Sonar's latest blog posts

Featured Post

State of Code Developer Survey report: The current reality of AI coding

Sonar analyzes over 750 billion lines of code every day. This gives us a unique, high-level view of the state of code quality and security across the globe.

Read article
https://assets-eu-01.kc-usercontent.com:443/ef593040-b591-0198-9506-ed88b30bc023/7ab133c1-b3f7-4652-82a1-3376b953d6bd/soc_survey_report_featured_blog_article_2x.webp
The norm for setting up your cloud-native app infrastructure is quickly becoming Infrastructure as Code (IaC). In this blog, we’ll cover how Sonar is the solution for safeguarding your Ia...
Blog post

Clean Your Infrastructure Code with Sonar

The norm for setting up your cloud-native app infrastructure is quickly becoming Infrastructure as Code (IaC). In this blog, we’ll cover how Sonar is the solution for safeguarding your IaC invoked infrastructure.

Read Blog >

With this series, we present the results of our research on the security of popular developer tools with the goal of making this ecosystem safer: today’s article revisits Git integrations.
Blog post

Securing Developer Tools: Git Integrations

With this series, we present the results of our research on the security of popular developer tools with the goal of making this ecosystem safer: today’s article revisits Git integrations.

Read Blog >

Get new blog posts delivered directly to your inbox!

Stay up-to-date with the latest Sonar content. Subscribe now to receive the latest blog articles.

I do not wish to receive promotional emails about upcoming SonarQube updates, new releases, news and events.

By clicking “Sign up”, you consent to receive email communications from SonarSource containing blog updates, product news, and other relevant content. We will store and process your personal data for this purpose as described in our Privacy Policy. You can withdraw your consent at any time by clicking the unsubscribe link in our emails or by contacting us in accordance with the Privacy Policy.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Yarn, Pip, Composer & friends: Learn about 3 types of vulnerabilities we found in popular package managers that can be used by attackers to target developers.
Blog post

Securing Developer Tools: Package Managers

Yarn, Pip, Composer & friends: Learn about 3 types of vulnerabilities we found in popular package managers that can be used by attackers to target developers.

Read Blog >

Image for 5 things to consider in performance comparisons
Blog post

5 things to consider in performance comparisons

When talking about static analysis and/or SAST performance comparisons - or really, comparisons of any kind of performance - what criteria do you consider? Maybe it was fast, but what did it accomplish? Here's what you ought to look at when you compare performance.

Read Blog >

Image for Evaluating an ethical license for corporate use
Blog post

Evaluating an ethical license for corporate use

The next most common evaluation will be a simple check against a list of accepted licenses, usually the list from the Open Source Initiative, a license-scanner vendor, or from counsel.

Read article >

Image of GitHub Code Scanning false positives, unit tests and fixes with SonarCloud.
Blog post

Review your security vulnerabilities in GitHub with code scanning alerts

We’re happy to announce that SonarQube Cloud integrates with GitHub code scanning! It’s available to everyone with a GitHub repository - private or public - independently of your SonarQube Cloud plan. If you have access to the feature on GiHub and your organization admin already accepted the update for the SonarQube Cloud app permissions, you’re all set! You should be able to start using the feature during your next code review.

Read Blog >

We recently discovered a code vulnerability in Horde Webmail that can be used by attackers to take over email accounts by sending a malicious email.
Blog post

Horde Webmail 5.2.22 - Account Takeover via Email

We recently discovered a code vulnerability in Horde Webmail that can be used by attackers to take over email accounts by sending a malicious email.

Read Blog >

In this article we discuss the security of client-side session storages and analyze a vulnerable implementation in the IT monitoring solution Zabbix.
Blog post

Zabbix - A Case Study of Unsafe Session Storage

In this article we discuss the security of client-side session storages and analyze a vulnerable implementation in the IT monitoring solution Zabbix.

Read Blog >

Image for Dependency management and your software health
Blog post

Dependency management and your software health

The specific mechanisms for tracking dependencies vary across open source communities, making it challenging to compare across languages or package managers.

Read article >

We discovered an interesting code vulnerability that could be used to bypass hardening mechanisms in the popular WordPress CMS.
Blog post

WordPress < 5.8.3 - Object Injection Vulnerability

We discovered an interesting code vulnerability that could be used to bypass hardening mechanisms in the popular WordPress CMS.

Read Blog >

In this post, we will see how to completely disable external entities declaration and expansion, offering a quick and safe solution.
Blog post

How to disable XXE processing?

In this post, we will see how to completely disable external entities declaration and expansion, offering a quick and safe solution.

Read Blog >