February 2024 Summaries
14 posts from Sonar
Filter
Month:
Year:
Post Summaries
Back to Blog
An XSS vulnerability was found in OpenNMS, a popular enterprise-grade monitoring solution. The issue is tracked as CVE-2023-0846 and allows an unauthenticated attacker to inject a JavaScript payload into the admin dashboard by exploiting another vulnerability in the application. This can lead to arbitrary code execution on the OpenNMS server once an admin views the dashboard. The vulnerabilities were fixed in OpenNMS 31.0.4.
Feb 29, 2024
1,945 words in the original blog post.
The White House Office has urged the technical community to adopt memory safe programming languages and code analysis techniques, aiming to enhance security in technology systems. Memory safety vulnerabilities are coding errors that can lead to severe bugs affecting stability, productivity, application performance, and software security. Memory-safe languages such as C#, Java, Python, Go, Rust, and Swift prevent developers from introducing these vulnerabilities. The report also recommends formal methods like static code analysis and measurability of software for mitigating risks. Organizations should incorporate rigorous analysis methods into their development workflow to ensure the quality of output. Memory-safe languages are crucial in reducing tech debt, preventing security incidents, and improving application availability.
Feb 29, 2024
782 words in the original blog post.
Sonar has achieved ISO27001:2022 certification for its information security management system (ISMS), demonstrating a commitment to preventing cyber events and reducing risk. The latest version of the standard includes new controls for areas such as Threat Intelligence, cloud services, and Secure coding. This achievement reflects Sonar's dedication to quality and security, providing customers with confidence in their ability to protect sensitive data.
Feb 27, 2024
349 words in the original blog post.
The text discusses how transparent communication is crucial for timely delivery in outsourced software development projects. It highlights the challenges faced due to poor communication and emphasizes the importance of establishing clear project requirements, code quality standards, and regular progress updates. The article suggests tactics such as fostering feedback-driven continuous improvement, leveraging reporting to monitor development activities, and focusing on proactive risk management to ensure successful collaboration between internal and outsourced teams.
Feb 27, 2024
1,000 words in the original blog post.
This article discusses the creation of objects in Java, focusing on immutable objects which are easier to maintain and safer for multithreaded applications. Two approaches to creating such objects are presented: Builders and Withers. The Builder approach involves using an inner class to build a new instance while the Wither approach creates a new instance with each property change. Both methods can be made more efficient by using libraries that generate code or reduce boilerplate. Additionally, Java 16 introduced Records, which are struct definitions focused on immutability and reducing boilerplate code. The choice between Builders and Withers depends on the specific requirements of an application, while Records are recommended for representing data with an immutable state.
Feb 21, 2024
927 words in the original blog post.
Sonar's Vulnerability Research Team discovered multiple XSS vulnerabilities in the popular Content Management System (CMS) Joomla. The issue, tracked as CVE-2024-21726, affects Joomla’s core filter component and can be exploited by attackers to gain remote code execution by tricking an administrator into clicking on a malicious link. The underlying PHP bug is an inconsistency in how PHP's mbstring functions handle invalid multibyte sequences. This issue was fixed with PHP versions 8.3 and 8.4, but not backported to older PHP versions. Joomla released version 5.0.3/4.4.3, which mitigates the vulnerability.
Feb 20, 2024
1,259 words in the original blog post.
The introduction of new Set functions in JavaScript is set to enhance its functionality. These include union, intersection, difference, symmetricDifference, isSubsetOf, isSupersetOf, and isDisjointFrom. While the ES2015 version of JavaScript Sets focused on creating, adding to, removing from, and checking membership, these new functions allow for operations between sets such as finding common elements or determining differences. The proposal for these methods is currently at stage 3 in TC39's process with Chrome 122 (February 2024) and Safari 17 (September 2023) having shipped implementations of these methods. Polyfills are available for older JavaScript engine support, allowing developers to upgrade to spec-compliant implementations of these functions.
Feb 15, 2024
1,280 words in the original blog post.
