Home / Companies / Sonar / Blog / July 2021

July 2021 Summaries

4 posts from Sonar

Filter
Month: Year:
Post Summaries Back to Blog
Clean Code is a set of best practices that aim to make coding easier, faster and more enjoyable for developers by focusing on writing clean code from the start, rather than fixing issues later. By adopting Clean Code practices, developers can own the quality of their code delivery, innovate with intention, deliver timely high-quality releases, enjoy being part of the team, build career expertise, and ultimately keep their job interesting and fulfilling. This approach helps to reduce the time spent on fixing coding issues and allows developers to focus on exciting projects and challenges, leading to a more positive work environment and increased job satisfaction.
Jul 28, 2021 734 words in the original blog post.
This paragraph provides a neutral and objective summary of the text, highlighting key points about the vulnerabilities discovered in Zimbra's open-source webmail solution. The Zimbra code contains two vulnerabilities: a Cross-Site Scripting (XSS) bug that can be exploited to gain access to an employee's email account and sensitive accounts linked to it, and a Server-Side Request Forgery (SSRF) vulnerability that allows an attacker to extract credentials from instances within cloud infrastructure. The SSRF vulnerability is particularly concerning as it enables attackers to create open redirects, potentially leading to the compromise of sensitive information or even Remote-Code-Execution attacks. The Zimbra team has released patches for both vulnerabilities, and the article concludes by thanking the vendor for their professional responses.
Jul 27, 2021 1,525 words in the original blog post.
SonarQube/SonarCloud offers a clean code strategy through rules, Quality Profiles (QP), and Quality Gates. Rules are basic elements of QPs for each language, with built-in default profiles available or the option to customize. Quality Profiles determine which rules are active during analysis, while Quality Gates set acceptance criteria and dynamically update to provide a pass/fail recommendation. The Quality Gate is used in new code periods and pull/merge requests, ensuring actionable metrics are relevant to code quality and security. Proper QP maintenance involves understanding customization options (copy or extend) and considering the impact on the development team. An effective code quality practice should become second nature and integrate into the team's workflow, with a clear Go/No-Go signal provided by the Quality Gate. Establishing a common code quality playbook is essential for transparency and adherence among team members.
Jul 21, 2021 1,946 words in the original blog post.
The popular online text editor Etherpad has two critical vulnerabilities that can be combined by an attacker to take over an instance and its data, allowing them to steal or manipulate sensitive information. The Cross-Site Scripting (XSS) vulnerability allows attackers to inject malicious JavaScript code into the chat history, while the Argument Injection vulnerability enables arbitrary code execution on the server, potentially leading to full compromise of the installation. An attacker can exploit these vulnerabilities by controlling a user ID in chat messages and installing an attacker-controlled plugin, respectively. The XSS vulnerability has been fixed in version 1.8.14, but the Argument Injection vulnerability remains unpatched, requiring additional measures such as disabling admin users or limiting plugin names to trusted NPM package names. Users hosting Etherpad instances are advised to update to version 1.8.14 and prioritize data validation and sanitization during development.
Jul 13, 2021 1,348 words in the original blog post.