New taint security beta rules for C and C++ on SonarQube Cloud

Dear Community,

We have big news for our C and C++ users.

On June 15th, taint analysis for C and C++ will enter beta on SonarQube Cloud.

This is an important step forward for our C/C++ security analysis, bringing focused taint detection to SonarQube Cloud and strengthening the security of your C and C++ code.

This beta introduces four new rules in Sonar way:

  • S2076 — OS command injection (CWE-20, CWE-78).

  • S2083 — Path injection / unsafe I/O path usage (CWE-20, CWE-22).

  • S5145 — Logging injection (CWE-20, CWE-117).

  • S5334 — Dynamic code execution injection (CWE-20, CWE-95).

These rules will be included in the Sonar way quality profile, reflecting their importance for C and C++ security analysis.

They are cross-project rules designed to help identify critical vulnerabilities.

We are adding them to Sonar way even though they are still in beta because they have already been deeply validated internally on many projects, and we do not expect significant issues in normal use. At the same time, detection with this level of impact should not be considered GA until it has been exposed to customers at scale and validated with real-world feedback.

These rules are not available with Automatic Analysis or AutoConfig. They are available only for projects configured with a compilation database, with or without build-wrapper.

You may notice a slight increase in analysis time and memory consumption. Given the importance of these rules, we believe this trade-off is justified.

We look forward to your feedback.

What happened with these? It is late on the 15th but I don’t see those 4 rules as something I can add.

Hi @BillHoover, sorry about that. The deployment was slightly delayed for operational reasons. We will update the thread when it is deployed. It should not be long.

Hi @BillHoover.
It is live now. Sorry for the delay.
Happy to hear feedback if you have some.
Cheers

I’ve noticed this in our pipelines now, and it’s adding significant time to the tasks and failing at the end?

Is there any documentation for this, how to adjust it or turn it off?

##[error]14:29:40.999 ERROR Detected non-zero taint analysis exit code, a file named '/agent/_work/1/s/sonar-cfamily-taint-analysis-reproducer.tar.xz' will be automatically generated to help the investigation of the problem.
Please contact SonarSource support providing this file to help improving the analyzer.
14:29:40.999 ERROR Detected non-zero taint analysis exit code, a file named '/agent/_work/1/s/sonar-cfamily-taint-analysis-reproducer.tar.xz' will be automatically generated to help the investigation of the problem.
Please contact SonarSource support providing this file to help improving the analyzer.
14:38:23.221 INFO  Taint analysis reproducer written to '/agent/_work/1/s/sonar-cfamily-taint-analysis-reproducer.tar.xz'
14:38:23.376 INFO  Sensor CFamilyTaintAnalysis [cpp] (done) | time=839932ms

Hi @kwragg.

You will find the taint analysis documentation at Customizing the analysis | SonarQube Cloud | Sonar Documentation

To explicitly disable taint analysis, set the sonar.cfamily.taintAnalysis property to false.

Let me know whether you can share the taint reproducer `sonar-cfamily-taint-analysis-reproducer.tar.xz`.

Cheers,
Philipp

Thanks, I’ll turn it off for now and circle back to that file and the why next week.

For our product 10+ minutes on every gated build is a huge impact for this, but possibly something we can schedule nightly / weekly once it works on our codebase.

That would be great. Thanks, @kwragg. I’d be happy to take a look at the problem.

We are currently working on optimizations to reduce both runtime and memory requirements.

We got a similar issue: the scan runs for more than 2 hours, so we are disabling the taintAnalysis.

17:10:51.337 INFO Parsed LLVM IR file [1/1376]: 'C:\a\_work\1\s\.scannerwork\cfamily\taint-analysis\0003049C771B904A895EDD4791B94A81.bc' in 249ms
19:12:14.759 INFO Parsed LLVM IR file [1376/1376]: 'C:\a\_work\1\s\.scannerwork\cfamily\taint-analysis\FFC211E5C21A5AE032789D3453A55EFD.bc' in 9697ms

Thanks for sharing, @RaviStrs.

In that case, we would kindly ask you to disable taint analysis for the time being. We will let you know as soon as the taint analysis optimizations are available.