CVE-2020-28038: SonarSource Blog

WordPress before 5.5.2 allows stored XSS via post slugs.


Unrar Path Traversal Vulnerability affects Zimbra Mail

We discovered a vulnerability in Zimbra Enterprise Email that allows an unauthenticated, remote attacker to fully take over Zimbra instances via a flaw in unrar…

By simon scannell | June 28, 2022

Reflections upon the We Are Developers 2022 World Congress

Reflections upon the We Are Developers 2022 World Congress - Berlin…

By andrew osborne | June 21, 2022


Zimbra Email - Stealing Clear-Text Credentials via Memcache injection

We discovered flaws in Zimbra, an enterprise email solution, that allow attackers to steal credentials of users and gain access to their email accounts…

By simon scannell | June 14, 2022

SonarQube 9.5 is here!

Check out what’s new in SonarQube 9.5 in this quick video…

By lauren cranford | June 13, 2022

Sonar’s analysis performance targets

We’ve finally defined our own performance goals for analysis - so that we’re no longer subjecting ourselves to apples-to-oranges comparisons with tools that m…

By alexandre gigleux | June 07, 2022

Horde Webmail - Remote Code Execution via Email

We discovered vulnerabilities in Horde Webmail that allow an attacker to execute arbitrary code on Horde instances by having a victim open an email…

By simon scannell | May 31, 2022

A new and refreshed website for Sonar

Earlier this year we launched our new brand and website. Read more in this post by Sonar CEO and Co-founder, Olivier Gaudin…

By olivier gaudin | May 24, 2022

Reflections from PyCon US 2022

Reflections and Key Takeaways from PyCon US 2022…

By andrea guarino and guillaume dequenne | May 16, 2022

Path Traversal Vulnerabilities in Icinga Web

We recently discovered two critical vulnerabilities in the IT monitoring dashboard Icinga Web. Let’s review their respective root cause and their patches!

By thomas chauchefoin | May 10, 2022

A C&C++ tour of SonarLint for VS Code

VS Code has been gaining popularity for C and C++ development. We are happy to announce that finally, we will be able to help you write clean C and C++ code i…

By abbas sabra and geoffray adde | May 03, 2022

RainLoop Webmail - Emails at Risk due to Code Flaw

We recently discovered a critical code vulnerability in RainLoop Webmail that allows attackers to steal all emails by sending a malicious mail…

By simon scannell | April 19, 2022

SonarQube 9.4 is here!

Check out what’s new in SonarQube 9.4 in this 10-minute video brought to you by our Community Managers!

By elsa dithmer | April 07, 2022

PHP Supply Chain Attack on PEAR

For the second time in a year, we identified critical code vulnerabilities in a central component of the PHP supply chain. Let’s dive into it!

By thomas chauchefoin | March 29, 2022

Clean Your Infrastructure Code with Sonar

The norm for setting up your cloud-native app infrastructure is quickly becoming Infrastructure as Code (IaC). In this blog, we’ll cover how Sonar is the solu…

By clint cameron | March 22, 2022

Securing Developer Tools: Git Integrations

With this series, we present the results of our research on the security of popular developer tools with the goal of making this ecosystem safer: today’s arti…

By thomas chauchefoin | March 15, 2022

How Productboard helps us prioritize features and build great roadmaps

It’s been a year and a half now since we started using Productboard at SonarSource to manage features. During this time, we switched from Jira to this new too…

By christophe havard | March 10, 2022

Securing Developer Tools: Package Managers

Yarn, Pip, Composer & friends: Learn about 3 types of vulnerabilities we found in popular package managers that can be used by attackers to target developers…

By paul gerste | March 08, 2022

5 things to consider in performance comparisons

Most people can probably relate to asking a child to handle a chore, only to have the kid come back way too soon, saying it’s done. Or maybe you can relate to…

By g. ann campbell | March 01, 2022

Review your security vulnerabilities in GitHub with code scanning alerts

We’re happy to announce that SonarCloud integrates with GitHub code scanning! It’s available to everyone with a GitHub repository - private or public - indepe…

By thomas olivier | February 24, 2022

Horde Webmail 5.2.22 - Account Takeover via Email

We recently discovered a code vulnerability in Horde Webmail that can be used by attackers to take over email accounts by sending a malicious email…

By simon scannell | February 22, 2022

Zabbix - A Case Study of Unsafe Session Storage

In this article we discuss the security of client-side session storages and analyze a vulnerable implementation in the IT monitoring solution Zabbix…

By thomas chauchefoin | February 16, 2022

WordPress < 5.8.3 - Object Injection Vulnerability

We discovered an interesting code vulnerability that could be used to bypass hardening mechanisms in the popular WordPress CMS…

By simon scannell | February 08, 2022

How to restrict XXE resolving?

In this post, we’ll wrap it up by discussing a more flexible solution by limiting entities resolving to those you consider safe…

By eric therond | February 01, 2022

How to disable XXE processing?

In this post, we will see how to completely disable external entities declaration and expansion, offering a quick and safe solution…

By eric therond | January 25, 2022

Don’t be afraid of XXE vulnerabilities: understand the beast and how to detect them

Today XML External Entities (XXE) vulnerabilities are still ubiquitous, despite the fact that recommendations to protect against them have been an integral pa…

By eric therond | January 18, 2022

WordPress 5.8.2 Stored XSS Vulnerability

We reported a Stored XSS vulnerability in WordPress (CVE-2022-21662) which remained unpatched for more than 3 years and affected the wordpress.org website…

By karim el ouerghemmi | January 11, 2022

Vulnerability Research Highlights 2021

Our research team looks back at a great year and summarizes the highlights of their vulnerability research in 2021…

By johannes dahse | January 06, 2022

‘Quick Fix’ your C++ issues with SonarLint

‘Quick fixes’ with SonarLint bring value to the C++ community by providing more than what they have today. Let’s take a peek at how some of these rules equip …

By geoffray adde and kirti joshi | December 14, 2021

Modernizing your code with C++20

C++20 is here! It’s a big release with many features designed to make your code easier, faster and safer. Let’s see how the latest C++ analysis rules in Sonar…

By phil nash | December 07, 2021

NodeBB 1.18.4 - Remote Code Execution With One Shot

We recently discovered three interesting code vulnerabilities in NodeBB 1.18.4, allowing attackers to compromise servers. Find out about the details in this a…

By paul gerste | November 30, 2021

Code Security Advent Calendar 2021

Our code security advent calendar is back for the sixth consecutive year. We will release daily challenges until December 24th, get ready to fill your bag of …

By thomas chauchefoin | November 29, 2021

10 Unknown Security Pitfalls for Python

In this blog post, we share 10 security pitfalls for Python developers that we encountered in real-world projects…

By dennis brinkrolf | November 16, 2021

Agent 008: Chaining Vulnerabilities to Compromise GoCD

We discovered 3 more code vulnerabilities in the popular GoCD CI/CD system that can be chained by attackers to leak or modify internal code. Learn more in thi…

By simon scannell and thomas chauchefoin | November 11, 2021

SmartStoreNET - Malicious Message leading to E-Commerce Takeover

Check out the details of a Cross-Site Scripting bug in the BBCode processing in SmartStoreNET and how it can be chained into arbitrary code execution!

By thomas chauchefoin | November 02, 2021

Agent 007: Pre-Auth Takeover of Build Pipelines in GoCD

We recently discovered critical security issues in the popular CI/CD solution GoCD that can be exploited by unauthenticated attackers…

By simon scannell | October 27, 2021

Meet the new project experience for SonarCloud

We are very pleased to announce that we have released a new project experience. It’s now available in SonarCloud for all users. You’ll notice a few improvemen…

By thomas olivier | October 21, 2021

Squirrel Sandbox Escape allows Code Execution in Games and Cloud Services

We discovered and reported a vulnerability in the Squirrel VM, written in C, that allows an attacker to escape the sandbox…

By simon scannell and niklas breitfeld | October 19, 2021

Supercharge your C++ analysis with SonarLint for CLion

This article talks about the powerful capabilities of the C++ analyzer with SonarLint and highlights some unique and interesting quality and security rules yo…

By phil nash and geoffray adde | September 28, 2021

Modernize Code Quality with ‘Quick Fixes’

Boost your productivity by automatically applying fixes to repair code quality issues in your IDE with SonarLint…

By kirti joshi | September 23, 2021

Cachet 2.4: Code Execution via Laravel Configuration Injection

We responsibly disclosed three vulnerabilities in the open-source status page Cachet, allowing attackers to take over instances. Here are all the details!

By thomas chauchefoin | September 21, 2021

Product portals open: we want your input

SonarSource was born from open source software and most of what we do remains FLOSS, so openness and transparency have always been fundamental principles. Wit…

By g. ann campbell | September 14, 2021

Ghost CMS 4.3.2 - Cross-Origin Admin Takeover

We recently discovered an XSS vulnerability in the admin frontend of Ghost CMS 4.3.2. Find out the details and learn how to avoid such issues in your code!

By paul gerste | August 31, 2021

Compilation database: An alternative way to configure your C or C++ analysis

Analyzing your C or C++ code requires, in addition to the source code, the configuration that is used to build the code. Historically we have provided a tool …

By loic joly | August 24, 2021

elFinder - A Case Study of Web File Manager Vulnerabilities

Our case study of elFinder 2.1.57 describes several critical code vulnerabilities commonly found in web file managers and how to patch them…

By thomas chauchefoin | August 17, 2021

Use 3rd-party plugins at your own risk

SonarQube has always had a rich plugin Marketplace, with much of SonarQube’s functionality originally delivered as plugins and many additional needs being met…

By g. ann campbell | August 10, 2021

Launching ‘Secret Detection’ to keep your Cloud ‘Secrets’ safe

Learn how developers can safeguard their cloud ‘secrets’ from publicly leaking and take charge of their Code Security with SonarLint…

By kirti joshi | August 03, 2021

Zimbra 8.8.15 - Webmail Compromise via Email

We discovered critical code issues in Zimbra, a popular enterprise webmail solution, that could lead to a compromise of all emails by an unauthenticated attac…

By simon scannell | July 27, 2021

Clean As You Code essentials - What are Quality Profiles and Quality Gates?

Learn how the functionality of Quality Profiles and Quality Gates come together to enable the SonarSource Clean As You Code methodology…

By clint cameron | July 21, 2021

Etherpad 1.8.13 - Code Execution Vulnerabilities

We discovered two code execution vulnerabilities that affected Etherpad servers and data. Learn more about the technical details and how to avoid such coding …

By paul gerste | July 13, 2021

Know where your project stands with the new project overview!

