSS feed
We recently discovered three vulnerabilities that allow arbitrary code execution on OpenEMR. Let’s see what we can learn from them and discuss their patches!
2年前
記事のアイキャッチ画像
Vulnerability Research Highlights 2022
Blog RSS feed
Our research team looks back at a great year and summarizes the highlights of their vulnerability research in 2022.
2年前
記事のアイキャッチ画像
Level up your team's skills as they code
Blog RSS feed
Clear context and specific education for why an issue occurs and how to fix it should be by the developers’ side without leaving the development workflow. Sonar has your answer.
2年前
記事のアイキャッチ画像
Lesser spotted React mistakes: What are we even rendering?
Blog RSS feed
This series is dedicated to the small, but common pitfalls and errors you can encounter when writing React code.Whether an experienced JavaScript | TypeScript developer or just starting out, the results can be surprising.
2年前
記事のアイキャッチ画像
Cacti: Unauthenticated Remote Code Execution
Blog RSS feed
Learn how we discovered a critical vulnerability in Cacti with the help of SonarQube Cloud.
2年前
記事のアイキャッチ画像
SonarQube Server 9.8 is here!
Blog RSS feed
The latest version of SonarQube Server from Sonar has arrived. Check out what’s new in SonarQube Server 9.8 in this quick video and download it now.
2年前
記事のアイキャッチ画像
Develop Your Cloud Native Apps the Sustainable Way
Blog RSS feed
Application development using cloud native technologies is a game changer for developers. With a robust, maintainable codebase, they are positioned to do their best work. Learn how Sonar has the clean code game plan to perfectly complement your cloud native initiatives.
2年前
記事のアイキャッチ画像
Sonar @ Pwn2Own Toronto 2022
Blog RSS feed
Members of the Sonar Vulnerability Research team remotely participated in Pwn2Own Toronto 2022. This competition is quite special for us: we usually focus on code vulnerabilities in open-source web application projects.
2年前
記事のアイキャッチ画像
How to enable your development team to deliver Clean Code?
Blog RSS feed
Regardless of the company we work for, the project we contribute to, or our years of experience as individual developers or as a team, we inevitably make mistakes while coding. On average, a development team generates about 15 to 50 errors per 1,000 lines of delivered code.
2年前
記事のアイキャッチ画像
Scaling Clean Code Across the Enterprise
Blog RSS feed
Code is at the core of your software and dictates its behavior and performance. Clean code makes it easier for your development teams to introduce changes and enhancements to software because it is free of issues.
2年前
記事のアイキャッチ画像
What I learned from using SonarQube Server for the first time
Blog RSS feed
In this blog, I will share the story of how I got introduced to SonarQube Server and made use of it as a team lead. I will explain how it helped us improve our code, and also assisted me in growing a team of junior developers with a Clean Code companion by their side.
2年前
記事のアイキャッチ画像
Code Security Advent Calendar 2022
Blog RSS feed
The year is slowly coming to an end and it’s time again to look back and reflect on the great fun and achievements of the year. This is where we would like to thank our community and share a little gift, as we do every December since 2016.
2年前
記事のアイキャッチ画像
Lesser spotted React mistakes: Zombie methods
Blog RSS feed
This series is dedicated to the small, but common pitfalls and errors you can encounter when writing React code.Whether an experienced JavaScript | TypeScript developer or just starting out, the results can be surprising. Part 2.
2年前
記事のアイキャッチ画像
Doing More with Less in Uncertain Times
Blog RSS feed
Even though efficiency of all work processes is a goal of any business striving for success, it is even more of a challenge given the current economic climate. This bar shifts higher every day.
2年前
記事のアイキャッチ画像
Checkmk: Remote Code Execution by Chaining Multiple Bugs (3/3)
Blog RSS feed
This last article of the series determines how an attacker can chain two further vulnerabilities to fully take over a Checkmk server.
2年前
記事のアイキャッチ画像
A Look Back at KubeCon 2022
Blog RSS feed
The Sonar Team had a great time sponsoring KubeCon 2022 in Detroit. Read about our takeaways from the event...
2年前
記事のアイキャッチ画像
Checkmk: Remote Code Execution by Chaining Multiple Bugs (2/3)
Blog RSS feed
The second article of this series outlines how an attacker can leverage the ability to forge arbitrary LQL queries to gain access to the NagVis component.
2年前
記事のアイキャッチ画像
Checkmk: Remote Code Execution by Chaining Multiple Bugs (1/3)
Blog RSS feed
We discovered multiple vulnerabilities in Checkmk, which can be chained together by an unauthenticated, remote attacker to fully take over a vulnerable server.
2年前
記事のアイキャッチ画像
Beyond the Rules of Three, Five and Zero
Blog RSS feed
After examining the Rules of Three, Five, and Zero, part 2 of this series looks at the exceptions that prove the rule(s). Some of them may surprise you (no, really)!
2年前
記事のアイキャッチ画像
Bits from Hexacon 2022
Blog RSS feed
Our AppSec and Vulnerability Research teams had a great time at Hexacon 2022, here's what we enjoyed!
2年前
記事のアイキャッチ画像
Lesser spotted React mistakes: Hooked on a feeling
Blog RSS feed
This series is dedicated to the small, but common pitfalls and errors you can encounter when writing React code.Whether an experienced JavaScript | TypeScript developer or just starting out, the results can be surprising.
2年前
記事のアイキャッチ画像
SonarQube Server 9.7 is here!
Blog RSS feed
Check out what’s new in SonarQube Server 9.7 in this quick video.
2年前
記事のアイキャッチ画像
Remote Code Execution in Melis Platform
Blog RSS feed
We come back on a critical deserialization vulnerability identified by our SAST engine in the software Melis Platform. Let’s look at how it works under the hood and how we confirmed its exploitability.
2年前
記事のアイキャッチ画像
Bad code costs more than just your money
Blog RSS feed
Bad code doesn’t just disappear and the consequences of overlooking it can be costly.
2年前
記事のアイキャッチ画像
The Rules of Three, Five and Zero
Blog RSS feed
The Rule of Three was coined back in 1991. That expanded to the Rule of Five with C++11's move semantics - and even that was then subsumed by The Rule of Zero. But what are all these rules? And do we have to follow them?
2年前
記事のアイキャッチ画像
Five SonarQube Cloud features for developers that want Clean Code
Blog RSS feed
Whether you’re working on a new project or an existing one, you might think of Clean Code as an ideal, somewhere far out of reach. Let’s go over 5 key features that make SonarQube Cloud the perfect tool for developers and development teams to deliver Clean Code consistently and efficiently, without disrupting the existing development workflow.
