Blog
Sonar's latest blog posts
What is Clean Code?
If you’ve followed us for a while, you most likely noticed that we changed the way we describe what we do: from “code quality” to “continuous code inspection,” then “code quality and code security”… to Clean Code.
But what is Clean Code, and what does it encompass?
Code vulnerabilities put health records at risk
Recently, we discovered several code vulnerabilities in OpenEMR 5.0.2.1. A combination of these vulnerabilities allowed remote attackers to execute arbitrary system commands on any OpenEMR server that uses the Patient Portal component. This can lead to the compromise of sensitive patient data, or worse, to a compromise of critical infrastructure.
Read Blog post >
Winning the race against TOCTOU vulnerabilities in C & C++
Security is an eternal race between the techniques and technologies of attackers and those of the defenders. Today, I'm proud to announce a step forward for defenders with a new rule to detect a literal race condition: TOCTOU (or TOCTTOU) vulnerabilities, known in long-form as Time Of Check (to) Time Of Use.
Read Blog post >
Mono-repository support for GitHub and Azure DevOps Services available now!
Take a tour of SonarCloud's integration with mono-repositories in GitHub and Azure DevOps Services. This new feature allows you to define multiple Quality Gates per project and receive multiple results in your pull requests.
Read Blog post >
Pandora FMS 742: Critical Code Vulnerabilities Explained
How code vulnerabilities in your web application can be the single point of failure for your IT infrastructure’s security.
Read Blog post >
False positives are our enemies, but may still be your friends
When writing a rule for static analysis, it’s possible that in some cases, the rule does not give the results that were expected. Unfortunately, naming a false positive is often far easier than fixing it. Learn how the different types of rules give rise to different types of false positives, which ones are easier to fix than others, and how you can help.
Read Blog post >
Codoforum 4.8.7: Critical Code Vulnerabilities Explained
We analyze the root cause of three critical security vulnerabilities that enabled a complete board take over, and how to correctly prevent these in your code.
Read Blog post >
About the recent code leaks from SonarQube instances
On July 27th 2020 we learned through media coverage that Till Kottmann was able to access non open-source source code from various companies. This is our public response to the incident.
Read Blog post >
Take Control of Code Quality with SonarQube Pull Request Decoration in Your Workflow
How do you write super clean code without disrupting your workflow? Join me as I show you how SonarQube Pull Request Decoration gets you there!
Read Blog post >
Apache Kylin 3.0.1 Command Injection Vulnerability
We discovered a severe command injection vulnerability in Apache Kylin that allows malicious users to execute arbitrary OS commands.
Read Blog post >
SonarSource acquires RIPS Technologies
Teams will be joining forces in building best-in-class Static Application Security Testing (SAST) products that help development teams and organizations deliver more secure software.
Read Blog post >
Exploiting Hibernate Injections
Hibernate is among one of the most commonly found database libraries used in Java web applications, shipping with its own query language. This technical post will teach you how to detect and exploit Hibernates very own vulnerability: The HQL Injection.
Read Blog post >