In late April, I introduced the new project experience for SonarCloud, which has already been adopted by a lot of you. Today, we’re adding a brand new project…

By thomas olivier | July 06, 2021

Enterprise-ready: Authentication & Authorization with SonarQube (LDAP, SSO & more)

Discover how SonarQube can integrate with your existing enterprise setup (LDAP, SSO & co.) for user authentication and authorization…

By nicolas bontoux | June 28, 2021

CiviCRM 5.22.0 - Code Execution Vulnerability Chain Explained

We discovered critical code vulnerabilities in CiviCRM, a popular CRM plugin for WordPress, Joomla and Drupal. Learn more about how to find and patch these is…

By dennis brinkrolf | June 22, 2021

7 more reasons to upgrade to SonarQube 8.9 LTS

SonarQube 8.9 LTS is here! Not every improvement could be mentioned in the release announcement, so check out these LTS easter eggs that make this the Best LT…

By colin mueller | June 15, 2021

Broken pipelines for everyone!

With SonarQube 8.9 LTS, SonarSource has made failing the pipeline available for everyone, using any CI you want. But with great power comes … well, you know…

By christophe havard | June 08, 2021

Grav CMS 1.7.10 - Code Execution Vulnerabilities

We responsibly disclosed two code execution vulnerabilities in Grav CMS, one of the most popular flat-file PHP CMS in the market. Let’s see what we can learn …

By thomas chauchefoin | June 01, 2021

NoSQL Injections in Rocket.Chat 3.12.1: How A Small Leak Grounds A Rocket

We recently discovered vulnerabilities in Rocket.Chat, a popular team communications solution, that could be used to take over Rocket.Chat instances…

By paul gerste | May 18, 2021

What to expect from JavaScript/TypeScript analysis on OWASP JuiceShop

In April 2021, we updated our JavaScript and TypeScript SAST engines to explore more execution flows, increase performance and improve overall accuracy. It no…

By alexandre gigleux | May 12, 2021

SonarQube 8.9 LTS: 3 steps to a smooth upgrade

SonarQube 8.9 Long Term Support (LTS) is officially here! Check out this list of tips & tricks on how to upgrade your environment from start to finish…

By brian cipollone | May 05, 2021

PHP Supply Chain Attack on Composer

We recently discovered a vulnerability in Composer, the main package manager for PHP, and were able to use it to take over the central repository, packagist.o…

By thomas chauchefoin | April 29, 2021

WordPress 5.7 XXE Vulnerability

In this blog post we analyze an XXE vulnerability that our analyzers discovered in WordPress, the most popular CMS, and what PHP 8 developers can learn from it…

By karim el ouerghemmi | April 27, 2021

SonarQube 8.9 LTS: standby for launch

The new SonarQube 8.9 LTS is just around the corner. With a release planned for early May, this will be a must-have for our entire community. Come read why, a…

By nicolas bontoux | April 20, 2021

Discover SonarCloud’s new project experience. Join the beta today!

SonarCloud’s interface has received a nice refresh! We’re happy to invite you to join our beta program, which is just three clicks away! It’s open to all exis…

By thomas olivier | April 20, 2021

Code Vulnerabilities in NSA Application Revealed

Our security research team discovered multiple code vulnerabilities in the NSA’s Java application Emissary. Find out more about these issues and related attac…

By dennis brinkrolf | April 06, 2021

Mono-repository support for Bitbucket Cloud now available for SonarCloud!

Last September, we announced that mono-repository support was added for GitHub and Azure DevOps Services. The good news is: mono-repository support is now als…

By thomas olivier | March 29, 2021

My Support Engineer Journey at SonarSource

What does a support engineer do?

By joe tingsanchali | March 23, 2021

MyBB Remote Code Execution Chain

Today SonarSource is pleased to share a guest contribution to our Code Security blog series about learnings from a chain of serious vulnerabilities in MyBB…

By simon scannell and carl smith | March 18, 2021

Hack the Stack with LocalStack: Code Vulnerabilities Explained

Our vulnerability researchers found critical code vulnerabilities in a popular Python application that can be exploited remotely, even when the application in…

By dennis brinkrolf | March 02, 2021

Crafting regexes to avoid stack overflows

Due to the way regular expression matching is implemented in Java (and many other languages/libraries), matching a pattern may - depending on the regex - requ…

By sebastian hungerecker | February 23, 2021

Setting the right (regex) boundaries is important

Regular expressions pack a lot of power into terse little packages and unfortunately that introduces a lot of room for error. This post talks about regex boun…

By sebastian hungerecker | February 16, 2021

Regular expressions present challenges even for not-so-regular developers

Regular expressions are a concise and powerful tool for processing text. However, they also come with a steep learning curve and plenty of opportunities to ma…

By sebastian hungerecker | February 09, 2021

Security auditors - the Cinderella story of SAST

By g. ann campbell | February 02, 2021

Security Hotspots maintain engagement in developer-led security

By g. ann campbell | January 26, 2021

Blazing a trail on the SAST road less traveled by

By g. ann campbell | January 19, 2021

Taking the angst out of SAST analysis

By g. ann campbell | January 14, 2021

Code security: now there’s a tool for developers

Hey SonarQube and SonarCloud users! You now have a tool to own Code Security! SonarSource has been hard at work for the last year to give you the tooling to…

By g. ann campbell | December 11, 2020

Code Security Advent Calendar 2020

It’s time to have some December fun! We have 24 little challenge gifts awaiting you that hide security vulnerabilities in real-world Java, C#, PHP and Python …

By johannes dahse | November 26, 2020

Make Code Quality & Security™ an integral part of your workflow

SonarQube Developer Edition overlays Code Quality and Security™ right onto your projects. Your pull requests are automatically analyzed and decorated with a c…

By clint cameron | November 10, 2020

How SonarCloud finds bugs in high-quality Python projects

By nicolas harraudeau | November 03, 2020

Code vulnerabilities put health records at risk

OpenEMR is the most popular open source software for electronic health record and medical practice management. It is used world-wide to manage sensitive patie…

By dennis brinkrolf | October 28, 2020

For secure code, maintainability matters

By g. ann campbell | October 20, 2020

Lay a strong foundation by writing secure C and C++ utilities

By g. ann campbell | October 14, 2020

Winning the race against TOCTOU vulnerabilities in C & C++

Security is an eternal race between the techniques and technologies of attackers and those of the defenders. Today, I’m proud to announce a step forward for d…

By g. ann campbell | October 07, 2020

Mono-repository support for GitHub and Azure DevOps Services available now!

Take a tour of SonarCloud’s integration with mono-repositories in GitHub and Azure DevOps Services. This new feature allows you to define multiple Quality Gat…

By thomas olivier | September 29, 2020

Pandora FMS 742: Critical Code Vulnerabilities Explained

How code vulnerabilities in your web application can be the single point of failure for your IT infrastructure’s security…

By dennis brinkrolf | September 22, 2020

False positives are our enemies, but may still be your friends

When writing a rule for static analysis, it’s possible that in some cases, the rule does not give the results that were expected. Unfortunately, naming a fals…

By loic joly | September 15, 2020

Build World-Class Apps with SonarQube Enterprise Edition

Don’t sacrifice code quality and security just because what you’re building is big & bold. SonarQube Enterprise Edition gives you the tools to deliver clean, …

By clint cameron | September 09, 2020

Getting timely, accurate feedback on your C++ from the SonarQube ecosystem

Late feedback is a pain in the butt. Regardless of how it comes, hearing “that thing you did two weeks ago was wrong” is unwelcome at best. Good feedback is i…

By g. ann campbell | September 08, 2020

Codoforum 4.8.7: Critical Code Vulnerabilities Explained

We analyze the root cause of three critical security vulnerabilities that enabled a complete board take over, and how to correctly prevent these in your code…

By dennis brinkrolf | August 26, 2020

What’s worse than coding without tests? Coding with bad tests

By g. ann campbell | August 10, 2020

About the recent code leaks from SonarQube instances

On July 27th 2020 we learned through media coverage that Till Kottmann was able to access non-open-source source code from various companies. This is our publ…

By olivier gaudin | July 31, 2020

From Community post to a new feature: a brief history of Mono-repository support in SonarCloud

It all started a few months ago, with a message on our Community forum. One of our users wrote a post in the “Suggest new features” section of the forum… Le…

By thomas olivier | July 30, 2020

Security Hotspots bring a new approach to C++ SAST

A lot of people associate Static Application Security Testing (SAST) with false positives, but it doesn’t have to be that way. The fact is that there are real…

By g. ann campbell | July 30, 2020

Take Control of Code Quality with SonarQube Pull Request Decoration in Your Workflow

How do you write super clean code without disrupting your workflow? Join me as I show you how SonarQube Pull Request Decoration gets you there!

By clint cameron | July 27, 2020

Driving continuous improvement for Python security

Our goal for Python analysis this year is to Kick Asp & Take Names, and we’re making good on that promise, with regular deposits of new functionality. Our nex…

By g. ann campbell | June 09, 2020

Shift left for higher quality pull requests with Code Insights for Bitbucket Cloud

Atlassian officially released its new feature Code Insights for Bitbucket Cloud. With SonarCloud, discover what it brings for Code Quality and Security…

By thomas olivier | June 03, 2020

Apache Kylin 3.0.1 Command Injection Vulnerability

We discovered a severe command injection vulnerability (CVE-2020-1956) in Apache Kylin that allows malicious users to execute arbitrary OS commands and to tak…

By johannes dahse | June 02, 2020

Detect C++ buffer overflows in POSIX functions

By g. ann campbell | May 20, 2020

SonarSource acquires RIPS Technologies

Teams will be joining forces in building best-in-class Static Application Security Testing (SAST) products that help development teams and organizations deliv…

By olivier gaudin | May 13, 2020

More security rules injected into Python analysis

I’ve talked before about SonarSource’s commitment to helping developers improve their Code Quality and Security in Python. Today I can say that we’re making p…

By g. ann campbell | May 06, 2020

SonarCloud or SonarQube? - Guidance on Choosing One for Your Team

Learn about the similarities and key differences between SonarCloud and SonarQube and which one is best for your use case…

By clint cameron | April 28, 2020

My Consulting Journey at SonarSource

Join me as I share my 1st-year experience as an Enterprise Technical Consultant for SonarSource. You’ll learn about my role, my team and how we fit into the b…

By jeff zapotoczny | March 19, 2020

SonarSource is taking Python analysis by storm in 2020

By g. ann campbell | March 16, 2020

Security Hotspot review - are your doors locked?