2年前
記事のアイキャッチ画像
Securing Developer Tools: A New Supply Chain Attack on PHP
Blog RSS feed
What is your worst supply chain nightmare and why is it somebody that could take over all the PHP packages at once? Let's deep dive into how we could demonstrate it!
2年前
記事のアイキャッチ画像
Our journey toward accessibility
Blog RSS feed
When you think about your typical workday, how much time do you spend working on a computer? How hard would it be for you to perform your job if you did not have access to a computer?
2年前
記事のアイキャッチ画像
Securing Developer Tools: OneDev Remote Code Execution
Blog RSS feed
We recently discovered several vulnerabilities in OneDev 7.2.9 that allowed attackers to fully compromise a server and even break out of a Docker environment.
2年前
記事のアイキャッチ画像
Interview with a SonarSource Developer
Blog RSS feed
Curious about life as a Developer at SonarSource? Join us as we discuss changes in the world of programming, the importance of Security, and writing code with SonarQube Cloud Backend Developer Claire Villard.
2年前
記事のアイキャッチ画像
Why the Power of Clean Code is Important
Blog RSS feed
Clean Code—a term you may have casually used or heard before but may not have synthesized or internalized its true essence. In this post, learn what Clean Code is and why it matters.
2年前
記事のアイキャッチ画像
WordPress Core - Unauthenticated Blind SSRF
Blog RSS feed
Our security researchers were surprised to discover a low-hanging code vulnerability in WordPress Core that we will discuss in this blog post.
2年前
記事のアイキャッチ画像
You’re 3 minutes away from clean Java pull requests!
Blog RSS feed
In this blog, we demonstrate how you can get started with SonarQube Cloud in less than 3 minutes and ensure all new Java pull requests are clean, every time.
2年前
記事のアイキャッチ画像
Sonar Streamlines the Race to Release
Blog RSS feed
Knowing if your latest release candidate is built with clean code doesn’t have to be a guessing game. With Sonar at your side, you’ll know that every new line, every PR and every build is clean.
2年前
記事のアイキャッチ画像
Securing Developer Tools: Argument Injection in Visual Studio Code
Blog RSS feed
In the third part of our Securing Developer Tools series, we look at a critical vulnerability that affects one of the most popular code editors: Visual Studio Code.
2年前
記事のアイキャッチ画像
Security Implications of URL Parsing Differentials
Blog RSS feed
Our security research led to the discovery of a flaw in a popular Apache2 authentication module. We come back on this case of parsing differential and how various languages behave when working with URLs.
2年前
記事のアイキャッチ画像
Disclosing information with a side-channel in Django
Blog RSS feed
We recently found a vulnerability in Django that allows us to disclose sensitive information. Let’s review the root cause, exploiting technique, and patch.
2年前
記事のアイキャッチ画像
Remote Code Execution via Prototype Pollution in Blitz.js
Blog RSS feed
We recently discovered a Prototype Pollution vulnerability in Blitz.js leading to Remote Code Execution. Learn about this bug class and how to avoid it in your code!
2年前
記事のアイキャッチ画像
Unrar Path Traversal Vulnerability affects Zimbra Mail
Blog RSS feed
We discovered a vulnerability in Zimbra Enterprise Email that allows an unauthenticated, remote attacker fully take over Zimbra instances via a flaw in unrar.
2年前
記事のアイキャッチ画像
Zimbra Email - Stealing Clear-Text Credentials via Memcache injection
Blog RSS feed
We discovered flaws in Zimbra, an enterprise email solution, that allow attackers to steal credentials of users and gain access to their email accounts.
3年前
記事のアイキャッチ画像
Sonar’s analysis performance targets
Blog RSS feed
We've finally defined our own performance goals for analysis - so that we're no longer subjecting ourselves to apples-to-oranges comparisons with tools that may not have the same goals or outcomes. Now, we can clearly state what you can expect from analysis, and how long analysis of a project should take under standardized conditions.
3年前
記事のアイキャッチ画像
Horde Webmail - Remote Code Execution via Email
Blog RSS feed
We discovered vulnerabilities in Horde Webmail that allow an attacker to execute arbitrary code on Horde instances by having a victim open an email
3年前
記事のアイキャッチ画像
Path Traversal Vulnerabilities in Icinga Web
Blog RSS feed
We recently discovered two critical vulnerabilities in the IT monitoring dashboard Icinga Web. Let’s review their respective root cause and their patches!
3年前
記事のアイキャッチ画像
A C&C++ tour of SonarQube for IDE: Visual Studio Code
Blog RSS feed
VS Code has been gaining popularity for C and C++ development. We are happy to announce that finally, we will be able to help you write clean C and C++ code in VS Code.
3年前
記事のアイキャッチ画像
RainLoop Webmail - Emails at Risk due to Code Flaw
Blog RSS feed
We recently discovered a critical code vulnerability in RainLoop Webmail that allows attackers to steal all emails by sending a malicious mail.
3年前
記事のアイキャッチ画像
PHP Supply Chain Attack on PEAR
Blog RSS feed
For the second time in a year, we identified critical code vulnerabilities in a central component of the PHP supply chain. Let's dive into it!
3年前
記事のアイキャッチ画像
Clean Your Infrastructure Code with Sonar
Blog RSS feed
The norm for setting up your cloud-native app infrastructure is quickly becoming Infrastructure as Code (IaC). In this blog, we’ll cover how Sonar is the solution for safeguarding your IaC invoked infrastructure.
3年前
記事のアイキャッチ画像
Securing Developer Tools: Git Integrations
Blog RSS feed
With this series, we present the results of our research on the security of popular developer tools with the goal of making this ecosystem safer: today’s article revisits Git integrations.
3年前
記事のアイキャッチ画像
Securing Developer Tools: Package Managers
Blog RSS feed
Yarn, Pip, Composer & friends: Learn about 3 types of vulnerabilities we found in popular package managers that can be used by attackers to target developers.
3年前
記事のアイキャッチ画像
5 things to consider in performance comparisons
Blog RSS feed
When talking about static analysis and/or SAST performance comparisons - or really, comparisons of any kind of performance - what criteria do you consider? Maybe it was fast, but what did it accomplish? Here's what you ought to look at when you compare performance.
3年前
記事のアイキャッチ画像
Review your security vulnerabilities in GitHub with code scanning alerts
Blog RSS feed
We’re happy to announce that SonarQube Cloud integrates with GitHub code scanning! It’s available to everyone with a GitHub repository - private or public - independently of your SonarQube Cloud plan. If you have access to the feature on GiHub and your organization admin already accepted the update for the SonarQube Cloud app permissions, you’re all set! You should be able to start using the feature during your next code review.
3年前
記事のアイキャッチ画像
Horde Webmail 5.2.22 - Account Takeover via Email
Blog RSS feed
We recently discovered a code vulnerability in Horde Webmail that can be used by attackers to take over email accounts by sending a malicious email.
