SonarQube 9.2

CloudFormation & Terraform, Python Lambda taint analysis; Android rules and more

November 22nd, 2021

IaC support: analyze CloudFormation, Terraform security

In the 9.2 release, SonarQube adds support for analyzing CloudFormation and Terraform files. With these two new languages, SonarQube helps developers secure not just their code, but also their deployments. Simply moving to the cloud doesn't make your application secure: while AWS manages the security of the cloud, it's still up to you to manage what you put there. And that means securing not just the code but also how it's deployed. Among the domains covered for both CloudFormation and Terraform are the security of your AWS S3 buckets, permissions, traceability, and encryption at rest and in transit. Additionally, import is supported for reports from Cfn-Lint, Amazon's official CloudFormation linter.

Taint analysis for Python AWS Lambdas (available in Developer Edition, Enterprise Edition and Data Center Edition)

As more and more business logic moves to cloud-native architecture, protecting it becomes increasingly urgent. After securing your configuration with CloudFormation and Terraform analysis, you'll still need to make sure the code you deploy to the cloud is secure. That's why we're providing groundbreaking taint analysis of your AWS Lambdas. SonarQube 9.1 added taint analysis for AWS Lambdas written in JavaScript. With 9.2, SonarQube detects a full range of taint analysis issues for Python Lambdas configured for both AWS SAM and Serverless framework applications to help you keep your users and your assets safe.
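An added illustration of the kind of flow this analysis tracks (not code from SonarQube or AWS): an API Gateway event, as SAM or Serverless would deliver it, feeds a Python Lambda handler whose tainted query parameter reaches a SQL query. The in-memory sqlite database and the event are constructed here; the vulnerable handler breaks on an ordinary apostrophe, the parameterized one does not.

```python
import json
import sqlite3

# Constructed in-memory store standing in for the Lambda's database.
CONN = sqlite3.connect(":memory:", check_same_thread=False)
CONN.execute("CREATE TABLE users (name TEXT, email TEXT)")
CONN.executemany("INSERT INTO users VALUES (?, ?)",
                 [("alice", "alice@example.com"), ("O'Brien", "ob@example.com")])

def api_event(name):
    """Minimal constructed API Gateway proxy event (SAM / Serverless shape)."""
    return {"httpMethod": "GET", "path": "/users",
            "queryStringParameters": {"name": name}}

def vulnerable_handler(event, context=None):
    # Source: the query string is attacker-controlled.
    name = (event.get("queryStringParameters") or {}).get("name", "")
    # Sink: the tainted value is concatenated into SQL (SQL injection).
    rows = CONN.execute(
        f"SELECT email FROM users WHERE name = '{name}'").fetchall()
    return {"statusCode": 200, "body": json.dumps([r[0] for r in rows])}

def hardened_handler(event, context=None):
    name = (event.get("queryStringParameters") or {}).get("name", "")
    # Parameter binding keeps data out of the SQL text; the taint never
    # reaches a query string, so no issue is raised here.
    rows = CONN.execute(
        "SELECT email FROM users WHERE name = ?", (name,)).fetchall()
    return {"statusCode": 200, "body": json.dumps([r[0] for r in rows])}

def lookup(handler, name):
    """Run a handler on a constructed event; None means the query itself broke."""
    try:
        return json.loads(handler(api_event(name))["body"])
    except sqlite3.Error:
        return None

if __name__ == "__main__":
    print(lookup(vulnerable_handler, "O'Brien"))  # None: the quote breaks the SQL
    print(lookup(hardened_handler, "O'Brien"))    # ['ob@example.com']
```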

Android development easier, more secure across languages

Android developers have a lot to look forward to in 9.2, with a slew of new rules across languages and better support in the underlying development workflow. Starting with rules...

There are a lot of security-sensitive configurations in an Android application, and it's not always obvious how they should be set. Four new rules implemented for Kotlin and Java, and five new rules for XML help developers ensure their users' data is properly secured.

With 9.1, SonarQube added rules to help Kotlin developers meet MASVS' Data Storage and Privacy Requirements. Now the same rules bring parity for Java Android developers.

On the topic of parity, two Vulnerability rules and two Security Hotspot rules previously implemented for Java to ensure Android or general JVM security have been ported to Kotlin for better Android security across languages. Another two Code Smell rules and five new Bug rules were also ported from Java to Kotlin since the pitfalls they cover have a 1:1 correspondence across languages.

Finally, to round out support for mobile developers, we worked with Codemagic to support "auto(code)magic" detection of branches and PRs in that CI/CD platform. From now on, there's no complex YAML logic, just magically easy analysis.

Advanced regex rules for Kotlin & Python

Last winter we developed novel regex rules for Java and talked a lot about how much easier it is to mess up regular expressions than anyone ever realized. Since then we've extended these important new rules to PHP and JavaScript/TypeScript in SonarQube 9.1 and now to Kotlin and Python in 9.2. With these new rules, now more than ever, SonarQube helps Kotlin and Python developers write the code they intended.

Taint analysis accuracy, clarity improve (available in Developer Edition, Enterprise Edition and Data Center Edition)

Accuracy in all facets of analysis is SonarSource's guiding star, and nowhere more so than for security-related rules. With 9.2 we've subtly updated several aspects of taint analysis for a better overall experience. First, false negatives were eliminated by differentiating between validators (check the argument and return a boolean) and sanitizers (return a single, sanitized argument). Additional updates include:

  • distinguishing between OS command injection and OS argument injection
  • splitting detection of reflection injection from detection of code injection

In both cases, approximately the same issues are raised in 9.2 as previously, but now by potentially different rules. The advantage is clarity for developers trying to understand the problem based on the rule description: a more appropriate description will now be presented in each case.

Additionally, the rule to detect HTTP response splitting, S5167, has been deprecated since it's no longer relevant in modern web contexts. In its place, rules protecting HTTP request redirections and HTTP responses have been implemented.
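The validator/sanitizer distinction and the command-versus-argument injection split, in an added Python example (mine, not SonarQube's rules or test cases). The builders return the command they would hand to subprocess instead of executing it, and the helper names are constructed for illustration.

```python
import re

# Validator vs sanitizer for a file name that will become a process argument.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*")  # no leading "-" or "."

def is_safe_filename(value):
    """Validator: checks the argument and returns a boolean; value is unchanged."""
    return SAFE_NAME.fullmatch(value) is not None

def sanitize_filename(value):
    """Sanitizer: returns a new value that the validator accepts."""
    cleaned = re.sub(r"[^A-Za-z0-9_.-]", "_", value)
    return cleaned if is_safe_filename(cleaned) else "_" + cleaned

def build_command_injection(user_path):
    # OS command injection sink: this string would go to subprocess.run(...,
    # shell=True), so shell metacharacters in user_path change the command.
    return "ls -l " + user_path

def build_argument_injection(user_path):
    # No shell, so metacharacters are harmless, but a value starting with "-"
    # is parsed by ls as an option: OS argument injection, its own rule in 9.2.
    return ["ls", "-l", user_path]

def build_validator_misused(user_path):
    # Calling a validator and ignoring its boolean sanitizes nothing; treating
    # this like a sanitizer call is the false negative the 9.2 change removes.
    is_safe_filename(user_path)
    return ["ls", "-l", user_path]

def build_hardened(user_path):
    # The validator's result gates the sink, and "--" ends option parsing.
    if not is_safe_filename(user_path):
        raise ValueError("rejected path")
    return ["ls", "-l", "--", user_path]

def build_sanitized(user_path):
    # Alternative: only the sanitizer's return value reaches the sink.
    return ["ls", "-l", "--", sanitize_filename(user_path)]

def is_rejected(user_path):
    """True when the hardened builder refuses the value."""
    try:
        build_hardened(user_path)
    except ValueError:
        return True
    return False
```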

Automatically find - and fix! - issues in-IDE

SonarLint gives you an early warning on your SonarQube analysis by raising the same issues in-IDE. And now the free IDE extension even offers quick fixes for some Java issues in Eclipse, VSCode and JetBrains' IDEs, and for some C and C++ issues in CLion. (More languages & IDEs coming soon!) Just look for the SonarLint icon in issues raised after the upgrade.

Badges for private projects and other long-awaited features

SonarQube 9.2 includes a number of long-awaited features to help you better integrate SonarQube into your organization. First, with this version we've finally been able to deliver badges for private projects. Next, is the new functionality to delegate administration of a single Quality Gate. Previously, administrators could delegate permissions for all Quality Gates; now they can be more selective. Speaking of delegation, delegating authentication to Bitbucket Cloud is now built in.

Another item on the highly-anticipated list is branch handling in Enterprise Edition Portfolios. Users will be able to create new portfolios to track project branches and even track multiple branches within the same project. Also for the benefit of Enterprise Edition users, we've added the ability to export projects from any instance - Community Edition and up - for import into Enterprise Edition. That will make it easier to get all the right projects into your portfolios in the first place.

SonarQube upgrade notifications

Last but very much not least, we've added in-application prompting when it's time to upgrade SonarQube itself. We know SonarQube runs so well that it's easy to lose sight of how long you've been using a particular version. But to get the latest features - and fixes - it's important to stay on a supported version: either the LTS or Latest. So starting from 9.2, we'll keep an eye out for you and let you know when it's time to schedule your next upgrade.

Language Updates

C#
  • Parsing support for C# 10
  • Improved analysis of C# 9
  • 3 new Code Smell rules

C++
  • 7 new rules to make the best use of C++20 features

JavaScript
  • 8 new rules to write better Mocha and Chai tests

Python
  • Support for Python 3.10

Java
  • Parsing support for Java 17

Time to enjoy all the new version features!