By some quirk of fate or architecture, there are four doors into my moderately-sized ranch house. That’s four distinct points where an attacker or thief could…

By g. ann campbell | March 09, 2020

Exploiting Hibernate Injections

Hibernate is among one of the most commonly found database libraries used in Java web applications, shipping with its own query language. This technical post …

By robin peraglie | February 25, 2020

What is ‘taint analysis’ and why do I care?

By g. ann campbell | February 10, 2020

WordPress <= 5.2.3: Hardening Bypass

This blog post details an authenticated Remote Code Execution (RCE) vulnerability in the WordPress core that bypasses hardening mechanisms. The vulnerability …

By simon scannell | January 21, 2020

Clean as You Code: How to win at Code Quality without even trying

The first time you analyze a legacy project the results are usually truly overwhelming. The usual emotional response is fear, sadness… even despair. And the…

By g. ann campbell | January 20, 2020

Backend SQL Injection in BigTree CMS 4.4.6

BigTree is a small content management system which does not depend on many frameworks and advertises itself as user friendly and developer ready. In this blog…

By robin peraglie | November 05, 2019

Drive By RCE Exploit in Pimcore 6.2.0

In this technical blog post we will examine how a drive-by exploit in the Pimcore release 6.2.0 allows an attacker to execute OS commands by tricking an authe…

By robin peraglie | October 22, 2019

Takeaways from building a developer-led SAST tool…

Why effectiveness doesn’t mean achieving a perfect OWASP score. The quest to make the ultimate SAST tool while staying true to our developer roots meant forgi…

By alexandre gigleux | October 16, 2019

WooCommerce 3.6.4 - CSRF Bypass to Stored XSS

WooCommerce is the most popular e-commerce plugin for WordPress with over 5 million installations. We detected a code vulnerability in the way WooCommerce han…

By dennis brinkrolf | October 08, 2019

Bitbucket 6.1.1 Path Traversal to RCE

In this blog post we analyse how the insecure extraction of a compressed TAR archive led to a critical vulnerability in Bitbucket (CVE-2019-3397)…

By johannes dahse | September 03, 2019

SuiteCRM 7.11.4 - Breaking Into Your Internal Network

In this blog post we will see how a vulnerable web application deployed in the internal network of your company can act as a charming entry gateway for any ad…

By robin peraglie | August 20, 2019

Pre-Auth Takeover of OXID eShops

We detected a highly critical vulnerability in the OXID eShop software that allows unauthenticated attackers to take over an eShop remotely in less than a few …

By robin peraglie | July 29, 2019

TYPO3 9.5.7: Overriding the Database to Execute Code

In this technical blog post we examine a critical vulnerability in the core of the TYPO3 CMS (CVE-2019-12747). A reliable exploit allows the execution of arbi…

By robin peraglie | July 16, 2019

Magento 2.3.1: Unauthenticated Stored XSS to RCE

This blog post shows how the combination of an HTML sanitizer bug and a Phar Deserialization in the popular eCommerce solution Magento <=2.3.1 led to a high s…

By simon scannell | July 02, 2019

dotCMS 5.1.5: Exploiting H2 SQL injection to RCE

In this blog post we will show how to exploit a SQL injection vulnerability (CVE-2019-12872) found by RIPS Code Analysis in the popular java-based content man…

By johannes moritz | June 25, 2019

MyBB <= 1.8.20: From Stored XSS to RCE

This blog post shows how an attacker can take over any board hosted with MyBB prior to version 1.8.21 by sending a malicious private message to an administrat…

By simon scannell | June 11, 2019

The Hidden Flaws of Archives in Java

Archives such as Zip, Tar, Jar or 7z are useful formats to collect and compress multiple files or directories in a container-like structure. However, the extr…

By johannes moritz | May 29, 2019

MISRA C++ 2008 support is on its way

By alexandre gigleux | May 27, 2019

The NeverEnding Story of writing a rule for argument passing in C++

Here is a story of a rule, from concept to production. While the selected rule is for C++, this story contains interesting insight on the craft of rule develo…

By loic joly | May 15, 2019

WordPress 5.1 CSRF to Remote Code Execution

This blog post reveals another critical exploit chain for WordPress 5.1 that enables an unauthenticated attacker to gain remote code execution (CVE-2019-9787)…

By simon scannell | March 13, 2019

Announcing the SonarCloud Pipe for Bitbucket Cloud users!

SonarSource is proud to be a launch partner of the Atlassian Bitbucket Pipes. Thanks to the SonarCloud Scan Pipe, you can configure code analysis in your Bitb…

By nicolas bontoux | February 28, 2019

WordPress 5.0.0 Remote Code Execution

This blog post details how a combination of a Path Traversal and Local File Inclusion vulnerability led to Remote Code Execution in the WordPress core (CVE-2…

By simon scannell | February 19, 2019

CTF Writeup: Complex Drupal POP Chain

A recent Capture-The-Flag tournament hosted by Insomni’hack challenged participants to craft an attack payload for Drupal 7. This blog post will demonstrate o…

By simon scannell | January 29, 2019

Pragmatic Application Security - The SonarSource Way

At SonarSource, we’ve taken a pragmatic approach to application security. The best security tools are the ones that get used and not abandoned. Learn how you…

By clint cameron | January 08, 2019

WordPress Privilege Escalation through Post Types

A logic flaw in the way WordPress created blog posts allowed attackers to access features only administrators were supposed to have (CVE-2018-20152). This lea…

By simon scannell | December 17, 2018

phpBB 3.2.3: Phar Deserialization to RCE

A new PHP exploit technique affects the most famous forum software phpBB3. The vulnerability allows attackers who gain access to an administrator account to e…

By simon scannell | November 20, 2018

Pydio 8.2.1 Unauthenticated Remote Code Execution

Pydio, a popular file sharing solution used by enterprises and governments around the world, suffered from a highly critical vulnerability that allowed unauth…

By simon scannell | November 13, 2018

Continuously Improving Analysis of C/C++/Objective-C Code

Today we have improved the functionality of SonarCloud centered around the analysis of C/C++/Objective-C code. It’s an important change and we’d like to take …

By nicolas bontoux | November 12, 2018

WordPress Design Flaw Leads to WooCommerce RCE

A flaw in the way WordPress handles privileges can lead to a privilege escalation in WordPress plugins. This affects for example WooCommerce, the most popular…

By simon scannell | November 06, 2018

PHP Object Injection

A very common and critical vulnerability in PHP applications is PHP Object Injection. This blog post explains how it works and how it can lead to a full si…

By simon scannell | October 09, 2018

Fully Automated Promotion Pipelines with SonarQube and Artifactory

Catch builds constructed from poor quality code before they make it to production. Discover how to integrate Artifactory and SonarQube…

By fabrice bellingard | September 25, 2018

My Journey Interviewing with SonarSource…

What’s it like to interview with SonarSource? Read on and find out!

By clint cameron | August 21, 2018

What is Phar Deserialization

Last week a new exploitation technique for PHP applications was announced at the BlackHat USA conference. Find out everything you need to know in this blog po…

By johannes dahse | August 14, 2018

The Tweets You Missed in July

Here are the tweets you likely missed last month!

By fabrice bellingard | August 07, 2018

Protect your code against injection vulnerabilities with SonarCloud!

Injection security vulnerabilities (OWASP-A1) can run scared, as latest SonarCloud updates now provide advanced security checks to continuously detect them…

By alexandre gigleux | July 10, 2018

The Tweets You Missed in June

Here are the tweets you likely missed last month!

By fabrice bellingard | July 03, 2018

WordPress File Delete to Code Execution

In this blog post we introduce an authenticated arbitrary file deletion vulnerability (CVE-2018-20714) in the WordPress core that can lead to attackers execut…

By karim el ouerghemmi | June 26, 2018

Evil Teacher: Code Injection in Moodle

In this post we will examine the technical intrinsics of a critical vulnerability in the previous Moodle release (CVE-2018-1133)…

By robin peraglie | June 12, 2018

Celebrating SonarCloud 1 year anniversary!

Since its inception, SonarSource has been committed to Continuous Code Quality, i.e. to providing teams with the best products to analyze the quality of their…

By fabrice bellingard | June 12, 2018

Import issues of your favorite linters in SonarCloud!

Over the past 2 weeks, the following new features were deployed on SonarCloud: import of issues from external linters with built-in support for TypeScript pro…

By fabrice bellingard | June 04, 2018

Integrate SonarCloud with VSTS to boost code quality

The SonarCloud extension now brings the missing piece on VSTS to have everything in hand to write clean code: the automatic analysis of pull requests…

By fabrice bellingard | May 09, 2018

A Salesman's Code Execution: PrestaShop 1.7.2.4

PrestaShop is one of the most popular e-commerce solutions. We detected a highly critical vulnerability that allows executing arbitrary code on any installat…

By robin peraglie | May 07, 2018

LimeSurvey 2.72.3 - Persistent XSS to Code Execution

We detected two vulnerabilities in LimeSurvey < 2.72.3: An unauthenticated persistent cross-site scripting vulnerability (CVE-2017-18358) and an authenticated…

By robin peraglie | April 10, 2018

SonarCloud loves your build pipelines

Over the past 2 weeks, the following new features were deployed on SonarCloud: pull requests as first class citizen, a dedicated webhooks console, and new rul…

By fabrice bellingard | April 06, 2018

The Tweets You Missed in March

Here are the tweets you likely missed last month!..

By fabrice bellingard | April 05, 2018

The Tweets You Missed in February

Here are the tweets you likely missed last month!..

By fabrice bellingard | March 06, 2018

Joomla! 3.8.3: Privilege Escalation via SQL Injection

Joomla! is one of the biggest players in the market of content management systems and the second most used CMS on the web. We discovered a second-order SQL in…

By karim el ouerghemmi | February 06, 2018

The Tweets You Missed in January

Here are the tweets you likely missed last month!..

By fabrice bellingard | February 06, 2018

In-Depth Linting of Your TypeScript While Coding

Last year we started development on SonarTS, a static code analyser for TypeScript. So far it has only been available in 2 flavors: as a SonarQube language pl…

By elena vilchik | January 31, 2018

Why did my coverage just drop?!

After an upgrade people are sometimes surprised to find that the next analysis of a project with no real changes shows a significant drop in coverage. Believe…

By g. ann campbell | January 23, 2018

CubeCart 6.1.12 - Admin Authentication Bypass

CubeCart is an open source e-commerce solution. In one of our latest security analyses we found two flaws in this web application that allow an attacker to ci…

By robin peraglie | January 17, 2018

Supporting analysis of .NET Core projects

Support for SonarQube analysis of projects in the new MSBuild v15 format has been one of the features most requested by the Microsoft community, now it’s done…

By duncan pocklington | January 10, 2018

Changing our pricing model to boost adoption

With the new LTS and its ecosystem come many new features and improvements that were highly expected since the previous LTS. For example TypeScript sup…

By olivier gaudin | January 09, 2018

The Tweets You Missed in November

Here are the tweets you likely missed last month!..

By fabrice bellingard | December 05, 2017

The Tweets You Missed in October

Here are the tweets you likely missed last month!..

By fabrice bellingard | November 09, 2017

Shopware 5.3.3: PHP Object Instantiation to Blind XXE

Shopware is a popular e-commerce software that is based on Symfony, Doctrine and the Zend Framework. In this blog post we investigate the exploitation of a rare …

By karim el ouerghemmi | November 08, 2017

SonarQube 6.7 (LTS) in Screenshots

The SonarSource team is proud to announce the release of 6.7, the new LTS, which features many long-awaited features…

By | November 08, 2017

5 Puzzling JavaScript Bugs

Let’s play a game: you see a piece of JavaScript and try to find a bug there. It could be for example a dead code, a runtime error or some unexpected behaviou…

By elena vilchik | November 07, 2017

SonarQube 6.6 in Screenshots

By g. ann campbell | October 20, 2017

The Tweets You Missed in September

Here are the tweets you likely missed last month!..

By fabrice bellingard | October 16, 2017

SonarTS, a strange beast

Embarking on the creation of a new language analyzer is often a complex decision, with many variables to consider, most of them hard to quantify. For TypeScri…

By carlo bottiglieri | October 05, 2017

Joomla! 3.7.5 - Takeover in 20 Seconds with LDAP Injection

Joomla! is one of the most popular content management systems. We detected a previously unknown LDAP injection vulnerability in the login controller that coul…

By robin peraglie | September 20, 2017

SugarCRM’s Security Diet - Multiple Vulnerabilities

SugarCRM is one of the most popular customer relationship management solutions. We uncovered critical security issues that could allow attackers to steal cust…

By robin peraglie | September 14, 2017

The Tweets You Missed in August

Here are the tweets you likely missed last month!..

By fabrice bellingard | September 05, 2017

SonarQube 6.5 in Screenshots

The SonarSource team is proud to announce the release of SonarQube 6.5, which brings more usable project measure history charts, and significant changes to th…

By g. ann campbell | August 10, 2017

The Tweets You Missed in July

Here are the tweets you likely missed last month!..

By fabrice bellingard | August 01, 2017

How security flaws in PHP’s core can affect your application

Learn how memory corruption bugs in the PHP core itself can affect your PHP application…

By johannes dahse | July 20, 2017

The Tweets You Missed in June

Here are the tweets you likely missed last month!..

By fabrice bellingard | July 04, 2017

SonarQube 6.4 in Screenshots

The SonarSource team is proud to announce the release of SonarQube 6.4, which brings significant new features to the Projects page and compelling new function…

By g. ann campbell | June 29, 2017

SonarCFamily Now Supports ARM Compilers

For those not familiar with ARM (Advanced RISC Machine), let’s start by sharing some numbers: in 2011, the 32-bit ARM architecture was the most widely used ar…

By massimo paladin | June 15, 2017

The Tweets You Missed in May

Here are the tweets you likely missed last month!..

By fabrice bellingard | June 09, 2017

Kill the Noise! to Change Gear in our Code Analyzers

Over the past few weeks, you may have noticed that most of our product news about code analyzers contained a mention of a “Kill The Noise!” project. We initia…

By freddy mallet | June 01, 2017

Accelerate Products Development at SonarSource

We founded SonarSource 8 years ago with a dream to one day provide every developer the ability to measure the code quality of his projects. And we had a motto…

By olivier gaudin | May 10, 2017

The Tweets You Missed in April

Here are the tweets you likely missed last month!..

By fabrice bellingard | May 05, 2017

Why mail() is dangerous in PHP

Recently, many critical security vulnerabilities were fixed in popular PHP applications such as Roundcube, Wikimedia and Zend Framework that were based on insecure…

By robin peraglie | May 03, 2017

SonarJS 3.0: Being Lean and Mean in JavaScript

All through 2016 SonarJS has become richer and more powerful thanks to new rules and its new data flow engine, to the point of being able to find pretty inter…

By carlo bottiglieri | May 01, 2017

Breaking the SonarQube Analysis with Jenkins Pipelines

One of the most requested features regarding SonarQube Scanners is the ability to fail the build when quality is not at the expected level. We have this …

By julien henry | April 19, 2017

SonarQube 6.3 in Screenshots

The SonarSource team is proud to announce the release of SonarQube 6.3, which brings both interface and analysis improvements…

By g. ann campbell | April 12, 2017

SonarCfamily For C/C++ Now Plays With The Big Kids

Version 4.6 of our SonarCfamily for C/C++ has just been released with a shiny new Buffer Overflow detection mechanism. To get an idea of what bugs we can now …

By massimo paladin | March 28, 2017

The Tweets You Missed in February

Here are the tweets you likely missed last month!..

By fabrice bellingard | March 09, 2017

Eating The Dog Food… In Public

At SonarSource, we’ve always eaten our own dog food, but that hasn’t always been visible outside the company. I talked about how dogfooding works at SonarSour…

By g. ann campbell | February 16, 2017

The Tweets You Missed in January

Here are the tweets you likely missed last month!..

By fabrice bellingard | February 06, 2017

Detecting Type Issues in JavaScript

JavaScript is very flexible and tries as much as possible to run code without raising an error. This is both a blessing and a curse. It’s a blessing for begin…

By pierre yves nicolas | January 11, 2017

SonarQube 6.2 in Screenshots

The SonarSource team is proud to announce the release of SonarQube 6.2, which brings a lot of significant changes, both to the interface and underlying mechan…

By g. ann campbell | January 05, 2017

The Tweets You Missed in December

Here are the tweets you likely missed last month!..

By fabrice bellingard | January 02, 2017

osClass 3.6.1: Remote Code Execution via Image File

In this blog post, we present a beautiful chain of vulnerabilities which, in the end, allows an attacker to remotely execute arbitrary PHP code in the open so…

By robin peraglie | December 19, 2016

Cognitive Complexity, Because Testability != Understandability

Cyclomatic Complexity works very well for measuring testability, but not for maintainability. That’s why we’re introducing Cognitive Complexity, which you’ll …

By g. ann campbell | December 07, 2016

Roundcube 1.2.2: Command Execution via Email

In this post, we show how a malicious user can remotely execute arbitrary commands on the underlying operating system, simply by writing an email in Roundcube…

By robin peraglie | December 06, 2016

The Tweets You Missed in November

Here are the tweets you likely missed last month!..

By fabrice bellingard | December 05, 2016

Putting It All Together: End-to-end Quality With SonarEcosystem

The question is typically phrased like this: how do I keep developers from checking in bad code? Usually the asker has in mind some automated check that preve…

By g. ann campbell | November 15, 2016

The Tweets You Missed in October

Here are the tweets you likely missed last month!..

By fabrice bellingard | November 08, 2016

SonarQube 6.x series: Focused and Efficient

At the beginning of the summer, we announced the long-awaited new “Long Term Support” version, SonarQube 5.6. It comes packed with great features to highlight…

By fabrice bellingard | November 03, 2016

SonarQube Embraces the .NET Ecosystem

In the last couple months, we have worked on further improving our already-good support for the .NET ecosystem. In this blog post, I’ll summarize the changes …

By | October 28, 2016

SonarQube 6.1 in Screenshots

The SonarSource team is proud to announce the release of SonarQube 6.1, which brings an improved interface and the first baby steps toward SonarQube clusters…

By g. ann campbell | October 25, 2016

The Tweets You Missed in September

Here are the tweets you likely missed last month!..

By fabrice bellingard | October 05, 2016

We Are Adjusting Rules Severities

With the release of SonarQube 5.6, we introduced the SonarQube Quality Model, which pulls Bugs and Vulnerabilities out into separate categories to give them t…

By g. ann campbell | September 08, 2016

The Tweets You Missed in August

Here are the tweets you likely missed last month!..

By fabrice bellingard | September 06, 2016

SonarAnalyzer for C#: The Rule Engine You Want to Use

If you’ve been following the releases of the Scanner for MsBuild and the C# plugin over the last two years, you must have noticed that we significantly improv…

By | September 01, 2016

SonarQube 6.0 in Screenshots

The SonarSource team is proud to announce the release of SonarQube 6.0, which features support of file renaming, and better UIs for admins at every level…

By g. ann campbell | August 18, 2016

The Tweets You Missed in July

Here are the tweets you likely missed last month!..

By fabrice bellingard | August 01, 2016

The Tweets You Missed in June

Here are the tweets you likely missed last month!..

By fabrice bellingard | July 06, 2016

JavaScript Plugin Finds Tricky Bugs, Thanks to Execution Flow

Over the last few months, the SonarAnalyzer for JavaScript has made major advances in bug detection. Until recently, it only caught rather simple bugs, like f…

By pierre yves nicolas | June 29, 2016

Language Plugins Rock SonarQube Life!

SonarAnalyzers are fundamental pillars of our ecosystem. The language analyzers play a central role, but the value they bring isn’t always obvious. The aim of…

By jean denis coffre | June 23, 2016

Sonar ecosystem upgrades to Java 8

With the release of SonarQube version 5.6, the entire Sonar ecosystem will drop support for Java 7. This means you won’t be able to run new versions of the So…

By g. ann campbell | June 14, 2016

SonarQube 5.6 (LTS) in Screenshots

The wait is over! The new SonarQube Long Term Support (LTS) version is out, and it’s packed with new features to help you better manage your technical debt an…

By g. ann campbell | June 08, 2016

Bugs and Vulnerabilities are 1st Class Citizens in SonarQube Quality Model along with Code Smells

In SonarQube 5.5 we adopted an evolved quality model, the SonarQube Quality Model, that takes the best from SQALE and adds what was missing. In doing so, we’v…

By g. ann campbell | June 02, 2016

SonarLint 2.0 Is Now Available

SonarLint is a pretty recent product that we released for the first time a few months ago for Eclipse, IntelliJ and Visual Studio. We have recently released t…

By julien henry | May 25, 2016

SonarQube 5.5 in Screenshots

The team is proud to announce the release of 5.5, which features simplified concepts for easier triage and management of issues:…

By g. ann campbell | May 19, 2016

What’s New in SonarEcosystem - April 2016

By olivier gaudin | May 11, 2016

SonarSource City Tour, We Are Coming Near You

Since we love touring and meeting our community of users, we’re setting out on the road once again, this time to more cities than ever! Over the next 6 months…

By meryll moreau | April 27, 2016

SonarAnalyzer for Java: Tricky Bugs are Running Scared

For the past year, the SonarSource team behind the SonarAnalyzer for Java has invested most of its time in developing a Symbolic Execution engine in order to …

By freddy mallet | April 13, 2016

Stop planning; fix the leak!

So there you are: you’ve finally decided to install the SonarQube platform and run a couple of analyses on your projects, but it unveiled so many issues that …

By fabrice bellingard | April 06, 2016

SonarQube 5.4 in Screenshots

The team is proud to announce the release of 5.4, a more usable and informative version than ever before:…

By g. ann campbell | April 01, 2016

ECMAScript 2015: With Great Power Comes Great Responsibility

Last summer a revolutionary version of ECMAScript was released with native classes, modules, arrow functions and many other long-awaited features. According…

By elena vilchik | March 16, 2016

Why You Shouldn’t Use Build Breaker

There have been some heated discussions recently about the Build Breaker plugin… SonarSource doesn’t want to continue the feature. The community has come to…

By olivier gaudin | February 25, 2016

SonarLint for Visual Studio: Let’s Fix Some Real Issues in Code!

By | February 10, 2016

SonarQube 5.3 in Screenshots

The team is proud to announce the release of 5.3, another paradigm-shifting version, with the addition of significant new features, and the return of popular …

By g. ann campbell | January 28, 2016

SonarQube 5.2 in Screenshots

The team is proud to announce the biggest release ever of the SonarQube server, version 5.2, which includes the second-most-anticipated feature ever: code sca…

By g. ann campbell | November 26, 2015

Analysis of Visual Studio Solutions with the SonarQube Scanner for MSBuild

At the end of April 2015, during the Build Conference, Microsoft and SonarSource announced SonarQube integration with MSBuild and Team Build. Today, half a yea…

By | November 19, 2015

SonarQube Enters the Security Realm and Makes a Good First Showing

For the last year, we’ve been quietly working to add security-related rules in SonarQube’s language plugins. At September’s SonarQube Geneva User Conference w…

By g. ann campbell | November 12, 2015

SonarLint: Fixing Issues Before They Exist

I’m very happy to announce the launch of a new product series at SonarSource: SonarLint, which will help you fix code quality issues before they even exist. …

By julien henry | October 22, 2015

Mainstream: Noun. The principal or dominant course, tendency, or trend

At the SonarQube Geneva User Conference last week I learned that 7 of the Fortune 10 companies and 47 of the Fortune 100 use the SonarQube platform. We’ve got…

By g. ann campbell | September 30, 2015

The Agenda for the Geneva Conference is Available

The Geneva SonarQube Conference is going to take place on 23rd-24th of September in Geneva and it is still possible to register…

By olivier gaudin | September 11, 2015

SonarLint for Visual Studio 1.2.0 Brings Code Fixes to the IDE

SonarLint for Visual Studio version 1.2.0 was released this week. In this version we focused on improving the user experience by adding code fading and fixes…

By | September 03, 2015

MSBuild SonarQube Runner now available on Visual Studio Online

By | September 02, 2015

Call for Papers is Open for Geneva SonarQube Conference

A few weeks ago, I announced a free SonarQube User Conference in Geneva on the 23rd and 24th of September. More than 100 people have already registered…

By olivier gaudin | July 31, 2015

SonarLint brings SonarQube rules to Visual Studio

We are happy to announce the release of SonarLint for Visual Studio version 1.0. SonarLint is a Visual Studio 2015 extension that provides on-the-fly feedback…

By | July 24, 2015

Geneva SonarQube Conference – Sept. 23 & 24.

We are very happy to announce the first SonarQube European User Conference! This two-day free event will take place in Geneva on September 23rd and 24th, righ…

By olivier gaudin | July 17, 2015

SonarQube Swift Plugin Offers Mature Functionality for Young Language

The Swift programming language is only a year old, but the SonarQube plugin for code written in this “green” language has already been out for six months and …

By elena vilchik | July 10, 2015

GitHub pull request analysis helps fix the leak

If you follow SonarSource, you are probably aware of a simple and yet powerful paradigm that we’re using internally: the water leak concept. That is how we’ve…

By fabrice bellingard | July 08, 2015

Water Leak Changes the Game for Technical Debt Management

A few months ago, at the end of a customer presentation about “The Code Quality Paradigm Change”, I was approached by an attendee who said, “I have been follo…

By olivier gaudin | July 03, 2015

Quality Gates Work - If You Let Them

Some people see rules - standards - requirements - as a way to hem in the unruly, limit bad behavior, and restrict rowdiness. But others see reasonable rules …

By g. ann campbell | June 11, 2015

The SonarQube COBOL Plugin Tracks Sneaky Bugs in Conditions

Not long ago, I wrote that COBOL is not a dead language and there are still billions of lines of COBOL code in production today. At COBOL’s inception back in 195…

By freddy mallet | May 21, 2015

SonarQube User Conference in Paris

By olivier gaudin | May 11, 2015

Announcing SonarQube integration with MSBuild and Team Build

This is a cross-post of Microsoft ALM web site. Technical debt is the set of problems in a development effort that make forward progress on customer value in…

By aaron hallberg | April 28, 2015

SonarQube 5.1 in Screenshots

The team is proud to announce the release of SonarQube 5.1, which includes many new features:…

By g. ann campbell | April 23, 2015

SonarQube User Conference - U.S. West (Santa Clara, CA)

We are very happy to announce that the second SonarQube user conference will take place on April 27th at the Santa Clara Convention Center, in Santa Clara, Ca…

By olivier gaudin | April 08, 2015

Codehaus & Ben: Thank You and Good Bye

It seems very natural today that SonarQube is hosted at Codehaus, but there was a time when it was not! In fact joining Codehaus was a big achievement for us;…

By olivier gaudin | March 26, 2015

The speed of a caravan in the desert

“What is the speed of a caravan in the desert?” Language Team Technical Lead Evgeny Mandrikov posed that question recently to illustrate a point about develop…

By g. ann campbell | March 12, 2015

Eating the dog food

The SonarQube platform includes an increasingly powerful lineup of tools to manage technical debt. So why don’t you ever see SonarSourcers using Nemo, the offic…

By g. ann campbell | February 25, 2015

SonarQube Java Analyzer: The Only Rule Engine You Need

If you have been following the releases of the Java plugin, you might have noticed that we work on two major areas for each release: we improve our semantic a…

By nicolas peru | February 12, 2015

C/C++/Objective-C: Dark past, bright future

We’ve just released version 3.3 of the C/C++/Objective-C plugin, which features an increased scope and precision of analysis for C, as well as detection of re…

By evgeny mandrikov | February 05, 2015

SonarQube 5.0 in Screenshots

The team is proud to announce the release of SonarQube 5.0, which includes many new features…

By g. ann campbell | January 28, 2015

COBOL is… Alive!

Most C, Java, C++, C#, JavaScript… developers reading this blog entry might think that COBOL is dead and that SonarSource should better focus its attention …

By freddy mallet | January 14, 2015

SonarQube 5.x series: It just keeps getting better and better!

We recently wrapped up the 4.x series of the SonarQube platform by announcing its Long Term Support version: 4.5.1. At the same time, we sat down to map out t…

By fabrice bellingard | January 09, 2015

Walking the Tightrope: Balancing Agility and Stability

About a year ago we declared a Long Term Support (LTS) version for the first time ever, and recently, we declared another one (version 4.5.1). But we never ta…

By g. ann campbell | December 12, 2014

New LTS Version Sums Impressive Array of New Features

In November, SonarQube version 4.5.1 was announced as the new Long Term Support (LTS) release of the platform. It’s been nearly a year since the last LTS vers…

By g. ann campbell | December 04, 2014

Do you care about your code? Track code coverage on new code, right now !

A few weeks ago, I had a passionate debate with my old friend Nicolas Frankel about the usefulness of the code coverage metric. We started on Twitter and then…

By freddy mallet | November 27, 2014

What about Microsoft Component Extensions for C++?

After my previous blog entry about the support of Objective-C, you could get the impression that we’re fully focused on Unix-like platforms and have completel…

By evgeny mandrikov | November 19, 2014

SonarQube 4.5 in Screenshots

The team is proud to announce the release of SonarQube 4.5, which includes many new features:…

By g. ann campbell | November 11, 2014

SonarQube supports ECMAScript 6

The 2.1 version of the JavaScript Plugin fully supports ECMAScript 6 (ES6). But what does that mean exactly?..

By | October 28, 2014

Suggest a Valuable Rule, Win a SonarQube T-Shirt

Is there a rule you’d like to turn on in SonarQube, but you just can’t find it? Well, wish no more, just tweet your missing rule and if it’s valuable, we’ll im…

By g. ann campbell | October 08, 2014

Analyzing Objective-C: the World of OS X and iOS within your Grasp

With version 3.0 of the C / C++ plugin in August, 2014, support of the Objective-C language arrived. Support of Objective-C in SonarQube was heavily awaited …

By evgeny mandrikov | September 25, 2014

The Rules Have Changed

If you’ve already taken a look at SonarQube 4.4, the title of this post wasn’t any news to you. The new version introduces two major changes to the way SonarQu…

By g. ann campbell | September 10, 2014

SonarQube 4.4 in Screenshots

The team is proud to announce the release of SonarQube 4.4, which includes many exciting new features:…

By g. ann campbell | August 12, 2014

Unit Test Execution in SonarQube

Starting with Java Ecosystem version 2.2 (compatible with SonarQube version 4.2+), we no longer drive the execution of unit tests during Maven analysis. Dropp…

By g. ann campbell | August 06, 2014

.NET in SonarQube: bright future

A few months ago, we started on an innocuous-seeming task: make the .NET Ecosystem compatible with the multi-language feature in SonarQube 4.2. What followed …

By g. ann campbell | July 10, 2014

With great power comes great configuration

We’ve got an ambitious vision for the C/C++ plugin this year. To fulfill it, we started with some under-the-cover improvements to the parser and the internal …

By g. ann campbell | June 26, 2014

Quality Gates: Shall your projects pass?

With SonarQube 4.3, the concept formerly known as alerts came into its own. No longer a subset of Quality Profiles (it was always a slightly awkward fit ther…

By g. ann campbell | June 05, 2014

SonarQube 4.3 in Screenshots

The team is proud to announce the release of SonarQube 4.3, which includes many exciting new features:…

By g. ann campbell | May 21, 2014

Sonar Becomes The SonarQube Platform

About a year ago, we changed the name of Sonar to the SonarQube™ platform, but we didn’t talk much about why we made the change, so today I thought it would be…

By olivier gaudin | April 25, 2014

SonarQube 4.2 in Screenshots

The team is proud to announce the release of SonarQube 4.2, which includes many exciting new features:…

By olivier gaudin | April 15, 2014

At Long Last, SonarQube Is a True Polyglot

Good taste prevents me from embedding a trumpet fanfare into this post, but it does seem warranted. After all, with the release of SonarQube version 4.2 last …

By g. ann campbell | April 09, 2014

Ducks Make It Look Easy Too

Since I joined SonarSource full time at the beginning of this month, I’ve been thinking a lot about ducks and belly dancers. That seems like an odd combinat…

By g. ann campbell | March 20, 2014

Measures, at your Service!

If there’s a set of data you regularly look up in SonarQube, the Measures Service - and saved filters - are going to be your new favorite SonarQube features…

By g. ann campbell | February 27, 2014

Three options for pre-commit analysis

As a quality-first focus becomes increasingly important in modern software development, more and more developers are asking how to find new issues before they…

By g. ann campbell | February 20, 2014

What’s Coming Up for SonarQube in 2014?

I recently wrote a post listing what was accomplished in the SonarQube platform last year. Today, I’ll continue with even more exciting stuff: what we’ll do t…

By freddy mallet | February 06, 2014

5 Years and Counting: SonarSource Has a Lot to Celebrate

SonarSource is celebrating! The last few months have seen some significant milestones for the company. The biggest is that we’re 5 years in now, and still gro…

By g. ann campbell | January 28, 2014

Looking back at 2013 SonarQube Ecosystem Accomplishments

A new year provides a good opportunity to look back at what was achieved the previous year. I’ll do that for the SonarQube platform in this post. Let’s start…

By freddy mallet | January 23, 2014

SQALE models - more than just tiny cities*

This week I want to talk about SQALE - which is commonly pronounced “scale.” Before I joined SonarSource, I tried many times to understand what SQALE was abo…

By g. ann campbell | January 10, 2014

SonarQube 4.1 in Screenshots

The team is proud to announce the release of SonarQube 4.1, which includes many exciting new features:…

By g. ann campbell | December 20, 2013

SonarQube 4.0 in Screenshots

The team is proud to announce the release of SonarQube 4.0. It includes many exciting new features:…

By g. ann campbell | November 20, 2013

SonarQube in Action, the Book - Interview with the Authors

It’s official… “SonarQube in Action” is available in stores - Thanks to the efforts of two community members, fanatics of software quality and advocates of …

By olivier gaudin | November 13, 2013

Take Action to Manage Technical Debt

One of the things I love about SonarQube is that it gives you tools to tackle all aspects of your technical debt. I am not just talking here about the Seven Axes…

By g. ann campbell | October 24, 2013

SonarQube JavaScript plugin: why compete with JSLint and JSHint?

This question has been raised several times on the Sonar mailing lists. Indeed since version 1.0, the SonarQube JavaScript plugin hasn’t relied on external ru…

By freddy mallet | October 09, 2013

Already 158 Checkstyle and PMD rules deprecated by SonarQube Java rules

By freddy mallet | October 03, 2013

Everything’s a component

Something occurred to me recently that I wanted to share. Sometimes I’m late to the party, so this may have been obvious to you all along, but it didn’t jump …

By g. ann campbell | September 18, 2013

SonarQube in the news

Welcome to the roundup of blog posts and pages that mentioned Sonar last month…

By olivier gaudin | September 08, 2013

SonarQube 3.7 in Screenshots

The team is proud to announce the release of the SonarQube platform version 3.7. This version includes new features that we believe are worth stopping your da…

By simon brandhof | September 04, 2013

Differentials: but wait, there’s more!

In my last two posts I talked about differentials. First, it was the four ways they show you what’s changed in your code from “then” to now, and then why the …

By g. ann campbell | August 02, 2013

Using differentials to move the team in the right direction

In my last post I talked about differentials, which are my favorite feature in SonarQube. I could have - perhaps should have - talked about the philosophy beh…

By g. ann campbell | July 17, 2013

SonarQube in the news

Welcome to the roundup of blog posts and pages that mentioned Sonar last month…

By olivier gaudin | July 10, 2013

SonarQube 3.6 in Screenshots

The team is proud to announce the release of SonarQube platform 3.6, the first version with the new name (it had been called Sonar). This version includes new…

By simon brandhof | July 03, 2013

Differentials: Four ways to see what’s changed

After a Sonar analysis, it’s easy to see your project’s current state - just browse to the project dashboard and it’s laid out for you. Want details? Just sta…

By g. ann campbell | June 12, 2013

Sonar in the news

Welcome to the roundup of blog posts and pages that mentioned Sonar last month…

By olivier gaudin | June 06, 2013

Consultants, we need you!

By olivier gaudin | May 22, 2013

Sonar in the news

Welcome to the roundup of blog posts and pages that mentioned Sonar last month…

By olivier gaudin | May 09, 2013

Customizing Sonar to Fit Your Needs

Sonar is a super-radiator for code quality and as such, you can expect it brings value to all stakeholders in a development group. To achieve this, Sonar must…

By olivier gaudin | April 26, 2013

Sonar in the news

Welcome to the roundup of blog posts and pages that mentioned Sonar last month…

By olivier gaudin | April 11, 2013

End of Java 5 Support at Runtime for Sonar Platform

This is it! After talking about it, internally at SonarSource, for 2 years and after a failed attempt last year, we are discontinuing the support of Java 5 ru…

By fabrice bellingard | March 27, 2013

Sonar 3.5 in Screenshots

The Sonar team is proud to announce the release of Sonar 3.5. This new version includes new features that we believe are worth stopping your daily work for a …

By simon brandhof | March 19, 2013

Sonar in the news

Welcome to the roundup of blog posts and pages that mentioned Sonar last month…

By olivier gaudin | March 07, 2013

What is coming up for Sonar in 2013 ?

I recently wrote a post to list what was accomplished on the platform last year. Today, I am doing the continuation with even more exciting stuff: what we are…

By freddy mallet | February 27, 2013

Looking Back at 2012 Sonar Platform Accomplishments

A new year provides a good opportunity to look back at what was achieved the previous year. This is what I am going to do in this post for the Sonar platform…

By freddy mallet | February 14, 2013

Sonar in the news

Welcome to the roundup of blog posts and pages that mentioned Sonar last month…

By olivier gaudin | February 05, 2013

Sonar 3.4 in Screenshots

The Sonar team is proud to announce the release of Sonar 3.4. This new version includes new features that we believe are worth stopping your daily work for a …

By simon brandhof | January 17, 2013

Sonar in the news

Welcome to the roundup of blog posts and pages that mentioned Sonar last month…

By olivier gaudin | January 14, 2013

Sonar in the news

Welcome to the roundup of blog posts and pages that mentioned Sonar last month…

By olivier gaudin | December 06, 2012

Sonar in the news

Welcome to the roundup of blog posts and pages that mentioned Sonar last month…

By olivier gaudin | November 14, 2012

Sonar 3.3 in Screenshots

The Sonar team is proud to announce the release of Sonar 3.3. This new version includes new features that we believe are worth stopping your daily work for a …

By simon brandhof | November 07, 2012

Access Control Management in Sonar

When used out-of-the-box, Sonar is a radiator for code quality continuously accessible by everyone. But of course, there are situations in which adding access…

By olivier gaudin | October 30, 2012

Sonar in the news

Welcome to the roundup of blog posts and pages that mentioned Sonar last month…

By olivier gaudin | October 10, 2012

Sonar in the news

Welcome to the roundup of blog posts and pages that mentioned Sonar last month…

By olivier gaudin | September 12, 2012

Sonar 3.2 in Screenshots

The Sonar team is proud to announce the release of Sonar 3.2. This new version includes new features that we believe are worth stopping your daily work for a …

By simon brandhof | August 14, 2012

Sonar in the news

Welcome to the roundup of blog posts and pages that mentioned Sonar last month…

By olivier gaudin | August 08, 2012

Sonar in the news

Welcome to the roundup of blog posts and pages that mentioned Sonar last month…

By olivier gaudin | July 05, 2012

Sonar 3.1 in Screenshots

The Sonar team is proud to announce the release of Sonar 3.1. This new version includes several major features that we believe are worth stopping your daily w…

By simon brandhof | June 20, 2012

Sonar in the news

Welcome to the roundup of blog posts and pages that mentioned Sonar last month…

By olivier gaudin | June 05, 2012

Webinar About Sonar 3.0

By | May 21, 2012

Sonar in the news

Welcome to the roundup of blog posts and pages that mentioned Sonar last month…

By olivier gaudin | May 10, 2012

Sonar 3.0 in screenshots

The Sonar team is proud to announce the release of Sonar 3.0. The team has been working for the last 2 years on Sonar 2.x versions, adding support for Conti…

By simon brandhof | April 18, 2012

Sonar in the news

Welcome to the roundup of blog posts and pages that mentioned Sonar last month…

By olivier gaudin | April 11, 2012

What is coming up for Sonar in 2012 ?

By freddy mallet | March 29, 2012

Sonar 2.14 in screenshots

The Sonar team is proud to announce the release of Sonar 2.14. This new version includes 100+ improvements, bug-fixes and also new features that we believe ar…

By simon brandhof | March 27, 2012

Sonar in the news

Welcome to the roundup of blog posts and pages that mentioned Sonar last month…

By olivier gaudin | March 07, 2012

Manage Duplicated Code with Sonar

If you already use Sonar, I am sure that you already know the worst of all 7 developer’s deadly sins: And if you don’t, I would assume you know about duplica…

By evgeny mandrikov | February 29, 2012

Looking Back at 2011 Sonar Platform Accomplishments

By freddy mallet | February 09, 2012

Sonar in the news

Welcome to the roundup of blog posts and pages that mentioned Sonar last month…

By olivier gaudin | February 07, 2012

Sonar 2.13 in screenshots

The Sonar team is proud to announce the release of Sonar 2.13. This new version includes 60 improvements, bug-fixes and also some new features that we believe…

By simon brandhof | February 02, 2012

Sonar in the news

Welcome to the roundup of blog posts and pages that mentioned Sonar last month…

By olivier gaudin | January 11, 2012

Sonar in Thoughtworks Technology Radar

Most IT people know Thoughtworks and its charismatic technical leader / evangelist Martin Fowler. But probably fewer know the Thoughtworks Technology Radar wh…

By freddy mallet | December 23, 2011

Sonar 2.12 in screenshots

The Sonar team is proud to announce the release of Sonar 2.12. This new version includes more than 100 improvements, bug-fixes and also some new features that…

By simon brandhof | December 08, 2011

Sonar in the news

Welcome to the roundup of blog posts and pages that mentioned Sonar last month…

By olivier gaudin | December 06, 2011

Sonar in the news

By olivier gaudin | November 03, 2011

Effective Code Review with Sonar

At SonarSource, we like eating our own dog food as much as possible. This is not always the case in software development, but in our case since we develop sof…

By fabrice bellingard | October 20, 2011

Sonar 2.11 in screenshots

The Sonar team is proud to announce the release of Sonar 2.11. As usual, this new version includes improvements, bug-fixes and also new features that we belie…

By simon brandhof | October 06, 2011

Sonar in the news

Welcome to the roundup of blog posts and pages that mentioned Sonar last month…

By olivier gaudin | October 04, 2011

Sonar… in the Cloud to Bee !

By olivier gaudin | September 27, 2011

Sonar in the news

Welcome to the roundup of blog posts and pages that mentioned Sonar last month…

By olivier gaudin | September 07, 2011

Sonar 2.10 in screenshots

The Sonar team is proud to announce the release of Sonar 2.10. As usual, this new version includes improvements, bug-fixes and also new features that we belie…

By olivier gaudin | September 01, 2011

Sonar in the news

Welcome to the roundup of blog posts and pages that mentioned Sonar last month…

By olivier gaudin | August 03, 2011

Sonar 2.9 in screenshots

The Sonar team is proud to announce the release of Sonar 2.9. As usual, this new version includes improvements, bug-fixes and also new features that we believ…

By simon brandhof | July 27, 2011

Sonar in the news

Welcome to the roundup of blog posts and pages that mentioned Sonar last month…

By olivier gaudin | July 06, 2011

Jean-Louis Letouzey on SQALE Quality Model

By olivier gaudin | June 29, 2011

Sonar Eclipse 2.1 in screenshots

The Sonar team is proud to announce the release of Sonar Eclipse 2.1. This new version is the logical extension of Sonar 2.8 and provides support for Manual C…

By evgeny mandrikov | June 09, 2011

Sonar in the news

Welcome to the roundup of blog posts and pages that mentioned Sonar last month…

By olivier gaudin | June 07, 2011

Sonar 2.8 in screenshots

The Sonar team is proud to announce the release of Sonar 2.8. As usual, this new release includes improvements, bug-fixes and also new features that we believ…

By simon brandhof | May 25, 2011

Differential Services in Sonar for a Complete Support of Continuous Inspection

One of the main objectives for Sonar in 2011 is to go a step further in the support of Continuous Inspection. Indeed, prior to version 2.5, Sonar could already…

By freddy mallet | May 12, 2011

Sonar in the news

Welcome to the roundup of blog posts and pages that mentioned Sonar last month…

By olivier gaudin | May 03, 2011

Running local analysis with Sonar Eclipse 2.0

Have you tried Sonar Eclipse? If you’re a fan of Sonar and you monitor the quality of your code daily, you have probably already installed this set of plugins…

By fabrice bellingard | April 13, 2011

Sonar 2.7 in screenshots

By simon brandhof | April 07, 2011

Sonar in the news

Welcome to the roundup of blog posts and pages that mentioned Sonar last month…

By olivier gaudin | April 05, 2011

Sonar SQALE 1.2 in screenshot

You probably remember that 4 months ago, we announced the availability of a SQALE plugin for Sonar. Since then, we have continued to work on it and have rele…

By freddy mallet | March 23, 2011

Sonar Mythbusters

When I joined the Sonar team 6 months ago, I had heard and read - here and there - myths about Sonar. Though I knew some of them were incorrect, I have since …

By fabrice bellingard | March 16, 2011

Sonar in the news

Welcome to the roundup of blog posts and pages that mentioned Sonar last month…

By olivier gaudin | March 09, 2011

Sonar 2.6 Adds Continuous Inspection Support for Ant Community

The Sonar team is proud to announce Sonar version 2.6. It is a tradition that we publish screenshots along with such an announcement, but for this one time, as the…

By simon brandhof | March 01, 2011

What is coming up for Sonar in 2011 ?

After an initial attempt that ended up posting on what was accomplished last year, time has now come to discuss the plans for Sonar in 2011 and the associated…

By freddy mallet | February 16, 2011

Sonar in the news

Welcome to the roundup of blog posts and pages that mentioned Sonar last month…

By olivier gaudin | February 09, 2011

Looking Back at 2010 Accomplishments on Sonar Platform

My initial intention was to write a post on the plans for Sonar in 2011 and the associated roadmap. I started by quickly listing what was achieved in 2010. Bu…

By olivier gaudin | February 03, 2011

Sonar at the Lausanne JUG Software Quality “Tournament” !

Cyril Picat asked us a few months ago whether we would be interested in participating in a session at the Lausanne JUG on Software Quality: so far nothing unus…

By olivier gaudin | January 31, 2011

Sonar 2.5 in screenshots

The Sonar team is proud to announce version 2.5, the first release of year 2011 ! As usual, this new release includes numerous improvements, bug-fixes and a…

By simon brandhof | January 25, 2011

Sonar in the news

Welcome to the roundup of blog posts and pages that mentioned Sonar last month…

By olivier gaudin | January 03, 2011

Bridging Internal and External Quality with Sonar

A few weeks ago, Evgeny described how Sonar can be used with its JaCoCo plugin to measure code coverage by Integration Tests. By adding this new feature to So…

By olivier gaudin | December 17, 2010

Sonar in the news

Welcome to the roundup of blog posts and pages that mentioned Sonar last month…

By olivier gaudin | December 06, 2010

Sonar 2.4 in screenshots

Only one month after the previous version, Sonar 2.4 has just been released. The new version is full of new features that I will explore today through screens…

By simon brandhof | November 24, 2010

SQALE, the ultimate Quality Model to assess Technical Debt

Six months ago, we would never have believed that one day we would be happy and excited to write about the implementation of a Quality Model in Sonar. Indeed …

By freddy mallet | November 18, 2010

Sonar in the news

Welcome to the roundup of blog posts and pages that mentioned Sonar last month…

By olivier gaudin | November 04, 2010

Sonar 2.3 in screenshots

The Sonar team is proud to announce the release of Sonar 2.3. As usual, this new release includes numerous improvements, bug-fixes and also new features that …

By simon brandhof | October 19, 2010

The new “Filters” functionality added in Sonar 2.2

Prior to Sonar 2.2, the home page was simply the list of projects under quality control. Beyond the fact that it did not add much value to the platform, it wa…

By freddy mallet | October 12, 2010

Sonar in the news

Welcome to the roundup of blog posts and pages that mentioned Sonar last month…

By olivier gaudin | October 04, 2010

Sonar has become a Multi-Languages Platform

At the beginning of this year, Freddy mentioned in the Sonar roadmap for 2010 that after version 2.0 the main objective was to enable other languages on the S…

By olivier gaudin | September 16, 2010

Sonar in the news

Welcome to the roundup of blog posts and pages that mentioned Sonar last month…

By olivier gaudin | September 01, 2010

Pick your code coverage tool in Sonar 2.2

By default, Sonar ships with two tools to calculate code coverage by unit tests on Java projects: Cobertura and Clover. But last week, we also released plugins …

By evgeny mandrikov | August 05, 2010

Sonar in the news

Welcome to the roundup of blog posts and pages that mentioned Sonar last month…

By olivier gaudin | August 02, 2010

Sonar 2.2 in screenshots

The Sonar team is proud to announce the release of Sonar 2.2. As usual, this new release includes numerous improvements, bug-fixes and also brand new features…

By simon brandhof | July 21, 2010

Sonar in the news

Welcome to the roundup of blog posts and pages that mentioned Sonar last month…

By olivier gaudin | July 01, 2010

Continuous Inspection Practice Emerges with Sonar

By freddy mallet | June 23, 2010

Eclipse Sonar Plugin 0.1 in screenshots

The Sonar Team is very proud to announce the availability of the first version of the Sonar Eclipse plugin. This plugin is part of the Sonar IDE Project. This…

By evgeny mandrikov | June 07, 2010

Sonar in the news

Welcome to the roundup of blog posts and pages that mentioned Sonar last month…

By olivier gaudin | June 01, 2010

Detect Dead Code and Calls to Deprecated Methods with Sonar Squid

Up to version 2.1, Sonar was relying only on external coding rules engines such as Checkstyle, PMD and Findbugs to report violations on Java applications. But…

By freddy mallet | May 26, 2010

Sonar 2.1 in screenshots

As usual this new release includes numerous improvements, bug-fixes and also brand new features that we believe are worth stopping your daily work for a few m…

By simon brandhof | May 11, 2010

IntelliJ IDEA Sonar Plugin 0.1 in screenshots

The Sonar Team is very proud to announce the release of the first version of the Sonar IntelliJ IDEA plugin. The Sonar IDE project consists at the moment of t…

By evgeny mandrikov | May 05, 2010

Sonar in the news

Welcome to the roundup of blog posts and pages that mentioned Sonar last month…

By olivier gaudin | May 04, 2010

Knowing Better Sonar Users

It is sometimes a bit frustrating, when you are contributing to an Open Source project, to have doubts about who your users are… really. Not knowing them …

By evgeny mandrikov | April 15, 2010

The Flex Plugin for Sonar : a Further Step Toward Multi-Language Support

By olivier gaudin | April 08, 2010

Sonar in the news

Welcome to the roundup of blog posts and pages that mentioned Sonar last month…

By olivier gaudin | April 06, 2010

Sonar Proposals for Google Summer of Code

Codehaus has been officially accepted into Google Summer of Code 2010. Based on the great job done by Ben Walding previous years, we expect that several proje…

By olivier gaudin | March 31, 2010

Fight Back Design Erosion by Breaking Cycles with Sonar

With version 2.0, Sonar now includes the seventh and last axis of source code quality: Design & Architecture. The objective of this post is to start discussin…

By freddy mallet | March 17, 2010

Sonar 2.0 in screenshots

The Sonar team is very proud to announce Sonar 2.0, the first release of 2010. As announced in a previous post, the main feature in Sonar 2.0 consists of anal…

By simon brandhof | March 11, 2010

Sonar in the news

By olivier gaudin | March 10, 2010

Add CI Build Stability to your Sonar Dashboard

Sonar is known as being the open source platform to evaluate and report continuously on source code quality. Its basic role is to evaluate the code technical …

By freddy mallet | March 03, 2010

Securing access to projects in Sonar

By freddy mallet | February 25, 2010

Sonar 2.0 at Geneva JUG

By olivier gaudin | February 10, 2010

Sonar Gadgets for GateIn and Jira4

By olivier gaudin | February 03, 2010

What does Open Source mean for SonarSource ?