3年前
記事のアイキャッチ画像
Zabbix - A Case Study of Unsafe Session Storage
Blog RSS feed
In this article we discuss the security of client-side session storages and analyze a vulnerable implementation in the IT monitoring solution Zabbix.
3年前
記事のアイキャッチ画像
WordPress < 5.8.3 - Object Injection Vulnerability
Blog RSS feed
We discovered an interesting code vulnerability that could be used to bypass hardening mechanisms in the popular WordPress CMS.
3年前
記事のアイキャッチ画像
How to disable XXE processing?
Blog RSS feed
In this post, we will see how to completely disable external entities declaration and expansion, offering a quick and safe solution.
3年前
記事のアイキャッチ画像
Don't be afraid of XXE vulnerabilities: understand the beast and how to detect them
Blog RSS feed
Today XML External Entities (XXE) vulnerabilities are still ubiquitous, despite the fact that recommendations to protect against them have been an integral part of security standards for years. In this post, we will try to demystify XXE vulnerabilities and present the rule we put in place to help you detect and prevent them.
3年前
記事のアイキャッチ画像
WordPress 5.8.2 Stored XSS Vulnerability
Blog RSS feed
We reported a Stored XSS vulnerability in WordPress (CVE-2022-21662) which remained unpatched for more than 3 years and affected the wordpress.org website.
3年前
記事のアイキャッチ画像
Vulnerability Research Highlights 2021
Blog RSS feed
Our research team looks back at a great year and summarizes the highlights of their vulnerability research in 2021.
3年前
記事のアイキャッチ画像
Modernizing your code with C++20
Blog RSS feed
C++20 is here! It's a big release with many features designed to make your code easier, faster and safer. Let's see how the latest C++ analysis rules in SonarQube for IDE, SonarQube Server and SonarQube Cloud can help us modernize our code to take advantage of some of the new features.
3年前
記事のアイキャッチ画像
NodeBB 1.18.4 - Remote Code Execution With One Shot
Blog RSS feed
We recently discovered three interesting code vulnerabilities in NodeBB 1.18.4, allowing attackers to compromise servers. Find out about the details in this article!
3年前
記事のアイキャッチ画像
Code Security Advent Calendar 2021
Blog RSS feed
Our code security advent calendar is back for the sixth consecutive year. We will release daily challenges until December 24th, get ready to fill your bag of tricks!
3年前
記事のアイキャッチ画像
10 Unknown Security Pitfalls for Python
Blog RSS feed
In this blog post, we share 10 security pitfalls for Python developers that we encountered in real-world projects.
3年前
記事のアイキャッチ画像
Agent 008: Chaining Vulnerabilities to Compromise GoCD
Blog RSS feed
We discovered 3 more code vulnerabilities in the popular GoCD CI/CD system that can be chained by attackers to leak or modify internal code. Learn more in this blog post.
3年前
記事のアイキャッチ画像
SmartStoreNET - Malicious Message leading to E-Commerce Takeover
Blog RSS feed
Check out the details of a Cross-Site Scripting bug in the BBCode processing in SmartStoreNET and how it can be chained into arbitrary code execution!
3年前
記事のアイキャッチ画像
Agent 007: Pre-Auth Takeover of Build Pipelines in GoCD
Blog RSS feed
We recently discovered critical security issues in the popular CI/CD solution GoCD that can be exploited by unauthenticated attackers
3年前
記事のアイキャッチ画像
Meet the new project experience for SonarQube Cloud
Blog RSS feed
We are very pleased to announce that we have released a new project experience. It’s now available in SonarQube Cloud for all users. You’ll notice a few improvements the next time you open SonarQube Cloud.
3年前
記事のアイキャッチ画像
Squirrel Sandbox Escape allows Code Execution in Games and Cloud Services
Blog RSS feed
We discovered and reported a vulnerability in the Squirrel VM, written in C, that allows an attacker to escape the sandbox.
3年前
記事のアイキャッチ画像
Supercharge your C++ analysis with SonarQube for IDE for CLion
Blog RSS feed
This article talks about the powerful capabilities of the C++ analyzer with SonarQube for IDE and highlights some unique and interesting quality and security rules you might find useful. Through that lens, we demonstrate how you can leverage these rules to elevate your CLion built-in static analysis capabilities for your C++ projects.
3年前
記事のアイキャッチ画像
Modernize Code Quality with ‘Quick Fixes’
Blog RSS feed
Boost your productivity by automatically applying fixes to repair code quality issues in your IDE with SonarQube for IDE.
3年前
記事のアイキャッチ画像
Cachet 2.4: Code Execution via Laravel Configuration Injection
Blog RSS feed
We responsibly disclosed three vulnerabilities in the open-source status page Cachet, allowing attackers to take over instances. Here are all the details!
3年前
記事のアイキャッチ画像
Product portals open: we want your input
Blog RSS feed
We've recently opened up product portals on Productboard. You'll find them for SonarQube Server, SonarQube Cloud, and SonarQube for IDE. Each one shows the features we're currently working on, the ones we've released recently, and the ones we're planning.
3年前
記事のアイキャッチ画像
Ghost CMS 4.3.2 - Cross-Origin Admin Takeover
Blog RSS feed
We recently discovered an XSS vulnerability in the admin frontend of Ghost CMS 4.3.2. Find out the details and learn how to avoid such issues in your code!
3年前
記事のアイキャッチ画像
Compilation database: An alternative way to configure your C or C++ analysis
Blog RSS feed
Analyzing your C or C++ code requires, in addition to the source code, the configuration that is used to build the code. Historically we have provided a tool to automate the extraction of this information, called the build wrapper. Recently we introduced another way to configure your analysis, the compilation database. Learn more about the pros and cons of each option.
3年前
記事のアイキャッチ画像
elFinder - A Case Study of Web File Manager Vulnerabilities
Blog RSS feed
Our case study of elFinder 2.1.57 describes several critical code vulnerabilities commonly found in web file managers and how to patch them.
3年前
記事のアイキャッチ画像
Use 3rd-party plugins at your own risk
Blog RSS feed
If you're using 3rd-party plugins for SonarQube Server, you're obviously already aware of the benefits. With this blog post, we want to make sure you're also aware of the risks. Because there are risks.
3年前
記事のアイキャッチ画像
Launching ‘Secret Detection’ to keep your Cloud ‘Secrets’ safe
Blog RSS feed
Learn how developers can safeguard their cloud 'secrets' from publicly leaking and take charge of their Code Security with SonarQube for IDE.
3年前
記事のアイキャッチ画像
How Clean Code Practices Help You Retain Your Development Talent
Blog RSS feed
It can be challenging to maintain good coding vibes when your team or company often prioritizes feature delivery over code quality. If your developers are never allowed the time to work on new and exciting things they may eventually find somewhere else to bring their coding talents to.
