Expanded OWASP Top 10 coverage; faster analysis; hot backups & faster startup
July 7th, 2020
XSS, XXE, and insecure deserialization detection added
Python adds XSS detection, 4 more OWASP Top 10 categories
Cross-Site Scripting (XSS) is the most common vulnerability type fixed by open-source Python developers. It puts your sites and your users at risk. So in this version we've added another XSS-related Security Hotspot rule, S5247, which finds all the places where auto-escaping has been turned off in template engines. Cross-Site Scripting is A7 in the OWASP Top 10, and we've added coverage in four other categories as well: A2 - Broken Authentication; A3 - Sensitive Data Exposure; A4 - XML External Entities (XXE); and A6 - Security Misconfiguration.
In commercial editions, we've added detection of XSS vulnerabilities in DTL and Jinja2 templates, the HTML files that are used by Django and Flask to generate output to the user. We've also beefed up the existing taint analysis rules to properly recognize Flask endpoints (Django was already covered) as sources of user-provided data. Additionally, those rules now also recognize types declared in Django, Flask, the Python standard library, and the other libraries that Django and Flask depend on, as well as being able to accurately track user-provided data when it's passed into collections.
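As an added illustration, not SonarQube's own rule implementation, here is a minimal stdlib-only checker for the kind of pattern a rule like S5247 reports: a Jinja2 `Environment` created with `autoescape=False` or with the argument omitted (Jinja2's default is off), a Flask app setting `jinja_env.autoescape = False` afterwards, and template tags that switch escaping off. The module it scans is constructed for the example.

```python
import ast
import re

# Constructed sample module to scan (not real project code): one Environment with
# auto-escaping explicitly off, one configured safely, one relying on Jinja2's
# default (which is off), and a Flask app that switches escaping off afterwards.
SAMPLE_SOURCE = '''
from jinja2 import Environment, FileSystemLoader, select_autoescape

unsafe_env = Environment(loader=FileSystemLoader("templates"), autoescape=False)
safe_env = Environment(loader=FileSystemLoader("templates"),
                       autoescape=select_autoescape(["html", "xml"]))
default_env = Environment(loader=FileSystemLoader("templates"))
app.jinja_env.autoescape = False
'''

# Template-side switch: DTL uses {% autoescape off %}, Jinja2 uses {% autoescape false %}.
AUTOESCAPE_OFF = re.compile(r"{%\s*autoescape\s+(off|false)\s*%}", re.IGNORECASE)


def _is_false(node) -> bool:
    return isinstance(node, ast.Constant) and node.value is False


def find_disabled_autoescape(source: str):
    """Return (line, reason) for each place Python code turns Jinja2 auto-escaping off."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            func = node.func
            name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
            if name != "Environment":
                continue
            kwargs = {kw.arg: kw.value for kw in node.keywords}
            if "autoescape" not in kwargs:
                findings.append((node.lineno, "autoescape not set; Jinja2 defaults to off"))
            elif _is_false(kwargs["autoescape"]):
                findings.append((node.lineno, "autoescape=False"))
        elif isinstance(node, ast.Assign) and _is_false(node.value):
            # Catches e.g. app.jinja_env.autoescape = False after the app is created.
            for target in node.targets:
                if isinstance(target, ast.Attribute) and target.attr == "autoescape":
                    findings.append((node.lineno, "autoescape attribute set to False"))
    return sorted(findings)


def find_autoescape_off_in_template(text: str):
    """Line numbers of template blocks that switch auto-escaping off."""
    return [i for i, line in enumerate(text.splitlines(), 1) if AUTOESCAPE_OFF.search(line)]


if __name__ == "__main__":
    for line, reason in find_disabled_autoescape(SAMPLE_SOURCE):
        print(f"line {line}: {reason}")
```

The safe `Environment` on line 5 of the sample, which uses `select_autoescape`, is the form to prefer; the other three sites are the ones a reviewer should see.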
Python isn't the only language that added XXE detection; we now find those vulnerabilities in C and C++ too. C also got detection of the use of insecure functions. Many of these functions are so commonly used that they're taken for granted, and it's easy for developers to lose sight of the fact that the functions can lead to exploitable vulnerabilities.
Insecure deserialization detection for Java and C#
Also in this version, we've added detection of deserialization vulnerabilities for C# and Java. Insecure deserialization is A8 in the OWASP Top 10, which says that "[t]he impact of deserialization flaws cannot be overstated. These flaws can lead to remote code execution attacks, one of the most serious attacks possible." For Java this is a commercial feature.
Additionally, in commercial editions XSS detection for C# has been extended to .NET Core and .NET Framework solutions that rely on the Razor template engine.
Rules for better Python, faster analysis
22 new Python rules, better type handling, Flake8 support
Python adds 14 new Bug rules and eight new Code Smells, including four rules about type checking. Additionally, Python analysis now understands TypeShed types, so existing rules get smarter. And finally, Flake8 users can now easily import those issues.
Faster analysis for C#, C, C++ & Objective-C
Analysis speeds up in this version for C, C++, Objective-C and C# by eliminating unnecessary and redundant work during the analysis. For C, C++ and Objective-C, our testing showed reductions of up to 80%, depending on the number of external dependencies used by the project. For C#, analysis time improved by an average of 25%.
Setting up new projects from Bitbucket Server and GitHub Enterprise instances is a snap now with a project onboarding wizard that walks you through selecting the projects to analyze. In the background, it auto-configures the project for PR decoration. Then for Bitbucket Server users, the new in-app tutorial walks you through the minimal configuration required Jenkins-side to set up your pipeline.
Hot backups, faster startups
Operating your SonarQube instance just got a lot easier. Now you can take database backups without shutting SonarQube down, with no fear of data corruption. And when you do have to shut SonarQube down, as in an upgrade or disaster recovery scenario, it'll be available again faster than ever. SonarQube accepts and processes analysis reports before issue indexing is complete. That means that even before the interface is fully available, Quality Gate statuses will be updated, webhooks sent and pull requests decorated. Meanwhile, each project becomes browsable once its issues have been indexed. In short, your development lifecycle can continue as normal while startup progresses in the background.
With every release, we add more rules and capabilities so you can find more issues: