CVE-2020-28038: SonarSource Blog
WordPress before 5.5.2 allows stored XSS via post slugs.
Unrar Path Traversal Vulnerability affects Zimbra Mail
We discovered a vulnerability in Zimbra Enterprise Email that allows an unauthenticated, remote attacker to fully take over Zimbra instances via a flaw in unrar…
By simon scannell | June 28, 2022
Reflections upon the We Are Developers 2022 World Congress
Reflections upon the We Are Developers 2022 World Congress - Berlin…
By andrew osborne | June 21, 2022
Zimbra Email - Stealing Clear-Text Credentials via Memcache injection
We discovered flaws in Zimbra, an enterprise email solution, that allow attackers to steal credentials of users and gain access to their email accounts…
By simon scannell | June 14, 2022
SonarQube 9.5 is here!
Check out what’s new in SonarQube 9.5 in this quick video…
By lauren cranford | June 13, 2022
Sonar’s analysis performance targets
We’ve finally defined our own performance goals for analysis - so that we’re no longer subjecting ourselves to apples-to-oranges comparisons with tools that m…
By alexandre gigleux | June 07, 2022
Horde Webmail - Remote Code Execution via Email
We discovered vulnerabilities in Horde Webmail that allow an attacker to execute arbitrary code on Horde instances by having a victim open an email…
By simon scannell | May 31, 2022
A new and refreshed website for Sonar
Earlier this year we launched our new brand and website. Read more in this post by Sonar CEO and Co-founder, Olivier Gaudin…
By olivier gaudin | May 24, 2022
Reflections from PyCon US 2022
Reflections and Key Takeaways from PyCon US 2022…
By andrea guarino and guillaume dequenne | May 16, 2022
Path Traversal Vulnerabilities in Icinga Web
We recently discovered two critical vulnerabilities in the IT monitoring dashboard Icinga Web. Let’s review their respective root cause and their patches!…
By thomas chauchefoin | May 10, 2022
A C&C++ tour of SonarLint for VS Code
VS Code has been gaining popularity for C and C++ development. We are happy to announce that finally, we will be able to help you write clean C and C++ code i…
By abbas sabra and geoffray adde | May 03, 2022
RainLoop Webmail - Emails at Risk due to Code Flaw
We recently discovered a critical code vulnerability in RainLoop Webmail that allows attackers to steal all emails by sending a malicious mail…
By simon scannell | April 19, 2022
SonarQube 9.4 is here!
Check out what’s new in SonarQube 9.4 in this 10-minute video brought to you by our Community Managers!…
By elsa dithmer | April 07, 2022
PHP Supply Chain Attack on PEAR
For the second time in a year, we identified critical code vulnerabilities in a central component of the PHP supply chain. Let’s dive into it!…
By thomas chauchefoin | March 29, 2022
Clean Your Infrastructure Code with Sonar
The norm for setting up your cloud-native app infrastructure is quickly becoming Infrastructure as Code (IaC). In this blog, we’ll cover how Sonar is the solu…
By clint cameron | March 22, 2022
Securing Developer Tools: Git Integrations
With this series, we present the results of our research on the security of popular developer tools with the goal of making this ecosystem safer: today’s arti…
By thomas chauchefoin | March 15, 2022
How Productboard helps us prioritize features and build great roadmaps
It’s been a year and a half now since we started using Productboard at SonarSource to manage features. During this time, we switched from Jira to this new too…
By christophe havard | March 10, 2022
Securing Developer Tools: Package Managers
Yarn, Pip, Composer & friends: Learn about 3 types of vulnerabilities we found in popular package managers that can be used by attackers to target developers…
By paul gerste | March 08, 2022
5 things to consider in performance comparisons
Most people can probably relate to asking a child to handle a chore, only to have the kid come back way too soon, saying it’s done. Or maybe you can relate to…
By g. ann campbell | March 01, 2022
Review your security vulnerabilities in GitHub with code scanning alerts
We’re happy to announce that SonarCloud integrates with GitHub code scanning! It’s available to everyone with a GitHub repository - private or public - indepe…
By thomas olivier | February 24, 2022
Horde Webmail 5.2.22 - Account Takeover via Email
We recently discovered a code vulnerability in Horde Webmail that can be used by attackers to take over email accounts by sending a malicious email…
By simon scannell | February 22, 2022
Zabbix - A Case Study of Unsafe Session Storage
In this article we discuss the security of client-side session storages and analyze a vulnerable implementation in the IT monitoring solution Zabbix…
By thomas chauchefoin | February 16, 2022
WordPress < 5.8.3 - Object Injection Vulnerability
We discovered an interesting code vulnerability that could be used to bypass hardening mechanisms in the popular WordPress CMS…
By simon scannell | February 08, 2022
How to restrict XXE resolving?
In this post, we’ll wrap it up by discussing a more flexible solution by limiting entities resolving to those you consider safe…
By eric therond | February 01, 2022
How to disable XXE processing?
In this post, we will see how to completely disable external entities declaration and expansion, offering a quick and safe solution…
By eric therond | January 25, 2022
Don’t be afraid of XXE vulnerabilities: understand the beast and how to detect them
Today XML External Entities (XXE) vulnerabilities are still ubiquitous, despite the fact that recommendations to protect against them have been an integral pa…
By eric therond | January 18, 2022
WordPress 5.8.2 Stored XSS Vulnerability
We reported a Stored XSS vulnerability in WordPress (CVE-2022-21662) which remained unpatched for more than 3 years and affected the wordpress.org website…
By karim el ouerghemmi | January 11, 2022
Vulnerability Research Highlights 2021
Our research team looks back at a great year and summarizes the highlights of their vulnerability research in 2021…
By johannes dahse | January 06, 2022
‘Quick Fix’ your C++ issues with SonarLint
‘Quick fixes’ with SonarLint bring value to the C++ community by providing more than what they have today. Let’s take a peek at how some of these rules equip …
By geoffray adde and kirti joshi | December 14, 2021
Modernizing your code with C++20
C++20 is here! It’s a big release with many features designed to make your code easier, faster and safer. Let’s see how the latest C++ analysis rules in Sonar…
By phil nash | December 07, 2021
NodeBB 1.18.4 - Remote Code Execution With One Shot
We recently discovered three interesting code vulnerabilities in NodeBB 1.18.4, allowing attackers to compromise servers. Find out about the details in this a…
By paul gerste | November 30, 2021
Code Security Advent Calendar 2021
Our code security advent calendar is back for the sixth consecutive year. We will release daily challenges until December 24th, get ready to fill your bag of …
By thomas chauchefoin | November 29, 2021
10 Unknown Security Pitfalls for Python
In this blog post, we share 10 security pitfalls for Python developers that we encountered in real-world projects…
By dennis brinkrolf | November 16, 2021
Agent 008: Chaining Vulnerabilities to Compromise GoCD
We discovered 3 more code vulnerabilities in the popular GoCD CI/CD system that can be chained by attackers to leak or modify internal code. Learn more in thi…
By simon scannell and thomas chauchefoin | November 11, 2021
SmartStoreNET - Malicious Message leading to E-Commerce Takeover
Check out the details of a Cross-Site Scripting bug in the BBCode processing in SmartStoreNET and how it can be chained into arbitrary code execution!…
By thomas chauchefoin | November 02, 2021
Agent 007: Pre-Auth Takeover of Build Pipelines in GoCD
We recently discovered critical security issues in the popular CI/CD solution GoCD that can be exploited by unauthenticated attackers…
By simon scannell | October 27, 2021
Meet the new project experience for SonarCloud
We are very pleased to announce that we have released a new project experience. It’s now available in SonarCloud for all users. You’ll notice a few improvemen…
By thomas olivier | October 21, 2021
Squirrel Sandbox Escape allows Code Execution in Games and Cloud Services
We discovered and reported a vulnerability in the Squirrel VM, written in C, that allows an attacker to escape the sandbox…
By simon scannell and niklas breitfeld | October 19, 2021
Supercharge your C++ analysis with SonarLint for CLion
This article talks about the powerful capabilities of the C++ analyzer with SonarLint and highlights some unique and interesting quality and security rules yo…
By phil nash and geoffray adde | September 28, 2021
Modernize Code Quality with ‘Quick Fixes’
Boost your productivity by automatically applying fixes to repair code quality issues in your IDE with SonarLint…
By kirti joshi | September 23, 2021
Cachet 2.4: Code Execution via Laravel Configuration Injection
We responsibly disclosed three vulnerabilities in the open-source status page Cachet, allowing attackers to take over instances. Here are all the details!…
By thomas chauchefoin | September 21, 2021
Product portals open: we want your input
SonarSource was born from open source software and most of what we do remains FLOSS, so openness and transparency have always been fundamental principles. Wit…
By g. ann campbell | September 14, 2021
Ghost CMS 4.3.2 - Cross-Origin Admin Takeover
We recently discovered an XSS vulnerability in the admin frontend of Ghost CMS 4.3.2. Find out the details and learn how to avoid such issues in your code!…
By paul gerste | August 31, 2021
Compilation database: An alternative way to configure your C or C++ analysis
Analyzing your C or C++ code requires, in addition to the source code, the configuration that is used to build the code. Historically we have provided a tool …
By loic joly | August 24, 2021
elFinder - A Case Study of Web File Manager Vulnerabilities
Our case study of elFinder 2.1.57 describes several critical code vulnerabilities commonly found in web file managers and how to patch them…
By thomas chauchefoin | August 17, 2021
Use 3rd-party plugins at your own risk
SonarQube has always had a rich plugin Marketplace, with much of SonarQube’s functionality originally delivered as plugins and many additional needs being met…
By g. ann campbell | August 10, 2021
Launching ‘Secret Detection’ to keep your Cloud ‘Secrets’ safe
Learn how developers can safeguard their cloud ‘secrets’ from publicly leaking and take charge of their Code Security with SonarLint…
By kirti joshi | August 03, 2021
Zimbra 8.8.15 - Webmail Compromise via Email
We discovered critical code issues in Zimbra, a popular enterprise webmail solution, that could lead to a compromise of all emails by an unauthenticated attac…
By simon scannell | July 27, 2021
Clean As You Code essentials - What are Quality Profiles and Quality Gates?
