Sonar Blog

Home

BLOG

Sonar's latest blog posts

Featured Post

Building Confidence and Trust in AI-Generated Code

To tackle the accountability and ownership challenge accompanying AI-generated code, we are introducing Sonar AI Code Assurance

Read More
https://assets-eu-01.kc-usercontent.com:443/9981c199-4ebb-0151-68f2-9ac0f679bab9/0bd6c0bc-c921-485b-8570-8de7e1384983/AI%20Code%20Assurance_square-index%402x.png
Image shows various elements of code security, languages and bugs
Blog post

Supporting analysis of .NET Core projects

Support for SonarQube Server analysis of projects in the new MSBuild v15 format has been one of the features most requested by the Microsoft community, now it's done !

Read Blog post >

https://assets-eu-01.kc-usercontent.com:443/9981c199-4ebb-0151-68f2-9ac0f679bab9/e735ea2e-b5be-42e7-b491-050d72711136/shopware_exploit.jpg
Blog post

Shopware 5.3.3: PHP Object Instantiation to Blind XXE

Shopware is a popular e-commerce software that bases on Symfony, Doctrine and the Zend Framework. In this blog post we investigate the exploitation of a rare PHP object instantiation vulnerability (CVE-2017-18357).

Read Blog post >

Get new blogs delivered directly to your inbox!

Stay up-to-date with the latest Sonar content. Subscribe now to receive the latest blog articles.

By submitting this form, you agree to the storing and processing of your personal data as described in the Privacy Policy and Cookie Policy. You can withdraw your consent by unsubscribing at any time.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Joomla! is one of the most popular content management systems. We detected a previously unknown LDAP injection vulnerability in the login controller that could allow remote attackers to l...
Blog post

Joomla! 3.7.5 - Takeover in 20 Seconds with LDAP Injection

Joomla! is one of the most popular content management systems. We detected a previously unknown LDAP injection vulnerability in the login controller that could allow remote attackers to leak the super user password and to fully take over any Joomla! installation.

Read Blog post >

https://assets-eu-01.kc-usercontent.com:443/9981c199-4ebb-0151-68f2-9ac0f679bab9/480d06ea-3df3-43e0-93c0-15256c00cc2e/SugarCRM_security.png
Blog post

SugarCRM's Security Diet - Multiple Vulnerabilities

SugarCRM is one of the most popular customer relationship management solutions. We uncovered critical security issues that could allow attackers to steal customer data or sensitive files from the server.

Read Blog post >

https://assets-eu-01.kc-usercontent.com:443/9981c199-4ebb-0151-68f2-9ac0f679bab9/4ba7774f-9f96-48ec-a70c-d5819140a8d0/ca5a7ab4-6eca-4203-9eac-34cff3a67d59_php_core_security.png
Blog post

How security flaws in PHP's core can affect your application

Learn how memory corruption bugs in the PHP core itself can affect your PHP application.

Read Blog post >

Image shows various elements of code security, languages and bugs
Blog post

SonarCFamily Now Supports ARM Compilers

For those not familiar with ARM (Advanced RISC Machine), let's start by sharing some numbers: in 2011, the 32-bit ARM architecture was the most widely used architecture in mobile devices and the most popular 32-bit one in embedded systems (see). Moreover in 2013, 10 billion were produced (see) and "ARM-based chips are found in nearly 60 percent of the world’s mobile devices" (see).

Read Blog post >

Recently, many critical security vulnerabilities were fixed in popular PHP applications such as Roundcube, Wikimedia and Zend Framework that based on insecure usage of the PHP mail() func...
Blog post

Why mail() is dangerous in PHP

Recently, many critical security vulnerabilities were fixed in popular PHP applications such as Roundcube, Wikimedia and Zend Framework that based on insecure usage of the PHP mail() function. In this post, we have a look at the common ground of these vulnerabilities and how to use mail() securely.

Read Blog post >

Image shows various elements of code security, languages and bugs
Blog post

Breaking the SonarQube Server Analysis with Jenkins Pipelines

One of the most requested feature regarding SonarQube Server Scanners is the ability to fail the build when quality level is not at the expected level. We have this built-in concept of quality gate in SonarQube Server, and we used to have a BuildBreaker plugin for this exact use case. But starting from version 5.2, aggregation of metrics is done asynchronously on SonarQube Server side. It means build/scanner process would finish successfully just after publishing raw data to the SonarQube Server, without waiting for the aggregation to complete.

Read Blog post >

In this blog post, we present a beautiful chain of vulnerabilities which, in the end, allows an attacker to remotely execute arbitrary PHP code in the open source marketplace software osC...
Blog post

osClass 3.6.1: Remote Code Execution via Image File

In this blog post, we present a beautiful chain of vulnerabilities which, in the end, allows an attacker to remotely execute arbitrary PHP code in the open source marketplace software osClass 3.6.1 used for creating classifieds sites.

Read Blog post >

Image shows various elements of code security, languages and bugs
Blog post

Cognitive Complexity, Because Testability != Understandability

Cyclomatic Complexity works very well for measuring testability, but not for maintainability. That's why we're introducing Cognitive Complexity, which you'll begin seeing in upcoming versions of our language analyzers.

Read Blog post >

In this post, we show how a malicious user can remotely execute arbitrary commands on the underlying operating system, simply by writing an email in Roundcube 1.2.2 (>= 1.0). This vulnera...
Blog post

Roundcube 1.2.2: Command Execution via Email

In this post, we show how a malicious user can remotely execute arbitrary commands on the underlying operating system, simply by writing an email in Roundcube 1.2.2 (>= 1.0). This vulnerability is highly critical because all default installations are affected.

Read Blog post >

  • Legal documentation
  • Trust center
  • Follow SonarSource on Twitter
  • Follow SonarSource on Linkedin

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.