Good coverage for OWASP Top 10 and CWE Top 25 vulnerabilities
With every release, we’re adding more value to keep your code secure. Now, for Java,
JavaScript, C and C++, you can expect 80+% detection of OWASP Top 10 and CWE Top 25
vulnerabilities.
JavaScript SAST analysis - Round 2!
In SonarQube 8.6, we introduced SAST analysis for JavaScript and this latest release
continues the good vibes and brings broader detection covering more issue types!
Yes, it’s popular and flexible and it’s everywhere AND let’s keep it safe! SonarQube 8.7
includes new functionality to help you find vulnerabilities in PHP Core and the popular
frameworks Symfony and Laravel.
For Laravel-based applications, the routing system is the entry point attackers and their
payloads use most. SonarQube understands this routing system and can identify
vulnerabilities reachable through these entry points.
Type information doesn’t just make your code more maintainable, it helps make it more
secure! The SonarQube security engine uses developer-provided type info (type hints,
PHPDoc) to improve receiver resolution in control flows. Being declarative gets you more
readable code and better security analysis accuracy too!
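As an added illustration of the two PHP points above (it is not code from the page or from SonarQube), the controller below is reached through Laravel routes. One action concatenates a request parameter into raw SQL, which is the kind of taint flow from route entry point to sink that the analysis reports; the hardened action binds the value instead, and a typed route parameter gives the engine the receiver type it needs. The Laravel classes used (`Illuminate\Http\Request`, `DB`, `Route`) are the framework’s own; `UserController` and the `users` table are assumed names.

```php
<?php
// Added example, not from the page or SonarQube. Laravel framework classes are
// real; the controller, table and column names are assumed for illustration.

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Route;

class UserController
{
    /**
     * Tainted flow: the "name" request parameter is attacker-controlled and is
     * interpolated straight into the SQL text. A taint analyzer follows
     * $request->input() -> $name -> DB::select() and reports SQL injection
     * at the sink.
     *
     * @param Request $request  PHPDoc and the type hint both tell the engine
     *                          what $request is, so ->input() resolves.
     */
    public function searchUnsafe(Request $request)
    {
        $name = $request->input('name');
        return DB::select("SELECT id, name FROM users WHERE name = '$name'");
    }

    /**
     * Hardened form of the same lookup: the user value travels only as a bound
     * parameter, never as SQL text, so the flow is sanitised at the sink.
     *
     * @param Request $request
     */
    public function searchSafe(Request $request)
    {
        $name = (string) $request->input('name', '');
        return DB::select('SELECT id, name FROM users WHERE name = ?', [$name]);
    }

    /**
     * Typed route parameter: declaring int means $id can only be an integer
     * by the time the body runs (PHP coerces the route segment in non-strict
     * mode; the route constraint below rejects anything non-numeric earlier).
     * The analyzer gets a precise receiver type and a value that cannot carry
     * SQL text into the query builder call.
     *
     * @param int $id
     */
    public function show(int $id)
    {
        return DB::table('users')->where('id', $id)->first();
    }
}

// Route registration: each registered handler is an entry point whose request
// data the analysis treats as tainted.
Route::get('/users/search', [UserController::class, 'searchUnsafe']);
Route::get('/users/search-safe', [UserController::class, 'searchSafe']);
Route::get('/users/{id}', [UserController::class, 'show'])->where('id', '[0-9]+');
```

Run against this file, the analysis should report the string-interpolated query in `searchUnsafe` and stay quiet on `searchSafe` and `show`; if it does not, check that the route file is inside the analyzed sources, since the routing table is what marks the controller methods as entry points.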
Improved taint analysis precision makes you more efficient
Finding tricky security vulnerabilities with SonarQube taint analysis is awesome! Finding
out that a flagged location in the taint flow is actually irrelevant is not efficient. We
set an objective to reduce the number of irrelevant flags and came up with a Flow Path
annotation technique that more accurately tracks the relationship between variable
assignments and where they’re used.
More integration flexibility for where your code lives
SonarQube fits the way your projects are organized. Branch analysis and Pull/Merge Request
decoration just came to your mono-repo living in GitHub, GitLab, Azure DevOps and
Bitbucket Server.
Support for Bitbucket Cloud and Bitbucket Pipelines
In the past, there might have been some entrepreneurial folks who hooked SonarQube up to
Azure DevOps Services 😉. While not ‘officially’ condoned, we understood the reasons. We
listened, and NOW support for Azure DevOps Services is official! 🍾
Project onboarding in CE - Less configuration; more analysis!
If you’re new to SonarQube, we’ve got you covered on getting started. Now included with
Community Edition, a wizard helps you feel at home and guides you in adding and analyzing
all your projects.
Are you taking full advantage of the new C++17 features? SonarQube is your coding buddy
catching issues as you learn and experiment with the new C++17 functionality. Make sure
you’re getting the most from the new features and avoiding the common pitfalls.
Some Java ❤️
Java Regex rules
Regex - So powerful, so easy to mess up! 😎 SonarQube helps you write clean, error-free
regex. We added more rules!
Help for secondary locations
Fixing an issue in your code can be tricky and it’s probably not at the top of your joy
list - SonarQube gives helpful hints even in secondary locations.
Detect cryptography-related issues in C#
Keep the adversaries at bay and your web app users safe. There’s no doubt, encryption is a
complex topic so we’ve brought several new rules to check for issues that could compromise
private user data.
SonarLint & SonarQube for the Win!
Fix vulnerabilities right in Visual Studio and IntelliJ
No sense in letting vulnerabilities get caught by a security audit when you can find and
fix them yourself! With SonarLint running in Connected Mode, as soon as SonarQube has
analyzed your project, you can investigate any taint vulnerabilities discovered right in
your IDE.
SonarLint notifications now come as part of Community Edition
With SonarQube 8.7, we’re moving SonarLint Smart Notifications to Community Edition
(previously DE+). Now all developers can benefit from getting important analysis
notifications right in their IDE.