Even more Python love, Security Hotspot review on New Code joins built-in Quality Gate and XSS detection in Java & C#
April 30th, 2020
The Python Analysis Good Vibes continue…
For several releases now, we’ve continued to bring more value to Python analysis and v8.3 is
no exception. For some, Python isn’t their first language and it’s easy to make common
mistakes. We added new rules to help ensure these common errors don’t slip into your code
base by checking for issues related to exceptions, operand type incompatibility and defining
methods/functions. Support for Python v3.8 is added as well.
Vulnerabilities related to arbitrary code injection/execution are the second most common
issue in Python OSS projects. To counter this, we’ve added detection for issues stemming
from OS commands, dynamic code execution and de-serialization (unpickling). Additional
rules extend taint analysis coverage to keyword arguments and data passed to dictionaries.
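As an added illustration (not SonarSource code and not from the release), the three Python sinks the paragraph names, each next to a hardened counterpart; the tainted value deliberately arrives through a keyword argument and a dict, the two flows the new taint rules follow. The request value and the pickle blobs are constructed for the demo.

```python
import ast
import builtins
import io
import pickle
import shlex
import subprocess
import sys

# Constructed tainted input standing in for a request parameter. The 8.3 taint
# rules follow it through keyword arguments and dicts, so the sinks below
# receive it that way on purpose.
REQUEST = {"name": "report.txt; echo injected"}
# Constructed pickles: a plain dict, and a blob referencing a module-level
# function (harmless here, but the kind of global a safe loader must refuse).
SAFE_BLOB = pickle.dumps({"a": 1})
UNSAFE_BLOB = pickle.dumps(shlex.quote)

def run_vulnerable(**kwargs):
    # OS command injection sink: tainted value concatenated into a shell string,
    # then passed to subprocess.run through a dict of keyword arguments.
    opts = {"args": "ls -l " + kwargs["name"], "shell": True}
    return subprocess.run(**opts, capture_output=True, text=True)

def run_hardened(**kwargs):
    # No shell, argv list: the whole tainted value stays one argument. The
    # child only echoes argv[1], so the result is observable offline.
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1], end='')",
            kwargs["name"]]
    return subprocess.run(argv, capture_output=True, text=True).stdout

def eval_vulnerable(expr):
    return eval(expr)  # dynamic code execution sink

def eval_hardened(expr):
    # Literals only; a call or attribute access raises ValueError.
    return ast.literal_eval(expr)

def loads_vulnerable(blob):
    return pickle.loads(blob)  # deserialization sink: any global gets resolved

class RestrictedUnpickler(pickle.Unpickler):
    """Refuses every global except a few harmless builtins."""
    ALLOWED = {"set", "frozenset", "range"}

    def find_class(self, module, name):
        if module == "builtins" and name in self.ALLOWED:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def loads_hardened(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()
```

Running the hardened variants on `REQUEST` shows the `; echo injected` suffix arriving as inert text, `literal_eval` rejecting any call, and the restricted unpickler refusing the `shlex.quote` reference while still loading the plain dict.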
Enforce Security Hotspot review as part of Clean as You Code
At SonarSource, we firmly believe that developers own the security of their code. Merging
with un-reviewed Security Hotspots violates clean coding best practices. When we dogfooded
Security Hotspots, compliance was inconsistent - sometimes doing the right thing isn’t easy!
To that end, the built-in SonarWay Quality Gate now includes the Security Hotspots Reviewed
metric on New Code so you can’t ‘green light’ your merge without addressing them.
Back in v7.7, we added the ability to decorate analysis results right in your ALM. Since
then, we’ve continued to add features so you can easily see what needs fixing, right when
you’re working on it. The latest release takes more steps toward that goal.
Clear Security Hotspot metric decoration
The Security Hotspot review metric gets its own, clear metric for GitHub and GitLab.
Previously, Security Hotspots were presented as part of the Vulnerability metric and that
sent mixed messages. Now, the Security Hotspot review metric stands alongside the Bug,
Code Smell and Vulnerabilities metrics so you get a clear picture.
Analysis results in GitHub Conversation tab
SonarQube already decorates analysis results in the GitHub Checks. Back by popular demand,
we’re also including the metrics in the Conversation tab for increased visibility.
SonarQube v8.3 extends XSS injection flaw detection to several common frameworks. JSP and
Spring are covered for Java; Razor and ASP.NET Core MVC are added for C#.
Buffer overflows haven’t gone away, so let’s find them! Version 8.3 adds rules to detect
the majority of buffer overflow vulnerabilities in C/C++ POSIX APIs.
Modern coding practices depend on the creation of branches and pull requests. For folks
that rely on Jenkins, SonarQube now auto-detects your environment variables so analysis is
fast and hands-free.
Write clean code in your IDE with SonarLint
SonarLint + SonarQube is a great clean coding combo and now you can find issues in Java
with SonarLint for VS Code!
If C++ is your language, you’ll want to pair SonarQube with SonarLint for Visual Studio. The last several releases focused on C++ functionality and performance.
Language Updates
With every release, we add more rules and capabilities so you can find more issues:
Performance Tuning, Custom Rules and Public API improvements
.NET analyzers push branch coverage data to SonarQube