3年前
記事のアイキャッチ画像
Zimbra 8.8.15 - Webmail Compromise via Email
Blog RSS feed
We discovered critical code issues in Zimbra, a popular enterprise webmail solution, that could lead to a compromise of all emails by an unauthenticated attacker.
3年前
記事のアイキャッチ画像
Clean As You Code essentials - What are Quality Profiles and Quality Gates?
Blog RSS feed
Learn how the functionality of Quality Profiles and Quality Gates come together to enable the SonarSource Clean As You Code methodology.
3年前
記事のアイキャッチ画像
Etherpad 1.8.13 - Code Execution Vulnerabilities
Blog RSS feed
We discovered two code execution vulnerabilities that affected Etherpad servers and data. Learn more about the technical details and how to avoid such coding issues.
3年前
記事のアイキャッチ画像
Enterprise-ready: Authentication & Authorization with SonarQube Server (LDAP, SSO & more)
Blog RSS feed
Discover how SonarQube Server can integrate with your existing enterprise setup (LDAP, SSO & co.) for user authentication and authorization.
3年前
記事のアイキャッチ画像
CiviCRM 5.22.0 - Code Execution Vulnerability Chain Explained
Blog RSS feed
We discovered critical code vulnerabilities in CiviCRM, a popular CRM plugin for Wordpress, Joomla and Drupal. Learn more about how to find and patch these issues.
3年前
記事のアイキャッチ画像
7 more reasons to upgrade to SonarQube Server 8.9 LTS
Blog RSS feed
SonarQube Server 8.9 LTS is here! Not every improvement could be mentioned in the release announcement, so check out these LTS easter eggs that make this the Best LTS Ever.
4年前
記事のアイキャッチ画像
Broken pipelines for everyone!
Blog RSS feed
With SonarQube Server 8.9 LTS, SonarSource has made failing the pipeline available for everyone, using any CI you want. But with great power comes ... well, you know. In this post you'll learn what went into the decision to make this available and what you'll want to watch out for when you use it.
4年前
記事のアイキャッチ画像
Grav CMS 1.7.10 - Code Execution Vulnerabilities
Blog RSS feed
We responsibly disclosed two code execution vulnerabilities in Grav CMS, one of the most popular flat-file PHP CMS in the market. Let’s see what we can learn from them and discuss their patches!
4年前
記事のアイキャッチ画像
NoSQL Injections in Rocket.Chat 3.12.1: How A Small Leak Grounds A Rocket
Blog RSS feed
We recently discovered vulnerabilities in Rocket.Chat, a popular team communications solution, that could be used to take over Rock.Chat instances.
4年前
記事のアイキャッチ画像
What to expect from JavaScript/TypeScript analysis on OWASP JuiceShop
Blog RSS feed
In April 2021, we updated our JavaScript and TypeScript SAST engines to explore more execution flows, increase performance and improve overall accuracy. It now goes far beyond what we did in the past for these languages. With this post, we’re going to tell you what you can expect for these languages, and more specifically which vulnerabilities can be detected.
4年前
記事のアイキャッチ画像
SonarQube Server 8.9 LTS: 3 steps to a smooth upgrade
Blog RSS feed
SonarQube Server 8.9 Long Term Support (LTS) is officially here! Check out this list of tips & tricks on how to upgrade your environment from start to finish.
4年前
記事のアイキャッチ画像
PHP Supply Chain Attack on Composer
Blog RSS feed
We recently discovered a vulnerability in Composer, the main package manager for PHP, and were able to use it to take over the central repository, packagist.org.
4年前
記事のアイキャッチ画像
WordPress 5.7 XXE Vulnerability
Blog RSS feed
In this blog post we analyze a XXE vulnerability that our analyzers discovered in WordPress, the most popular CMS, and what PHP 8 developers can learn from it.
4年前
記事のアイキャッチ画像
Code Vulnerabilities in NSA Application Revealed
Blog RSS feed
Our security research team discovered multiple code vulnerabilities in the NSA's Java application Emissary. Find out more about these issues and related attacks.
4年前
記事のアイキャッチ画像
Mono-repository support for Bitbucket Cloud now available for SonarQube Cloud!
Blog RSS feed
Last September, we announced that mono-repository support was added for GitHub and Azure DevOps Services. The good news is: mono-repository support is now also available for Bitbucket Cloud! See what it brings and how you can configure it in SonarQube Cloud.
4年前
記事のアイキャッチ画像
My Support Engineer Journey at SonarSource
Blog RSS feed
What does a Support Engineer do and how could it ever be interesting? Here we share more about a unique and rewarding journey in this role at SonarSource that will help you understand more about the job and opportunity.
4年前
記事のアイキャッチ画像
MyBB Remote Code Execution Chain
Blog RSS feed
Today SonarSource is pleased to share a guest contribution to our Code Security blog series about learnings from a chain of serious vulnerabilities in MyBB.
4年前
記事のアイキャッチ画像
Hack the Stack with LocalStack: Code Vulnerabilities Explained
Blog RSS feed
Our vulnerability researchers found critical code vulnerabilities in a popular Python application that can be exploited remotely, even when the application instance is hosted locally.
4年前
記事のアイキャッチ画像
Crafting regexes to avoid stack overflows
Blog RSS feed
Due to the way regular expression matching is implemented in Java (and many other languages/libraries), matching a pattern may - depending on the regex - require stack space proportional to the length of the input. This means large inputs could cause the program to crash with a `StackOverflowException` when you try to use the regex.
4年前
記事のアイキャッチ画像
Setting the right (regex) boundaries is important
Blog RSS feed
Regular expressions pack a lot of power into terse little packages and unfortunately that introduces a lot of room for error. This post talks about regex boundaries, another feature that can lead to bugs when used incorrectly, and a rule of ours that can help you avoid such issues. it also covers about complexity and maintainability in regular expressions and our rule to help you find regular expressions that are too complex.
4年前
記事のアイキャッチ画像
Regular expressions present challenges even for not-so-regular developers
Blog RSS feed
Regular expressions are a concise and powerful tool for processing text. However, they also come with a steep learning curve and plenty of opportunities to make mistakes. This is the first in a series of posts about some specific regex pitfalls.
4年前
記事のアイキャッチ画像
Code security: now there's a tool for developers
Blog RSS feed
Hey SonarQube Server and SonarQube Cloud users! You now have a tool to own Code Security! SonarSource has been hard at work for the last year to give you the tooling to review and improve your code security. We're glad to say that today you have at your fingertips unmatched precision and performance in SAST (Static Application Security Testing) analysis for five languages and counting.
