Our usual practice is to post the consolidated Q&A from a webinar here in the community afterward. It has taken a little longer this time because we wanted to include the questions from all three editions of the City Tour, but now we're finally ready. There's a lot here, so I'll start with a table of contents:

Q. Does the SAST scan understand Azure Functions / AWS Lambdas?
A. Starting in SonarQube 9.1 we offer taint analysis for AWS Lambdas written in JavaScript. Python support should come in 9.2. (See What's New in latest releases | SonarQube for details.)

Q. Do you have a roadmap for mapping the new items?
A. The CWE was published in late July and the very next version of SonarQube, 9.1, included that report. For the OWASP Top 10 2021, work has already started, and we're hoping to begin delivering in early 2022.

Q. What's the difference in breadth (language coverage) and depth (CWEs) between SonarSource products (SonarQube, SonarCloud, SonarLint)?
A. All our products share the same analysis engine (and when connecting SonarLint to SonarQube or SonarCloud, the exact same versions of analyzers). Some advanced issues (like injection vulnerabilities) require a SonarQube/SonarCloud analysis. A high-level overview of Code Security support across various languages (divided by OWASP Top 10 category) is available here: SonarQube covers the OWASP Top 10 | SonarQube

Q. Was your SAST solution developed internally?
A. We believe it's the only way to keep control over what we deliver and drive the innovation.

Q. Can I move a Security Hotspot to the Vulnerability category?
A. Changing the category can confuse the action developers need to take to resolve a Security Hotspot, so that's not available. Security Hotspots require a review and Vulnerabilities require a code fix. If you feel a Hotspot is a true vulnerability you should make a code change and then mark it as "Fixed" in the UI.

Q. We develop in Scala and would like to use SonarQube for SAST analysis of our Scala projects. Are there plans for adding Scala SAST rules?
A. While we are continually improving our capabilities, additional SAST languages aren't on our short-term roadmap. We encourage you to make a suggestion via our Community ( ) and our Roadmap page.

Q. Besides your SAST analysis, do you have plans to cover other aspects of security such as DAST, IAST, and SCA?
A. At SonarSource we do static analysis, so SAST is natural for us, and our focus and determination have very much been on offering the best SAST engine possible! DAST and IAST just aren't in scope for us. Nor is traditional SCA (a database of vulnerabilities in dependencies). However, pushing SAST even further can lead to interesting opportunities to uncover vulnerabilities in the dependencies themselves, and that's something we're exploring.

Q. What is the differentiation between SAST coverage in Community and Commercial Editions?
A. Community Edition includes all our Security Hotspots plus important Security Vulnerability rules that are foundational to a secure code base. Commercial editions add taint analysis rules that follow user-supplied data through your code's execution flow to detect tricky injection vulnerabilities.
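Two of the answers above describe taint analysis: rules that follow user-supplied data (for example the request event handed to an AWS Lambda) through the handler's data flow until it reaches an injection sink. The toy below is an added illustration of that idea, written for this page; it is not SonarQube's engine and does not use any SonarSource API. It models a Lambda handler body as a short list of statements, tracks which variables carry user-controlled data, clears taint at assumed sanitizers, and only reports a sink when tainted data lands in a dangerous argument position (so a parameterized `db.query(text, params)` with the user value bound as a parameter is not flagged). The source, sanitizer and sink names, the three handler models, and the statement IR are all constructed for the example.

```javascript
// Added toy taint tracker (not SonarQube's engine). Source, sanitizer and sink
// names are assumptions chosen for this demo.
const SOURCES = new Set(['event.queryStringParameters', 'event.body']);
const SANITIZERS = new Set(['Number', 'encodeURIComponent']);
// Sink -> argument positions that must not receive tainted data.
// db.query(text, params): only the query text is dangerous; bound params are fine.
const SINKS = new Map([['db.query', [0]], ['child_process.exec', [0]]]);

// Tiny IR for a handler body. Variables are plain strings; literals are { lit: '...' }.
//   { kind: 'read',   target, from }      target = from.<field>   (from may be a source)
//   { kind: 'concat', target, parts }     target = parts joined   (template / string +)
//   { kind: 'call',   target, fn, args }  target = fn(...args)    (fn may be a sanitizer)
//   { kind: 'sink',   fn, args }          fn(...args), result unused
const isVar = (p) => typeof p === 'string';

function analyze(statements) {
  const taint = new Map(); // variable -> path (array of strings) by which taint reached it
  const findings = [];
  const firstTainted = (operands) => operands.find((p) => isVar(p) && taint.has(p));
  statements.forEach((s, idx) => {
    const line = idx + 1;
    switch (s.kind) {
      case 'read':
        if (SOURCES.has(s.from)) taint.set(s.target, [`${s.target} <- ${s.from} (stmt ${line})`]);
        else taint.delete(s.target); // reading from a non-source clears old taint on target
        break;
      case 'concat': {
        const t = firstTainted(s.parts);
        if (t) taint.set(s.target, [...taint.get(t), `${s.target} <- concat(${t}) (stmt ${line})`]);
        else taint.delete(s.target);
        break;
      }
      case 'call': {
        const t = firstTainted(s.args);
        if (t && !SANITIZERS.has(s.fn)) {
          taint.set(s.target, [...taint.get(t), `${s.target} <- ${s.fn}(${t}) (stmt ${line})`]);
        } else {
          taint.delete(s.target); // sanitizer output, or untainted input, is clean
        }
        break;
      }
      case 'sink': {
        for (const pos of SINKS.get(s.fn) || []) {
          const arg = s.args[pos];
          if (isVar(arg) && taint.has(arg)) {
            findings.push({ sink: s.fn, argument: arg, stmt: line,
              path: [...taint.get(arg), `${s.fn}(${arg}) (stmt ${line})`] });
          }
        }
        break;
      }
      default:
        throw new Error(`unknown statement kind: ${s.kind}`);
    }
  });
  return findings;
}

// Constructed handler models.
// Vulnerable: query text built by concatenating the user-supplied value.
const VULNERABLE_HANDLER = [
  { kind: 'read', target: 'name', from: 'event.queryStringParameters' },
  { kind: 'concat', target: 'sql', parts: [{ lit: "SELECT * FROM users WHERE name = '" }, 'name', { lit: "'" }] },
  { kind: 'sink', fn: 'db.query', args: ['sql'] },
];
// Hardened: fixed query text, user value bound as a parameter (position 1 is not a sink position).
const PARAMETERIZED_HANDLER = [
  { kind: 'read', target: 'name', from: 'event.queryStringParameters' },
  { kind: 'concat', target: 'sql', parts: [{ lit: 'SELECT * FROM users WHERE name = $1' }] },
  { kind: 'sink', fn: 'db.query', args: ['sql', 'name'] },
];
// Sanitized: value coerced with Number (an assumed sanitizer) before interpolation.
const SANITIZED_HANDLER = [
  { kind: 'read', target: 'rawId', from: 'event.queryStringParameters' },
  { kind: 'call', target: 'id', fn: 'Number', args: ['rawId'] },
  { kind: 'concat', target: 'sql', parts: [{ lit: 'SELECT * FROM users WHERE id = ' }, 'id'] },
  { kind: 'sink', fn: 'db.query', args: ['sql'] },
];

// Render findings the way a report would: sink location plus the source-to-sink path.
function report(handler) {
  return analyze(handler).map((f) => `${f.sink} at stmt ${f.stmt}: ${f.path.join(' -> ')}`);
}

for (const [label, h] of [['vulnerable', VULNERABLE_HANDLER], ['parameterized', PARAMETERIZED_HANDLER], ['sanitized', SANITIZED_HANDLER]]) {
  console.log(label, report(h));
}
```

The point the three models make is that a real engine reports on data flow, not on syntax: the same `db.query` call is a finding when the user value is spliced into the query text and clean when it is passed as a bound parameter or passes through a sanitizer first. Sink argument positions and the sanitizer list are where most of the engineering effort in a production analyzer goes, and both are simplified here.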