Hello Python developers,
Python was the last language still running on the old SonarSource technology developed prior to the acquisition of RIPS Technologies. Java, C# and PHP had already been migrated to our new technology, which combines the best of the SonarSource and RIPS engines. Today is a big day for us, as we managed to click the delete button, remove the so-called fixed point analysis, and replace it with our Symbolic Analysis for Python. Great, but what does this bring to you?
The security engine for Python is now field-sensitive: it allows us to precisely track which field of an object is tainted (or not) by malicious user input. For you, it means fewer false positives, so you can concentrate on fixing real vulnerabilities.
Previously, when fieldA was tainted, the entire object o was considered tainted, and therefore the use of fieldB in a sink was also considered non-compliant, so two vulnerabilities were raised.
Today this is no longer the case: field values are tracked separately and only relevant issues are raised, here only on cur.execute(... % fieldA).
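To make the difference concrete, here is an added toy example (not SonarSource's engine or code) that runs both a field-insensitive and a field-sensitive taint analysis over a constructed snippet shaped like the one described, reporting the cur.execute calls that receive request data. The source name request.args.get, the sink name cur.execute and the Record class are assumptions for the illustration.

```python
import ast

# Assumed names for this toy: the call treated as user input and the SQL sink.
SOURCE_CALL = "request.args.get"
SINK_CALL = "cur.execute"

def _dotted(node):
    """Render a Name/Attribute chain such as o.fieldA as a string, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def _reads_taint(expr, tainted):
    """True if the expression calls the source or reads a tainted name/field."""
    return any((isinstance(n, ast.Call) and _dotted(n.func) == SOURCE_CALL)
               or _dotted(n) in tainted for n in ast.walk(expr))

def find_injections(src, field_sensitive):
    """Line numbers of sink calls fed by tainted data.
    field_sensitive=False models the old engine: tainting o.fieldA taints all of o,
    so o.fieldB also looks tainted. field_sensitive=True tracks each field alone."""
    tainted, issues = set(), []
    for stmt in ast.parse(src).body:
        if isinstance(stmt, ast.Assign) and _reads_taint(stmt.value, tainted):
            for target in stmt.targets:
                name = _dotted(target)
                if name:  # whole-object taint drops the field part: "o.fieldA" -> "o"
                    tainted.add(name if field_sensitive else name.split(".")[0])
        elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            call = stmt.value
            if _dotted(call.func) == SINK_CALL and any(_reads_taint(a, tainted) for a in call.args):
                issues.append(stmt.lineno)
    return issues

# Constructed snippet shaped like the post's example: only fieldA is user-controlled.
SAMPLE = """o = Record()
o.fieldA = request.args.get("name")
o.fieldB = "users"
cur.execute("SELECT * FROM users WHERE name = '%s'" % o.fieldA)
cur.execute("SELECT * FROM %s" % o.fieldB)
"""

if __name__ == "__main__":
    print("old, field-insensitive:", find_injections(SAMPLE, field_sensitive=False))  # [4, 5]
    print("new, field-sensitive:  ", find_injections(SAMPLE, field_sensitive=True))   # [4]
```

The field-insensitive pass flags both execute calls (lines 4 and 5 of the snippet), while the field-sensitive pass flags only line 4, which is the same reduction in false positives the post describes.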
This change is available on SonarCloud, and is included in SonarQube 9.0 starting from the Developer Edition.
Alex