4年前
記事のアイキャッチ画像
Code Security Advent Calendar 2020
Blog RSS feed
It's time to have some December fun! We have 24 little challenge gifts awaiting you that hide security vulnerabilities in real-world Java, C#, PHP and Python code. Can you spot the vulnerability?
4年前
記事のアイキャッチ画像
Make Code Quality & Security™ an integral part of your workflow
Blog RSS feed
SonarQube Server Developer Edition overlays Code Quality and Security™ right onto your projects. Your pull requests are automatically analyzed and decorated with a clear Go/No Go Quality Gate so you only merge clean, quality code! 👏
4年前
記事のアイキャッチ画像
How SonarQube Cloud finds bugs in high-quality Python projects
Blog RSS feed
As developers, there always comes a time when we find a bug in production and wonder how it passed all our quality checks. Let's go over a few Bugs we found with SonarQube Cloud and see why it is able to detect them when popular linters don't .
4年前
記事のアイキャッチ画像
Code vulnerabilities put health records at risk
Blog RSS feed
Recently, we discovered several code vulnerabilities in OpenEMR 5.0.2.1. A combination of these vulnerabilities allowed remote attackers to execute arbitrary system commands on any OpenEMR server that uses the Patient Portal component. This can lead to the compromise of sensitive patient data, or worse, to a compromise of critical infrastructure.
4年前
記事のアイキャッチ画像
Winning the race against TOCTOU vulnerabilities in C & C++
Blog RSS feed
Security is an eternal race between the techniques and technologies of attackers and those of the defenders. Today, I'm proud to announce a step forward for defenders with a new rule to detect a literal race condition: TOCTOU (or TOCTTOU) vulnerabilities, known in long-form as Time Of Check (to) Time Of Use.
4年前
記事のアイキャッチ画像
Mono-repository support for GitHub and Azure DevOps Services available now!
Blog RSS feed
Take a tour of SonarQube Cloud's integration with mono-repositories in GitHub and Azure DevOps Services. This new feature allows you to define multiple Quality Gates per project and receive multiple results in your pull requests.
4年前
記事のアイキャッチ画像
Pandora FMS 742: Critical Code Vulnerabilities Explained
Blog RSS feed
How code vulnerabilities in your web application can be the single point of failure for your IT infrastructure’s security.
4年前
記事のアイキャッチ画像
False positives are our enemies, but may still be your friends
Blog RSS feed
When writing a rule for static analysis, it’s possible that in some cases, the rule does not give the results that were expected. Unfortunately, naming a false positive is often far easier than fixing it. Learn how the different types of rules give rise to different types of false positives, which ones are easier to fix than others, and how you can help.
4年前
記事のアイキャッチ画像
Codoforum 4.8.7: Critical Code Vulnerabilities Explained
Blog RSS feed
We analyze the root cause of three critical security vulnerabilities that enabled a complete board take over, and how to correctly prevent these in your code.
4年前
記事のアイキャッチ画像
About the recent code leaks from SonarQube Server instances
Blog RSS feed
On July 27th 2020 we learned through media coverage that Till Kottmann was able to access non open-source source code from various companies. This is our public response to the incident.
4年前
記事のアイキャッチ画像
Take Control of Code Quality with SonarQube Server Pull Request Decoration in Your Workflow
Blog RSS feed
How do you write super clean code without disrupting your workflow? Join me as I show you how SonarQube Server Pull Request Decoration gets you there!
4年前
記事のアイキャッチ画像
Apache Kylin 3.0.1 Command Injection Vulnerability
Blog RSS feed
We discovered a severe command injection vulnerability in Apache Kylin that allows malicious users to execute arbitrary OS commands.
5年前
記事のアイキャッチ画像
SonarSource acquires RIPS Technologies
Blog RSS feed
Teams will be joining forces in building best-in-class Static Application Security Testing (SAST) products that help development teams and organizations deliver more secure software.
5年前
記事のアイキャッチ画像
Exploiting Hibernate Injections
Blog RSS feed
Hibernate is among one of the most commonly found database libraries used in Java web applications, shipping with its own query language. This technical post will teach you how to detect and exploit Hibernates very own vulnerability: The HQL Injection.
5年前
記事のアイキャッチ画像
What is 'taint analysis' and why do I care?
Blog RSS feed
In large systems, finding the bad actors is easier said than done. First you have to find all the places you accept data from users, and then you have to sanitize the data before you use it. The hard part is making sure you've found all the sources of user data and intervened before any kind of use. That's where taint analysis comes in.
5年前
記事のアイキャッチ画像
WordPress <= 5.2.3: Hardening Bypass
Blog RSS feed
This blog post details an authenticated Remote Code Execution (RCE) vulnerability in the WordPress core that bypasses hardening mechanisms. The vulnerability is present in the WordPress core in versions prior to 5.2.4
5年前
記事のアイキャッチ画像
Clean as You Code: How to win at Code Quality without even trying
Blog RSS feed
Analyzing a legacy project can be overwhelming. Learn how to Clean as You Code to make sure that the code you release into production tomorrow is at least as good as - and probably better than! - the code that's in production today.
5年前
記事のアイキャッチ画像
Backend SQL Injection in BigTree CMS 4.4.6
Blog RSS feed
BigTree is a small content management system which does not depend on many frameworks and advertises itself as user friendly and developer ready. In this blog post, we will take a look at a few vulnerabilities we have detected in the codebase of BigTree.
5年前
記事のアイキャッチ画像
Drive By RCE Exploit in Pimcore 6.2.0
Blog RSS feed
In this technical blog post we will examine how a drive by exploit in the Pimcore release 6.2.0 allows an attacker to execute OS commands.
5年前
記事のアイキャッチ画像
WooCommerce 3.6.4 - CSRF Bypass to Stored XSS
Blog RSS feed
WooCommerce is the most popular e-commerce plugin for WordPress with over 5 million installations. We detected a code vulnerability in the way WooCommerce handles imports of products.
5年前
記事のアイキャッチ画像
Bitbucket 6.1.1 Path Traversal to RCE
Blog RSS feed
In this blog post we analyse how the insecure extraction of a compressed TAR archive lead to a critical vulnerability in Bitbucket (CVE-2019-3397).
5年前
記事のアイキャッチ画像
SuiteCRM 7.11.4 - Breaking Into Your Internal Network
Blog RSS feed
In this blog post we will see how a vulnerable web application deployed in the internal network of your company can act as a charming entry gateway for any adversary.
5年前
記事のアイキャッチ画像
Pre-Auth Takeover of OXID eShops
Blog RSS feed
We detected a highly critical vulnerability in the OXID eShop software that allows unauthenticated attackers to takeover an eShop remotely in less than a few seconds - all on default configurations.
