Blog RSS feed
https://www.sonarsource.com
Sonar’s industry-leading solution enables developers and development teams to write clean code and remediate existing code organically.
Feed
How to Trust AI Contributions to Your Codebase
In a world where AI generates code, code ownership and trust become increasingly obscure. Many enterprises already find this situation untenable, and they are looking for ways to solve it. But where do you start?
5 days ago
Our commitment to you – and an update on severity ratings for software quality
The speed of software development and product delivery is increasing for organizations everywhere – including here at Sonar. In this blog, we decided to put our guiding engineering principles in writing and share them with you.
6 days ago
Sanitize Client-Side: Why Server-Side HTML Sanitization is Doomed to Fail
HTML sanitization has long been touted as a solution to prevent malicious content injection. However, this approach faces numerous challenges. In this blog post, we'll explore the limitations of server-side HTML sanitization and discuss why client-side sanitization is the better approach.
14 days ago
The Power of Taint Analysis: Uncovering Critical Code Vulnerability in OpenAPI Generator
This blog post explains how taint analysis tracks all data flows in an application’s source code to unveil deeply hidden vulnerabilities and showcases a critical vulnerability in the OpenAPI Generator discovered by SonarQube Cloud.
1 month ago
Why Code Security Matters - Even in Hardened Environments
This blog post showcases why fundamental code security is essential for an application despite all hardening measures applied in the underlying infrastructure.
1 month ago
Announcing Sonar Support for Dart: Elevate Your Code Quality
Sonar now supports the Dart programming language.
1 month ago
SonarQube Server 10.7 Release Announcement
Sonar introduces powerful AI-driven features, expanded support for new and existing languages and frameworks, and deeper security, all to elevate your code quality. These updates bring significant advancements for developers and teams.
1 month ago
Instant Code Fixes at Your Fingertips: Announcing Sonar AI CodeFix
Sonar AI CodeFix is a powerful capability that suggests code fixes for issues discovered by our code analysis solutions, SonarQube Server and SonarQube Cloud.
2 months ago
Building Confidence and Trust in AI-Generated Code
Sonar AI Code Assurance is a robust and streamlined process for validating AI-generated code through a structured and comprehensive analysis.
2 months ago
Top Security Flaws hiding in your code right now - and how to fix them
Let's examine the three most common injection attack types—SQL injection, Deserialization Injection, and Logging Injection—and discuss ways to prevent them.
2 months ago
ISO 27001 Importance
Security standards such as ISO 27001 are crucial for businesses as they offer a structured framework for managing and safeguarding sensitive information.
2 months ago
Basic HTTP Authentication Risk: Uncovering pyspider Vulnerabilities
pyspider uses the convenient “basic HTTP authentication” method, but browsers don’t take the extra step to protect users from CSRF attacks. Learn more about how SonarQube Cloud detected 2 vulnerabilities in this open-source project.
3 months ago
How to Choose an LLM in Software Development
With so many Large Language Models (LLMs) out there, selecting the right LLM is crucial for any organization looking to integrate AI into its operations.
3 months ago
SonarQube Cloud or SonarQube Server, What's Right for Your Team?
Learn about the similarities and key differences between SonarQube Cloud and SonarQube Server and which one is best for your use case.
3 months ago
Sonar Founder Olivier Gaudin at QCon London 2024
Olivier Gaudin discusses the value of quality, secure code from the start at a top industry software conference. Check out his talk!
3 months ago
Front-End Frameworks: When Bypassing Built-in Sanitization Might Backfire
Modern JavaScript front-end frameworks protect your application from XSS vulnerabilities by automatically escaping untrusted content. This built-in protection can be bypassed intentionally, which should be done with great care.
3 months ago
How Sonar Helps Meeting NIST SSDF Code Security Requirements
Sonar’s solutions, including SonarQube for IDE, SonarQube Server, and SonarQube Cloud, help you meet NIST SSDF code security requirements and enhance overall code quality. Find out how.
3 months ago
Government Emails at Risk: Critical Cross-Site Scripting Vulnerability in Roundcube Webmail
Sonar’s R&D team discovered a Cross-Site Scripting vulnerability in Roundcube. Similar vulnerabilities in Roundcube have been used by APTs to steal government emails.
3 months ago
Now Introducing, SonarQube Cloud Enterprise and SonarQube Cloud Team
We are excited to expand our SonarQube Cloud offering with the availability of two new plans, SonarQube Cloud Enterprise and SonarQube Cloud Team.
4 months ago
What Code Issues Caused the CrowdStrike Outage?
This blog post takes a look at the potential code issues behind the recent global CrowdStrike outage.
4 months ago
ASP.NET Core Web Apps
Sonar recently added new rules for ASP.NET WebAPI and ASP.NET MVC. In this blog post, we discuss the details of these frameworks within ASP.NET Core and how Sonar’s solutions help keep your ASP.NET web apps clean and free of issues.
4 months ago
G2 Review Static Code Analysis | Sonar Named a Leader in Grid Report
G2 has once again ranked Sonar #1 in Static Code Analysis in the Summer 2024 Grid Report. In addition to leading the pack in each of the Enterprise, Mid-Market, and Small Business segments for Static Code Analysis, Sonar was also named a leader in the Static Application Security Testing (SAST) category.
4 months ago
AutoConfig: C++ Code Analysis Redefined
Abbas Sabra covers a groundbreaking technology: AutoConfig for C and C++. It automates the normally complex setup process, making project setup a breeze. AutoConfig is designed to make code analysis free of complications, bringing Clean Code to the fingertips of every C and C++ developer.
4 months ago
Encoding Differentials: Why Charset Matters
The absence of charset information seems to be a minor issue for a web application. This blog post explains why this is a false assumption and highlights the critical security implications.
4 months ago
Securing Developer Tools: Unpatched Code Vulnerabilities in Gogs (2/2)
Learn about critical code vulnerabilities we discovered in Gogs, a source code hosting solution. This follow-up covers how less severe flaws can still have a critical impact.
4 months ago
Using and Understanding SonarQube Server for Code Coverage
One critical metric to gauge the effectiveness of your code testing efforts is code coverage. SonarQube Server, a powerful static code analysis solution, integrates seamlessly with code coverage tools, empowering developers to write cleaner, more secure, and thoroughly tested code.
4 months ago
Securing Developer Tools: Unpatched Code Vulnerabilities in Gogs (1/2)
We discovered 4 critical code vulnerabilities in Gogs, a source code hosting solution, which are still unpatched. Read about the details and how to protect yourself.
5 months ago
The True Cost of Bad Code in Software Development
Despite advances in technology and methodologies, the costs associated with fixing bad code continue to escalate, impacting businesses financially and operationally. But what is bad code, what are the clear markers of its negative impact, and how can organizations overcome it?
5 months ago
SonarQube Server 10.6 Release Announcement
The 10.6 release of SonarQube Server includes some significant changes, such as autoscaling in Kubernetes, AutoConfig for C and C++ projects, support for running in a FIPS-enforced environment, the ability to set rule priority to uphold your coding standards, easy setup of monorepos, monitoring of the time it takes to upgrade, and expanded library coverage for AI/ML developers.
5 months ago
Green Coding with Clean Code - A Recap of ecoCode Challenge Paris 2024
ecoCode Challenge Paris represents an opportunity to unite innovation and sustainable coding. As a proud sponsor, we are excited to see how SonarQube Server is empowering developers to prioritize environmental sustainability in their projects.
5 months ago
Re-moo-te Code Execution in Mailcow: Always Sanitize Error Messages
Our research team discovered two vulnerabilities in mailcow, an email server solution. Attackers could compromise an instance, impersonate users, and steal emails.
5 months ago
Integrating SonarQube Cloud with Amazon CodeCatalyst for Code Analysis
Sonar recently announced the integration of SonarQube Cloud with Amazon CodeCatalyst. This blog post guides you through integrating SonarQube Cloud, a cloud-based Clean Code solution, with Amazon CodeCatalyst.
5 months ago
An Open Letter to Sonar[Qube] Users
Sonar’s new President of Field Operations introduces herself and reiterates the company's continued commitment to enabling organizations to succeed.
5 months ago
mXSS: The Vulnerability Hiding in Your Code
XSS is a well-known bug class, but a lesser-known yet effective variant called mXSS has emerged over the last couple of years. In this blog, we will cover the fundamentals of this XSS variant and examine how you can protect against it.
6 months ago
Sonar Named Leader in G2 Spring Report
We are excited to share that the G2 Spring 2024 reports were recently released, and once again, Sonar has been named the LEADER in Static Code Analysis!
6 months ago
Find Deeply Hidden Security Vulnerabilities with Deeper SAST by Sonar
This post delves into an actual Jenkins vulnerability to understand the intricacies of deeper SAST for detecting deeply hidden code vulnerabilities. It illustrates how deeper SAST works and explains its impact on keeping your code clean and free of these serious issues.
6 months ago
Parallel Code Security: The Challenge of Concurrency
Parallelism has been around for decades, but it is still a source of critical vulnerabilities today. This blog post details a severe vulnerability in the remote desktop gateway Apache Guacamole, highlighting the security risks of parallelism.
6 months ago
Code Interoperability: The Hazards of Technological Variety
The rapid development of different technologies doesn’t come without risks. This blog post details a critical vulnerability in the remote desktop gateway Apache Guacamole, which showcases the challenges of code interoperability.
6 months ago
Leveraging SonarQube Server, SonarQube Cloud, and SonarQube for IDE for Effective Shift Left Practices
Speed and quality are no longer trade-offs in the modern software landscape - they're a tightly interwoven dance. That's where the "Shift Left" philosophy comes in, urging us to move critical checks and balances like code quality analysis earlier in the development lifecycle.
7 months ago
Driving DevOps Transformation: Leveling Up CI/CD with Static Code Analysis
Unit and end-to-end testing are effective in ensuring features and functionality work properly, but what about code quality? How can we ensure that our code is reliable, maintainable, and secure? Enter static code analysis.
7 months ago
Legacy Codebases are a DevOps Issue
Explore how DevOps principles and practices can transform the challenge of managing legacy code into an opportunity for improvement. This piece outlines actionable strategies for refactoring, the importance of automation, and adopting a 'Clean as You Code' approach to ensure sustainable code quality and efficiency.
7 months ago
SonarQube Server 10.5 Release Announcement
The 10.5 release of SonarQube Server includes support for Java 21, C++23, and TypeScript 5.4. Secrets detection analysis is faster, and deeper SAST coverage has increased. Project onboarding is simpler for monorepos, Maven, and GitHub Actions. Read on to find out about these and much more.
7 months ago
Dangerous Import: SourceForge Patches Critical Code Vulnerability
Our Vulnerability Research team discovered a critical code vulnerability in SourceForge, which attackers could have used to poison deployed files and spread malware to millions of users.
7 months ago
AI-Generated Code Demands ‘Trust, But Verify’ Approach to Software Development
Pairing the "trust, but verify" approach with the power of Sonar’s Clean Code solutions enables organizations to be confident that their AI-generated code is high-quality, maintainable, reliable, and secure.
7 months ago
C# Logging
Are you writing logging code in your app? Logging correctly can be tricky. It is an important part of tracking the progress of your app while it runs and determining the origin of problems when they arise. In this blog post, Denis Troller walks you through common pitfalls and logging best practices when coding in C# with .NET.
7 months ago
Ensuring the right usage of Java 21 new features
In September 2023, Java 21 was released as the latest LTS (Long-Term Support) version. But taking advantage of the changes and new features, which we are not used to including in our code, can be a tough task. It can also lead to improper use, poor uptake, bugs, or simply not taking full advantage of the new improvements.
8 months ago
Apache Dubbo Consumer Risks: The Road Not Taken
Explore the lesser-known Apache Dubbo risks that weren’t well documented until now, and delve into the importance of clean code in ensuring clarity, maintainability, and comprehensibility.
8 months ago
Technical debt’s impact on development speed and code quality
By acknowledging the impact of technical debt and embracing proactive solutions like Sonar, development teams can mitigate its effects and build software that is resilient, reliable, and scalable.
8 months ago
DORA Compliance for Financial Entities
Leveraging Sonar solutions to ensure code security by design.
8 months ago
Micro Services, Major Headaches: Detecting Vulnerabilities in Erxes' Microservices
Our vulnerability researchers discovered critical vulnerabilities in Erxes with the help of SonarQube Cloud. Learn about the details and how to triage such issues in your own code!
8 months ago
__dirname is back in Node.js with ES modules
Node.js is reducing friction when using ES modules by making it easier to get the current module's directory name.
8 months ago
#CleanCodeTips: Unlock Your Coding Potential
As software development evolves, keeping up with best practices and the latest trends, and ensuring your code remains top-notch, can feel like sailing uncharted waters. Sonar has the Clean Code tips for you!
8 months ago
Reply to calc: The Attack Chain to Compromise Mailspring
Learn how an attacker can combine multiple security vulnerabilities to achieve arbitrary code execution on a victim who tries to reply to or forward a malicious mail in Mailspring.
8 months ago
Are You Ready For PCI DSS 4.0?
PCI DSS 3.2.1 is being retired on March 31, 2024. Are you ready for the new standard, PCI DSS 4.0?
8 months ago
Increase readability with Java's Pattern Matching
Increase readability, reduce cognitive complexity, and avoid bugs that are hard to spot with Java's Pattern Matching.
8 months ago
OpenNMS Vulnerabilities: Securing Code against Attackers’ Unexpected Ways
Learn which unexpected paths attackers may take to exploit code vulnerabilities and how to secure against them.
9 months ago
White House emphasizes need for proactive coding practices to counter cyber attacks
The recent ONCD report puts a spotlight on one of the most foundational issues that result in insecure software. Sonar applauds the administration’s call for addressing software vulnerabilities at the programming language and source code levels.
9 months ago
Sonar Reaffirms Strength of its Information Security Management Systems by Earning The Latest ISO Certification, ISO27001:2022
As part of our continuously advancing and improving security practice, we are pleased to announce that Sonar and its products are now certified to the latest version of the ISO 27001 standard.
9 months ago
How timely delivery comes from transparent outsourced software development communication
Ineffective communication impacts everything in software development. To ensure your next project meets expectations, transparent communication is essential for driving timely delivery when working with internal and external development teams.
9 months ago
Builders, Withers, and Records - Java’s path to immutability
We know that immutable objects are easier to maintain, lead to fewer errors, and are multi-thread friendly. This article will show two different approaches to creating objects, Builders and Withers, along with a new type of immutable object in Java: Records.
9 months ago
Joomla: PHP Bug Introduces Multiple XSS Vulnerabilities
Our Clean Code solution, SonarQube Cloud, led us to a severe security issue in the popular Content Management System Joomla.
9 months ago
Union, intersection, difference, and more are coming to JavaScript Sets
The JavaScript Set was introduced to the language in the ES2015 spec, but it has always seemed incomplete. That's about to change with the addition of functions like intersection, union, and difference.
9 months ago
Write cleaner React code with SonarQube Server 10.4
SonarQube Server 10.4 was recently released, and it includes 48 new rules and one updated rule to help you write clean code in your React applications.
9 months ago
New Web API V2
We are modernizing our Web API. In this post, Aurélien Poscia explains how and why.
9 months ago
Building the foundation for a strong AI future
Sonar is honored to participate in the newly established U.S. Artificial Intelligence Safety Institute Consortium (AISIC) effort and is excited to join other leaders at the forefront of AI development.
9 months ago
5 Risks of Outsourcing Software Development and How to Avoid Them
Outsourcing software development requires a clear understanding of the potential risks. In this blog, we discuss five risks of this widely adopted strategy and provide tactics to minimize risk in delivered software.
9 months ago
SonarQube Server 10.4 Release Announcement
The SonarQube Server 10.4 release includes some exciting changes that show the benefit of Clean Code and the Clean as You Code methodology. Scan times are faster and connecting to SonarQube for IDE is easier. Sonar is introducing easy onboarding for GitLab, new support for Helm Charts, and much more.
9 months ago
Pitfalls of Desanitization: Leaking Customer Data from osTicket
The dangerous Desanitization pattern led to an XSS vulnerability in the open-source helpdesk software osTicket, which can be used to leak customer data.
9 months ago
Juliet C# Benchmark and the SecureString case
Juliet C# is a project from the National Institute of Standards and Technology of the USA. As a security benchmark project, we used Juliet C# 1.3 to test and improve our C# analyzer. Here is a glimpse of the work we did around Juliet and some of its test cases related to the SecureString .NET type.
10 months ago
Who are you? The Importance of Verifying Message Origins
This blog post highlights the importance of verifying the origin of JavaScript message events and outlines the potential impact of omitting this by detailing two critical vulnerabilities in the Squidex application.
10 months ago
Excessive Expansion: Uncovering Critical Security Vulnerabilities in Jenkins
This blog uncovers two vulnerabilities, one of Critical and one of High severity, recently discovered by our research team. By exploiting these vulnerabilities, attackers could gain Remote Code Execution on a Jenkins instance.
10 months ago
Blazor
Sonar is helping make C# code clean as Microsoft ASP.NET Core Blazor application development grows.
10 months ago
Lessons learned upgrading to React 18 in SonarQube Server
We share the three biggest issues we faced and the lessons we learned as we upgraded SonarQube Server to React 18.
10 months ago
Vulnerability Research Highlights 2023
Our Vulnerability Research team looks back at a great year and summarizes the highlights of 2023.
10 months ago
Sonar's Scoring on the Top 3 Python SAST Benchmarks
We're excited to share not only how Sonar performs on Python benchmarks but also the ground truth corresponding to the list of expected and not-so-expected issues.
1 year ago
2024 DevOps Predictions from the Sonar Developer Advocate Team
The Developer Advocate team shares their predictions on what they foresee for DevOps trends and hot topics in 2024.
1 year ago
2024 Security Predictions from the Sonar Research Team
Reflecting on changes in the industry over the past year, as well as the research we’ve published, the Sonar Vulnerability Research team came together and compiled our thoughts on what we foresee for cybersecurity in 2024.
1 year ago
Sonar @ Black Hat Europe!
Last week, several SonarSourcers traveled to London to attend our third Black Hat event of the year. Here's what happened!
1 year ago
pfSense Security: Sensing Code Vulnerabilities with SonarQube Cloud
Our Clean Code solution SonarQube Cloud discovered multiple vulnerabilities leading to remote code execution on pfSense CE 2.7.0. Let's see how SonarQube Cloud found them and how it can keep your code clean.
1 year ago
Spring framework pitfalls
The Spring framework offers a lot of help during development, but we still have to pay attention and use it correctly in order to avoid some issues.
1 year ago
Stop nesting ternaries in JavaScript
Nesting ternary operators makes code more complex and less clear. Let's investigate other ways to write conditional expressions.
1 year ago
Unraveling the Costs of Bad Code in Software Development
Not only does bad code cost companies millions of dollars, but countless hours of lost time, productivity, and brand reputation too. By acknowledging the existence of bad code and implementing proactive measures to mitigate its impact, developers and organizations can steer software toward success.
1 year ago
Secrets Detection
What are hard-coded secrets? Why do you care if secrets are hidden in your code? How does Sonar help prevent secrets from getting into your code, entering your repository, and leaking out from your CI/CD pipeline? In this post, Product Manager Alex Gigleux answers all your questions.
1 year ago
Sonar is “On the Radar”: New Omdia Report
Omdia — an analyst firm that provides decades of industry experience, world-class research and consultancy, and actionable insights in over 200 markets — has published research about Sonar, our solutions, and our recent innovations in deeper SAST and zero-configuration automatic analysis for C/C++. The research digs into why Sonar should be on your radar and also looks at the market view and Sonar's current positioning.
1 year ago
Visual Studio Code Security: Finding New Vulnerabilities in the NPM Integration (3/3)
It's time to wrap up our series on the security of Visual Studio Code with new vulnerabilities in the NPM integration, bypassing the Workspace Trust security feature.
1 year ago
Top issues in Java projects
Let's dig into the projects that use Java and see, according to SonarQube for IDE telemetry, that lots of issues still appear across the huge list of analyzed projects.
1 year ago
SonarQube Server 10.3 Release Announcement
The new SonarQube Server 10.3 release is out now, including Secrets Detection at the Source, Clean Code Taxonomy & Clean as You Code Updates, Automate Provisioning GitHub Projects and Teams, 2023 CWE Top 25 Report, the Blazor Framework, and Stronger Security.
1 year ago
Visual Studio Code Security: Markdown Vulnerabilities in Third-Party Extensions (2/3)
We took a look at the security of the most popular code editor, Visual Studio Code! This blog post covers vulnerabilities our researchers discovered in third-party extensions.
1 year ago
Sonar's Scoring on the Top 3 C# SAST Benchmarks
1 year ago
Visual Studio Code Security: Deep Dive into Your Favorite Editor (1/3)
We took a look at the security of the most popular code editor, Visual Studio Code! This blog post covers common risks and attack surfaces so you know what to expect when using it.
1 year ago
Linux Foundation Chat: Open Source & Clean Code
Linux Foundation Executive Director Jim Zemlin joins Sonar Founder and co-CEO Olivier Gaudin to discuss Clean Code, open-source development, cybersecurity, and more!
1 year ago
9 Steps to get the most out of your SonarQube Cloud Trial
To maximize the benefits of your SonarQube Cloud trial, it's essential to approach the trial with a clear plan. Start a 14-day trial for your private projects & repositories completely free to get all the features of the application that you would get with a paid subscription.
1 year ago
Shifting Right for Secure Platforms and DevOps
Dev tooling is not only helping shift issues left; the tools also help identify issues that happen later, or to the right, in the development lifecycle, such as detecting secrets before they go into production or platform configuration issues.
1 year ago
Highlights from Hexacon 2023
Last week, members of our AppSec and Vulnerability Research teams attended Hexacon in Paris to learn, share, and network. Read more about our highlights.
1 year ago
What is Clean Code?
If you’ve followed us for a while, you most likely noticed that we changed the way we describe what we do. It feels like in the last couple of years, we finally managed to settle on what we had been looking for from the beginning: Clean Code. But what is Clean Code, and what does it encompass?
1 year ago
Security Vulnerabilities in CasaOS
We recently uncovered two critical code vulnerabilities in the personal cloud system CasaOS. Let's see what we can learn from them.
1 year ago
Java SAST Benchmarks: why you shouldn't trust them blindly
1 year ago
ISMG Interview - Securing Applications, Accelerating DevOps with Clean Code
Sonar founder and co-CEO, Olivier Gaudin, sits down with ISMG's Tom Field at Black Hat USA 2023 to discuss how development can be improved to avoid security issues.
1 year ago
Why I’m passionate about Static Analysis and how I helped make it better
1 year ago
A comprehensive guide to the dangers of Regular Expressions in JavaScript
A deep investigation into regular expression denial of service (ReDoS) vulnerabilities in JavaScript.
1 year ago
Unzipping Dangers: OpenRefine Zip Slip Vulnerability
Extracting archives can be very dangerous. Read more about a critical Zip Slip vulnerability SonarQube Cloud detected in the open-source application OpenRefine.
1 year ago
Sonar's Scoring on the Top 3 Java SAST Benchmarks
Enhancing SAST Detection: Sonar's Scoring on the Top 3 Java SAST Benchmarks
1 year ago
Source Code at Risk: Critical Code Vulnerability in CI/CD Platform TeamCity
Our Vulnerability Research team discovered a critical vulnerability in the popular CI/CD server TeamCity, which attackers could use to steal source code and poison build artifacts.
1 year ago
5 Clean Code Tips for Reducing Cognitive Complexity
Understanding how Cognitive Complexity works will help guide you on where to focus your time. This blog dives into how this Sonar-exclusive metric was formulated to accurately measure the relative understandability of methods.
1 year ago
Remote Code Execution in Tutanota Desktop due to Code Flaw
Our Research team discovered critical code vulnerabilities in Proton Mail, Skiff, and Tutanota. This post covers an XSS vulnerability in Tutanota Desktop and how it can be prevented.
1 year ago
The new JDK LTS is out! Long live JDK 21!
Let's check what the new Java JDK 21 LTS brings.
1 year ago
Enhancing Software Development Practices through SonarQube Server: A Path to Continuous Learning
With SonarQube Server, organizations can readily deploy workflows integrated directly into their pipelines to build on their teams’ skill sets and create resiliency to new risks.
1 year ago
Typing your JavaScript without writing TypeScript
TypeScript already understands JavaScript, but you can get more out of it when you add types to your JavaScript with JSDoc or TypeScript declaration files.
1 year ago
Code Vulnerabilities Put Skiff Emails at Risk
Our Research team discovered critical code vulnerabilities in Proton Mail, Skiff, and Tutanota. This post covers the technical details of the XSS vulnerability in Skiff.
1 year ago
Security Guy TV Interview - Going Deeper with SAST and Clean Code
Sonar CEO Olivier Gaudin and Head of Research and Development Johannes Dahse meet with Security Guy TV’s Chuck Harold to discuss deeper SAST and the importance of Clean Code.
1 year ago
Get the benefits of TypeScript in your JavaScript
Let's dive into what you can do to get more and more of TypeScript's benefits in your JavaScript projects.
1 year ago
Introducing SonarQube Server 10.2: Setting New Standards in Code Quality and Security
Discover the new features in SonarQube Server 10.2!
1 year ago
Code Vulnerabilities Put Proton Mails at Risk
The Sonar Research team discovered critical code vulnerabilities in Proton Mail, Skiff, and Tutanota. This post covers the technical details of the XSS vulnerability in Proton Mail.
1 year ago
Playing Dominos with Moodle's Security (2/2)
Our security researchers recently discovered two critical vulnerabilities in Moodle that leverage bugs which are not impactful on their own.
1 year ago
Enhancing SAST Detection: Leveraging Benchmarks for Measuring Progress
Enhancing Static Application Security Testing (SAST): leveraging benchmarks to track our progress.
1 year ago
Playing Dominos with Moodle's Security (1/2)
Our security researchers recently discovered two critical vulnerabilities in Moodle that leverage bugs which are not impactful on their own.
1 year ago
BlackHat 2023: Hackers, Casinos, and an Exciting Announcement
The Sonar team of developers is just returning from their trip to Las Vegas, where they attended BlackHat USA 2023. If you were not able to make it, here is what you missed.
1 year ago
What is deeper SAST in JavaScript?
What is SAST, what does deeper SAST mean, and how does this apply to your JavaScript and TypeScript applications?
1 year ago
Patches, Collisions, and Root Shells: A Pwn2Own Adventure
We dive into the technical details of the vulnerabilities we identified as part of last year's Pwn2Own competition.
1 year ago
No, C++ static analysis does not have to be painful
No, C and C++ static analysis does not have to mean difficult configuration and pain. We explain how Sonar has made the impossible possible with one-click analysis for projects hosted on GitHub: free automatic analysis of C and C++ projects.
1 year ago
WeAreDevelopers 2023 - what did you miss?
The Sonar team of developers is just returning from their trip to Berlin, where they attended WeAreDevelopers 2023. If you were not able to make it, here is what you missed.
1 year ago
Uncovering hidden security vulnerabilities with deeper SAST
Uncovering security vulnerabilities is particularly challenging because these issues can be complex and deeply hidden when your code uses and interacts with third-party dependency code. We are excited to share more about a major breakthrough in our detection of deeply hidden security vulnerabilities that traditional tools cannot detect.
1 year ago
Working with Multiple Code Variants in C++
Multiple variants of C++ codebases at build time are a necessary evil on most projects - even if that's just debug and release. This has always made analysis more complex. But now, with first-class support in SonarQube Server, multiple code variants are easier to analyze and understand.
1 year ago
A Twist in the Code: OpenMeetings Vulnerabilities through Unexpected Application State
Unexpected application states are often overlooked and can introduce severe security vulnerabilities. Read more about this real-world example.
1 year ago
New Research from Sonar on Cost of Technical Debt
New original research from Sonar puts a spotlight on the millions of dollars that businesses lose when they fail to implement an optimal approach for software development.
1 year ago
How Sonar Developer Advocates got started in their careers
Interviews with Sonar’s Developer Advocates on their careers and what Clean Code means to them.
1 year ago
Why SonarQube Server 9.9 LTS is a must-have for PHP Developers
PHP analysis gets faster and better with new rules, fixed false positives, and much more in SonarQube Server 9.9 LTS.
1 year ago
TROOPERS 2023 Conference Takeaways
Read about our key takeaways from TROOPERS 2023, including our favorite talks and our overall experience during the two-day conference.
1 year ago
TyphoonCon 2023 Wrap Up
Last week, our Vulnerability Researchers traveled to TyphoonCon 2023 in Seoul to present their talk "Patches, collisions and root shells: a Pwn2Own Adventure".
1 year ago
Why ORMs and Prepared Statements Can't (Always) Win
We always assume prepared statements and ORMs are enough to protect us from SQL injection, but be careful not to misuse their APIs! Let's look into a real-world case and see what we can learn from it.
1 year ago
Why SonarQube Server 9.9 LTS is a must-have for JavaScript and TypeScript Developers
Read about the new features of SonarQube Server 9.9 LTS which help JavaScript and TypeScript developers write Clean Code.
1年前
SonarQube Server 10.1 Release
Blog RSS feed
Smoother centralized access management with GitHub, multiple code variant analysis for C/C+, a big coverage boost in Java security, and more in the latest from SonarQube Server.
1年前
Smarter Together: Fostering a culture of collaboration and growth at Sonar
Blog RSS feed
The Sonar culture is the shared vision, mission, values, and behaviors that make up our day-to-day experience at Sonar. Our goal as an organization is that our culture will unite and motivate SonarSourcers to work and grow together and achieve company goals while creating meaningful benevolent relationships. Discover more about our Smarter Together core value in this blog post.
1年前
Sonar at JSNation 2023 in Amsterdam
We take a look at our highlights from JSNation 2023 in Amsterdam, including our favourite talks, memorable conversations and key takeaways.
1 year ago
What Mr. Miyagi can teach you about writing Clean Code
Just like it's not enough for Mr. Miyagi to simply practice karate, it's not enough for Sonar to find and fix issues when guiding developers to practice Clean Code. Developers should be able to find, understand, and fix issues to write Clean Code optimally.
1 year ago
Why SonarQube Server 9.9 LTS is a must-have for Java developers
Explore the game-changing features of SonarQube Server 9.9 LTS, empowering Java developers to write Clean Code with enhanced speed and precision.
1 year ago
Hands on with the Node.js test runner
Node.js released an experimental test runner in version 18 and made that test runner stable in version 20. What does that mean for us as JavaScript developers?
1 year ago
Reflections from OffensiveCon 2023
Our Vulnerability Researchers are just returning from their trip to Berlin, where they attended OffensiveCon 2023! Here's what they loved about the event.
1 year ago
Sonar and HashiCorp Partner to Deliver Clean Terraform Code & Good Vibes
Learn about the Sonar - HashiCorp partnership and the SonarQube Cloud Terraform Cloud integration.
1 year ago
Pimcore: One click, two security vulnerabilities
We discovered two vulnerabilities in Pimcore that could be chained together in one GET request to achieve RCE.
2 years ago
Is Clean Code the solution to Jupyter notebook code quality?
Is Clean Code the solution to Jupyter notebook code quality?
2 years ago
ES2023 introduces new array copying methods to JavaScript
There are new array methods in JavaScript, and they are here to make our programs more predictable and maintainable.
2 years ago
CNCF Silver membership
Sonar becomes a Silver member of the Cloud Native Computing Foundation.
2 years ago
Why SonarQube Server 9.9 LTS is a must-have for Python developers
Learn about the changes in SonarQube Server 9.9 LTS that help Python developers write Clean Code.
2 years ago
Weird Python: 5 Unexpected Behaviors in the Python Interpreter
Five ways in which Python's interpreter behaves in ways that you wouldn't expect.
2 years ago
Reflections from DevNexus, the largest Java conference in the U.S.A.
Reflections from DevNexus, the largest Java conference in the U.S.A.
2 years ago
Interview with Sonar Python Developers Part 2
Latest Python developments. Interview with Python developers from Sonar.
2 years ago
Odoo: Get your Content Type right, or else!
What do we need content types for anyway? Let's look into how an incorrect content type led to a real-world vulnerability in Odoo, CVE-2023-1434.
2 years ago
Interview with Sonar Python Developers Part 1
Why should I learn the Python language? When should I use Python? Is the tooling around Python development mature?
2 years ago
Sonar Compiler Explorer: Write clean C++ code inside your browser
Sonar ❤️ Compiler Explorer: Write clean C++ code inside your browser
2 years ago
Pretalx Vulnerabilities: How to get accepted at every conference
We recently discovered two vulnerabilities in pretalx and found a generic technique to gain code execution from a file write.
2 years ago
Another 9 reasons to upgrade to SonarQube Server 9.9 LTS
SonarQube Server 9.9 LTS is here! We're back with another 9 reasons you should prioritise upgrading as soon as possible.
2 years ago
How bad code destroys developer velocity
When bad code gets overlooked, it can create lasting problems and ultimately impact developer productivity and velocity.
2 years ago
Announcing SonarQube Server 10.0
Learn what features - like faster first analysis and better user management with SCIM - are available to you and your teams in SonarQube Server 10.0!
2 years ago
It’s a (SNMP) Trap: Gaining Code Execution on LibreNMS
Our researchers discovered a vulnerability in LibreNMS which could be exploited by attackers to gain RCE by sending a single SNMP trap.
2 years ago
Sonar is the Clean Code solution for your DevOps workflow
Clean Code from Sonar aims to streamline your DevOps workflow so that your organization can yield the best possible results from your software.
2 years ago
Your Guide to Clean Code in Cloud Native Apps
Companies are adopting cloud native practices because it puts their core business first and affords them speed and efficiency advantages over the competition. However, reaping these rewards requires a solid, sustainable foundation - a Clean Code foundation.
2 years ago
The top 5 common TypeScript issues found by SonarQube for IDE
We crunched the data from SonarQube for IDE to discover the top 5 most common TypeScript issues. This is a summary of the top 5.
2 years ago
Cloud native features in SonarQube Server 9.9 LTS
The best LTS ever - SonarQube Server v9.9 - packed together a lot of new features and functionality. Read more to learn about the cloud native, IaC and serverless analysis capabilities included in the LTS.
2 years ago
9 more reasons to upgrade to SonarQube Server 9.9 LTS
SonarQube Server 9.9 LTS is here! Not every improvement could be mentioned in the release announcement, so check out these LTS easter eggs that make this the Best LTS Ever.
2 years ago
Common TypeScript Issues Nº 1: assignments within sub-expressions
We crunched the data from SonarQube for IDE to discover the top 5 most common TypeScript issues. In this 5-part series, we outline each issue and how to avoid it.
2 years ago
Celebrating International Women's Day with the women of Sonar
Sonar is celebrating International Women's Day (March 8) with interviews from women across our many teams about their careers in technology.
2 years ago
SonarQube Server LTS Upgrade Checklist
A checklist to help you upgrade to SonarQube Server LTS.
2 years ago
Common TypeScript Issues Nº 2: non-empty statements
We crunched the data from SonarQube for IDE to discover the top 5 most common TypeScript issues. In this 5-part series, we outline each issue and how to avoid it.
2 years ago
Empowering weak primitives: file truncation to code execution with Git
Let's dive into how a seemingly minor code vulnerability can hide a critical impact!
2 years ago
The Best Approach to Writing Secure Cloud Native Apps
With Sonar and the Clean as You Code methodology, developers can directly impact the security of the cloud native apps they create.
2 years ago
Common TypeScript Issues Nº 3: unused local variables and functions
We crunched the data from SonarQube for IDE to discover the top 5 most common TypeScript issues. In this 5-part series, we outline each issue and how to avoid it.
2 years ago
Increase developer velocity today with Clean as You Code
The Clean as You Code methodology allows developers to keep working on new and interesting projects without sacrificing quality or getting bogged down in refactoring legacy code.
2 years ago
We are Sonar!
Culture is a key aspect of working at Sonar. It is our binding agent; it is what we value, what we believe in, the way we work, and the way we interact. It is what makes us SonarSourcers!
2 years ago
Common TypeScript Issues Nº 4: Don't create and drop objects immediately
We crunched the data from SonarQube for IDE to discover the top 5 most common TypeScript issues. In this 5-part series, we outline each issue and how to avoid it.
2 years ago
SonarQube Server 9.9 LTS
Big year, big announcement – the most anticipated SonarQube Server 9.9 Long-Term-Support release is here! Check out this post for all the details.
2 years ago
Common TypeScript Issues Nº 5: Optional property declarations
We crunched the data from SonarQube for IDE to discover the top 5 most common TypeScript issues. In this 5-part series, we outline each issue and how to avoid it.
2 years ago
OpenEMR - Remote Code Execution in your Healthcare System
We recently discovered three vulnerabilities that allow arbitrary code execution on OpenEMR. Let’s see what we can learn from them and discuss their patches!
2 years ago
Vulnerability Research Highlights 2022
Our research team looks back at a great year and summarizes the highlights of their vulnerability research in 2022.
2 years ago
Level up your team's skills as they code
Clear context and specific education for why an issue occurs and how to fix it should be by the developers’ side without leaving the development workflow. Sonar has your answer.
2 years ago
Lesser spotted React mistakes: What are we even rendering?
This series is dedicated to the small but common pitfalls and errors you can encounter when writing React code. Whether you are an experienced JavaScript | TypeScript developer or just starting out, the results can be surprising.
2 years ago
Cacti: Unauthenticated Remote Code Execution
Learn how we discovered a critical vulnerability in Cacti with the help of SonarQube Cloud.
2 years ago
SonarQube Server 9.8 is here!
The latest version of SonarQube Server from Sonar has arrived. Check out what’s new in SonarQube Server 9.8 in this quick video and download it now.
2 years ago
Develop Your Cloud Native Apps the Sustainable Way
Application development using cloud native technologies is a game changer for developers. With a robust, maintainable codebase, they are positioned to do their best work. Learn how Sonar has the clean code game plan to perfectly complement your cloud native initiatives.
2 years ago
Sonar @ Pwn2Own Toronto 2022
Members of the Sonar Vulnerability Research team remotely participated in Pwn2Own Toronto 2022. This competition is quite special for us: we usually focus on code vulnerabilities in open-source web application projects.
2 years ago
How to enable your development team to deliver Clean Code?
Regardless of the company we work for, the project we contribute to, or our years of experience as individual developers or as a team, we inevitably make mistakes while coding. On average, a development team generates about 15 to 50 errors per 1,000 lines of delivered code.
2 years ago
Scaling Clean Code Across the Enterprise
Code is at the core of your software and dictates its behavior and performance. Clean code makes it easier for your development teams to introduce changes and enhancements to software because it is free of issues.
2 years ago
What I learned from using SonarQube Server for the first time
In this blog, I will share the story of how I got introduced to SonarQube Server and made use of it as a team lead. I will explain how it helped us improve our code, and also assisted me in growing a team of junior developers with a Clean Code companion by their side.
2 years ago
Code Security Advent Calendar 2022
The year is slowly coming to an end and it’s time again to look back and reflect on the great fun and achievements of the year. This is where we would like to thank our community and share a little gift, as we have every December since 2016.
2 years ago
Lesser spotted React mistakes: Zombie methods
This series is dedicated to the small but common pitfalls and errors you can encounter when writing React code. Whether you are an experienced JavaScript | TypeScript developer or just starting out, the results can be surprising. Part 2.
2 years ago
Doing More with Less in Uncertain Times
Even though efficiency of all work processes is a goal of any business striving for success, it is even more of a challenge given the current economic climate. This bar shifts higher every day.
2 years ago
Checkmk: Remote Code Execution by Chaining Multiple Bugs (3/3)
This last article of the series shows how an attacker can chain two further vulnerabilities to fully take over a Checkmk server.
2 years ago
A Look Back at KubeCon 2022
The Sonar Team had a great time sponsoring KubeCon 2022 in Detroit. Read about our takeaways from the event...
2 years ago
Checkmk: Remote Code Execution by Chaining Multiple Bugs (2/3)
The second article of this series outlines how an attacker can leverage the ability to forge arbitrary LQL queries to gain access to the NagVis component.
2 years ago
Checkmk: Remote Code Execution by Chaining Multiple Bugs (1/3)
We discovered multiple vulnerabilities in Checkmk which can be chained together by an unauthenticated, remote attacker to fully take over a vulnerable server.
2 years ago
Beyond the Rules of Three, Five and Zero
After examining the Rules of Three, Five, and Zero, part 2 of this series looks at the exceptions that prove the rule(s). Some of them may surprise you (no, really)!
2 years ago
Bits from Hexacon 2022
Our AppSec and Vulnerability Research teams had a great time at Hexacon 2022; here's what we enjoyed!
2 years ago
Lesser spotted React mistakes: Hooked on a feeling
This series is dedicated to the small but common pitfalls and errors you can encounter when writing React code. Whether you are an experienced JavaScript | TypeScript developer or just starting out, the results can be surprising.
2 years ago
SonarQube Server 9.7 is here!
Check out what’s new in SonarQube Server 9.7 in this quick video.
2 years ago
Remote Code Execution in Melis Platform
We revisit a critical deserialization vulnerability identified by our SAST engine in the software Melis Platform. Let’s look at how it works under the hood and how we confirmed its exploitability.
2 years ago
Bad code costs more than just your money
Bad code doesn’t just disappear, and the consequences of overlooking it can be costly.
2 years ago
The Rules of Three, Five and Zero
The Rule of Three was coined back in 1991. That expanded to the Rule of Five with C++11's move semantics - and even that was then subsumed by the Rule of Zero. But what are all these rules? And do we have to follow them?
2 years ago
Five SonarQube Cloud features for developers that want Clean Code
Whether you’re working on a new project or an existing one, you might think of Clean Code as an ideal, somewhere far out of reach. Let’s go over 5 key features that make SonarQube Cloud the perfect tool for developers and development teams to deliver Clean Code consistently and efficiently, without disrupting the existing development workflow.
2 years ago
Securing Developer Tools: A New Supply Chain Attack on PHP
What is your worst supply chain nightmare, and why is it somebody that could take over all the PHP packages at once? Let's deep dive into how we could demonstrate it!
2 years ago
Our journey toward accessibility
When you think about your typical workday, how much time do you spend working on a computer? How hard would it be for you to perform your job if you did not have access to a computer?
2 years ago
Securing Developer Tools: OneDev Remote Code Execution
We recently discovered several vulnerabilities in OneDev 7.2.9 that allowed attackers to fully compromise a server and even break out of a Docker environment.
2 years ago
Interview with a SonarSource Developer
Curious about life as a Developer at SonarSource? Join us as we discuss changes in the world of programming, the importance of Security, and writing code with SonarQube Cloud Backend Developer Claire Villard.
2 years ago
Why the Power of Clean Code is Important
Clean Code: a term you may have casually used or heard before but may not have synthesized or internalized its true essence. In this post, learn what Clean Code is and why it matters.
2 years ago
WordPress Core - Unauthenticated Blind SSRF
Our security researchers were surprised to discover a low-hanging code vulnerability in WordPress Core, which we will discuss in this blog post.
2 years ago
You’re 3 minutes away from clean Java pull requests!
In this blog, we demonstrate how you can get started with SonarQube Cloud in less than 3 minutes and ensure all new Java pull requests are clean, every time.
2 years ago
Sonar Streamlines the Race to Release
Knowing if your latest release candidate is built with clean code doesn’t have to be a guessing game. With Sonar at your side, you’ll know that every new line, every PR and every build is clean.
2 years ago
Securing Developer Tools: Argument Injection in Visual Studio Code
In the third part of our Securing Developer Tools series, we look at a critical vulnerability that affects one of the most popular code editors: Visual Studio Code.
2 years ago
Security Implications of URL Parsing Differentials
Our security research led to the discovery of a flaw in a popular Apache2 authentication module. We revisit this case of parsing differential and how various languages behave when working with URLs.
2 years ago
Disclosing information with a side-channel in Django
We recently found a vulnerability in Django that allows us to disclose sensitive information. Let’s review the root cause, exploitation technique, and patch.
2 years ago
Remote Code Execution via Prototype Pollution in Blitz.js
We recently discovered a Prototype Pollution vulnerability in Blitz.js leading to Remote Code Execution. Learn about this bug class and how to avoid it in your code!
2 years ago
Unrar Path Traversal Vulnerability affects Zimbra Mail
We discovered a vulnerability in Zimbra Enterprise Email that allows an unauthenticated, remote attacker to fully take over Zimbra instances via a flaw in unrar.
2 years ago
Zimbra Email - Stealing Clear-Text Credentials via Memcache injection
We discovered flaws in Zimbra, an enterprise email solution, that allow attackers to steal credentials of users and gain access to their email accounts.
2 years ago
Sonar’s analysis performance targets
We've finally defined our own performance goals for analysis - so that we're no longer subjecting ourselves to apples-to-oranges comparisons with tools that may not have the same goals or outcomes. Now, we can clearly state what you can expect from analysis, and how long analysis of a project should take under standardized conditions.
2 years ago
Horde Webmail - Remote Code Execution via Email
We discovered vulnerabilities in Horde Webmail that allow an attacker to execute arbitrary code on Horde instances by having a victim open an email.
2 years ago
Path Traversal Vulnerabilities in Icinga Web
We recently discovered two critical vulnerabilities in the IT monitoring dashboard Icinga Web. Let’s review their respective root causes and their patches!
3 years ago
A C&C++ tour of SonarQube for IDE: Visual Studio Code
VS Code has been gaining popularity for C and C++ development. We are happy to announce that finally, we will be able to help you write clean C and C++ code in VS Code.
3 years ago
RainLoop Webmail - Emails at Risk due to Code Flaw
We recently discovered a critical code vulnerability in RainLoop Webmail that allows attackers to steal all emails by sending a malicious mail.
3 years ago
PHP Supply Chain Attack on PEAR
For the second time in a year, we identified critical code vulnerabilities in a central component of the PHP supply chain. Let's dive into it!
3 years ago
Clean Your Infrastructure Code with Sonar
The norm for setting up your cloud-native app infrastructure is quickly becoming Infrastructure as Code (IaC). In this blog, we’ll cover how Sonar is the solution for safeguarding your IaC-invoked infrastructure.
3 years ago
Securing Developer Tools: Git Integrations
With this series, we present the results of our research on the security of popular developer tools with the goal of making this ecosystem safer: today’s article revisits Git integrations.
3 years ago
Securing Developer Tools: Package Managers
Yarn, Pip, Composer & friends: Learn about 3 types of vulnerabilities we found in popular package managers that can be used by attackers to target developers.
3 years ago
5 things to consider in performance comparisons
When talking about static analysis and/or SAST performance comparisons - or really, comparisons of any kind of performance - what criteria do you consider? Maybe it was fast, but what did it accomplish? Here's what you ought to look at when you compare performance.
3 years ago
Review your security vulnerabilities in GitHub with code scanning alerts
We’re happy to announce that SonarQube Cloud integrates with GitHub code scanning! It’s available to everyone with a GitHub repository - private or public - independently of your SonarQube Cloud plan. If you have access to the feature on GitHub and your organization admin has already accepted the update for the SonarQube Cloud app permissions, you’re all set! You should be able to start using the feature during your next code review.
3 years ago
Horde Webmail 5.2.22 - Account Takeover via Email
We recently discovered a code vulnerability in Horde Webmail that can be used by attackers to take over email accounts by sending a malicious email.
3 years ago
Zabbix - A Case Study of Unsafe Session Storage
In this article we discuss the security of client-side session storage and analyze a vulnerable implementation in the IT monitoring solution Zabbix.
3 years ago
WordPress < 5.8.3 - Object Injection Vulnerability
We discovered an interesting code vulnerability that could be used to bypass hardening mechanisms in the popular WordPress CMS.
3 years ago
How to disable XXE processing?
In this post, we will see how to completely disable external entity declaration and expansion, offering a quick and safe solution.
3 years ago
Don't be afraid of XXE vulnerabilities: understand the beast and how to detect them
Today, XML External Entity (XXE) vulnerabilities are still ubiquitous, despite the fact that recommendations to protect against them have been an integral part of security standards for years. In this post, we will try to demystify XXE vulnerabilities and present the rule we put in place to help you detect and prevent them.
3 years ago
WordPress 5.8.2 Stored XSS Vulnerability
We reported a Stored XSS vulnerability in WordPress (CVE-2022-21662) which remained unpatched for more than 3 years and affected the wordpress.org website.
3 years ago
Vulnerability Research Highlights 2021
Our research team looks back at a great year and summarizes the highlights of their vulnerability research in 2021.
3 years ago
Modernizing your code with C++20
C++20 is here! It's a big release with many features designed to make your code easier, faster and safer. Let's see how the latest C++ analysis rules in SonarQube for IDE, SonarQube Server and SonarQube Cloud can help us modernize our code to take advantage of some of the new features.
3 years ago
NodeBB 1.18.4 - Remote Code Execution With One Shot
We recently discovered three interesting code vulnerabilities in NodeBB 1.18.4, allowing attackers to compromise servers. Find out about the details in this article!
3 years ago
Code Security Advent Calendar 2021
Our code security advent calendar is back for the sixth consecutive year. We will release daily challenges until December 24th; get ready to fill your bag of tricks!
3 years ago
10 Unknown Security Pitfalls for Python
In this blog post, we share 10 security pitfalls for Python developers that we encountered in real-world projects.
3 years ago
Agent 008: Chaining Vulnerabilities to Compromise GoCD
We discovered 3 more code vulnerabilities in the popular GoCD CI/CD system that can be chained by attackers to leak or modify internal code. Learn more in this blog post.
3 years ago
SmartStoreNET - Malicious Message leading to E-Commerce Takeover
Check out the details of a Cross-Site Scripting bug in the BBCode processing in SmartStoreNET and how it can be chained into arbitrary code execution!
3 years ago
Agent 007: Pre-Auth Takeover of Build Pipelines in GoCD
We recently discovered critical security issues in the popular CI/CD solution GoCD that can be exploited by unauthenticated attackers.
3 years ago
Meet the new project experience for SonarQube Cloud
We are very pleased to announce that we have released a new project experience. It’s now available in SonarQube Cloud for all users. You’ll notice a few improvements the next time you open SonarQube Cloud.
3 years ago
Squirrel Sandbox Escape allows Code Execution in Games and Cloud Services
We discovered and reported a vulnerability in the Squirrel VM, written in C, that allows an attacker to escape the sandbox.
3 years ago
Supercharge your C++ analysis with SonarQube for IDE for CLion
This article talks about the powerful capabilities of the C++ analyzer with SonarQube for IDE and highlights some unique and interesting quality and security rules you might find useful. Through that lens, we demonstrate how you can leverage these rules to elevate your CLion built-in static analysis capabilities for your C++ projects.
3 years ago
Modernize Code Quality with ‘Quick Fixes’
Boost your productivity by automatically applying fixes to repair code quality issues in your IDE with SonarQube for IDE.
3 years ago
Cachet 2.4: Code Execution via Laravel Configuration Injection
We responsibly disclosed three vulnerabilities in the open-source status page Cachet, allowing attackers to take over instances. Here are all the details!
3 years ago
Product portals open: we want your input
We've recently opened up product portals on Productboard. You'll find them for SonarQube Server, SonarQube Cloud, and SonarQube for IDE. Each one shows the features we're currently working on, the ones we've released recently, and the ones we're planning.
3 years ago
Ghost CMS 4.3.2 - Cross-Origin Admin Takeover
We recently discovered an XSS vulnerability in the admin frontend of Ghost CMS 4.3.2. Find out the details and learn how to avoid such issues in your code!
3 years ago
Compilation database: An alternative way to configure your C or C++ analysis
Analyzing your C or C++ code requires, in addition to the source code, the configuration that is used to build the code. Historically we have provided a tool to automate the extraction of this information, called the build wrapper. Recently we introduced another way to configure your analysis: the compilation database. Learn more about the pros and cons of each option.
3 years ago
elFinder - A Case Study of Web File Manager Vulnerabilities
Our case study of elFinder 2.1.57 describes several critical code vulnerabilities commonly found in web file managers and how to patch them.
3 years ago
Use 3rd-party plugins at your own risk
If you're using 3rd-party plugins for SonarQube Server, you're obviously already aware of the benefits. With this blog post, we want to make sure you're also aware of the risks. Because there are risks.
3 years ago
Launching ‘Secret Detection’ to keep your Cloud ‘Secrets’ safe
Learn how developers can safeguard their cloud 'secrets' from publicly leaking and take charge of their Code Security with SonarQube for IDE.
3 years ago
How Clean Code Practices Help You Retain Your Development Talent
It can be challenging to maintain good coding vibes when your team or company often prioritizes feature delivery over code quality. If your developers are never allowed the time to work on new and exciting things, they may eventually find somewhere else to bring their coding talents to.
3 years ago
Zimbra 8.8.15 - Webmail Compromise via Email
We discovered critical code issues in Zimbra, a popular enterprise webmail solution, that could lead to a compromise of all emails by an unauthenticated attacker.
3 years ago
Clean As You Code essentials - What are Quality Profiles and Quality Gates?
Learn how the functionality of Quality Profiles and Quality Gates comes together to enable the SonarSource Clean As You Code methodology.
3 years ago
Etherpad 1.8.13 - Code Execution Vulnerabilities
We discovered two code execution vulnerabilities that affected Etherpad servers and data. Learn more about the technical details and how to avoid such coding issues.
3 years ago
Enterprise-ready: Authentication & Authorization with SonarQube Server (LDAP, SSO & more)
Discover how SonarQube Server can integrate with your existing enterprise setup (LDAP, SSO & co.) for user authentication and authorization.
3 years ago
CiviCRM 5.22.0 - Code Execution Vulnerability Chain Explained
Blog RSS feed
We discovered critical code vulnerabilities in CiviCRM, a popular CRM plugin for Wordpress, Joomla and Drupal. Learn more about how to find and patch these issues.
3年前
7 more reasons to upgrade to SonarQube Server 8.9 LTS
Blog RSS feed
SonarQube Server 8.9 LTS is here! Not every improvement could be mentioned in the release announcement, so check out these LTS easter eggs that make this the Best LTS Ever.
3年前
Broken pipelines for everyone!
With SonarQube Server 8.9 LTS, SonarSource has made failing the pipeline available for everyone, using any CI you want. But with great power comes ... well, you know. In this post you'll learn what went into the decision to make this available and what you'll want to watch out for when you use it.
3 years ago
Grav CMS 1.7.10 - Code Execution Vulnerabilities
We responsibly disclosed two code execution vulnerabilities in Grav CMS, one of the most popular flat-file PHP CMSs on the market. Let’s see what we can learn from them and discuss their patches!
3 years ago
NoSQL Injections in Rocket.Chat 3.12.1: How A Small Leak Grounds A Rocket
We recently discovered vulnerabilities in Rocket.Chat, a popular team communications solution, that could be used to take over Rocket.Chat instances.
4 years ago
What to expect from JavaScript/TypeScript analysis on OWASP JuiceShop
In April 2021, we updated our JavaScript and TypeScript SAST engines to explore more execution flows, increase performance and improve overall accuracy. It now goes far beyond what we did in the past for these languages. With this post, we’re going to tell you what you can expect for these languages, and more specifically which vulnerabilities can be detected.
4 years ago
SonarQube Server 8.9 LTS: 3 steps to a smooth upgrade
SonarQube Server 8.9 Long Term Support (LTS) is officially here! Check out this list of tips & tricks on how to upgrade your environment from start to finish.
4 years ago
PHP Supply Chain Attack on Composer
We recently discovered a vulnerability in Composer, the main package manager for PHP, and were able to use it to take over the central repository, packagist.org.
4 years ago
WordPress 5.7 XXE Vulnerability
In this blog post we analyze an XXE vulnerability that our analyzers discovered in WordPress, the most popular CMS, and what PHP 8 developers can learn from it.
4 years ago
Code Vulnerabilities in NSA Application Revealed
Our security research team discovered multiple code vulnerabilities in the NSA's Java application Emissary. Find out more about these issues and related attacks.
4 years ago
Mono-repository support for Bitbucket Cloud now available for SonarQube Cloud!
Last September, we announced that mono-repository support was added for GitHub and Azure DevOps Services. The good news is: mono-repository support is now also available for Bitbucket Cloud! See what it brings and how you can configure it in SonarQube Cloud.
4 years ago
My Support Engineer Journey at SonarSource
What does a Support Engineer do and how could it ever be interesting? Here we share more about a unique and rewarding journey in this role at SonarSource that will help you understand more about the job and opportunity.
4 years ago
MyBB Remote Code Execution Chain
Today SonarSource is pleased to share a guest contribution to our Code Security blog series about learnings from a chain of serious vulnerabilities in MyBB.
4 years ago
Hack the Stack with LocalStack: Code Vulnerabilities Explained
Our vulnerability researchers found critical code vulnerabilities in a popular Python application that can be exploited remotely, even when the application instance is hosted locally.
4 years ago
Crafting regexes to avoid stack overflows
Due to the way regular expression matching is implemented in Java (and many other languages/libraries), matching a pattern may - depending on the regex - require stack space proportional to the length of the input. This means large inputs could cause the program to crash with a `StackOverflowError` when you try to use the regex.
4 years ago
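The mechanism described above, as an added example that is not code from the Sonar post: in `java.util.regex`, a group under a quantifier such as `(a|b)*` is matched by recursion, one call chain per repetition, so a long enough input exhausts the thread stack, while the equivalent character class `[ab]*` is matched by a simple loop. The two patterns, the input length and the `StackOverflowError` catch are assumptions made for the demonstration (the catch is there only to report the outcome; production code should not catch it but fix the pattern).

```java
import java.util.regex.Pattern;

/**
 * Added example (not code from the Sonar post). Demonstrates that a regex
 * with a group under a quantifier needs stack space proportional to the
 * input length in java.util.regex, while an equivalent character class
 * does not. Requires Java 11+ for String.repeat.
 */
public class RegexStackDemo {

    // Group under a quantifier: the matcher recurses once per repetition,
    // so the stack depth grows with the number of matched characters.
    static final Pattern RECURSIVE = Pattern.compile("(a|b)*");

    // Same language, written as a character class: matched iteratively.
    static final Pattern ITERATIVE = Pattern.compile("[ab]*");

    /**
     * Runs a full match and reports "match", "no match" or
     * "StackOverflowError". Catching the error is for the demo only.
     */
    static String tryMatch(Pattern pattern, String input) {
        try {
            return pattern.matcher(input).matches() ? "match" : "no match";
        } catch (StackOverflowError e) {
            return "StackOverflowError";
        }
    }

    public static void main(String[] args) {
        // Constructed input: a long run of a single character. On a
        // default-sized thread stack the grouped pattern overflows here.
        String input = "a".repeat(200_000);
        System.out.println("(a|b)* : " + tryMatch(RECURSIVE, input));
        System.out.println("[ab]*  : " + tryMatch(ITERATIVE, input));
    }
}
```

Run it with `java RegexStackDemo.java` (Java 11+ single-file launch). Raising the thread stack size with `-Xss` only moves the threshold; the durable fix is to rewrite the pattern so that nothing recursive sits under the quantifier, which is what the rule in the post flags.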
Setting the right (regex) boundaries is important
Regular expressions pack a lot of power into terse little packages and unfortunately that introduces a lot of room for error. This post talks about regex boundaries, another feature that can lead to bugs when used incorrectly, and a rule of ours that can help you avoid such issues. It also covers complexity and maintainability in regular expressions and our rule to help you find regular expressions that are too complex.
4 years ago
Regular expressions present challenges even for not-so-regular developers
Regular expressions are a concise and powerful tool for processing text. However, they also come with a steep learning curve and plenty of opportunities to make mistakes. This is the first in a series of posts about some specific regex pitfalls.
4 years ago
Code security: now there's a tool for developers
Hey SonarQube Server and SonarQube Cloud users! You now have a tool to own Code Security! SonarSource has been hard at work for the last year to give you the tooling to review and improve your code security. We're glad to say that today you have at your fingertips unmatched precision and performance in SAST (Static Application Security Testing) analysis for five languages and counting.
4 years ago
Code Security Advent Calendar 2020
It's time to have some December fun! We have 24 little challenge gifts awaiting you that hide security vulnerabilities in real-world Java, C#, PHP and Python code. Can you spot the vulnerability?
4 years ago
Make Code Quality & Security™ an integral part of your workflow
SonarQube Server Developer Edition overlays Code Quality and Security™ right onto your projects. Your pull requests are automatically analyzed and decorated with a clear Go/No Go Quality Gate so you only merge clean, quality code! 👏
4 years ago
How SonarQube Cloud finds bugs in high-quality Python projects
As developers, there always comes a time when we find a bug in production and wonder how it passed all our quality checks. Let's go over a few Bugs we found with SonarQube Cloud and see why it is able to detect them when popular linters don't.
4 years ago
Code vulnerabilities put health records at risk
Recently, we discovered several code vulnerabilities in OpenEMR 5.0.2.1. A combination of these vulnerabilities allowed remote attackers to execute arbitrary system commands on any OpenEMR server that uses the Patient Portal component. This can lead to the compromise of sensitive patient data, or worse, to a compromise of critical infrastructure.
4 years ago
Winning the race against TOCTOU vulnerabilities in C & C++
Security is an eternal race between the techniques and technologies of attackers and those of the defenders. Today, I'm proud to announce a step forward for defenders with a new rule to detect a literal race condition: TOCTOU (or TOCTTOU) vulnerabilities, known in long-form as Time Of Check (to) Time Of Use.
4 years ago
Mono-repository support for GitHub and Azure DevOps Services available now!
Take a tour of SonarQube Cloud's integration with mono-repositories in GitHub and Azure DevOps Services. This new feature allows you to define multiple Quality Gates per project and receive multiple results in your pull requests.
4 years ago
Pandora FMS 742: Critical Code Vulnerabilities Explained
How code vulnerabilities in your web application can be the single point of failure for your IT infrastructure’s security.
4 years ago
False positives are our enemies, but may still be your friends
When writing a rule for static analysis, it’s possible that in some cases, the rule does not give the results that were expected. Unfortunately, naming a false positive is often far easier than fixing it. Learn how the different types of rules give rise to different types of false positives, which ones are easier to fix than others, and how you can help.
4 years ago
Codoforum 4.8.7: Critical Code Vulnerabilities Explained
We analyze the root cause of three critical security vulnerabilities that enabled a complete board takeover, and how to correctly prevent these in your code.
4 years ago
About the recent code leaks from SonarQube Server instances
On July 27th 2020 we learned through media coverage that Till Kottmann was able to access non open-source source code from various companies. This is our public response to the incident.
4 years ago
Take Control of Code Quality with SonarQube Server Pull Request Decoration in Your Workflow
How do you write super clean code without disrupting your workflow? Join me as I show you how SonarQube Server Pull Request Decoration gets you there!
4 years ago
Apache Kylin 3.0.1 Command Injection Vulnerability
We discovered a severe command injection vulnerability in Apache Kylin that allows malicious users to execute arbitrary OS commands.
4 years ago
SonarSource acquires RIPS Technologies
Teams will be joining forces in building best-in-class Static Application Security Testing (SAST) products that help development teams and organizations deliver more secure software.
5 years ago
Exploiting Hibernate Injections
Hibernate is one of the most commonly used database libraries in Java web applications, and it ships with its own query language. This technical post will teach you how to detect and exploit Hibernate's very own vulnerability: HQL Injection.
5 years ago
What is 'taint analysis' and why do I care?
In large systems, finding the bad actors is easier said than done. First you have to find all the places you accept data from users, and then you have to sanitize the data before you use it. The hard part is making sure you've found all the sources of user data and intervened before any kind of use. That's where taint analysis comes in.
5 years ago
WordPress <= 5.2.3: Hardening Bypass
This blog post details an authenticated Remote Code Execution (RCE) vulnerability in the WordPress core that bypasses hardening mechanisms. The vulnerability is present in the WordPress core in versions prior to 5.2.4.
5 years ago
Clean as You Code: How to win at Code Quality without even trying
Analyzing a legacy project can be overwhelming. Learn how to Clean as You Code to make sure that the code you release into production tomorrow is at least as good as - and probably better than! - the code that's in production today.
5 years ago
Backend SQL Injection in BigTree CMS 4.4.6
BigTree is a small content management system which does not depend on many frameworks and advertises itself as user friendly and developer ready. In this blog post, we will take a look at a few vulnerabilities we have detected in the codebase of BigTree.
5 years ago
Drive By RCE Exploit in Pimcore 6.2.0
In this technical blog post we will examine how a drive-by exploit in the Pimcore release 6.2.0 allows an attacker to execute OS commands.
5 years ago
WooCommerce 3.6.4 - CSRF Bypass to Stored XSS
WooCommerce is the most popular e-commerce plugin for WordPress with over 5 million installations. We detected a code vulnerability in the way WooCommerce handles imports of products.
5 years ago
Bitbucket 6.1.1 Path Traversal to RCE
In this blog post we analyse how the insecure extraction of a compressed TAR archive led to a critical vulnerability in Bitbucket (CVE-2019-3397).
5 years ago
SuiteCRM 7.11.4 - Breaking Into Your Internal Network
In this blog post we will see how a vulnerable web application deployed in the internal network of your company can act as a charming entry gateway for any adversary.
5 years ago
Pre-Auth Takeover of OXID eShops
We detected a highly critical vulnerability in the OXID eShop software that allows unauthenticated attackers to take over an eShop remotely in a few seconds - all on default configurations.
5 years ago
TYPO3 9.5.7: Overriding the Database to Execute Code
In this technical blog post we examine a critical vulnerability in the core of the TYPO3 CMS (CVE-2019-12747). A reliable exploit allows the execution of arbitrary PHP code on the underlying system as an authenticated user.
5 years ago
Magento 2.3.1: Unauthenticated Stored XSS to RCE
This blog post shows how the combination of an HTML sanitizer bug and a Phar deserialization in the popular eCommerce solution Magento <=2.3.1 led to a highly severe exploit chain. This chain can be abused by an unauthenticated attacker to fully take over certain Magento stores and to redirect payments.
5 years ago
dotCMS 5.1.5: Exploiting H2 SQL injection to RCE
In this blog post we will show how to exploit a SQL injection vulnerability (CVE-2019-12872) found by RIPS Code Analysis in the popular java-based content management system dotCMS and how we escalated it to execute code remotely.
5 years ago
MyBB <= 1.8.20: From Stored XSS to RCE
This blog post shows how an attacker can take over any board hosted with MyBB prior to version 1.8.21 by sending a malicious private message to an administrator or by creating a malicious post. We use a chain of two security vulnerabilities detected in the code.
5 years ago
The Hidden Flaws of Archives in Java
Archives such as Zip, Tar, Jar or 7z are useful formats to collect and compress multiple files or directories in a container-like structure. However, the extraction of archives can introduce security risks which resulted in multiple critical vulnerabilities in popular applications in the past. In this post we explain the risk behind archive extraction and show how to securely extract archives in Java.
5 years ago
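The extraction check this post is about, as an added example that is not the post's own code: an archive entry name such as `../../etc/cron.d/job` is resolved against the target directory, normalised, and rejected unless it still lies below that directory, which is the path traversal behind the Bitbucket TAR case listed further up. The example uses `java.util.zip` and an in-memory ZIP constructed for the demonstration; the class and method names are assumptions. The same check applies verbatim to TAR entry names from a library such as Commons Compress.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

/**
 * Added example (not the post's own code): extract a ZIP stream into a
 * target directory, rejecting any entry whose name resolves outside it.
 */
public class SafeUnzip {

    /** Resolve an entry name below targetDir, or throw if it would escape. */
    static Path resolveEntry(Path targetDir, String entryName) throws IOException {
        Path root = targetDir.toAbsolutePath().normalize();
        // normalize() folds "." and ".." before the comparison; an absolute
        // entry name replaces root entirely and therefore also fails the check.
        Path resolved = root.resolve(entryName).normalize();
        if (!resolved.startsWith(root)) {
            throw new IOException("Entry is outside of the target dir: " + entryName);
        }
        return resolved;
    }

    /** Extract every entry; returns the number of regular files written. */
    static int extract(InputStream archive, Path targetDir) throws IOException {
        int written = 0;
        try (ZipInputStream zip = new ZipInputStream(archive)) {
            ZipEntry entry;
            while ((entry = zip.getNextEntry()) != null) {
                Path out = resolveEntry(targetDir, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(out);
                } else {
                    Files.createDirectories(out.getParent());
                    // Every entry is written as a regular file: ZipInputStream
                    // exposes no symlink flag, so nothing can be planted as a link.
                    Files.copy(zip, out, StandardCopyOption.REPLACE_EXISTING);
                    written++;
                }
                zip.closeEntry();
            }
        }
        return written;
    }

    /** Constructed single-entry archive for the demonstration. */
    static byte[] zipOf(String entryName, String content) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(buf)) {
            zos.putNextEntry(new ZipEntry(entryName));
            zos.write(content.getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path target = Files.createTempDirectory("safe-unzip");
        int n = extract(new ByteArrayInputStream(zipOf("docs/readme.txt", "hello")), target);
        System.out.println("benign archive: " + n + " file(s) written under " + target);
        try {
            extract(new ByteArrayInputStream(zipOf("../evil.txt", "pwned")), target);
        } catch (IOException e) {
            System.out.println("traversal archive rejected: " + e.getMessage());
        }
    }
}
```

The comparison has to be made on the normalised absolute path, not on the raw entry name: a string check for `..` misses absolute names and encoded variants, and `Path.startsWith` compares whole path components, so `/tmp/out-evil` does not pass as a child of `/tmp/out`. Size limits (archive bombs) are a separate concern not covered here.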
The NeverEnding Story of writing a rule for argument passing in C++
Here is a story of a rule, from concept to production. While the selected rule is for C++, this story contains interesting insight on the craft of rule development, no matter the target language.
6 years ago
WordPress 5.1 CSRF to Remote Code Execution
This blog post reveals another critical exploit chain for WordPress 5.1 that enables an unauthenticated attacker to gain remote code execution (CVE-2019-9787).
6 years ago
Announcing the SonarQube Cloud Pipe for Bitbucket Cloud users!
SonarSource is proud to be a launch partner of the Atlassian Bitbucket Pipes. Thanks to the SonarQube Cloud Scan Pipe, you can configure code analysis in your Bitbucket Pipeline in no time.
6 years ago
WordPress 5.0.0 Remote Code Execution
This blog post details how a combination of a Path Traversal and Local File Inclusion vulnerability led to Remote Code Execution in the WordPress core (CVE-2019-8943). The vulnerability remained uncovered in the WordPress core for over 6 years.
6 years ago
CTF Writeup: Complex Drupal POP Chain
A recent Capture-The-Flag tournament hosted by Insomni’hack challenged participants to craft an attack payload for Drupal 7. This blog post will demonstrate our solution for a PHP Object Injection with a complex POP gadget chain.
6 years ago
WordPress Privilege Escalation through Post Types
A logic flaw in the way WordPress created blog posts allowed attackers to access features only administrators were supposed to have (CVE-2018-20152). This led to a Stored XSS and Object Injection in the WordPress core and more severe vulnerabilities in WordPress’s most popular plugins Contact Form 7 and Jetpack.
6 years ago
phpBB 3.2.3: Phar Deserialization to RCE
A new PHP exploit technique affects the most famous forum software phpBB3. The vulnerability allows attackers who gain access to an administrator account to execute arbitrary PHP code and to take over the entire board (CVE-2018-19274).
6 years ago
WordPress Design Flaw Leads to WooCommerce RCE
A flaw in the way WordPress handles privileges can lead to a privilege escalation in plugins. This affects, for example, the popular WooCommerce.
6 years ago
PHP Object Injection
A very common and critical vulnerability in PHP applications is PHP Object Injection. This blog post explains how it works and how it can lead to a full site takeover by remote attackers.
6 years ago
Fully Automated Promotion Pipelines with SonarQube Server and Artifactory
Catch builds constructed from poor quality code before they make it to production. Discover how to integrate Artifactory and SonarQube Server.
6 years ago
My Journey Interviewing with SonarSource...
What's it like to interview with SonarSource? Read on and find out!
6 years ago
What is Phar Deserialization
Last week a new exploitation technique for PHP applications was announced at the BlackHat USA conference. Find out everything you need to know in this blog post.
6 years ago
Protect your code against injection vulnerabilities with SonarQube Cloud!
Injection security vulnerabilities (OWASP-A1) can run scared, as latest SonarQube Cloud updates now provide advanced security checks to continuously detect them.
6 years ago
WordPress File Delete to Code Execution
In this blog post we introduce an authenticated arbitrary file deletion vulnerability (CVE-2018-20714) in the WordPress core that can lead to attackers executing arbitrary code.
6 years ago
Evil Teacher: Code Injection in Moodle
In this post we will examine the technical intrinsics of a critical vulnerability in the previous Moodle release (CVE-2018-1133).
6 years ago
Import issues of your favorite linters in SonarQube Cloud!
Over the past 2 weeks, the following new features were deployed on SonarQube Cloud: import of issues from external linters with built-in support for TypeScript projects, support for the Go language, graceful handling of username change, first version of the GitHub Application, new rules for Python, Java and Swift
6 years ago
A Salesmans Code Execution: PrestaShop 1.7.2.4
PrestaShop is one of the most popular e-commerce solutions. We detected a highly critical vulnerability that allows an attacker to execute arbitrary code on any installation with version <= 1.7.2.4. In this technical blog post we present the vulnerability and the exploitation technique that could have been misused by attackers (CVE-2018-20717).
7 years ago
LimeSurvey 2.72.3 - Persistent XSS to Code Execution
We detected two vulnerabilities in LimeSurvey < 2.72.3: An unauthenticated persistent cross-site scripting vulnerability (CVE-2017-18358) and an authenticated arbitrary file write vulnerability which can be chained.
7 years ago
Joomla! 3.8.3: Privilege Escalation via SQL Injection
Joomla! is one of the biggest players in the market of content management systems and the second most used CMS on the web. We discovered a second-order SQL injection (CVE-2018-6376) that could be used by attackers with low permissions to escalate them into full admin permissions on Joomla! prior to version 3.8.4.
7 years ago
Why did my coverage just drop?!
After an upgrade people are sometimes surprised to find that the next analysis of a project with no real changes shows a significant drop in coverage. Believe it or not, that really is a feature, not a bug, and it's called Executable Lines.
7 years ago
CubeCart 6.1.12 - Admin Authentication Bypass
CubeCart is an open source e-commerce solution. In one of our latest security analyses we found two flaws in this web application that allow an attacker to circumvent the authentication mechanism required to log in as an administrator (CVE-2018-20716).
7 years ago
Supporting analysis of .NET Core projects
Support for SonarQube Server analysis of projects in the new MSBuild v15 format has been one of the features most requested by the Microsoft community, and now it's done!
7 years ago
Shopware 5.3.3: PHP Object Instantiation to Blind XXE
Shopware is a popular e-commerce software that is based on Symfony, Doctrine and the Zend Framework. In this blog post we investigate the exploitation of a rare PHP object instantiation vulnerability (CVE-2017-18357).
7 years ago
Joomla! 3.7.5 - Takeover in 20 Seconds with LDAP Injection
Joomla! is one of the most popular content management systems. We detected a previously unknown LDAP injection vulnerability in the login controller that could allow remote attackers to leak the super user password and to fully take over any Joomla! installation.
7 years ago
SugarCRM's Security Diet - Multiple Vulnerabilities
SugarCRM is one of the most popular customer relationship management solutions. We uncovered critical security issues that could allow attackers to steal customer data or sensitive files from the server.
7 years ago
How security flaws in PHP's core can affect your application
Learn how memory corruption bugs in the PHP core itself can affect your PHP application.
7 years ago
SonarCFamily Now Supports ARM Compilers
For those not familiar with ARM (Advanced RISC Machine), let's start by sharing some numbers: in 2011, the 32-bit ARM architecture was the most widely used architecture in mobile devices and the most popular 32-bit one in embedded systems. Moreover, in 2013, 10 billion were produced and "ARM-based chips are found in nearly 60 percent of the world’s mobile devices".
7 years ago
Why mail() is dangerous in PHP
Recently, many critical security vulnerabilities were fixed in popular PHP applications such as Roundcube, Wikimedia and Zend Framework that were based on insecure usage of the PHP mail() function. In this post, we have a look at the common ground of these vulnerabilities and how to use mail() securely.
8 years ago
Breaking the SonarQube Server Analysis with Jenkins Pipelines
One of the most requested features regarding SonarQube Server Scanners is the ability to fail the build when the quality level is not at the expected level. We have this built-in concept of a quality gate in SonarQube Server, and we used to have a BuildBreaker plugin for this exact use case. But starting from version 5.2, aggregation of metrics is done asynchronously on the SonarQube Server side. It means the build/scanner process would finish successfully just after publishing raw data to the SonarQube Server, without waiting for the aggregation to complete.
8 years ago
osClass 3.6.1: Remote Code Execution via Image File
In this blog post, we present a beautiful chain of vulnerabilities which, in the end, allows an attacker to remotely execute arbitrary PHP code in the open source marketplace software osClass 3.6.1 used for creating classifieds sites.
8 years ago
Cognitive Complexity, Because Testability != Understandability
Cyclomatic Complexity works very well for measuring testability, but not for maintainability. That's why we're introducing Cognitive Complexity, which you'll begin seeing in upcoming versions of our language analyzers.
8 years ago
Roundcube 1.2.2: Command Execution via Email
In this post, we show how a malicious user can remotely execute arbitrary commands on the underlying operating system, simply by writing an email in Roundcube 1.2.2 (>= 1.0). This vulnerability is highly critical because all default installations are affected.
8 years ago
We Are Adjusting Rules Severities
With the release of SonarQube Server 5.6, we introduced the SonarQube Server Quality Model, which pulls Bugs and Vulnerabilities out into separate categories to give them the prominence they deserve. Now we're tackling the other half of the job: "sane-itizing" rule severities, because not every bug is Critical.
8 years ago
SonarAnalyzer for C#: The Rule Engine You Want to Use
If you’ve been following the releases of the Scanner for MsBuild and the C# plugin over the last two years, you must have noticed that we significantly improved our integration with the build tool and at the same time added a lot of new rules. Also, we introduced SonarQube for IDE: Visual Studio, a new tool to analyze code inside the IDE. With these steps completed we are deprecating the SonarQube Server ReSharper plugin to be able to provide a consistent, high-level experience among our tools.
8 years ago
Bugs and Vulnerabilities are 1st Class Citizens in SonarQube Server Quality Model along with Code Smells
In SonarQube Server 5.5 we adopted an evolved quality model, the SonarQube Server Quality Model, that takes the best from SQALE and adds what was missing. In doing so, we've highlighted project risks while retaining technical debt.
8 years ago
Why You Shouldn't Use Build Breaker
There have been some heated discussions recently about the Build Breaker plugin... SonarSource doesn't want to continue the feature. The community has come to see it as a must have... So I'd like to explain why at SonarSource we no longer think it should be used.
9 years ago
Analysis of Visual Studio Solutions with the SonarQube Server Scanner for MSBuild
At the end of April 2015 during the Build Conference, Microsoft and SonarSource Announced SonarQube Server integration with MSBuild and Team Build. Today, half a year later, we’re releasing the SonarQube Server Scanner for MSBuild 1.0.2. But what exactly is the SonarQube Server Scanner for MSBuild? Let’s find out!
9 years ago
Water Leak Changes the Game for Technical Debt Management
A few months ago, at the end of a customer presentation about “The Code Quality Paradigm Change”, I was approached by an attendee who said, “I have been following SonarQube Server & SonarSource for the last 4-5 years and I am wondering how I could have missed the stuff you just presented. Where do you publish this kind of information?”. I told him that it was all on our blog and wiki and that I would send him the links. Well...
9 years ago
Unit Test Execution in SonarQube Server
Starting with Java Ecosystem version 2.2 (compatible with SonarQube Server version 4.2+), we no longer drive the execution of unit tests during Maven analysis. Dropping this feature seemed like such a natural step to us that we were a little surprised when people asked us why we'd taken it.
10 years ago
Three options for pre-commit analysis
As a quality-first focus becomes increasingly important in modern software development, more and more developers are asking how to find new issues before they check their code in. For some of you, it's a point of pride. For others, it's a question of keeping management off your back, and for still others it's simply a matter of not embarrassing yourself publicly. Fortunately, the SonarQube Server developers (being developers themselves) understand the problem and have come up with three different ways of dealing with it: the Eclipse plugin, the IntelliJ plugin, and the Issues Report plugin.
11 years ago
Already 158 Checkstyle and PMD rules deprecated by SonarQube Server Java rules
11 years ago
Everything's a component
Something occurred to me recently that I wanted to share. Sometimes I'm late to the party, so this may have been obvious to you all along, but it didn't jump out at me at first, so I thought it might be worth talking about. It's the fact that the Views plugin turns a project into just another component.
11 years ago
Differentials: Four ways to see what's changed
After a Sonar analysis, it's easy to see your project's current state - just browse to the project dashboard and it's laid out for you. Want details? Just start clicking. But it's not always enough to know where you are. Sometimes, you need to know where you are in comparison to where you've been.
11 years ago
Customizing Sonar to Fit Your Needs
Sonar is a super-radiator for code quality and as such, you can expect it brings value to all stakeholders in a development group. To achieve this, Sonar must be able to show only relevant information in a certain context and shut off the noise to facilitate investigation and decision making. In this post, I will show how to customize Sonar to fit your needs by:
12 years ago
Manage Duplicated Code with Sonar
If you use Sonar already, I am sure that you already know the worst of all seven developer deadly sins. And if you don't, I would assume you know about duplicated / cloned / similar code when you talk about code quality, and that you have heard of tools such as PMD CPD or Simian. But why does copy-paste matter from a code quality point of view? How can you benefit from Sonar to improve this? Let’s try to figure this out.
13 years ago
Effective Code Review with Sonar
At SonarSource, we like eating our own dog food as much as possible. This is not always the case in software development, but in our case since we develop software for software companies, we can do it. We therefore have an instance of Sonar that analyses all our products daily.
13 years ago
SQALE, the ultimate Quality Model to assess Technical Debt
Six months ago, we would never have believed that one day we would be happy and excited to write about the implementation of a Quality Model in Sonar. Indeed the Quality Models that we knew at the time (most of them are based on ISO 9126 standard) are complex, expensive to implement, can be understood only by an elite of quality experts and are not fun at all.
14 years ago
Detect Dead Code and Calls to Deprecated Methods with Sonar Squid
Up to version 2.1, Sonar was relying only on external coding rules engines such as Checkstyle, PMD and Findbugs to report violations on Java applications. But since version 2.1, Sonar also provides its own rules engine to work on Java dependencies. This rules engine is based on Squid and three rules are currently available:
14 years ago
Securing access to projects in Sonar
When used out-of-the-box, Sonar is a code quality radiator accessible by everyone at anytime. As for JIRA, Hudson, a post-it dashboard or any other piece of the development toolset, transparency is a key success factor for adoption. So, by default in Sonar, anyone can access any project under continuous inspection and navigate through it.
15 years ago
Sonar to identify security vulnerabilities
During the last few months, Sonar has definitely become the leading Open Source Platform to manage Java code quality. The objective to democratize access to code quality is becoming concrete. However when analyzing source code, quality is only one aspect of things...
15 years ago
Reuse in Sonar unit test reports generated by other systems
16 years ago
Using quality profiles in Sonar
Last month, Sonar 1.6 was released. The main feature of the new version is the ability to manage quality profiles. The purpose of this post is to explain what gap the functionality fills, to define what a quality profile is and to explain how to use it.

Prior to Sonar 1.6, it was only possible to run analysis with one set of defined coding rules per instance of Sonar. It means that within an instance of Sonar, it was not possible to treat different types of projects (legacy application, technical libraries, new projects, ...) differently. They were all analyzed with the same set of rules. Therefore there was sometimes unnecessary noise around the quality data that made it difficult to see quickly what real action was required. Sonar 1.6 turns off this noise by allowing you to define and simultaneously use several quality profiles.
16 years ago
What makes Checkstyle, PMD, Findbugs and Macker complementary ?
There is often some misunderstanding when people talk about coding rules engines. Everyone tries to take position in favor of his preferred tool and does his best to explain what are the weaknesses of the other ones.
16 years ago
Discussing Cyclomatic Complexity
Googling on Cyclomatic Complexity (CC), gives some interesting results... Among those results, you'll find the two following definitions:
16 years ago
Is 80% of code coverage any good ?
When talking about source code quality, there are always voices to tell you that metrics mean nothing and that plenty of projects have great metrics and poor quality! Let's look at one particular metric: the code coverage by unit tests.
16 years ago