Learn how the functionality of Quality Profiles and Quality Gates come together to enable the SonarSource Clean As You Code methodology…
By clint cameron | July 21, 2021
Etherpad 1.8.13 - Code Execution Vulnerabilities
We discovered two code execution vulnerabilities that affected Etherpad servers and data. Learn more about the technical details and how to avoid such coding …
By paul gerste | July 13, 2021
Know where your project stands with the new project overview!
In late April, I introduced the new project experience for SonarCloud, which has already been adopted by a lot of you. Today, we’re adding a brand new project…
By thomas olivier | July 06, 2021
Enterprise-ready: Authentication & Authorization with SonarQube (LDAP, SSO & more)
Discover how SonarQube can integrate with your existing enterprise setup (LDAP, SSO & co.) for user authentication and authorization…
By nicolas bontoux | June 28, 2021
CiviCRM 5.22.0 - Code Execution Vulnerability Chain Explained
We discovered critical code vulnerabilities in CiviCRM, a popular CRM plugin for WordPress, Joomla and Drupal. Learn more about how to find and patch these is…
By dennis brinkrolf | June 22, 2021
7 more reasons to upgrade to SonarQube 8.9 LTS
SonarQube 8.9 LTS is here! Not every improvement could be mentioned in the release announcement, so check out these LTS easter eggs that make this the Best LT…
By colin mueller | June 15, 2021
Broken pipelines for everyone!
With SonarQube 8.9 LTS, SonarSource has made failing the pipeline available for everyone, using any CI you want. But with great power comes … well, you know…
By christophe havard | June 08, 2021
Grav CMS 1.7.10 - Code Execution Vulnerabilities
We responsibly disclosed two code execution vulnerabilities in Grav CMS, one of the most popular flat-file PHP CMS in the market. Let’s see what we can learn …
By thomas chauchefoin | June 01, 2021
NoSQL Injections in Rocket.Chat 3.12.1: How A Small Leak Grounds A Rocket
We recently discovered vulnerabilities in Rocket.Chat, a popular team communications solution, that could be used to take over Rocket.Chat instances…
By paul gerste | May 18, 2021
What to expect from JavaScript/TypeScript analysis on OWASP JuiceShop
In April 2021, we updated our JavaScript and TypeScript SAST engines to explore more execution flows, increase performance and improve overall accuracy. It no…
By alexandre gigleux | May 12, 2021
SonarQube 8.9 LTS: 3 steps to a smooth upgrade
SonarQube 8.9 Long Term Support (LTS) is officially here! Check out this list of tips & tricks on how to upgrade your environment from start to finish…
By brian cipollone | May 05, 2021
PHP Supply Chain Attack on Composer
We recently discovered a vulnerability in Composer, the main package manager for PHP, and were able to use it to take over the central repository, packagist.o…
By thomas chauchefoin | April 29, 2021
WordPress 5.7 XXE Vulnerability
In this blog post we analyze a XXE vulnerability that our analyzers discovered in WordPress, the most popular CMS, and what PHP 8 developers can learn from it…
By karim el ouerghemmi | April 27, 2021
SonarQube 8.9 LTS: standby for launch
The new SonarQube 8.9 LTS is just around the corner. With a release planned for early May; this will be a must-have for our entire community. Come read why, a…
By nicolas bontoux | April 20, 2021
Discover SonarCloud’s new project experience. Join the beta today!
SonarCloud’s interface has received a nice refresh! We’re happy to invite you to join our beta program, which is just three clicks away! It’s open to all exis…
By thomas olivier | April 20, 2021
Code Vulnerabilities in NSA Application Revealed
Our security research team discovered multiple code vulnerabilities in the NSA’s Java application Emissary. Find out more about these issues and related attac…
By dennis brinkrolf | April 06, 2021
Mono-repository support for Bitbucket Cloud now available for SonarCloud!
Last September, we announced that mono-repository support was added for GitHub and Azure DevOps Services. The good news is: mono-repository support is now als…
By thomas olivier | March 29, 2021
My Support Engineer Journey at SonarSource
What does a support engineer do?…
By joe tingsanchali | March 23, 2021
MyBB Remote Code Execution Chain
Today SonarSource is pleased to share a guest contribution to our Code Security blog series about learnings from a chain of serious vulnerabilities in MyBB…
By simon scannell and carl smith | March 18, 2021
Hack the Stack with LocalStack: Code Vulnerabilities Explained
Our vulnerability researchers found critical code vulnerabilities in a popular Python application that can be exploited remotely, even when the application in…
By dennis brinkrolf | March 02, 2021
Crafting regexes to avoid stack overflows
Due to the way regular expression matching is implemented in Java (and many other languages/libraries), matching a pattern may - depending on the regex - requ…
By sebastian hungerecker | February 23, 2021
Setting the right (regex) boundaries is important
Regular expressions pack a lot of power into terse little packages and unfortunately that introduces a lot of room for error. This post talks about regex boun…
By sebastian hungerecker | February 16, 2021
Regular expressions present challenges even for not-so-regular developers
Regular expressions are a concise and powerful tool for processing text. However, they also come with a steep learning curve and plenty of opportunities to ma…
By sebastian hungerecker | February 09, 2021
Security auditors - the Cinderella story of SAST
By g. ann campbell | February 02, 2021
Security Hotspots maintain engagement in developer-led security
By g. ann campbell | January 26, 2021
Blazing a trail on the SAST road less traveled by
By g. ann campbell | January 19, 2021
Taking the angst out of SAST analysis
By g. ann campbell | January 14, 2021
Code security: now there’s a tool for developers
Hey SonarQube and SonarCloud users! You now have a tool to own Code Security! SonarSource has been hard at work for the last year to give you the tooling to…
By g. ann campbell | December 11, 2020
Code Security Advent Calendar 2020
It’s time to have some December fun! We have 24 little challenge gifts awaiting you that hide security vulnerabilities in real-world Java, C#, PHP and Python …
By johannes dahse | November 26, 2020
Make Code Quality & Security™ an integral part of your workflow
SonarQube Developer Edition overlays Code Quality and Security™ right onto your projects. Your pull requests are automatically analyzed and decorated with a c…
By clint cameron | November 10, 2020
How SonarCloud finds bugs in high-quality Python projects
By nicolas harraudeau | November 03, 2020
Code vulnerabilities put health records at risk
OpenEMR is the most popular open source software for electronic health record and medical practice management. It is used world-wide to manage sensitive patie…
By dennis brinkrolf | October 28, 2020
For secure code, maintainability matters
By g. ann campbell | October 20, 2020
Lay a strong foundation by writing secure C and C++ utilities
By g. ann campbell | October 14, 2020
Winning the race against TOCTOU vulnerabilities in C & C++
Security is an eternal race between the techniques and technologies of attackers and those of the defenders. Today, I’m proud to announce a step forward for d…
By g. ann campbell | October 07, 2020
Mono-repository support for GitHub and Azure DevOps Services available now!
Take a tour of SonarCloud’s integration with mono-repositories in GitHub and Azure DevOps Services. This new feature allows you to define multiple Quality Gat…
By thomas olivier | September 29, 2020
Pandora FMS 742: Critical Code Vulnerabilities Explained
How code vulnerabilities in your web application can be the single point of failure for your IT infrastructure’s security…
By dennis brinkrolf | September 22, 2020
False positives are our enemies, but may still be your friends
When writing a rule for static analysis, it’s possible that in some cases, the rule does not give the results that were expected. Unfortunately, naming a fals…
By loic joly | September 15, 2020
Build World-Class Apps with SonarQube Enterprise Edition
Don’t sacrifice code quality and security just because what you’re building is big & bold. SonarQube Enterprise Edition gives you the tools to deliver clean, …
By clint cameron | September 09, 2020
Getting timely, accurate feedback on your C++ from the SonarQube ecosystem
Late feedback is a pain in the butt. Regardless of how it comes, hearing “that thing you did two weeks ago was wrong” is unwelcome at best. Good feedback is i…
By g. ann campbell | September 08, 2020
Codoforum 4.8.7: Critical Code Vulnerabilities Explained
We analyze the root cause of three critical security vulnerabilities that enabled a complete board take over, and how to correctly prevent these in your code…
By dennis brinkrolf | August 26, 2020
What’s worse than coding without tests? Coding with bad tests
By g. ann campbell | August 10, 2020
About the recent code leaks from SonarQube instances
On July 27th 2020 we learned through media coverage that Till Kottmann was able to access non open-source source code from various companies. This is our publ…
By olivier gaudin | July 31, 2020
From Community post to a new feature: a brief history of Mono-repository support in SonarCloud
It all started a few months ago, with a message on our Community forum. One of our users wrote a post in the “Suggest new features” section of the forum… Le…
By thomas olivier | July 30, 2020
Security Hotspots bring a new approach to C++ SAST
A lot of people associate Static Application Security Testing (SAST) with false positives, but it doesn’t have to be that way. The fact is that there are real…
By g. ann campbell | July 30, 2020
Take Control of Code Quality with SonarQube Pull Request Decoration in Your Workflow
How do you write super clean code without disrupting your workflow? Join me as I show you how SonarQube Pull Request Decoration gets you there!…
By clint cameron | July 27, 2020
Driving continuous improvement for Python security
Our goal for Python analysis this year is to Kick Asp & Take Names, and we’re making good on that promise, with regular deposits of new functionality. Our nex…
By g. ann campbell | June 09, 2020
Shift left for higher quality pull requests with Code Insights for Bitbucket Cloud
Atlassian officially released its new feature Code Insights for Bitbucket Cloud. With SonarCloud, discover what it brings for Code Quality and Security…
By thomas olivier | June 03, 2020
Apache Kylin 3.0.1 Command Injection Vulnerability
We discovered a severe command injection vulnerability (CVE-2020-1956) in Apache Kylin that allows malicious users to execute arbitrary OS commands and to tak…
By johannes dahse | June 02, 2020
Detect C++ buffer overflows in POSIX functions
By g. ann campbell | May 20, 2020
SonarSource acquires RIPS Technologies
Teams will be joining forces in building best-in-class Static Application Security Testing (SAST) products that help development teams and organizations deliv…
By olivier gaudin | May 13, 2020
More security rules injected into Python analysis
I’ve talked before about SonarSource’s commitment to helping developers improve their Code Quality and Security in Python. Today I can say that we’re making p…
By g. ann campbell | May 06, 2020
SonarCloud or SonarQube? - Guidance on Choosing One for Your Team
Learn about the similarities and key differences between SonarCloud and SonarQube and which one is best for your use case…
By clint cameron | April 28, 2020
My Consulting Journey at SonarSource
Join me as I share my 1st-year experience as an Enterprise Technical Consultant for SonarSource. You’ll learn about my role, my team and how we fit into the b…
By jeff zapotoczny | March 19, 2020
SonarSource is taking Python analysis by storm in 2020
By g. ann campbell | March 16, 2020
Security Hotspot review - are your doors locked?