5年前
記事のアイキャッチ画像
TYPO3 9.5.7: Overriding the Database to Execute Code
Blog RSS feed
In this technical blog post we examine a critical vulnerability in the core of the TYPO3 CMS (CVE-2019-12747). A reliable exploit allows the execution of arbitrary PHP code on the underlying system as authenticated user.
5年前
記事のアイキャッチ画像
Magento 2.3.1: Unauthenticated Stored XSS to RCE
Blog RSS feed
This blog post shows how the combination of a HTML sanitizer bug and a Phar Deserialization in the popular eCommerce solution Magento <=2.3.1 lead to a high severe exploit chain. This chain can be abused by an unauthenticated attacker to fully takeover certain Magento stores and to redirect payments.
5年前
記事のアイキャッチ画像
dotCMS 5.1.5: Exploiting H2 SQL injection to RCE
Blog RSS feed
In this blog post we will show how to exploit a SQL injection vulnerability (CVE-2019-12872) found by RIPS Code Analysis in the popular java-based content management system dotCMS and how we escalated it to execute code remotely.
5年前
記事のアイキャッチ画像
MyBB <= 1.8.20: From Stored XSS to RCE
Blog RSS feed
This blog post shows how an attacker can take over any board hosted with MyBB prior to version 1.8.21 by sending a malicious private message to an administrator or by creating a malicious post. We use a chain of two security vulnerabilities detected in the code.
6年前
記事のアイキャッチ画像
The Hidden Flaws of Archives in Java
Blog RSS feed
Archives such as Zip, Tar, Jar or 7z are useful formats to collect and compress multiple files or directories in a container-like structure. However, the extraction of archives can introduce security risks which resulted in multiple critical vulnerabilities in popular applications in the past. In this post we explain the risk behind archive extraction and show how to securely extract archives in Java.
6年前
記事のアイキャッチ画像
The NeverEnding Story of writing a rule for argument passing in C++
Blog RSS feed
Here is a story of a rule, from concept to production. While the selected rule is for C++, this story contains interesting insight on the craft of rule development, no matter the target language.
6年前
記事のアイキャッチ画像
WordPress 5.1 CSRF to Remote Code Execution
Blog RSS feed
This blog post reveals another critical exploit chain for WordPress 5.1 that enables an unauthenticated attacker to gain remote code execution (CVE-2019-9787).
6年前
記事のアイキャッチ画像
Announcing the SonarQube Cloud Pipe for Bitbucket Cloud users!
Blog RSS feed
SonarSource is proud to be a launch partner of the Atlassian Bitbucket Pipes. Thanks to the SonarQube Cloud Scan Pipe, you can configure code analysis in your Bitbucket Pipeline in no time.
6年前
記事のアイキャッチ画像
WordPress 5.0.0 Remote Code Execution
Blog RSS feed
This blog post details how a combination of a Path Traversal and Local File Inclusion vulnerability lead to Remote Code Execution in the WordPress core (CVE-2019-8943). The vulnerability remained uncovered in the WordPress core for over 6 years.
6年前
記事のアイキャッチ画像
CTF Writeup: Complex Drupal POP Chain
Blog RSS feed
A recent Capture-The-Flag tournament hosted by Insomni’hack challenged participants to craft an attack payload for Drupal 7. This blog post will demonstrate our solution for a PHP Object Injection with a complex POP gadget chain.
6年前
記事のアイキャッチ画像
WordPress Privilege Escalation through Post Types
Blog RSS feed
A logic flaw in the way WordPress created blog posts allowed attackers to access features only administrators were supposed to have (CVE-2018-20152). This lead to a Stored XSS and Object Injection in the WordPress core and more severe vulnerabilities in WordPress’s most popular plugins Contact Form 7 and Jetpack.
6年前
記事のアイキャッチ画像
phpBB 3.2.3: Phar Deserialization to RCE
Blog RSS feed
A new PHP exploit technique affects the most famous forum software phpBB3. The vulnerability allows attackers who gain access to an administrator account to execute arbitrary PHP code and to take over the entire board (CVE-2018-19274).
6年前
記事のアイキャッチ画像
WordPress Design Flaw Leads to WooCommerce RCE
Blog RSS feed
WordPress Design Flaw Leads to WooCommerce RCEA flaw in the way WordPress handles privileges can lead to a privilege escalation in plugins. This affects for example the popular WooCommerce.
6年前
記事のアイキャッチ画像
PHP Object Injection
Blog RSS feed
A very common and critical vulnerability in PHP applications is PHP Object Injection. This blog post explains how they work and how they can lead to a full site takeover by remote attackers.
6年前
記事のアイキャッチ画像
Fully Automated Promotion Pipelines with SonarQube Server and Artifactory
Blog RSS feed
Catch builds constructed from poor quality code before they make it to production. Discover how to integrate Artifactory and SonarQube Server.
6年前
記事のアイキャッチ画像
My Journey Interviewing with SonarSource...
Blog RSS feed
What's it like to interview with SonarSource? Read on and find out!
6年前
記事のアイキャッチ画像
What is Phar Deserialization
Blog RSS feed
Last week a new exploitation technique for PHP applications was announced at the BlackHat USA conference. Find out everything you need to know in this blog post.
6年前
記事のアイキャッチ画像
Protect your code against injection vulnerabilities with SonarQube Cloud!
Blog RSS feed
Injection security vulnerabilities (OWASP-A1) can run scared, as latest SonarQube Cloud updates now provide advanced security checks to continuously detect them.
6年前
記事のアイキャッチ画像
WordPress File Delete to Code Execution
Blog RSS feed
In this blog post we introduce an authenticated arbitrary file deletion vulnerability (CVE-2018-20714) in the WordPress core that can lead to attackers executing arbitrary code.
6年前
記事のアイキャッチ画像
Evil Teacher: Code Injection in Moodle
Blog RSS feed
In this post we will examine the technical intrinsics of a critical vulnerability in the previous Moodle release (CVE-2018-1133).
7年前
記事のアイキャッチ画像
Import issues of your favorite linters in SonarQube Cloud!
Blog RSS feed
Over the past 2 weeks, the following new features were deployed on SonarQube Cloud: import of issues from external linters with built-in support for TypeScript projects, support for the Go language, graceful handling of username change, first version of the GitHub Application, new rules for Python, Java and Swift
7年前
記事のアイキャッチ画像
A Salesmans Code Execution: PrestaShop 1.7.2.4
Blog RSS feed
PrestaShop is one of the most popular e-commerce solutions. We detected a highly critical vulnerability that allows to execute arbitrary code on any installation with version <= 1.7.2.4. In this technical blog post we present the vulnerability and the exploitation technique that could have been misused by attackers (CVE-2018-20717).
