Dear Community,
We have big news for our C and C++ users.
On June 15th, taint analysis for C and C++ will enter beta on SonarQube Cloud.
This is an important step forward for our C/C++ security analysis, bringing focused taint detection to SonarQube Cloud and strengthening the security of your C and C++ code.
This beta introduces four new rules in Sonar way:
- S2076 — OS command injection (CWE-20, CWE-78).
- S2083 — Path injection / unsafe I/O path usage (CWE-20, CWE-22).
- S5145 — Logging injection (CWE-20, CWE-117).
- S5334 — Dynamic code execution injection (CWE-20, CWE-95).
These rules will be included in the Sonar way quality profile, reflecting their importance for C and C++ security analysis.
They are cross-project rules designed to help identify critical vulnerabilities.
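As an added illustration (not Sonar's code or rule logic), the C below shows the kind of validation that breaks the tainted source-to-sink flows two of these rules track: an allowlist for a path component that will reach fopen()/open() (S2083, CWE-22) and a control-character scrub for data that will reach a logger (S5145, CWE-117). The function names, the `reports/<name>.txt` layout and the sample inputs are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Allowlist for a user-supplied report name: 1..64 chars of [A-Za-z0-9_-], no
 * leading '-' (would parse as an option if it ever reached a command line).
 * Rejecting '/', '\\' and '.' outright removes any traversal path, which is
 * the flow a taint analysis follows from argv/getenv/network into the sink. */
int is_safe_report_name(const char *name) {
    if (name == NULL || name[0] == '\0' || name[0] == '-') return 0;
    size_t n = strlen(name);
    if (n > 64) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Builds "reports/<name>.txt" only for validated names. Returns 0 on success,
 * -1 if the name is rejected or the buffer is too small. Only this function's
 * output should ever be passed to the file-system call. */
int build_report_path(const char *name, char *out, size_t out_len) {
    if (!is_safe_report_name(name)) return -1;
    int written = snprintf(out, out_len, "reports/%s.txt", name);
    if (written < 0 || (size_t)written >= out_len) return -1;
    return 0;
}

/* A CR/LF inside tainted data forges additional log records. Copies src into
 * dst replacing every control character with '?', so one logger call always
 * yields exactly one line. Returns the number of replacements, -1 on no room. */
int sanitize_for_log(const char *src, char *dst, size_t dst_len) {
    if (dst_len == 0) return -1;
    int replaced = 0;
    size_t i = 0;
    for (; src[i] != '\0' && i + 1 < dst_len; i++) {
        unsigned char c = (unsigned char)src[i];
        if (iscntrl(c)) { dst[i] = '?'; replaced++; } else dst[i] = (char)c;
    }
    dst[i] = '\0';
    return replaced;
}

int main(void) {
    char path[128], line[128];
    const char *tainted = "../etc/passwd";            /* constructed sample */
    printf("%s -> %s\n", tainted,
           build_report_path(tainted, path, sizeof path) == 0 ? path : "rejected");
    sanitize_for_log("user=alice\nINFO admin login ok", line, sizeof line);
    printf("log: %s\n", line);                        /* constructed sample */
    return 0;
}
```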
We are adding them to Sonar way even though they are still in beta because they have already been deeply validated internally on many projects, and we do not expect significant issues in normal use. At the same time, detection with this level of impact should not be considered GA until it has been exposed to customers at scale and validated with real-world feedback.
These rules are not available with Automatic Analysis or AutoConfig. They are available only for projects configured with a compilation database, with or without build-wrapper.
You may notice a slight increase in analysis time and memory consumption. Given the importance of these rules, we believe this trade-off is justified.
We look forward to your feedback.