By some quirk of fate or architecture, there are four doors into my moderately-sized ranch house. That’s four distinct points where an attacker or thief could…
By g. ann campbell | March 09, 2020
Exploiting Hibernate Injections
Hibernate is among one of the most commonly found database libraries used in Java web applications, shipping with its own query language. This technical post …
By robin peraglie | February 25, 2020
What is ‘taint analysis’ and why do I care?
By g. ann campbell | February 10, 2020
WordPress <= 5.2.3: Hardening Bypass
This blog post details an authenticated Remote Code Execution (RCE) vulnerability in the WordPress core that bypasses hardening mechanisms. The vulnerability …
By simon scannell | January 21, 2020
Clean as You Code: How to win at Code Quality without even trying
The first time you analyze a legacy project the results are usually truly overwhelming. The usual emotional response is fear, sadness… even despair. And the…
By g. ann campbell | January 20, 2020
Backend SQL Injection in BigTree CMS 4.4.6
BigTree is a small content management system which does not depend on many frameworks and advertises itself as user friendly and developer ready. In this blog…
By robin peraglie | November 05, 2019
Drive By RCE Exploit in Pimcore 6.2.0
In this technical blog post we will examine how a drive by exploit in the Pimcore release 6.2.0 allows an attacker to execute OS commands by tricking an authe…
By robin peraglie | October 22, 2019
Takeaways from building a developer-led SAST tool…
Why effectiveness doesn’t mean achieving a perfect OWASP score. The quest to make the ultimate SAST tool while staying true to our developer roots meant forgi…
By alexandre gigleux | October 16, 2019
WooCommerce 3.6.4 - CSRF Bypass to Stored XSS
WooCommerce is the most popular e-commerce plugin for WordPress with over 5 million installations. We detected a code vulnerability in the way WooCommerce han…
By dennis brinkrolf | October 08, 2019
Bitbucket 6.1.1 Path Traversal to RCE
In this blog post we analyse how the insecure extraction of a compressed TAR archive led to a critical vulnerability in Bitbucket (CVE-2019-3397)…
By johannes dahse | September 03, 2019
SuiteCRM 7.11.4 - Breaking Into Your Internal Network
In this blog post we will see how a vulnerable web application deployed in the internal network of your company can act as a charming entry gateway for any ad…
By robin peraglie | August 20, 2019
Pre-Auth Takeover of OXID eShops
We detected a highly critical vulnerability in the OXID eShop software that allows unauthenticated attackers to takeover an eShop remotely in less than a few …
By robin peraglie | July 29, 2019
TYPO3 9.5.7: Overriding the Database to Execute Code
In this technical blog post we examine a critical vulnerability in the core of the TYPO3 CMS (CVE-2019-12747). A reliable exploit allows the execution of arbi…
By robin peraglie | July 16, 2019
Magento 2.3.1: Unauthenticated Stored XSS to RCE
This blog post shows how the combination of an HTML sanitizer bug and a Phar Deserialization in the popular eCommerce solution Magento <=2.3.1 leads to a high s…
By simon scannell | July 02, 2019
dotCMS 5.1.5: Exploiting H2 SQL injection to RCE
In this blog post we will show how to exploit a SQL injection vulnerability (CVE-2019-12872) found by RIPS Code Analysis in the popular java-based content man…
By johannes moritz | June 25, 2019
MyBB <= 1.8.20: From Stored XSS to RCE
This blog post shows how an attacker can take over any board hosted with MyBB prior to version 1.8.21 by sending a malicious private message to an administrat…
By simon scannell | June 11, 2019
The Hidden Flaws of Archives in Java
Archives such as Zip, Tar, Jar or 7z are useful formats to collect and compress multiple files or directories in a container-like structure. However, the extr…
By johannes moritz | May 29, 2019
MISRA C++ 2008 support is on its way
By alexandre gigleux | May 27, 2019
The NeverEnding Story of writing a rule for argument passing in C++
Here is a story of a rule, from concept to production. While the selected rule is for C++, this story contains interesting insight on the craft of rule develo…
By loic joly | May 15, 2019
WordPress 5.1 CSRF to Remote Code Execution
This blog post reveals another critical exploit chain for WordPress 5.1 that enables an unauthenticated attacker to gain remote code execution (CVE-2019-9787)…
By simon scannell | March 13, 2019
Announcing the SonarCloud Pipe for Bitbucket Cloud users!
SonarSource is proud to be a launch partner of the Atlassian Bitbucket Pipes. Thanks to the SonarCloud Scan Pipe, you can configure code analysis in your Bitb…
By nicolas bontoux | February 28, 2019
WordPress 5.0.0 Remote Code Execution
This blog post details how a combination of a Path Traversal and Local File Inclusion vulnerability led to Remote Code Execution in the WordPress core (CVE-2…
By simon scannell | February 19, 2019
CTF Writeup: Complex Drupal POP Chain
A recent Capture-The-Flag tournament hosted by Insomni’hack challenged participants to craft an attack payload for Drupal 7. This blog post will demonstrate o…
By simon scannell | January 29, 2019
Pragmatic Application Security - The SonarSource Way
At SonarSource, we’ve taken a pragmatic approach to application security. The best security tools are the ones that get used and not abandoned. Learn how you…
By clint cameron | January 08, 2019
WordPress Privilege Escalation through Post Types
A logic flaw in the way WordPress created blog posts allowed attackers to access features only administrators were supposed to have (CVE-2018-20152). This lea…
By simon scannell | December 17, 2018
phpBB 3.2.3: Phar Deserialization to RCE
A new PHP exploit technique affects the most famous forum software phpBB3. The vulnerability allows attackers who gain access to an administrator account to e…
By simon scannell | November 20, 2018
Pydio 8.2.1 Unauthenticated Remote Code Execution
Pydio, a popular file sharing solution used by enterprises and governments around the world, suffered from a highly critical vulnerability that allowed unauth…
By simon scannell | November 13, 2018
Continuously Improving Analysis of C/C++/Objective-C Code
Today we have improved the functionality of SonarCloud centered around the analysis of C/C++/Objective-C code. It’s an important change and we’d like to take …
By nicolas bontoux | November 12, 2018
WordPress Design Flaw Leads to WooCommerce RCE
A flaw in the way WordPress handles privileges can lead to a privilege escalation in WordPress plugins. This affects for example WooCommerce, the most popular…
By simon scannell | November 06, 2018
PHP Object Injection
A very common and critical vulnerability in PHP applications is PHP Object Injection. This blog post explains how it works and how it can lead to a full si…
By simon scannell | October 09, 2018
Fully Automated Promotion Pipelines with SonarQube and Artifactory
Catch builds constructed from poor quality code before they make it to production. Discover how to integrate Artifactory and SonarQube…
By fabrice bellingard | September 25, 2018
My Journey Interviewing with SonarSource…
What’s it like to interview with SonarSource? Read on and find out!…
By clint cameron | August 21, 2018
What is Phar Deserialization
Last week a new exploitation technique for PHP applications was announced at the BlackHat USA conference. Find out everything you need to know in this blog po…
By johannes dahse | August 14, 2018
The Tweets You Missed in July
Here are the tweets you likely missed last month!…
By fabrice bellingard | August 07, 2018
Protect your code against injection vulnerabilities with SonarCloud!
Injection security vulnerabilities (OWASP-A1) can run scared, as latest SonarCloud updates now provide advanced security checks to continuously detect them…
By alexandre gigleux | July 10, 2018
The Tweets You Missed in June
Here are the tweets you likely missed last month!…
By fabrice bellingard | July 03, 2018
WordPress File Delete to Code Execution
In this blog post we introduce an authenticated arbitrary file deletion vulnerability (CVE-2018-20714) in the WordPress core that can lead to attackers execut…
By karim el ouerghemmi | June 26, 2018
Evil Teacher: Code Injection in Moodle
In this post we will examine the technical intrinsics of a critical vulnerability in the previous Moodle release (CVE-2018-1133)…
By robin peraglie | June 12, 2018
Celebrating SonarCloud 1 year anniversary!
Since its inception, SonarSource has been committed to Continuous Code Quality, i.e. to providing teams with the best products to analyze the quality of their…
By fabrice bellingard | June 12, 2018
Import issues of your favorite linters in SonarCloud!
Over the past 2 weeks, the following new features were deployed on SonarCloud: import of issues from external linters with built-in support for TypeScript pro…
By fabrice bellingard | June 04, 2018
Integrate SonarCloud with VSTS to boost code quality
The SonarCloud extension now brings the missing piece on VSTS to have everything in hand to write clean code: the automatic analysis of pull requests…
By fabrice bellingard | May 09, 2018
A Salesman's Code Execution: PrestaShop 1.7.2.4
PrestaShop is one of the most popular e-commerce solutions. We detected a highly critical vulnerability that allows executing arbitrary code on any installat…
By robin peraglie | May 07, 2018
LimeSurvey 2.72.3 - Persistent XSS to Code Execution
We detected two vulnerabilities in LimeSurvey < 2.72.3: An unauthenticated persistent cross-site scripting vulnerability (CVE-2017-18358) and an authenticated…
By robin peraglie | April 10, 2018
SonarCloud loves your build pipelines
Over the past 2 weeks, the following new features were deployed on SonarCloud: pull requests as first class citizen, a dedicated webhooks console, and new rul…
By fabrice bellingard | April 06, 2018
The Tweets You Missed in March
Here are the tweets you likely missed last month!..
By fabrice bellingard | April 05, 2018
The Tweets You Missed in February
Here are the tweets you likely missed last month!..
By fabrice bellingard | March 06, 2018
Joomla! 3.8.3: Privilege Escalation via SQL Injection
Joomla! is one of the biggest players in the market of content management systems and the second most used CMS on the web. We discovered a second-order SQL in…
By karim el ouerghemmi | February 06, 2018
The Tweets You Missed in January
Here are the tweets you likely missed last month!..
By fabrice bellingard | February 06, 2018
In-Depth Linting of Your TypeScript While Coding
Last year we started development on SonarTS, a static code analyser for TypeScript. So far it has only been available in 2 flavors: as a SonarQube language pl…
By elena vilchik | January 31, 2018
Why did my coverage just drop?!
After an upgrade people are sometimes surprised to find that the next analysis of a project with no real changes shows a significant drop in coverage. Believe…
By g. ann campbell | January 23, 2018
CubeCart 6.1.12 - Admin Authentication Bypass
CubeCart is an open source e-commerce solution. In one of our latest security analyses we found two flaws in this web application that allow an attacker to ci…
By robin peraglie | January 17, 2018
Supporting analysis of .NET Core projects
Support for SonarQube analysis of projects in the new MSBuild v15 format has been one of the features most requested by the Microsoft community, now it’s done…
By duncan pocklington | January 10, 2018
Changing our pricing model to boost adoption
With the new LTS and its ecosystem come many new features and improvements that were highly expected since the previous LTS. For example TypeScript sup…
By olivier gaudin | January 09, 2018
The Tweets You Missed in November
Here are the tweets you likely missed last month!..
By fabrice bellingard | December 05, 2017
The Tweets You Missed in October
Here are the tweets you likely missed last month!..
By fabrice bellingard | November 09, 2017
Shopware 5.3.3: PHP Object Instantiation to Blind XXE
Shopware is a popular e-commerce software based on Symfony, Doctrine and the Zend Framework. In this blog post we investigate the exploitation of a rare …
By karim el ouerghemmi | November 08, 2017
SonarQube 6.7 (LTS) in Screenshots
The SonarSource team is proud to announce the release of 6.7, the new LTS, which features many long-awaited features…
By | November 08, 2017
5 Puzzling JavaScript Bugs
Let’s play a game: you see a piece of JavaScript and try to find a bug there. It could be for example dead code, a runtime error or some unexpected behaviou…
By elena vilchik | November 07, 2017
SonarQube 6.6 in Screenshots
By g. ann campbell | October 20, 2017
The Tweets You Missed in September
Here are the tweets you likely missed last month!..
By fabrice bellingard | October 16, 2017
SonarTS, a strange beast
Embarking on the creation of a new language analyzer is often a complex decision, with many variables to consider, most of them hard to quantify. For TypeScri…
By carlo bottiglieri | October 05, 2017
Joomla! 3.7.5 - Takeover in 20 Seconds with LDAP Injection
Joomla! is one of the most popular content management systems. We detected a previously unknown LDAP injection vulnerability in the login controller that coul…
By robin peraglie | September 20, 2017
SugarCRM’s Security Diet - Multiple Vulnerabilities
SugarCRM is one of the most popular customer relationship management solutions. We uncovered critical security issues that could allow attackers to steal cust…
By robin peraglie | September 14, 2017
The Tweets You Missed in August
Here are the tweets you likely missed last month!..
By fabrice bellingard | September 05, 2017
SonarQube 6.5 in Screenshots
The SonarSource team is proud to announce the release of SonarQube 6.5, which brings more usable project measure history charts, and significant changes to th…
By g. ann campbell | August 10, 2017
The Tweets You Missed in July
Here are the tweets you likely missed last month!..
By fabrice bellingard | August 01, 2017
How security flaws in PHP’s core can affect your application
Learn how memory corruption bugs in the PHP core itself can affect your PHP application…
By johannes dahse | July 20, 2017
The Tweets You Missed in June
Here are the tweets you likely missed last month!..
By fabrice bellingard | July 04, 2017
SonarQube 6.4 in Screenshots
The SonarSource team is proud to announce the release of SonarQube 6.4, which brings significant new features to the Projects page and compelling new function…
By g. ann campbell | June 29, 2017
SonarCFamily Now Supports ARM Compilers
For those not familiar with ARM (Advanced RISC Machine), let’s start by sharing some numbers: in 2011, the 32-bit ARM architecture was the most widely used ar…
By massimo paladin | June 15, 2017
The Tweets You Missed in May
Here are the tweets you likely missed last month!..
By fabrice bellingard | June 09, 2017
Kill the Noise! to Change Gear in our Code Analyzers
Over the past few weeks, you may have noticed that most of our product news about code analyzers contained a mention of a “Kill The Noise!” project. We initia…
By freddy mallet | June 01, 2017
Accelerate Products Development at SonarSource
We founded SonarSource 8 years ago with a dream to one day provide every developer the ability to measure the code quality of his projects. And we had a motto…
By olivier gaudin | May 10, 2017
The Tweets You Missed in April
Here are the tweets you likely missed last month!..
By fabrice bellingard | May 05, 2017
Why mail() is dangerous in PHP
Recently, many critical security vulnerabilities were fixed in popular PHP applications such as Roundcube, Wikimedia and Zend Framework that were based on insecure…
By robin peraglie | May 03, 2017
SonarJS 3.0: Being Lean and Mean in JavaScript
All through 2016 SonarJS has become richer and more powerful thanks to new rules and its new data flow engine, to the point of being able to find pretty inter…
By carlo bottiglieri | May 01, 2017
Breaking the SonarQube Analysis with Jenkins Pipelines
One of the most requested features regarding SonarQube Scanners is the ability to fail the build when the quality level is not at the expected level. We have this …
By julien henry | April 19, 2017
SonarQube 6.3 in Screenshots
The SonarSource team is proud to announce the release of SonarQube 6.3, which brings both interface and analysis improvements…
By g. ann campbell | April 12, 2017
SonarCfamily For C/C++ Now Plays With The Big Kids
Version 4.6 of our SonarCfamily for C/C++ has just been released with a shiny new Buffer Overflow detection mechanism. To get an idea of what bugs we can now …
By massimo paladin | March 28, 2017
The Tweets You Missed in February
Here are the tweets you likely missed last month!..
By fabrice bellingard | March 09, 2017
Eating The Dog Food… In Public
At SonarSource, we’ve always eaten our own dog food, but that hasn’t always been visible outside the company. I talked about how dogfooding works at SonarSour…
By g. ann campbell | February 16, 2017
The Tweets You Missed in January
Here are the tweets you likely missed last month!..
By fabrice bellingard | February 06, 2017
Detecting Type Issues in JavaScript
JavaScript is very flexible and tries as much as possible to run code without raising an error. This is both a blessing and a curse. It’s a blessing for begin…
By pierre yves nicolas | January 11, 2017
SonarQube 6.2 in Screenshots
The SonarSource team is proud to announce the release of SonarQube 6.2, which brings a lot of significant changes, both to the interface and underlying mechan…
By g. ann campbell | January 05, 2017
The Tweets You Missed in December
Here are the tweets you likely missed last month!..
By fabrice bellingard | January 02, 2017
osClass 3.6.1: Remote Code Execution via Image File
In this blog post, we present a beautiful chain of vulnerabilities which, in the end, allows an attacker to remotely execute arbitrary PHP code in the open so…
By robin peraglie | December 19, 2016
Cognitive Complexity, Because Testability != Understandability
Cyclomatic Complexity works very well for measuring testability, but not for maintainability. That’s why we’re introducing Cognitive Complexity, which you’ll …
By g. ann campbell | December 07, 2016
Roundcube 1.2.2: Command Execution via Email
In this post, we show how a malicious user can remotely execute arbitrary commands on the underlying operating system, simply by writing an email in Roundcube…
By robin peraglie | December 06, 2016
The Tweets You Missed in November
Here are the tweets you likely missed last month!..
By fabrice bellingard | December 05, 2016
Putting It All Together: End-to-end Quality With SonarEcosystem
The question is typically phrased like this: how do I keep developers from checking in bad code? Usually the asker has in mind some automated check that preve…
By g. ann campbell | November 15, 2016
The Tweets You Missed in October
Here are the tweets you likely missed last month!..
By fabrice bellingard | November 08, 2016
SonarQube 6.x series: Focused and Efficient
At the beginning of the summer, we announced the long-awaited new “Long Term Support” version, SonarQube 5.6. It comes packed with great features to highlight…
By fabrice bellingard | November 03, 2016
SonarQube Embraces the .NET Ecosystem
In the last couple months, we have worked on further improving our already-good support for the .NET ecosystem. In this blog post, I’ll summarize the changes …
By | October 28, 2016
SonarQube 6.1 in Screenshots
The SonarSource team is proud to announce the release of SonarQube 6.1, which brings an improved interface and the first baby steps toward SonarQube clusters…
By g. ann campbell | October 25, 2016
The Tweets You Missed in September
Here are the tweets you likely missed last month!..
By fabrice bellingard | October 05, 2016
We Are Adjusting Rules Severities
With the release of SonarQube 5.6, we introduced the SonarQube Quality Model, which pulls Bugs and Vulnerabilities out into separate categories to give them t…
By g. ann campbell | September 08, 2016
The Tweets You Missed in August
Here are the tweets you likely missed last month!..
By fabrice bellingard | September 06, 2016
SonarAnalyzer for C#: The Rule Engine You Want to Use
If you’ve been following the releases of the Scanner for MsBuild and the C# plugin over the last two years, you must have noticed that we significantly improv…
By | September 01, 2016
SonarQube 6.0 in Screenshots
The SonarSource team is proud to announce the release of SonarQube 6.0, which features support of file renaming, and better UIs for admins at every level…
By g. ann campbell | August 18, 2016
The Tweets You Missed in July
Here are the tweets you likely missed last month!..
By fabrice bellingard | August 01, 2016
The Tweets You Missed in June
Here are the tweets you likely missed last month!..
By fabrice bellingard | July 06, 2016
JavaScript Plugin Finds Tricky Bugs, Thanks to Execution Flow
Over the last few months, the SonarAnalyzer for JavaScript has made major advances in bug detection. Until recently, it only caught rather simple bugs, like f…
By pierre yves nicolas | June 29, 2016
Language Plugins Rock SonarQube Life!
