Expanded OWASP Top 10 coverage; faster analysis; hot backups & faster startup
July 7th, 2020
XSS, XXE, and insecure deserialization detection added
Python adds XSS detection, 4 more OWASP Top 10 categories
Cross-Site Scripting (XSS) is the most common vulnerability type fixed by open-source Python
developers. It puts your sites and your users at risk, so in this version we've added
another XSS-related Security Hotspot: S5247 flags every place where auto-escaping has been
turned off in a template engine, so that each one can be reviewed. Cross-Site Scripting is
A7 in the OWASP Top 10 (2017), and we've added coverage in four other categories as well:
A2 - Broken Authentication; A3 - Sensitive Data Exposure; A4 - XML External Entities (XXE);
and A6 - Security Misconfiguration.
In commercial editions, we've added detection of XSS vulnerabilities in Django Template
Language (DTL) and Jinja2 templates, the HTML template files that Django and Flask render to
produce output for the user. We've also beefed up the existing taint analysis rules to
properly recognize Flask endpoints (Django was already covered) as sources of user-provided
data. Additionally, those rules now recognize types declared in Django, Flask, the Python
standard library, and the other libraries that Django and Flask depend on, and they
accurately track user-provided data when it's passed into collections.
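To make the Hotspot concrete, here is an added example (not SonarQube's own code and not part of the original post) showing what turning off Jinja2 auto-escaping does to attacker-controlled input. It assumes the jinja2 package is installed, and it uses a constructed payload in place of a Flask request parameter:

```python
"""Added example: the effect of disabling Jinja2 auto-escaping.

Assumes the jinja2 package (and its markupsafe dependency) is installed.
The template strings and the payload below are constructed for this demo;
in a real app the payload would arrive via a Flask/Django request.
"""
from jinja2 import Environment

# Constructed attacker-controlled value (stand-in for request.args["name"]).
PAYLOAD = "<script>alert(1)</script>"

# A template that interpolates the value straight into HTML.
TEMPLATE = "<p>Hello {{ name }}</p>"


def render(template_src: str, autoescape: bool, **context) -> str:
    """Render a template string with auto-escaping on or off.

    Environment(autoescape=False) is the stand-alone Jinja2 default, and
    is exactly the kind of configuration S5247 reports for review: every
    {{ }} expression is emitted as raw HTML. Flask enables auto-escaping
    for .html templates; autoescape=True mirrors that here.
    """
    env = Environment(autoescape=autoescape)  # False = auto-escaping disabled
    return env.from_string(template_src).render(**context)


def vulnerable() -> str:
    """Auto-escaping off: the payload is written verbatim into the page."""
    return render(TEMPLATE, autoescape=False, name=PAYLOAD)


def hardened() -> str:
    """Auto-escaping on: '<' and '>' are HTML-encoded, the script is inert text."""
    return render(TEMPLATE, autoescape=True, name=PAYLOAD)


def safe_filter_bypass() -> str:
    """Even with auto-escaping on, '|safe' marks the value as trusted markup
    and re-opens the hole for that one expression."""
    return render("<p>Hello {{ name|safe }}</p>", autoescape=True, name=PAYLOAD)


def autoescape_block_bypass() -> str:
    """A local {% autoescape false %} block disables escaping for its contents."""
    return render(
        "{% autoescape false %}<p>Hello {{ name }}</p>{% endautoescape %}",
        autoescape=True,
        name=PAYLOAD,
    )


def is_escaped(html: str) -> bool:
    """Cheap check for a test: a raw script tag must not survive rendering."""
    return "<script>" not in html


if __name__ == "__main__":
    for label, fn in [
        ("autoescape=False", vulnerable),
        ("autoescape=True", hardened),
        ("|safe filter", safe_filter_bypass),
        ("autoescape block", autoescape_block_bypass),
    ]:
        out = fn()
        print(f"{label:18} escaped={is_escaped(out)!s:5} {out}")
```

Each of the three "unsafe" renderings is a place a reviewer has to look at: the question for every flagged spot is whether the value can ever be user-controlled, and `|safe` or an `{% autoescape false %}` block should be reserved for content that has already been sanitized server-side.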
Python isn't the only language that gained XXE detection; we now find those vulnerabilities
in C and C++ too. C also got detection of calls to insecure standard library functions. Many
of these functions are so commonly used that they're taken for granted, and it's easy for
developers to lose sight of the fact that they can lead to exploitable vulnerabilities.
Insecure deserialization detection for Java and C#
Also in this version, we've added detection of deserialization vulnerabilities for C# and
Java. Insecure deserialization is A8 in the OWASP Top 10 (2017), which says that "[t]he
impact of deserialization flaws cannot be overstated. These flaws can lead to remote code
execution attacks, one of the most serious attacks possible." For Java this is a commercial
feature.
Additionally, in commercial editions XSS detection for C# has been extended to .NET Core
and .NET Framework solutions that rely on the Razor template engine.
Rules for better Python, faster analysis
22 new Python rules, better type handling, Flake8 support
Python adds 14 new Bug rules and 8 new Code Smell rules, including four rules about type
checking. Additionally, Python analysis now understands typeshed type stubs, so existing
rules get smarter. And finally, Flake8 users can now easily import their Flake8 reports so
those issues show up alongside SonarQube's own.
Faster analysis for C#, C, C++ & Objective-C
Analysis speeds up in this version for C, C++, Objective-C and C# by eliminating
unnecessary and redundant work during the analysis. For C, C++ and Objective-C our testing
showed reductions of up to 80% depending on the number of external dependencies used by
the project. For C# analysis time improved an average of 25%.
Setting up new projects from Bitbucket Server and GitHub Enterprise instances is a snap now
with a project onboarding wizard that walks you through selecting the projects to analyze.
In the background, it auto-configures the project for PR decoration. Then for Bitbucket
Server users, the new in-app tutorial walks you through the minimal configuration required
Jenkins-side to set up your pipeline.
Hot backups, faster startups
Operating your SonarQube instance just got a lot easier. You can now take database backups
without shutting SonarQube down, and without fear of data corruption. And when you do have
to shut SonarQube down, for an upgrade or in a disaster recovery scenario, it'll be
available again faster than ever: SonarQube accepts and processes analysis reports before
issue indexing is complete. That means that even before the interface is fully available,
Quality Gate statuses will be updated, webhooks sent and pull requests decorated.
Meanwhile, each project becomes browsable once its issues have been indexed. In short,
your development lifecycle can continue as normal while startup progresses in the
background.
Language Updates
With every release, we add more rules and capabilities so you can find more issues: