Even more Python love, Security Hotspot review on New Code joins built-in Quality Gate and
XSS detection in Java & C#
April 30th, 2020
The Python Analysis Good Vibes continue…
For several releases now we’ve continued to bring more value to Python analysis, and v8.3 is
no exception. Python isn’t everyone’s first language, and it’s easy to make common
mistakes. We’ve added new rules so these errors don’t slip into your code base: they check
for issues with exception handling, incompatible operand types, and method/function
definitions. Python 3.8 is supported as well.
Vulnerabilities related to arbitrary code injection/execution are the second most common
issue in Python OSS projects. To counter this, we’ve added detection of injection into OS
commands, dynamic code execution and deserialization (unpickling). Additional rules extend
taint analysis coverage to values passed as keyword arguments and values stored in dictionaries,
so tainted input is still tracked to the sink when it takes one of those paths.
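As an added example (not SonarSource’s code and not the analyzer’s own rules), the three sink classes named above are shown beside a hardened form, with the tainted value reaching the first sink through a dictionary value and then a keyword argument, the two propagation paths the extended taint coverage is about. The request dictionary, the hostname pattern, the unpickler allow-list and the use of `os.getcwd` as a benign stand-in for `os.system` are all assumptions made for the example.

```python
# Added example, not SonarQube code: injection sinks beside hardened forms.
import ast
import io
import json
import os
import pickle
import re

# Constructed attacker-controlled value, as it might arrive in a request parameter.
TAINTED_HOST = "example.com; cat /etc/passwd"


# --- 1. OS command injection -------------------------------------------------
def command_vulnerable(params):
    """Taint flows through a dict value and then a keyword argument to the sink."""
    options = {"target": params["host"]}   # tainted value stored in a dict
    return _shell_line(**options)          # ...and passed on as a keyword argument


def _shell_line(target):
    # Sink: this string handed to os.system() or subprocess(shell=True) is injectable.
    return f"ping -c 1 {target}"


HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")   # assumed validation policy


def command_safe(params):
    """Validate the value, then build an argv list that no shell ever parses."""
    host = params["host"]
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("invalid hostname")
    return ["ping", "-c", "1", host]       # hand to subprocess.run(argv) unchanged


# --- 2. Dynamic code execution -----------------------------------------------
def parse_vulnerable(text):
    # Sink: eval() runs arbitrary expressions such as __import__('os').system(...)
    return eval(text)


def parse_safe(text):
    """ast.literal_eval accepts literals only; a call or attribute access raises."""
    return ast.literal_eval(text)


# --- 3. Deserialization ------------------------------------------------------
class _Payload:
    """Constructed malicious object: unpickling it calls a callable of the attacker's choice."""
    def __reduce__(self):
        return (os.getcwd, ())             # benign stand-in for os.system("...")


MALICIOUS_PICKLE = pickle.dumps(_Payload())
BENIGN_PICKLE = pickle.dumps({"a": [1, 2]})
CWD_AT_IMPORT = os.getcwd()


def load_vulnerable(data):
    # Sink: pickle.loads() imports and invokes whatever global the payload names.
    return pickle.loads(data)


class _RestrictedUnpickler(pickle.Unpickler):
    # Assumed allow-list: only these globals may be resolved while unpickling.
    SAFE = {("builtins", "dict"), ("builtins", "list"), ("builtins", "str"), ("builtins", "int")}

    def find_class(self, module, name):
        if (module, name) in self.SAFE:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def load_restricted(data):
    """Unpickle with an allow-list; the payload's callable is never resolved."""
    return _RestrictedUnpickler(io.BytesIO(data)).load()


def load_safe(text):
    """Preferred form: a data-only format carries no executable behaviour."""
    return json.loads(text)


def raises(exc, func, *args):
    """True if func(*args) raises exc; used to show the hardened forms rejecting input."""
    try:
        func(*args)
    except exc:
        return True
    return False


if __name__ == "__main__":
    print(command_vulnerable({"host": TAINTED_HOST}))
    print(raises(ValueError, command_safe, {"host": TAINTED_HOST}))
    print(load_vulnerable(MALICIOUS_PICKLE) == CWD_AT_IMPORT)
    print(raises(pickle.UnpicklingError, load_restricted, MALICIOUS_PICKLE))
```

The vulnerable variants are kept to show the data flow the rules flag; the tainted string is only built, never executed, and the pickle payload calls `os.getcwd` rather than a command. A restricted unpickler limits the damage but does not make pickle safe for untrusted input; where the data is not already pickle, use `json` or another data-only format.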
Enforce Security Hotspot review as part of Clean as You Code
At SonarSource, we firmly believe that developers own the security of their code. Merging
with unreviewed Security Hotspots violates clean coding best practices. When we dogfooded
Security Hotspots, compliance was inconsistent: sometimes doing the right thing isn’t easy!
To that end, the built-in Sonar way Quality Gate now includes the Security Hotspots Reviewed
metric on New Code, so you can’t ‘green light’ a merge without addressing them.
Back in v7.7, we added the ability to decorate analysis results right in your ALM. Since
then, we’ve continued to add features so you can easily see what needs fixing, right when
you’re working on it. The latest release takes more steps toward that goal.
Clear Security Hotspot metric decoration
The Security Hotspot review metric now gets its own, clearly labelled metric for GitHub and GitLab.
Previously, Security Hotspots were folded into the Vulnerability metric, which sent mixed
messages. Now the Security Hotspot review metric stands alongside the Bug, Code Smell and
Vulnerability metrics so you get a clear picture.
Analysis results in GitHub Conversation tab
SonarQube already decorates analysis results in GitHub Checks. Back by popular demand,
we’re also posting the metrics in the pull request’s Conversation tab for increased visibility.