SonarAnalyzers are fundamental pillars of our ecosystem. The language analyzers play a central role, but the value they bring isn’t always obvious. The aim of…
By jean denis coffre | June 23, 2016
Sonar ecosystem upgrades to Java 8
With the release of SonarQube version 5.6, the entire Sonar ecosystem will drop support for Java 7. This means you won’t be able to run new versions of the So…
By g. ann campbell | June 14, 2016
SonarQube 5.6 (LTS) in Screenshots
The wait is over! The new SonarQube Long Term Support (LTS) version is out, and it’s packed with new features to help you better manage your technical debt an…
By g. ann campbell | June 08, 2016
Bugs and Vulnerabilities are 1st Class Citizens in SonarQube Quality Model along with Code Smells
In SonarQube 5.5 we adopted an evolved quality model, the SonarQube Quality Model, that takes the best from SQALE and adds what was missing. In doing so, we’v…
By g. ann campbell | June 02, 2016
SonarLint 2.0 Is Now Available
SonarLint is a pretty recent product that we released for the first time a few months ago for Eclipse, IntelliJ and Visual Studio. We have recently released t…
By julien henry | May 25, 2016
SonarQube 5.5 in Screenshots
The team is proud to announce the release of 5.5, which features simplified concepts for easier triage and management of issues:…
By g. ann campbell | May 19, 2016
What’s New in SonarEcosystem - April 2016
By olivier gaudin | May 11, 2016
SonarSource City Tour, We Are Coming Near You
Since we love touring and meeting our community of users, we’re setting out on the road once again, this time to more cities than ever! Over the next 6 months…
By meryll moreau | April 27, 2016
SonarAnalyzer for Java: Tricky Bugs are Running Scared
For the past year, the SonarSource team behind the SonarAnalyzer for Java has invested most of its time in developing a Symbolic Execution engine in order to …
By freddy mallet | April 13, 2016
Stop planning; fix the leak!
So there you are: you’ve finally decided to install the SonarQube platform and run a couple of analyses on your projects, but it unveiled so many issues that …
By fabrice bellingard | April 06, 2016
SonarQube 5.4 in Screenshots
The team is proud to announce the release of 5.4, a more usable and informative version than ever before:…
By g. ann campbell | April 01, 2016
ECMAScript 2015: With Great Power Comes Great Responsibility
Last summer a revolutionary version of ECMAScript was released with native classes, modules, arrow functions and many other long-awaited features. According…
By elena vilchik | March 16, 2016
Why You Shouldn’t Use Build Breaker
There have been some heated discussions recently about the Build Breaker plugin… SonarSource doesn’t want to continue the feature. The community has come to…
By olivier gaudin | February 25, 2016
SonarLint for Visual Studio: Let’s Fix Some Real Issues in Code!
By | February 10, 2016
SonarQube 5.3 in Screenshots
The team is proud to announce the release of 5.3, another paradigm-shifting version, with the addition of significant new features, and the return of popular …
By g. ann campbell | January 28, 2016
SonarQube 5.2 in Screenshots
The team is proud to announce the biggest release ever of the SonarQube server, version 5.2, which includes the second-most-anticipated feature ever: code sca…
By g. ann campbell | November 26, 2015
Analysis of Visual Studio Solutions with the SonarQube Scanner for MSBuild
At the end of April 2015 during the Build Conference, Microsoft and SonarSource announced SonarQube integration with MSBuild and Team Build. Today, half a yea…
By | November 19, 2015
SonarQube Enters the Security Realm and Makes a Good First Showing
For the last year, we’ve been quietly working to add security-related rules in SonarQube’s language plugins. At September’s SonarQube Geneva User Conference w…
By g. ann campbell | November 12, 2015
SonarLint: Fixing Issues Before They Exist
I’m very happy to announce the launch of a new product series at SonarSource: SonarLint, which will help you fix code quality issues before they even exist. …
By julien henry | October 22, 2015
Mainstream: Noun. The principal or dominant course, tendency, or trend
At the SonarQube Geneva User Conference last week I learned that 7 of the Fortune 10 companies and 47 of the Fortune 100 use the SonarQube platform. We’ve got…
By g. ann campbell | September 30, 2015
The Agenda for the Geneva Conference is Available
The Geneva SonarQube Conference is going to take place on 23rd-24th of September in Geneva and it is still possible to register…
By olivier gaudin | September 11, 2015
SonarLint for Visual Studio 1.2.0 Brings Code Fixes to the IDE
SonarLint for Visual Studio version 1.2.0 was released this week. In this version we focused on improving the user experience by adding code fading and fixes…
By | September 03, 2015
MSBuild SonarQube Runner now available on Visual Studio Online
By | September 02, 2015
Call for Papers is Open for Geneva SonarQube Conference
A few weeks ago, I announced a free SonarQube User Conference in Geneva on the 23rd and 24th of September. More than 100 people have already registered…
By olivier gaudin | July 31, 2015
SonarLint brings SonarQube rules to Visual Studio
We are happy to announce the release of SonarLint for Visual Studio version 1.0. SonarLint is a Visual Studio 2015 extension that provides on-the-fly feedback…
By | July 24, 2015
Geneva SonarQube Conference – Sept. 23 & 24.
We are very happy to announce the first SonarQube European User Conference! This two-day free event will take place in Geneva on September 23rd and 24th, righ…
By olivier gaudin | July 17, 2015
SonarQube Swift Plugin Offers Mature Functionality for Young Language
The Swift programming language is only a year old, but the SonarQube plugin for code written in this “green” language has already been out for six months and …
By elena vilchik | July 10, 2015
GitHub pull request analysis helps fix the leak
If you follow SonarSource, you are probably aware of a simple and yet powerful paradigm that we’re using internally: the water leak concept. That is how we’ve…
By fabrice bellingard | July 08, 2015
Water Leak Changes the Game for Technical Debt Management
A few months ago, at the end of a customer presentation about “The Code Quality Paradigm Change”, I was approached by an attendee who said, “I have been follo…
By olivier gaudin | July 03, 2015
Quality Gates Work - If You Let Them
Some people see rules - standards - requirements - as a way to hem in the unruly, limit bad behavior, and restrict rowdiness. But others see reasonable rules …
By g. ann campbell | June 11, 2015
The SonarQube COBOL Plugin Tracks Sneaky Bugs in Conditions
Not long ago, I wrote that COBOL is not a dead language and there are still billions of lines of COBOL code in production today. At COBOL’s inception back in 195…
By freddy mallet | May 21, 2015
SonarQube User Conference in Paris
By olivier gaudin | May 11, 2015
Announcing SonarQube integration with MSBuild and Team Build
This is a cross-post from the Microsoft ALM web site. Technical debt is the set of problems in a development effort that make forward progress on customer value in…
By aaron hallberg | April 28, 2015
SonarQube 5.1 in Screenshots
The team is proud to announce the release of SonarQube 5.1, which includes many new features:…
By g. ann campbell | April 23, 2015
SonarQube User Conference - U.S. West (Santa Clara, CA)
We are very happy to announce that the second SonarQube user conference will take place on April 27th at the Santa Clara Convention Center, in Santa Clara, Ca…
By olivier gaudin | April 08, 2015
Codehaus & Ben: Thank You and Good Bye
It seems very natural today that SonarQube is hosted at Codehaus, but there was a time when it was not! In fact joining Codehaus was a big achievement for us;…
By olivier gaudin | March 26, 2015
The speed of a caravan in the desert
“What is the speed of a caravan in the desert?” Language Team Technical Lead Evgeny Mandrikov posed that question recently to illustrate a point about develop…
By g. ann campbell | March 12, 2015
Eating the dog food
The SonarQube platform includes an increasingly powerful lineup of tools to manage technical debt. So why don’t you ever see SonarSourcers using Nemo, the offic…
By g. ann campbell | February 25, 2015
SonarQube Java Analyzer: The Only Rule Engine You Need
If you have been following the releases of the Java plugin, you might have noticed that we work on two major areas for each release: we improve our semantic a…
By nicolas peru | February 12, 2015
C/C++/Objective-C: Dark past, bright future
We’ve just released version 3.3 of the C/C++/Objective-C plugin, which features an increased scope and precision of analysis for C, as well as detection of re…
By evgeny mandrikov | February 05, 2015
SonarQube 5.0 in Screenshots
The team is proud to announce the release of SonarQube 5.0, which includes many new features…
By g. ann campbell | January 28, 2015
COBOL is… Alive!
Most C, Java, C++, C#, JavaScript… developers reading this blog entry might think that COBOL is dead and that SonarSource should better focus its attention …
By freddy mallet | January 14, 2015
SonarQube 5.x series: It just keeps getting better and better!
We recently wrapped up the 4.x series of the SonarQube platform by announcing its Long Term Support version: 4.5.1. At the same time, we sat down to map out t…
By fabrice bellingard | January 09, 2015
Walking the Tightrope: Balancing Agility and Stability
About a year ago we declared a Long Term Support (LTS) version for the first time ever, and recently, we declared another one (version 4.5.1). But we never ta…
By g. ann campbell | December 12, 2014
New LTS Version Sums Impressive Array of New Features
In November, SonarQube version 4.5.1 was announced as the new Long Term Support (LTS) release of the platform. It’s been nearly a year since the last LTS vers…
By g. ann campbell | December 04, 2014
Do you care about your code? Track code coverage on new code, right now !
A few weeks ago, I had a passionate debate with my old friend Nicolas Frankel about the usefulness of the code coverage metric. We started on Twitter and then…
By freddy mallet | November 27, 2014
What about Microsoft Component Extensions for C++?
After my previous blog entry about the support of Objective-C, you could get the impression that we’re fully focused on Unix-like platforms and have completel…
By evgeny mandrikov | November 19, 2014
SonarQube 4.5 in Screenshots
The team is proud to announce the release of SonarQube 4.5, which includes many new features:…
By g. ann campbell | November 11, 2014
SonarQube supports ECMAScript 6
The 2.1 version of the JavaScript Plugin fully supports ECMAScript 6 (ES6). But what does that mean exactly?..
By | October 28, 2014
Suggest a Valuable Rule, Win a SonarQube T-Shirt
Is there a rule you’d like to turn on in SonarQube, but you just can’t find it? Well, wish no more, just tweet your missing rule and if it’s valuable, we’ll im…
By g. ann campbell | October 08, 2014
Analyzing Objective-C: the World of OS X and iOS within your Grasp
With version 3.0 of the C / C++ plugin in August, 2014, support of the Objective-C language arrived. Support of Objective-C in SonarQube was heavily awaited …
By evgeny mandrikov | September 25, 2014
The Rules Have Changed
If you’ve already taken a look at SonarQube 4.4, the title of this post wasn’t any news to you. The new version introduces two major changes to the way SonarQu…
By g. ann campbell | September 10, 2014
SonarQube 4.4 in Screenshots
The team is proud to announce the release of SonarQube 4.4, which includes many exciting new features:…
By g. ann campbell | August 12, 2014
Unit Test Execution in SonarQube
Starting with Java Ecosystem version 2.2 (compatible with SonarQube version 4.2+), we no longer drive the execution of unit tests during Maven analysis. Dropp…
By g. ann campbell | August 06, 2014
.NET in SonarQube: bright future
A few months ago, we started on an innocuous-seeming task: make the .NET Ecosystem compatible with the multi-language feature in SonarQube 4.2. What followed …
By g. ann campbell | July 10, 2014
With great power comes great configuration
We’ve got an ambitious vision for the C/C++ plugin this year. To fulfill it, we started with some under-the-cover improvements to the parser and the internal …
By g. ann campbell | June 26, 2014
Quality Gates: Shall your projects pass?
With SonarQube 4.3, the concept formerly known as alerts came into its own. No longer a subset of Quality Profiles (it was always a slightly awkward fit ther…
By g. ann campbell | June 05, 2014
SonarQube 4.3 in Screenshots
The team is proud to announce the release of SonarQube 4.3, which includes many exciting new features:…
By g. ann campbell | May 21, 2014
Sonar Becomes The SonarQube Platform
About a year ago, we changed the name of Sonar to the SonarQube™ platform, but we didn’t talk much about why we made the change, so today I thought it would be…
By olivier gaudin | April 25, 2014
SonarQube 4.2 in Screenshots
The team is proud to announce the release of SonarQube 4.2, which includes many exciting new features:…
By olivier gaudin | April 15, 2014
At Long Last, SonarQube Is a True Polyglot
Good taste prevents me from embedding a trumpet fanfare into this post, but it does seem warranted. After all, with the release of SonarQube version 4.2 last …
By g. ann campbell | April 09, 2014
Ducks Make It Look Easy Too
Since I joined SonarSource full time at the beginning of this month, I’ve been thinking a lot about ducks and belly dancers. That seems like an odd combinat…
By g. ann campbell | March 20, 2014
Measures, at your Service!
If there’s a set of data you regularly look up in SonarQube, the Measures Service - and saved filters - are going to be your new favorite SonarQube features…
By g. ann campbell | February 27, 2014
Three options for pre-commit analysis
As a quality-first focus becomes increasingly important in modern software development, more and more developers are asking how to find new issues before they…
By g. ann campbell | February 20, 2014
What’s Coming Up for SonarQube in 2014?
I recently wrote a post listing what was accomplished in the SonarQube platform last year. Today, I’ll continue with even more exciting stuff: what we’ll do t…
By freddy mallet | February 06, 2014
5 Years and Counting: SonarSource Has a Lot to Celebrate
SonarSource is celebrating! The last few months have seen some significant milestones for the company. The biggest is that we’re 5 years in now, and still gro…
By g. ann campbell | January 28, 2014
Looking back at 2013 SonarQube Ecosystem Accomplishments
A new year provides a good opportunity to look back at what was achieved the previous year. I’ll do that for the SonarQube platform in this post. Let’s start…
By freddy mallet | January 23, 2014
SQALE models - more than just tiny cities*
This week I want to talk about SQALE - which is commonly pronounced “scale.” Before I joined SonarSource, I tried many times to understand what SQALE was abo…
By g. ann campbell | January 10, 2014
SonarQube 4.1 in Screenshots
The team is proud to announce the release of SonarQube 4.1, which includes many exciting new features:…
By g. ann campbell | December 20, 2013
SonarQube 4.0 in Screenshots
The team is proud to announce the release of SonarQube 4.0. It includes many exciting new features:…
By g. ann campbell | November 20, 2013
SonarQube in Action, the Book - Interview with the Authors
It’s official… “SonarQube in Action” is available in stores - Thanks to the efforts of two community members, fanatics of software quality and advocates of …
By olivier gaudin | November 13, 2013
Take Action to Manage Technical Debt
One of the things I love about SonarQube is that it gives you tools to tackle all aspects of your technical debt. I am not just talking here about the Seven Axes…
By g. ann campbell | October 24, 2013
SonarQube JavaScript plugin: why compete with JSLint and JSHint?
This question has been raised several times on the Sonar mailing lists. Indeed since version 1.0, the SonarQube JavaScript plugin hasn’t relied on external ru…
By freddy mallet | October 09, 2013
Already 158 Checkstyle and PMD rules deprecated by SonarQube Java rules
By freddy mallet | October 03, 2013
Everything’s a component
Something occurred to me recently that I wanted to share. Sometimes I’m late to the party, so this may have been obvious to you all along, but it didn’t jump …
By g. ann campbell | September 18, 2013
SonarQube in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
By olivier gaudin | September 08, 2013
SonarQube 3.7 in Screenshots
The team is proud to announce the release of the SonarQube platform version 3.7. This version includes new features that we believe are worth stopping your da…
By simon brandhof | September 04, 2013
Differentials: but wait, there’s more!
In my last two posts I talked about differentials. First, it was the four ways they show you what’s changed in your code from “then” to now, and then why the …
By g. ann campbell | August 02, 2013
Using differentials to move the team in the right direction
In my last post I talked about differentials, which are my favorite feature in SonarQube. I could have - perhaps should have - talked about the philosophy beh…
By g. ann campbell | July 17, 2013
SonarQube in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
By olivier gaudin | July 10, 2013
SonarQube 3.6 in Screenshots
The team is proud to announce the release of SonarQube platform 3.6, the first version with the new name (it had been called Sonar). This version includes new…
By simon brandhof | July 03, 2013
Differentials: Four ways to see what’s changed
After a Sonar analysis, it’s easy to see your project’s current state - just browse to the project dashboard and it’s laid out for you. Want details? Just sta…
By g. ann campbell | June 12, 2013
Sonar in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
By olivier gaudin | June 06, 2013
Consultants, we need you!
By olivier gaudin | May 22, 2013
Sonar in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
By olivier gaudin | May 09, 2013
Customizing Sonar to Fit Your Needs
Sonar is a super-radiator for code quality and as such, you can expect it brings value to all stakeholders in a development group. To achieve this, Sonar must…
By olivier gaudin | April 26, 2013
Sonar in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
By olivier gaudin | April 11, 2013
End of Java 5 Support at Runtime for Sonar Platform
This is it! After talking about it, internally at SonarSource, for 2 years and after a failed attempt last year, we are discontinuing the support of Java 5 ru…
By fabrice bellingard | March 27, 2013
Sonar 3.5 in Screenshots
The Sonar team is proud to announce the release of Sonar 3.5. This new version includes new features that we believe are worth stopping your daily work for a …
By simon brandhof | March 19, 2013
Sonar in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
By olivier gaudin | March 07, 2013
What is coming up for Sonar in 2013?
I recently wrote a post to list what was accomplished on the platform last year. Today, I am doing the continuation with even more exciting stuff: what we are…
By freddy mallet | February 27, 2013
Looking Back at 2012 Sonar Platform Accomplishments
A new year provides a good opportunity to look back at what was achieved the previous year. This is what I am going to do in this post for the Sonar platform…
By freddy mallet | February 14, 2013
Sonar in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
By olivier gaudin | February 05, 2013
Sonar 3.4 in Screenshots
The Sonar team is proud to announce the release of Sonar 3.4. This new version includes new features that we believe are worth stopping your daily work for a …
By simon brandhof | January 17, 2013
Sonar in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
By olivier gaudin | January 14, 2013
Sonar in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
By olivier gaudin | December 06, 2012
Sonar in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
By olivier gaudin | November 14, 2012
Sonar 3.3 in Screenshots
The Sonar team is proud to announce the release of Sonar 3.3. This new version includes new features that we believe are worth stopping your daily work for a …
By simon brandhof | November 07, 2012
Access Control Management in Sonar
When used out-of-the-box, Sonar is a radiator for code quality continuously accessible by everyone. But of course, there are situations in which adding access…
By olivier gaudin | October 30, 2012
Sonar in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
By olivier gaudin | October 10, 2012
Sonar in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
By olivier gaudin | September 12, 2012
Sonar 3.2 in Screenshots
The Sonar team is proud to announce the release of Sonar 3.2. This new version includes new features that we believe are worth stopping your daily work for a …
By simon brandhof | August 14, 2012
Sonar in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
By olivier gaudin | August 08, 2012
Sonar in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
By olivier gaudin | July 05, 2012
Sonar 3.1 in Screenshots
The Sonar team is proud to announce the release of Sonar 3.1. This new version includes several major features that we believe are worth stopping your daily w…
By simon brandhof | June 20, 2012
Sonar in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
By olivier gaudin | June 05, 2012
Webinar About Sonar 3.0
By | May 21, 2012
Sonar in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
By olivier gaudin | May 10, 2012
Sonar 3.0 in screenshots
The Sonar team is proud to announce the release of Sonar 3.0. The team has been working for the last 2 years on Sonar 2.x versions, adding support for Conti…
By simon brandhof | April 18, 2012
Sonar in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
By olivier gaudin | April 11, 2012
What is coming up for Sonar in 2012 ?
By freddy mallet | March 29, 2012
Sonar 2.14 in screenshots
The Sonar team is proud to announce the release of Sonar 2.14. This new version includes 100+ improvements, bug-fixes and also new features that we believe ar…
By simon brandhof | March 27, 2012
Sonar in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
By olivier gaudin | March 07, 2012
Manage Duplicated Code with Sonar
If you use Sonar already, I am sure that you already know the worst of all 7 developer’s deadly sins: And if you don’t, I would assume you know about duplica…
By evgeny mandrikov | February 29, 2012
Looking Back at 2011 Sonar Platform Accomplishments
By freddy mallet | February 09, 2012
Sonar in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
By olivier gaudin | February 07, 2012
Sonar 2.13 in screenshots
The Sonar team is proud to announce the release of Sonar 2.13. This new version includes 60 improvements, bug-fixes and also some new features that we believe…
By simon brandhof | February 02, 2012
Sonar in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
By olivier gaudin | January 11, 2012
Sonar in Thoughtworks Technology Radar
Most IT people know Thoughtworks and its charismatic technical leader / evangelist Martin Fowler. But probably fewer know the Thoughtworks Technology Radar wh…
By freddy mallet | December 23, 2011
Sonar 2.12 in screenshots
The Sonar team is proud to announce the release of Sonar 2.12. This new version includes more than 100 improvements, bug-fixes and also some new features that…
By simon brandhof | December 08, 2011
Sonar in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
By olivier gaudin | December 06, 2011
Sonar in the news
By olivier gaudin | November 03, 2011
Effective Code Review with Sonar
At SonarSource, we like eating our own dog food as much as possible. This is not always the case in software development, but in our case since we develop sof…
By fabrice bellingard | October 20, 2011
Sonar 2.11 in screenshots
The Sonar team is proud to announce the release of Sonar 2.11. As usual, this new version includes improvements, bug-fixes and also new features that we belie…
By simon brandhof | October 06, 2011
Sonar in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
By olivier gaudin | October 04, 2011
Sonar… in the Cloud to Bee !
By olivier gaudin | September 27, 2011
Sonar in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
By olivier gaudin | September 07, 2011
Sonar 2.10 in screenshots
The Sonar team is proud to announce the release of Sonar 2.10. As usual, this new version includes improvements, bug-fixes and also new features that we belie…
By olivier gaudin | September 01, 2011
Sonar in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
By olivier gaudin | August 03, 2011
Sonar 2.9 in screenshots
The Sonar team is proud to announce the release of Sonar 2.9. As usual, this new version includes improvements, bug-fixes and also new features that we believ…
By simon brandhof | July 27, 2011
Sonar in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
By olivier gaudin | July 06, 2011
Jean-Louis Letouzey on SQALE Quality Model
By olivier gaudin | June 29, 2011
Sonar Eclipse 2.1 in screenshots
The Sonar team is proud to announce the release of Sonar Eclipse 2.1. This new version is the logical extension of Sonar 2.8 and provides support for Manual C…
By evgeny mandrikov | June 09, 2011
Sonar in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
By olivier gaudin | June 07, 2011
Sonar 2.8 in screenshots
The Sonar team is proud to announce the release of Sonar 2.8. As usual, this new release includes improvements, bug-fixes and also new features that we believ…
By simon brandhof | May 25, 2011
Differential Services in Sonar for a Complete Support of Continuous Inspection
One of the main objectives for Sonar in 2011 is to go a step further in the support of Continuous Inspection. Indeed, prior to version 2.5, Sonar could already…
By freddy mallet | May 12, 2011
Sonar in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
By olivier gaudin | May 03, 2011
Running local analysis with Sonar Eclipse 2.0
Have you tried Sonar Eclipse? If you’re a fan of Sonar and you monitor the quality of your code daily, you probably already have installed this set of plugins…
By fabrice bellingard | April 13, 2011
Sonar 2.7 in screenshots
By simon brandhof | April 07, 2011
Sonar in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
By olivier gaudin | April 05, 2011
Sonar SQALE 1.2 in screenshot
You probably remember that 4 months ago, we announced the availability of a SQALE plugin for Sonar. Since then, we have continued to work on it and have rele…
By freddy mallet | March 23, 2011
Sonar Mythbusters
When I joined the Sonar team 6 months ago, I had heard and read - here and there - myths about Sonar. Though I knew some of them were incorrect, I have since …
By fabrice bellingard | March 16, 2011
Sonar in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
By olivier gaudin | March 09, 2011
Sonar 2.6 Adds Continuous Inspection Support for Ant Community
The Sonar team is proud to announce Sonar version 2.6. It is a tradition that we publish screenshots along with such an announcement, but for this one time, as the…
By simon brandhof | March 01, 2011
What is coming up for Sonar in 2011 ?
After an initial attempt that ended up posting on what was accomplished last year, time has now come to discuss the plans for Sonar in 2011 and the associated…
By freddy mallet | February 16, 2011
Sonar in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
By olivier gaudin | February 09, 2011
Looking Back at 2010 Accomplishments on Sonar Platform
My initial intention was to write a post on the plans for Sonar in 2011 and the associated roadmap. I started by quickly listing what was achieved in 2010. Bu…
By olivier gaudin | February 03, 2011
Sonar at the Lausanne JUG Software Quality “Tournament” !
Cyril Picat asked us a few months ago whether we would be interested in participating in a session at the Lausanne JUG on Software Quality: so far nothing unus…
By olivier gaudin | January 31, 2011
Sonar 2.5 in screenshots
The Sonar team is proud to announce version 2.5, the first release of year 2011 ! As usual, this new release includes numerous improvements, bug-fixes and a…
By simon brandhof | January 25, 2011
Sonar in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
By olivier gaudin | January 03, 2011
Bridging Internal and External Quality with Sonar
A few weeks ago, Evgeny described how Sonar can be used with its JaCoCo plugin to measure code coverage by Integration Tests. By adding this new feature to So…
By olivier gaudin | December 17, 2010
Sonar in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
By olivier gaudin | December 06, 2010
Sonar 2.4 in screenshots
Only one month after the previous version, Sonar 2.4 has just been released. The new version is full of new features that I will explore today through screens…
By simon brandhof | November 24, 2010
SQALE, the ultimate Quality Model to assess Technical Debt
Six months ago, we would never have believed that one day we would be happy and excited to write about the implementation of a Quality Model in Sonar. Indeed …
By freddy mallet | November 18, 2010
Sonar in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
By olivier gaudin | November 04, 2010
Sonar 2.3 in screenshots
The Sonar team is proud to announce the release of Sonar 2.3. As usual, this new release includes numerous improvements, bug-fixes and also new features that …
By simon brandhof | October 19, 2010
The new “Filters” functionality added in Sonar 2.2
Prior to Sonar 2.2, the home page was simply the list of projects under quality control. Beyond the fact that it did not add much value to the platform, it wa…
By freddy mallet | October 12, 2010
Sonar in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
By olivier gaudin | October 04, 2010
Sonar has become a Multi-Languages Platform
At the beginning of this year, Freddy mentioned in the Sonar roadmap for 2010 that after version 2.0 the main objective was to enable other languages on the S…
By olivier gaudin | September 16, 2010
Sonar in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
By olivier gaudin | September 01, 2010
Pick your code coverage tool in Sonar 2.2
By default, Sonar ships with two tools to calculate code coverage by unit tests on Java projects: Cobertura and Clover. But last week, we also released plugins …
By evgeny mandrikov | August 05, 2010
Sonar in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
By olivier gaudin | August 02, 2010
Sonar 2.2 in screenshots
The Sonar team is proud to announce the release of Sonar 2.2. As usual, this new release includes numerous improvements, bug-fixes and also brand new features…
By simon brandhof | July 21, 2010
Sonar in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
By olivier gaudin | July 01, 2010
Continuous Inspection Practice Emerges with Sonar
By freddy mallet | June 23, 2010
Eclipse Sonar Plugin 0.1 in screenshots
The Sonar Team is very proud to announce the availability of the first version of the Sonar Eclipse plugin. This plugin is part of the Sonar IDE Project. This…
By evgeny mandrikov | June 07, 2010
Sonar in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
By olivier gaudin | June 01, 2010
Detect Dead Code and Calls to Deprecated Methods with Sonar Squid
Up to version 2.1, Sonar was relying only on external coding rules engines such as Checkstyle, PMD and Findbugs to report violations on Java applications. But…
By freddy mallet | May 26, 2010
Sonar 2.1 in screenshots
As usual this new release includes numerous improvements, bug-fixes and also brand new features that we believe are worth stopping your daily work for a few m…
By simon brandhof | May 11, 2010
IntelliJ IDEA Sonar Plugin 0.1 in screenshots
The Sonar Team is very proud to announce the release of the first version of the Sonar IntelliJ IDEA plugin. The Sonar IDE project consists at the moment of t…
By evgeny mandrikov | May 05, 2010
Sonar in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
By olivier gaudin | May 04, 2010
Knowing Better Sonar Users
It is sometimes a bit frustrating, when you are contributing to an Open Source project, to have doubts about who your users are… really. Not knowing them …
By evgeny mandrikov | April 15, 2010
The Flex Plugin for Sonar : a Further Step Toward Multi-Language Support
By olivier gaudin | April 08, 2010
Sonar in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
By olivier gaudin | April 06, 2010
Sonar Proposals for Google Summer of Code
Codehaus has been officially accepted into Google Summer of Code 2010. Based on the great job done by Ben Walding previous years, we expect that several proje…
By olivier gaudin | March 31, 2010
Fight Back Design Erosion by Breaking Cycles with Sonar
With version 2.0, Sonar now includes the seventh and last axis of source code quality: Design & Architecture. The objective of this post is to start discussin…
By freddy mallet | March 17, 2010
Sonar 2.0 in screenshots
The Sonar team is very proud to announce Sonar 2.0, the first release of 2010. As announced in a previous post, the main feature in Sonar 2.0 consists of anal…
By simon brandhof | March 11, 2010
Sonar in the news
By olivier gaudin | March 10, 2010
Add CI Build Stability to your Sonar Dashboard
Sonar is known as being the open source platform to evaluate and report continuously on source code quality. Its basic role is to evaluate the code technical …
By freddy mallet | March 03, 2010
Securing access to projects in Sonar
By freddy mallet | February 25, 2010
Sonar 2.0 at Geneva JUG
By olivier gaudin | February 10, 2010
Sonar Gadgets for GateIn and Jira4
By olivier gaudin | February 03, 2010
What does Open Source mean for SonarSource ?
