Sonar's latest blog posts

Featured Post

Announcing SonarSweep: Improving training data quality for coding LLMs

Recent research from Anthropic has shown that even a small amount of malicious or poor quality training data can have a massively negative impact on a model’s performance, exposing users to significant security and quality issues.

Read More
https://assets-eu-01.kc-usercontent.com:443/55017e37-262d-017b-afd6-daa9468cbc30/c4c32669-0e01-4074-926a-1b257686a90c/sonarsweep_blog_or_press_featured_with_mark__2x.webp
Image shows various elements of code security, languages and bugs
Blog post

Clean as You Code: How to win at Code Quality without even trying

Analyzing a legacy project can be overwhelming. Learn how to Clean as You Code to make sure that the code you release into production tomorrow is at least as good as - and probably better than! - the code that's in production today.

Read Blog >

Image for Bit Rot: the silent killer
Blog post

Bit Rot: the silent killer

Your code is rotting right now. Every day, each one of your production services, internal tools, and open source libraries decays a little bit.

Read article >

Get new blog posts delivered directly to your inbox!

Stay up-to-date with the latest Sonar content. Subscribe now to receive the latest blog articles.

I do not wish to receive promotional emails about upcoming SonarQube updates, new releases, news and events.

By clicking “Sign up”, you consent to receive email communications from SonarSource containing blog updates, product news, and other relevant content. We will store and process your personal data for this purpose as described in our Privacy Policy. You can withdraw your consent at any time by clicking the unsubscribe link in our emails or by contacting us in accordance with the Privacy Policy.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Image for Package management: a brief history
Blog post

Package management: a brief history

Application developers today are used to relying on and pulling in a number of open source libraries to help them focus on the functionality that’s important to their business.

Read article >

Image for The simple magic of package manifests and lockfiles
Blog post

The simple magic of package manifests and lockfiles

If you aren’t using open source components to build your apps, you’re not living in 2019. Our research suggests 92% of professional applications are built using open source.

Read article >

BigTree is a small content management system which does not depend on many frameworks and advertises itself as user friendly and developer ready. In this blog post, we will take a look at...
Blog post

Backend SQL Injection in BigTree CMS 4.4.6

BigTree is a small content management system which does not depend on many frameworks and advertises itself as user friendly and developer ready. In this blog post, we will take a look at a few vulnerabilities we have detected in the codebase of BigTree.

Read Blog >

Image for How much time do developers spend actually writing code?
Blog post

How much time do developers spend actually writing code?

In this post, we share the third of eight key findings. If you don’t wait to wait for the rest of the results, you can download the full survey report right now at the link below.

Read article >

Image for Drive By RCE Exploit in Pimcore 6.2.0
Blog post

Drive By RCE Exploit in Pimcore 6.2.0

In this technical blog post we will examine how a drive by exploit in the Pimcore release 6.2.0 allows an attacker to execute OS commands.

Read Blog >

WooCommerce is the most popular e-commerce plugin for WordPress with over 5 million installations. We detected a code vulnerability in the way WooCommerce handles imports of products.
Blog post

WooCommerce 3.6.4 - CSRF Bypass to Stored XSS

WooCommerce is the most popular e-commerce plugin for WordPress with over 5 million installations. We detected a code vulnerability in the way WooCommerce handles imports of products.

Read Blog >

In this blog post we analyse how the insecure extraction of a compressed TAR archive lead to a critical vulnerability in Bitbucket (CVE-2019-3397).
Blog post

Bitbucket 6.1.1 Path Traversal to RCE

In this blog post we analyse how the insecure extraction of a compressed TAR archive lead to a critical vulnerability in Bitbucket (CVE-2019-3397).

Read Blog >

Image for SuiteCRM 7.11.4 - Breaking Into Your Internal Network
Blog post

SuiteCRM 7.11.4 - Breaking Into Your Internal Network

In this blog post we will see how a vulnerable web application deployed in the internal network of your company can act as a charming entry gateway for any adversary.

Read Blog >

Image for Pre-Auth Takeover of OXID eShops
Blog post

Pre-Auth Takeover of OXID eShops

We detected a highly critical vulnerability in the OXID eShop software that allows unauthenticated attackers to takeover an eShop remotely in less than a few seconds - all on default configurations.

Read Blog >