July 2020 Summaries
3 posts from Sonar
Filter
Month:
Year:
Post Summaries
Back to Blog
SonarQube, an on-premise product for analyzing code quality and security, was vulnerable to unauthorized access due to misconfiguration of certain instances, allowing a user to collect snapshots of non-open-source code. The issue arose from the fact that these instances were accessible online without proper configuration. SonarSource has provided guidance on securing a SonarQube instance, including setting up 'Force user authentication' and considering project visibility settings. Although there is no software vulnerability in SonarQube itself, improvements have been made to guide users through necessary settings for new instances, limiting the use of default credentials and enforcing authenticated access.
Jul 31, 2020
451 words in the original blog post.
SonarQube is a code quality tool that helps catch bugs, code smells, and vulnerabilities in pull requests. It's part of the Clean as You Code methodology, which aims to make developers take ownership of code quality and security by providing the right information at the right time, delivering it in the right place. SonarLint in IDEs catches issues as code is written, and when a pull request is opened, it triggers a CI workflow that analyzes the PR in SonarQube. The Quality Gate profile ensures clean code acceptance criteria, enabling developers to confidently merge their code with fewer issues to refactor later on. By adopting Clean as You Code and SonarQube, developers can improve their coding skills, solve problems efficiently, and feel confident they're not leaving teammates future headaches.
Jul 27, 2020
1,050 words in the original blog post.
The Google monorepo is a single repository that stores all internal source code, allowing teams to work on software written by one team and used by many other teams. This approach also benefits the consumption and use of open source, with several key benefits including single version management, ease of updates, dependency clarity, simplified licensing review, and confidence in maintenance. However, not all organizations can replicate this level of expertise and resources, which is where a managed open source platform like Subscription comes in, providing customized catalogs of open source components that offer similar benefits without the need for maintaining a monorepo or investing in creating one from scratch. The platform also partners with open source maintainers to ensure projects are well maintained and provides flexibility for organizations to customize their use of open source.
Jul 23, 2020
931 words in the original blog post.