By freddy mallet | January 27, 2010
2009 is over, what is coming up in 2010 for Sonar ?
By freddy mallet | January 13, 2010
Sonar 1.12 in screenshots
Here comes the 8th and last major Sonar release of the year. As for all previous releases, this post is a summary of the new features through screenshots:…
By simon brandhof | December 09, 2009
Create a plugin to compute custom metrics in Sonar
By olivier gaudin | December 03, 2009
Sonar Radiator plugin to keep an eye on quality all day long !
After the integration of two Google components (Motion Chart and Timeline), we are releasing the last of a series of three nice and sexy plugins : The Sonar R…
By olivier gaudin | November 11, 2009
Put Sonar Gadgets on your JIRA Dashboard !
By olivier gaudin | November 05, 2009
The Sonar Timeline Plugin, a great addition to TimeMachine service
By simon brandhof | November 04, 2009
The most sexy plugin of the Sonar forge
Last week, the most sexy plugin of the Sonar forge was released : the Motion Chart plugin ! This animated bubble chart as I used to call it can handle up to 4…
By simon brandhof | October 28, 2009
How to measure WTFs in Sonar ?
By olivier gaudin | October 22, 2009
Bring a new dimension to Sonar with the Views Plugin
The community started several months ago to request a plugin to group / aggregate projects in Sonar. This plugin was released a couple of days ago under t…
By | October 14, 2009
Sonar 1.11 in screenshots
We’re happy to announce the release of Sonar 1.11. This new version contains more than 60 issues that have been resolved amongst which improvements, bug fixes…
By simon brandhof | October 06, 2009
A new addition to the Sonar team
By olivier gaudin | October 05, 2009
Sonar to identify security vulnerabilities
During the last few months, Sonar has definitely become the leading Open Source Platform to manage Java code quality. The objective to democratize access to c…
By freddy mallet | September 24, 2009
SonarSource is short listed for Open Innovation Awards
By olivier gaudin | September 18, 2009
Talking about Sonar
By olivier gaudin | August 31, 2009
Sonar invited by Pyxis at Agile 2009
By freddy mallet | August 22, 2009
Sonar 1.10 in screenshots
We’re happy to announce the release of Sonar 1.10. This new version contains more than 40 improvements and bug fixes and also contains several new features. H…
By olivier gaudin | August 14, 2009
Source code analysis is not an end in itself, but a means to an end
By freddy mallet | August 06, 2009
Sonar TV : configuring coding rules
By olivier gaudin | July 15, 2009
Sonar at the Haus
By olivier gaudin | July 09, 2009
Reviewing code quality of Apache Sling using Sonar
A few weeks ago Michael Marth, who runs dev.day.com (Day’s developer portal), asked us if we could put together our impressions on the code quality of Apache …
By freddy mallet | July 01, 2009
Beyond the tool, Sonar is a platform to manage code quality
By freddy mallet | June 25, 2009
Hudson Sonar plugin 1.0 : to industrialize the ultimate build system
A couple of weeks ago, we wrote a post on the "The Ultimate Enterprise Java Build Solution", to show that nowadays the debate on infrastructure has shifted fr…
By olivier gaudin | June 03, 2009
Sonar 1.9 in screenshots
It is almost a tradition now : every month, we release a new version of Sonar. I am sure you are impatient to know which killing functionality is gonna be in …
By simon brandhof | May 28, 2009
Why you should (not?) upgrade to Sonar 1.9
Sonar 1.9 has just been released: installing this new version means being aware of a few things. I’m not talking here about any technical complexity to upgrad…
By freddy mallet | May 26, 2009
Sonar presented at XpDay France next week
By olivier gaudin | May 22, 2009
The Ultimate Enterprise Java Build Solution
Christopher Judd recently blogged on his “Ultimate Enterprise Java Build System” and places Sonar in this system along with Maven, Hudson, Subversion and Nexu…
By freddy mallet | May 14, 2009
Sonar TV : A short video for every key feature
In the last couple of weeks, we’ve started making short videos on Sonar, each one showing a dedicated feature in 1 or 2 minutes. Those videos are a good start…
By freddy mallet | May 07, 2009
We had a dream : mvn sonar:sonar
About a year ago we started to dream about the possibility to launch a full quality analysis on any Maven project, with no configuration, by simply running a …
By olivier gaudin | April 30, 2009
Sonar 1.8 in screenshots
We’re happy to announce the availability of April’s release : Sonar 1.8. This new version, ready to go into production, contains several improvements and bug …
By simon brandhof | April 21, 2009
The Sonar plugins forge is up and running !
Amongst Sonar’s built-in strengths, we mentioned extensibility several times without giving many details. Time has come to discuss it further as anyone can now …
By freddy mallet | April 16, 2009
Reuse in Sonar unit test reports generated by other systems
By olivier gaudin | April 09, 2009
Promoting Sonar configuration from staging to production environment
By olivier gaudin | April 01, 2009
Sonar 1.7 in screenshots
By simon brandhof | March 23, 2009
The next major version of JavaNCSS is on its way
By freddy mallet | March 19, 2009
JOLT Awards 2009 : Sonar is a Productivity Winner
By | March 18, 2009
The hunting toolbox in Sonar
Did we ever mention why, two years ago, we chose Sonar as a name for the open source platform to manage quality we wanted to build? It was obviously to make …
By freddy mallet | March 13, 2009
Using quality profiles in Sonar
Last month, Sonar 1.6 was released. The main feature of the new version is the ability to manage quality profiles. The purpose of this post is to explain what…
By olivier gaudin | March 05, 2009
Sonar team now on Twitter
By simon brandhof | February 26, 2009
SonarSource launches its web site
By | February 24, 2009
What makes Checkstyle, PMD, Findbugs and Macker complementary ?
There is often some misunderstanding when people talk about coding rules engines. Everyone tries to take position in favor of his preferred tool and does his …
By olivier gaudin | February 19, 2009
Sonar 1.6 in screenshots
Sonar 1.6 has been released. On top of various bug-fixes and several improvements, it contains 3 new major features related to the management of quality profi…
By simon brandhof | February 09, 2009
Maven Site, Sonar or both of them ?
As we get more and more questions about possible overlaps between Sonar and Maven Site, I think it is time to explain the clear vision we have on this importa…
By freddy mallet | February 05, 2009
Balsamiq Mockups to design the future of Sonar
I have spent roughly 10 years in software development, continuously aiming to improve team collaboration. Two months ago, I was convinced that we had a comple…
By freddy mallet | January 27, 2009
Sonar is the featured project of the month at Codehaus
2009 starts like 2008 finished, with good news for Sonar! :-) Indeed, after being nominated as a finalist in the 2009 Jolt Awards, Sonar has been declared Codeh…
By freddy mallet | January 21, 2009
Managing cyclomatic complexity to increase maintainability
In a previous post on Cyclomatic Complexity (CC), I discussed two ideas:…
By olivier gaudin | January 15, 2009
Sonar Time Machine : replaying the past
When talking about source code quality, at first you might think that the only data of interest is the result of the last code analysis. However, you realize …
By freddy mallet | January 07, 2009
Sonar nominated as finalist in 2009 JOLT Awards !
By | December 22, 2008
Discussing Cyclomatic Complexity
Googling on Cyclomatic Complexity (CC), gives some interesting results… Among those results, you’ll find the two following definitions :…
By olivier gaudin | December 17, 2008
Sonar 1.5 in screenshots
By simon brandhof | December 09, 2008
Tendencies in Sonar
By olivier gaudin | December 03, 2008
Sonar light: the low-calorie mode for Sonar
When I initially wrote this blog entry, I chose a much more original title : "What is the analogy between a Coke light and Sonar light". But then I realized t…
By olivier gaudin | November 25, 2008
Eclipse, Checkstyle, Sonar : an emerging source code management solution
Having a tool like Sonar to monitor source code and continuously evaluate risks is a good start. Nevertheless, Sonar should not only be considered as a passi…
By freddy mallet | November 19, 2008
SonarSource, a spin-off dedicated to Sonar development
By | November 11, 2008
Using the ‘Reviews’ section on the project dashboard
You might have already paid attention to this little and empty section named “Reviews” at the bottom right of any project dashboard, but what is this section …
By freddy mallet | November 04, 2008
Is 80% of code coverage any good ?
When talking about source code quality, there are always voices to tell you that metrics mean nothing and that plenty of projects have great metrics and poor …
By olivier gaudin | October 29, 2008
Sonar participates to the Valtech Days
Next week, on the 21st and 22nd of October, I am going to participate in the Valtech Days 2008, where I have been invited by Eric Lefevre. More than 300 partici…
By freddy mallet | October 14, 2008
Back from CITCON Europe 2008 in Amsterdam
Last weekend, we attended CITCON Europe 2008 in Amsterdam. We were really curious and impatient to discover the whole experience of technological OpenSpac…
By olivier gaudin | October 08, 2008
A new Hudson plugin for a closer integration with Sonar
Continuous integration (CI) has become a centerpiece of the software development lifecycle. Since Sonar is implemented as a Maven plugin, it can be easily integra…
By simon brandhof | September 30, 2008
Bug-fix release 1.4.2
By | September 25, 2008
Sonar at CITCON 2008 in Amsterdam
By freddy mallet | September 23, 2008
Does Sonar scale well ?
As Sonar is an enterprise quality tool, it must scale well as the number of projects and the number of snapshots per project grow over time. We consider this capability to be …
By freddy mallet | September 15, 2008
Sonar 1.4.1, bug fix release
By | August 25, 2008
Release 1.4
By | August 08, 2008
Release 1.3
By | June 17, 2008
Nemo, public demo of Sonar
By simon brandhof | June 02, 2008
Sonar 1.3 First Release Candidate
By | May 30, 2008
Sonar 1.2.1, bug fix release
By | April 30, 2008
Release 1.2 with new layout and reviews
By | March 27, 2008
Release 1.1
By | February 29, 2008
First release of 1.1 BETA
By | January 24, 2008
Move to Codehaus
By | January 10, 2008
Release 1.0.2
By | December 14, 2007
Sonar 1.0 released
By | November 21, 2007
Release 1.0 BETA
By | October 05, 2007