Highlight Unicode BIDI characters as Security Hotspot

As reported today, there is a vulnerability when using Unicode characters that allows a malicious actor to disguise source code in the eyes of the programmer, by using Unicode BIDI characters. This was published today as the “Trojan Source” bug affecting virtually all development environments and compilers.

The research paper is available here: https://www.trojansource.codes/trojan-source.pdf
And a summary by Krebs on Security is here: ‘Trojan Source’ Bug Threatens the Security of All Code – Krebs on Security

It should be an easy thing for SonarQube to scan for those characters in Unicode files, and flag them as a (Critical?) Security Hotspot.

Hi Chris and welcome to the community! Thanks for the suggestion, we will have a look.

@Hendrik_Buchwald Any update on this one? I would love to be able to say we can scan for this vulnerability

1 Like

Any answer/solution please?

1 Like


SonarSource would like to detect such problem and we are getting organized to be able to deliver this feature ASAP. The related item in our Productboard Portal is SonarSource products detect Unicode BIDI characters to prevent Trojan Source Attacks - SonarQube | Product Roadmap and I hope we will be able to deliver this for SonarQube 9.3



Will there be an update for 8.9LTS?

1 Like

The idea of the LTS is to not provide new features but only fix critical bugs. So this feature will not be part of 8.9 LTS, no. For people that want the latest features, we recommend using the latest version instead of LTS.

1 Like

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.