SonarQube 10.4 has released 48 new rules and one updated rule to help developers write clean code in React applications. The latest update focuses on avoiding deprecated methods, bad practices, and writing accessible applications. New rules include checking for deprecated APIs, usage of unknown properties and attributes, and ensuring accessibility features such as keyboard events, ARIA roles, and language attributes. Using SonarQube or its related tools can help developers maintain consistent, intentional, adaptable, and responsible code in their React projects.
Feb 13, 2024
1,163 words in the original blog post.
SonarQube is transitioning from its Web API V1 to a new API V2 due to limitations and consistency issues in the former. The new API aims to improve discoverability, adhere to REST guidelines, and support HATEOAS for better programmatic discovery. It will leverage Spring WEB MVC framework and follow an incremental delivery approach during migration. Deprecated endpoints will follow SonarQube's general deprecation policy, with the complete set of API V2 endpoints expected in version 11.X LTS. The new API aims to enhance interoperability between SonarQube and SonarCloud by ensuring both products adhere to the same API contracts for their API V2 endpoints.
Feb 08, 2024
935 words in the original blog post.
The National Institute for Standards and Technology (NIST) has established the U.S. Artificial Intelligence Safety Institute Consortium (AISIC), aiming to create safe and trustworthy AI systems. Sonar, a leading Clean Code company, is participating in this effort alongside other major players in AI development. AISIC will bring together various stakeholders in the AI field to establish a sustainable foundation for responsible AI development. Ensuring code quality and security is crucial in this framework, as AI-generated code often contains bugs and errors. Sonar's expertise can help address these challenges and contribute to the safe development of AI technologies.
Feb 08, 2024
466 words in the original blog post.
The global IT outsourcing market is expected to grow to $1.149 billion by 2032, offering strategic advantages such as lower costs and increased delivery speed. However, navigating the outsourcing landscape requires awareness of potential risks. This article discusses five critical risks of outsourcing software development: quality assurance concerns, data security and confidentiality issues, communication challenges, lack of control and oversight, and hidden costs and budget overruns. Tactics to reduce risk in delivered software include establishing clear standards for writing code, leveraging advanced SAST capabilities, scheduling regular meetings, creating detailed budgets, and fostering transparency in discussions. By addressing these risks, organizations can forge successful and collaborative partnerships that help sustain the performance of their software.
Feb 07, 2024
1,281 words in the original blog post.
SonarQube 10.4 release introduces faster scan times, improved integration with GitLab, and smoother upgrades. The Clean as You Code methodology is showcased through pull request decorations and branch summaries that display resolved issues before merging. Scan times are optimized by downloading only required analyzers. Easy onboarding for GitLab has been introduced, automating user setup and maintenance. A new deprecated web API log improves upgrade experience. SonarQube's integration with SonarLint is simplified, allowing users to fix issues directly in their IDE. Support for Helm Charts and various language updates are also included in the release.
Feb 06, 2024
665 words in the original blog post.
Researchers have identified a dangerous coding pattern called Desanitization that can lead to numerous impactful XSS vulnerabilities in prominent software. This pattern involves potentially harmful user input being sanitized and then altered afterward, negating the sanitization process and making the input dangerous again. An example of this is a Cross-Site Scripting (XSS) vulnerability found in osTicket, an open-source helpdesk software used by companies to provide solutions to customers seeking help. The issue has been fixed in osTicket versions v1.18.1 and v1.17.5.
Feb 06, 2024
1,991 words in the original blog post.
In 2023, Sonar's teams worked on improving their SAST benchmarks coverage, including Juliet C# 1.3 from the National Institute of Standards and Technology of the USA. The SecureString test case in Juliet C# showcases an issue where sensitive data is written unprotected in an unsafe location. Microsoft discourages using SecureStrings due to various security vulnerabilities. However, when properly used, they can add some additional security to an application. The idea of tracking sensitive data usage inside a program could represent a nice addition to Sonar's engines.
Feb 01, 2024
1,413 words in the original blog post.