7年前
記事のアイキャッチ画像
LimeSurvey 2.72.3 - Persistent XSS to Code Execution
Blog RSS feed
We detected two vulnerabilities in LimeSurvey < 2.72.3: An unauthenticated persistent cross-site scripting vulnerability (CVE-2017-18358) and an authenticated arbitrary file write vulnerability which can be chained.
7年前
記事のアイキャッチ画像
Joomla! 3.8.3: Privilege Escalation via SQL Injection
Blog RSS feed
Joomla! is one of the biggest players in the market of content management systems and the second most used CMS on the web. We discovered a second-order SQL injection (CVE-2018-6376) that could be used by attackers to leverage lower permissions and to escalate them into full admin permissions on Joomla! prior version 3.8.4.
7年前
記事のアイキャッチ画像
Why did my coverage just drop?!
Blog RSS feed
After an upgrade people are sometimes surprised to find that the next analysis of a project with no real changes shows a significant drop in coverage. Believe it or not, that really is a feature, not a bug, and it's called Executable Lines.
7年前
記事のアイキャッチ画像
CubeCart 6.1.12 - Admin Authentication Bypass
Blog RSS feed
CubeCart is an open source e-commerce solution. In one of our latest security analysis we found two flaws in this web application that allow an attacker to circumvent the authentication mechanism required to login as an administrator (CVE-2018-20716).
7年前
記事のアイキャッチ画像
Supporting analysis of .NET Core projects
Blog RSS feed
Support for SonarQube Server analysis of projects in the new MSBuild v15 format has been one of the features most requested by the Microsoft community, now it's done !
7年前
記事のアイキャッチ画像
Shopware 5.3.3: PHP Object Instantiation to Blind XXE
Blog RSS feed
Shopware is a popular e-commerce software that bases on Symfony, Doctrine and the Zend Framework. In this blog post we investigate the exploitation of a rare PHP object instantiation vulnerability (CVE-2017-18357).
7年前
記事のアイキャッチ画像
Joomla! 3.7.5 - Takeover in 20 Seconds with LDAP Injection
Blog RSS feed
Joomla! is one of the most popular content management systems. We detected a previously unknown LDAP injection vulnerability in the login controller that could allow remote attackers to leak the super user password and to fully take over any Joomla! installation.
7年前
記事のアイキャッチ画像
SugarCRM's Security Diet - Multiple Vulnerabilities
Blog RSS feed
SugarCRM is one of the most popular customer relationship management solutions. We uncovered critical security issues that could allow attackers to steal customer data or sensitive files from the server.
7年前
記事のアイキャッチ画像
How security flaws in PHP's core can affect your application
Blog RSS feed
Learn how memory corruption bugs in the PHP core itself can affect your PHP application.
7年前
記事のアイキャッチ画像
SonarCFamily Now Supports ARM Compilers
Blog RSS feed
For those not familiar with ARM (Advanced RISC Machine), let's start by sharing some numbers: in 2011, the 32-bit ARM architecture was the most widely used architecture in mobile devices and the most popular 32-bit one in embedded systems (see). Moreover in 2013, 10 billion were produced (see) and "ARM-based chips are found in nearly 60 percent of the world’s mobile devices" (see).
8年前
記事のアイキャッチ画像
Why mail() is dangerous in PHP
Blog RSS feed
Recently, many critical security vulnerabilities were fixed in popular PHP applications such as Roundcube, Wikimedia and Zend Framework that based on insecure usage of the PHP mail() function. In this post, we have a look at the common ground of these vulnerabilities and how to use mail() securely.
8年前
記事のアイキャッチ画像
Breaking the SonarQube Server Analysis with Jenkins Pipelines
Blog RSS feed
One of the most requested feature regarding SonarQube Server Scanners is the ability to fail the build when quality level is not at the expected level. We have this built-in concept of quality gate in SonarQube Server, and we used to have a BuildBreaker plugin for this exact use case. But starting from version 5.2, aggregation of metrics is done asynchronously on SonarQube Server side. It means build/scanner process would finish successfully just after publishing raw data to the SonarQube Server, without waiting for the aggregation to complete.
8年前
記事のアイキャッチ画像
osClass 3.6.1: Remote Code Execution via Image File
Blog RSS feed
In this blog post, we present a beautiful chain of vulnerabilities which, in the end, allows an attacker to remotely execute arbitrary PHP code in the open source marketplace software osClass 3.6.1 used for creating classifieds sites.
8年前
記事のアイキャッチ画像
Cognitive Complexity, Because Testability != Understandability
Blog RSS feed
Cyclomatic Complexity works very well for measuring testability, but not for maintainability. That's why we're introducing Cognitive Complexity, which you'll begin seeing in upcoming versions of our language analyzers.
8年前
記事のアイキャッチ画像
Roundcube 1.2.2: Command Execution via Email
Blog RSS feed
In this post, we show how a malicious user can remotely execute arbitrary commands on the underlying operating system, simply by writing an email in Roundcube 1.2.2 (>= 1.0). This vulnerability is highly critical because all default installations are affected.
8年前
記事のアイキャッチ画像
We Are Adjusting Rules Severities
Blog RSS feed
With the release of SonarQube Server 5.6, we introduced the SonarQube Server Quality Model, which pulls Bugs and Vulnerabilities out into separate categories to give them the prominence they deserve. Now we're tackling the other half of the job: "sane-itizing" rule severities, because not every bug is Critical.
8年前
記事のアイキャッチ画像
SonarAnalyzer for C#: The Rule Engine You Want to Use
Blog RSS feed
If you’ve been following the releases of the Scanner for MsBuild and the C# plugin over the last two years, you must have noticed that we significantly improved our integration with the build tool and at the same time added a lot of new rules. Also, we introduced SonarQube for IDE: Visual Studio, a new tool to analyze code inside the IDE. With these steps completed we are deprecating the SonarQube Server ReSharper plugin to be able to provide a consistent, high-level experience among our tools.
8年前
記事のアイキャッチ画像
Bugs and Vulnerabilities are 1st Class Citizens in SonarQube Server Quality Model along with Code Smells
Blog RSS feed
In SonarQube Server 5.5 we adopted an evolved quality model, the SonarQube Server Quality Model, that takes the best from SQALE and adds what was missing. In doing so, we've highlighted project risks while retaining technical debt.
9年前
記事のアイキャッチ画像
Why You Shouldn't Use Build Breaker
Blog RSS feed
There have been some heated discussions recently about the Build Breaker plugin... SonarSource doesn't want to continue the feature. The community has come to see it as a must have... So I'd like to explain why at SonarSource we no longer think it should be used.