By freddy mallet | January 27, 2010

2009 is over, what is coming up in 2010 for Sonar ?

By freddy mallet | January 13, 2010

Sonar 1.12 in screenshots

Here comes the 8th and last major Sonar release of the year. As for all previous releases, this post is a summary of the new features through screenshots:…

By simon brandhof | December 09, 2009

Create a plugin to compute custom metrics in Sonar

By olivier gaudin | December 03, 2009

Sonar Radiator plugin to keep an eye on quality all day long !

After the integration of two Google components (Motion Chart and Timeline), we are releasing the last of a series of three nice and sexy plugins : The Sonar R…

By olivier gaudin | November 11, 2009

Put Sonar Gadgets on your JIRA Dashboard !

By olivier gaudin | November 05, 2009

The Sonar Timeline Plugin, a great addition to TimeMachine service

By simon brandhof | November 04, 2009

The most sexy plugin of the Sonar forge

Last week, the most sexy plugin of the Sonar forge was released : the Motion Chart plugin ! This animated bubble chart as I used to call it can handle up to 4…

By simon brandhof | October 28, 2009

How to measure WTFs in Sonar ?

By olivier gaudin | October 22, 2009

Bring a new dimension to Sonar with the Views Plugin

The community started several months ago to request a plugin to group / aggregate projects in Sonar. This plugin was released a couple of days ago under t…

By | October 14, 2009

Sonar 1.11 in screenshots

We’re happy to announce the release of Sonar 1.11. This new version contains more than 60 issues that have been resolved amongst which improvements, bug fixes…

By simon brandhof | October 06, 2009

A new addition to the Sonar team

By olivier gaudin | October 05, 2009

Sonar to identify security vulnerabilities

During the last few months, Sonar has definitely become the leading Open Source Platform to manage Java code quality. The objective to democratize access to c…

By freddy mallet | September 24, 2009

SonarSource is short listed for Open Innovation Awards

By olivier gaudin | September 18, 2009

Talking about Sonar

By olivier gaudin | August 31, 2009

Sonar invited by Pyxis at Agile 2009

By freddy mallet | August 22, 2009

Sonar 1.10 in screenshots

We’re happy to announce the release of Sonar 1.10. This new version contains more than 40 improvements and bug fixes and also contains several new features. H…

By olivier gaudin | August 14, 2009

Source code analysis is not an end in itself, but a means to an end

By freddy mallet | August 06, 2009

Sonar TV : configuring coding rules

By olivier gaudin | July 15, 2009

Sonar at the Haus

By olivier gaudin | July 09, 2009

Reviewing code quality of Apache Sling using Sonar

A few weeks ago Michael Marth, who runs dev.day.com (Day’s developer portal), asked us if we could put together our impressions on the code quality of Apache …

By freddy mallet | July 01, 2009

Beyond the tool, Sonar is a platform to manage code quality

By freddy mallet | June 25, 2009

Hudson Sonar plugin 1.0 : to industrialize the ultimate build system

A couple of weeks ago, we wrote a post on the "The Ultimate Enterprise Java Build Solution", to show that nowadays the debate on infrastructure has shifted fr…

By olivier gaudin | June 03, 2009

Sonar 1.9 in screenshots

It is almost a tradition now : every month, we release a new version of Sonar. I am sure you are impatient to know which killing functionality is gonna be in …

By simon brandhof | May 28, 2009

Why you should (not?) upgrade to Sonar 1.9

Sonar 1.9 has just been released: installing this new version implies being aware of a few things. I’m not talking here about any technical complexity to upgrad…

By freddy mallet | May 26, 2009

Sonar presented at XpDay France next week

By olivier gaudin | May 22, 2009

The Ultimate Enterprise Java Build Solution

Christopher Judd recently blogged on his “Ultimate Enterprise Java Build System” and placed Sonar in this system along with Maven, Hudson, Subversion and Nexu…

By freddy mallet | May 14, 2009

Sonar TV : A short video for every key feature

In the last couple of weeks, we’ve started making short videos on Sonar, each one showing a dedicated feature in 1 or 2 minutes. Those videos are a good start…

By freddy mallet | May 07, 2009

We had a dream : mvn sonar:sonar

About a year ago we started to dream about the possibility to launch a full quality analysis on any Maven project, with no configuration, by simply running a …

By olivier gaudin | April 30, 2009

Sonar 1.8 in screenshots

We’re happy to announce the availability of April’s release : Sonar 1.8. This new version, ready to go into production, contains several improvements and bug …

By simon brandhof | April 21, 2009

The Sonar plugins forge is up and running !

Amongst Sonar built-in strengths, we mentioned extensibility several times without giving many details. Time has come to discuss it further as anyone can now …

By freddy mallet | April 16, 2009

Reuse in Sonar unit test reports generated by other systems

By olivier gaudin | April 09, 2009

Promoting Sonar configuration from staging to production environment

By olivier gaudin | April 01, 2009

Sonar 1.7 in screenshots

By simon brandhof | March 23, 2009

The next major version of JavaNCSS is on its way

By freddy mallet | March 19, 2009

JOLT Awards 2009 : Sonar is a Productivity Winner

By | March 18, 2009

The hunting toolbox in Sonar

Did we ever mention why, two years ago, we chose Sonar as a name for the open source platform to manage quality we wanted to build ? It was obviously to make …

By freddy mallet | March 13, 2009

Using quality profiles in Sonar

Last month, Sonar 1.6 was released. The main feature of the new version is the ability to manage quality profiles. The purpose of this post is to explain what…

By olivier gaudin | March 05, 2009

Sonar team now on Twitter

By simon brandhof | February 26, 2009

SonarSource launches its web site

By | February 24, 2009

What makes Checkstyle, PMD, Findbugs and Macker complementary ?

There is often some misunderstanding when people talk about coding rules engines. Everyone tries to take position in favor of his preferred tool and does his …

By olivier gaudin | February 19, 2009

Sonar 1.6 in screenshots

Sonar 1.6 has been released. On top of various bug-fixes and several improvements, it contains 3 new major features related to the management of quality profi…

By simon brandhof | February 09, 2009

Maven Site, Sonar or both of them ?

As we get more and more questions about possible overlaps between Sonar and Maven Site, I think it is time to explain the clear vision we have on this importa…

By freddy mallet | February 05, 2009

Balsamiq Mockups to design the future of Sonar

I have spent roughly 10 years in software development, continuously aiming to improve team collaboration. Two months ago, I was convinced that we had a comple…

By freddy mallet | January 27, 2009

Sonar is the featured project of the month at Codehaus

2009 starts like 2008 finished, with good news for Sonar! :-) Indeed, after being nominated as finalist in the 2009 Jolt Awards, Sonar has been declared Codeh…

By freddy mallet | January 21, 2009

Managing cyclomatic complexity to increase maintainability

In a previous post on Cyclomatic Complexity (CC), I discussed two ideas:…

By olivier gaudin | January 15, 2009

Sonar Time Machine : replaying the past

When talking about source code quality, at first you might think that the only data of interest is the result of the last code analysis. However, you realize …

By freddy mallet | January 07, 2009

Sonar nominated as finalist in 2009 JOLT Awards !

By | December 22, 2008

Discussing Cyclomatic Complexity

Googling Cyclomatic Complexity (CC) gives some interesting results… Among those results, you’ll find the two following definitions:…

By olivier gaudin | December 17, 2008

Sonar 1.5 in screenshots

By simon brandhof | December 09, 2008

Tendencies in Sonar

By olivier gaudin | December 03, 2008

Sonar light: the low-calorie mode for Sonar

When I initially wrote this blog entry, I chose a much more original title : "What is the analogy between a Coke light and Sonar light". But then I realized t…

By olivier gaudin | November 25, 2008

Eclipse, Checkstyle, Sonar : an emerging source code management solution

Having a tool like Sonar to monitor source code and continuously evaluate risks is a good start. Nevertheless, Sonar should not only be considered as a passi…

By freddy mallet | November 19, 2008

SonarSource, a spin-off dedicated to Sonar development

By | November 11, 2008

Using the ‘Reviews’ section on the project dashboard

You might have already paid attention to this little and empty section named “Reviews” at the bottom right of any project dashboard, but what is this section …

By freddy mallet | November 04, 2008

Is 80% of code coverage any good ?

When talking about source code quality, there are always voices to tell you that metrics mean nothing and that plenty of projects have great metrics and poor …

By olivier gaudin | October 29, 2008

Sonar participates to the Valtech Days

Next week, on the 21st and 22nd of October, I am going to participate in the Valtech Days 2008, where I have been invited by Eric Lefevre. More than 300 partici…

By freddy mallet | October 14, 2008

Back from CITCON Europe 2008 in Amsterdam

Last weekend, we attended CITCON Europe 2008 in Amsterdam. We were really curious and impatient to discover the whole experience of technological OpenSpac…

By olivier gaudin | October 08, 2008

A new Hudson plugin for a closer integration with Sonar

Continuous integration (CI) has become a centerpiece of the software development lifecycle. Since Sonar is implemented as a Maven plugin, it can be easily integra…

By simon brandhof | September 30, 2008

Bug-fix release 1.4.2

By | September 25, 2008

Sonar at CITCON 2008 in Amsterdam

By freddy mallet | September 23, 2008

Does Sonar scale well ?

As Sonar is an enterprise quality tool, it must scale well when the number of projects and snapshots per project grow over time. We consider this capability to be …

By freddy mallet | September 15, 2008

Sonar 1.4.1, bug fix release

By | August 25, 2008

Release 1.4

By | August 08, 2008

Release 1.3

By | June 17, 2008

Nemo, public demo of Sonar

By simon brandhof | June 02, 2008

Sonar 1.3 First Release Candidate

By | May 30, 2008

Sonar 1.2.1, bug fix release

By | April 30, 2008

Release 1.2 with new layout and reviews

By | March 27, 2008

Release 1.1

By | February 29, 2008

First release of 1.1 BETA

By | January 24, 2008

Move to Codehaus

By | January 10, 2008

Release 1.0.2

By | December 14, 2007

Sonar 1.0 released

By | November 21, 2007

Release 1.0 BETA

By | October 05, 2007
