After every LTS release, SonarSource goes on a City Tour to share the details of what we’ve delivered and insight into what we’re planning for the future. City Tour is a great opportunity to learn first hand about our product functionality, to understand the benefits it can bring to your teams, and to meet and chat with SonarSourcers. This year we’re happy to continue the tradition in a safe virtual setting, and we’re excited to be able to open it up to our entire user and customer community.

In this virtual event, you’ll learn more about the improvements and new features available to you and your teams, including:
- Where we stand on our SonarSource Mission to Empower developers globally
- Technical Demo: SAST by SonarSource: Dev-first, precise and lightning fast
- Technical Demo: Integration with GitHub, GitLab, Bitbucket, and Azure DevOps
- A recap of our SonarQube LTS offering & a sneak peek at our 9-series roadmap

Join us for this year’s Virtual City Tour on the following dates:
- Presentations: 10am - 12pm CDT (5pm - 8pm CEST)
- Social Gathering: 12pm - 1pm CDT (7pm - 8pm CEST)
- Presentations: 3pm - 5pm CEST (8am - 10am CDT)
- Social Gathering: 5pm - 6pm CEST (10am - 11am CDT)

Afterward, we’ll break out for a meet & greet with SonarSourcers!

Our usual practice is to post the consolidated Q&A from a webinar here in the community afterward. It has taken a little longer this time because we wanted to include the questions from all three editions of the City Tour, but now we’re finally ready. There’s a lot here, so I’ll start with a table of contents:

Q. Does the SAST scan understand Azure Functions / AWS Lambdas?
A. Starting in SonarQube 9.1 we offer taint analysis for AWS Lambdas written in JavaScript. Python support should come in 9.2. (See What's New in latest releases | SonarQube for details.)

Q. Do you have a roadmap for mapping the new items?
A. The CWE was published in late July and the very next version of SonarQube, 9.1, included that report. For the OWASP Top 10 2021, work has already started, and we’re hoping to begin delivering in early 2022.

Q. What’s the difference in breadth (language coverage) and depth (CWEs) between SonarSource products (SonarQube, SonarCloud, SonarLint)?
A. All our products share the same analysis engine (and when connecting SonarLint to SonarQube or SonarCloud, the exact same versions of analyzers). Some advanced issues (like injection vulnerabilities) require a SonarQube/SonarCloud analysis. A high-level overview of Code Security support across various languages (divided by OWASP Top 10 category) is available here: SonarQube covers the OWASP Top 10 | SonarQube

Q. Was your SAST solution developed internally?
A. We believe it’s the only way to keep control over what we deliver and drive the innovation.

Q. Can I move a Security Hotspot to the Vulnerability category?
A. Changing the category can confuse the action developers need to take to resolve a Security Hotspot, so that’s not available. Security Hotspots require a review and Vulnerabilities require a code fix. If you feel a Hotspot is a true vulnerability you should make a code change and then mark it as “Fixed” in the UI.

Q. We develop in Scala and would like to use SonarQube for SAST analysis of our Scala projects. Are there plans for adding Scala SAST rules?
A. While we are continually improving our capabilities, additional SAST languages aren’t on our short-term roadmap. We encourage you to make a suggestion via our Community ( ) and our Roadmap page.

Q. Besides your SAST analysis, do you have plans to cover other aspects of security such as DAST, IAST, and SCA?
A. At SonarSource we do static analysis, so SAST is natural for us, and our focus and determination have very much been on offering the best possible SAST engine! DAST and IAST just aren’t in scope for us. Nor is traditional SCA (matching against a database of vulnerable dependencies). However, pushing SAST even further can lead to interesting opportunities to uncover vulnerabilities in the dependencies themselves, and that’s something we’re exploring.

Q. What is the differentiation between SAST coverage in Community and Commercial Editions?
A. Community Edition includes all our Security Hotspots plus important Security Vulnerability rules that are foundational to a secure code base. Commercial editions add taint analysis rules that follow user-supplied data through your code’s execution flow to detect tricky injection vulnerabilities.
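The Q&A above describes taint analysis rules as following user-supplied data through the code’s execution flow to an injection sink, and mentions that SonarQube 9.1 added taint analysis for AWS Lambdas written in JavaScript. As an added example that is not from the original posts or from SonarSource, here is the shape of such a flow in a Lambda handler, next to a hardened version of the same handler. The event shape (an API Gateway proxy event with `queryStringParameters`), the `db` client with a node-postgres-style `query(text, values)` signature, and the attacker payload are assumptions chosen for illustration; `db` is a constructed recording stub, and nothing here asserts which specific rule SonarQube would report.

```javascript
// Added example (not code from the original post or from SonarSource): the kind
// of source-to-sink flow a taint-analysis rule reports in an AWS Lambda handler,
// next to a hardened version of the same handler.
//
// Assumptions: the event is an API Gateway proxy event (user input arrives in
// event.queryStringParameters), and `db` is a client with a node-postgres-style
// query(text, values) signature. Here `db` is a constructed recording stub so
// the example runs offline. Handlers are synchronous for simplicity.

// Vulnerable handler. SOURCE: event.queryStringParameters.user (attacker
// controlled). SINK: the SQL text handed to db.query. The tainted value is
// concatenated straight into the query, which is exactly the data flow a taint
// rule follows through the code to report an injection.
function vulnerableHandler(event, db) {
  const username = (event.queryStringParameters || {}).user || '';
  const sql = "SELECT id, email FROM users WHERE name = '" + username + "'";
  return { statusCode: 200, body: JSON.stringify(db.query(sql)) };
}

// Hardened handler. The tainted value never becomes part of the SQL text: it is
// sent as a bound parameter, and is also checked against an allowlist pattern
// so unexpected characters are rejected before any query is issued.
const USERNAME_RE = /^[A-Za-z0-9_.-]{1,64}$/;

function hardenedHandler(event, db) {
  const username = (event.queryStringParameters || {}).user || '';
  if (!USERNAME_RE.test(username)) {
    return { statusCode: 400, body: 'invalid user parameter' };
  }
  const rows = db.query('SELECT id, email FROM users WHERE name = $1', [username]);
  return { statusCode: 200, body: JSON.stringify(rows) };
}

// Constructed stub standing in for a database client. It records every query
// it is asked to run (text plus bound values) and returns no rows.
function makeRecordingDb() {
  const calls = [];
  return {
    calls,
    query(text, values = []) {
      calls.push({ text, values });
      return [];
    },
  };
}

// Constructed attacker input: a tautology payload that closes the string
// literal and appends an always-true condition.
const ATTACK_EVENT = { queryStringParameters: { user: "' OR '1'='1" } };
// Constructed benign input.
const BENIGN_EVENT = { queryStringParameters: { user: 'alice' } };

// Runs both handlers against the constructed inputs and returns what reached
// the database in each case.
function demo() {
  const vulnDb = makeRecordingDb();
  vulnerableHandler(ATTACK_EVENT, vulnDb);

  const hardDbAttack = makeRecordingDb();
  const attackResp = hardenedHandler(ATTACK_EVENT, hardDbAttack);

  const hardDbBenign = makeRecordingDb();
  const benignResp = hardenedHandler(BENIGN_EVENT, hardDbBenign);

  return {
    // The payload rewrote the WHERE clause in the vulnerable handler.
    vulnerableSql: vulnDb.calls[0].text,
    // The hardened handler rejected the payload and issued no query.
    hardenedAttackStatus: attackResp.statusCode,
    hardenedAttackQueries: hardDbAttack.calls.length,
    // For benign input the SQL text is constant and the value is a parameter.
    hardenedBenignSql: hardDbBenign.calls[0].text,
    hardenedBenignValues: hardDbBenign.calls[0].values,
    hardenedBenignStatus: benignResp.statusCode,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run with `node` to see the two outcomes side by side: the vulnerable handler sends `SELECT id, email FROM users WHERE name = '' OR '1'='1'` to the database, while the hardened handler returns 400 for the same input and, for a benign name, sends constant SQL text with the name as a bound value. Parameter binding is the fix that removes the tainted data from the query text; the allowlist check is an additional layer, not a substitute for it.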