9年前
記事のアイキャッチ画像
Analysis of Visual Studio Solutions with the SonarQube Server Scanner for MSBuild
Blog RSS feed
At the end of April 2015 during the Build Conference, Microsoft and SonarSource Announced SonarQube Server integration with MSBuild and Team Build. Today, half a year later, we’re releasing the SonarQube Server Scanner for MSBuild 1.0.2. But what exactly is the SonarQube Server Scanner for MSBuild? Let’s find out!
9年前
記事のアイキャッチ画像
Water Leak Changes the Game for Technical Debt Management
Blog RSS feed
A few months ago, at the end of a customer presentation about “The Code Quality Paradigm Change”, I was approached by an attendee who said, “I have been following SonarQube Server & SonarSource for the last 4-5 years and I am wondering how I could have missed the stuff you just presented. Where do you publish this kind of information?”. I told him that it was all on our blog and wiki and that I would send him the links. Well...
9年前
記事のアイキャッチ画像
Unit Test Execution in SonarQube Server
Blog RSS feed
Starting with Java Ecosystem version 2.2 (compatible with SonarQube Server version 4.2+), we no longer drive the execution of unit tests during Maven analysis. Dropping this feature seemed like such a natural step to us that we were a little surprised when people asked us why we'd taken it.
10年前
記事のアイキャッチ画像
Three options for pre-commit analysis
Blog RSS feed
As a quality-first focus becomes increasingly important in modern software development, more and more developers are asking how to find new issues before they check their code in. For some of you, it's a point of pride. For others, it's a question of keeping management off your back, and for still others it's simply a matter of not embarrassing yourself publicly. Fortunately, the SonarQube Server developers (being developers themselves) understand the problem and have come up with three different ways of dealing with it: the Eclipse plugin, the IntelliJ plugin, and the Issues Report plugin.
11年前
記事のアイキャッチ画像
Already 158 Checkstyle and PMD rules deprecated by SonarQube Server Java rules
Blog RSS feed
Already 158 Checkstyle and PMD rules deprecated by SonarQube Server Java rules
11年前
記事のアイキャッチ画像
Everything's a component
Blog RSS feed
Something occurred to me recently that I wanted to share. Sometimes I'm late to the party, so this may have been obvious to you all along, but it didn't jump out at me at first, so I thought it might be worth talking about. It's the fact that the Views plugin turns a project into just another component.
11年前
記事のアイキャッチ画像
Differentials: Four ways to see what's changed
Blog RSS feed
After a Sonar analysis, it's easy to see your project's current state - just browse to the project dashboard and it's laid out for you. Want details? Just start clicking. But it's not always enough to know where you are. Sometimes, you need to know where you are in comparison to where you've been.
12年前
記事のアイキャッチ画像
Customizing Sonar to Fit Your Needs
Blog RSS feed
Sonar is a super-radiator for code quality and as such, you can expect it brings value to all stakeholders in a development group. To achieve this, Sonar must be able to show only relevant information in a certain context and shut off the noise to facilitate investigation and decision making. In this post, I will show how to customize Sonar to fit your needs by:
12年前
記事のアイキャッチ画像
Manage Duplicated Code with Sonar
Blog RSS feed
If you use Sonar already, I am sure that you know already the worse of all 7 developer's deadly sins:And if you don't, I would assume you know about duplicated / cloned / similar code when you talk about quality of code and that you have heard of tools such PMD CPD or Simian.But why does copy paste matters from a code quality point of view? How can you benefit from Sonar to improve this? Let’s try to figure this out.
13年前
記事のアイキャッチ画像
Effective Code Review with Sonar
Blog RSS feed
At SonarSource, we like eating our own dog food as much as possible. This is not always the case in software development, but in our case since we develop software for software companies, we can do it. We therefore have an instance of Sonar that analyses all our products daily.
13年前
記事のアイキャッチ画像
SQALE, the ultimate Quality Model to assess Technical Debt
Blog RSS feed
Six months ago, we would never have believed that one day we would be happy and excited to write about the implementation of a Quality Model in Sonar. Indeed the Quality Models that we knew at the time (most of them are based on ISO 9126 standard) are complex, expensive to implement, can be understood only by an elite of quality experts and are not fun at all.
14年前
記事のアイキャッチ画像
Detect Dead Code and Calls to Deprecated Methods with Sonar Squid
Blog RSS feed
Up to version 2.1, Sonar was relying only on external coding rules engines such as Checkstyle, PMD and Findbugs to report violations on Java applications. But since version 2.1, Sonar also provides its own rules engine to work on Java dependencies. This rules engine is based on Squid and three rules are currently available :
15年前
記事のアイキャッチ画像
Securing access to projects in Sonar
Blog RSS feed
When used out-of-the-box, Sonar is a code quality radiator accessible by everyone at anytime. Like for JIRA, Hudson, a post-it dashboard or any other piece of the development toolset transparency is a key success factor for adoption. So, by default in Sonar, anyone can access any project under continuous inspection and navigate through it.
15年前
記事のアイキャッチ画像
Sonar to identify security vulnerabilities
Blog RSS feed
During the last few months, Sonar has definitely become the leading Open Source Platform to manage Java code quality. The objective to democratize access to code quality is becoming concrete. However when analyzing source code, quality is only one aspect of things...
15年前
記事のアイキャッチ画像
Reuse in Sonar unit test reports generated by other systems
Blog RSS feed
Reuse in Sonar unit test reports generated by other systems
16年前
記事のアイキャッチ画像
Using quality profiles in Sonar
Blog RSS feed
Last month, Sonar 1.6 was released. The main feature of the new version is the ability to manage quality profiles. The purpose of this post is to explain what gap the functionality fills, to define what is a quality profile and to explain how to use it.Prior to Sonar 1.6, it was only possible to run analysis with one set of defined coding rules per instance of Sonar. It means that within an instance of Sonar, it was not possible to process differently various types of projects (legacy application, technical libraries, new projects, ...). They were all analyzed with the same set of rules. Therefore there was sometimes unnecessary noise around the quality data that made it difficult to see quickly what real action was required. Sonar 1.6 turns off this noise by allowing to define and simultaneously use several quality profiles.
16年前
記事のアイキャッチ画像
What makes Checkstyle, PMD, Findbugs and Macker complementary ?
Blog RSS feed
There is often some misunderstanding when people talk about coding rules engines. Everyone tries to take position in favor of his preferred tool and does his best to explain what are the weaknesses of the other ones.
16年前
記事のアイキャッチ画像
Discussing Cyclomatic Complexity
Blog RSS feed
Googling on Cyclomatic Complexity (CC), gives some interesting results... Among those results, you'll find the two following definitions :
16年前
記事のアイキャッチ画像
Is 80% of code coverage any good ?
Blog RSS feed
When talking about source code quality, there are always voices to tell you that metrics mean nothing and that plenty of projects have great metrics and poor quality! Let's look at one particular metric: the code coverage by unit tests.
16年前