Python security analysis is now field-sensitive: fewer false positives, more time fixing real vulnerabilities

Hello Python developers,

Python was the last language still running on the old SonarSource technology developed prior to the acquisition of RIPS Technologies. Java, C# and PHP were already migrated to our new technology, taking the best of the SonarSource and RIPS engines. Today is a big day for us, as we managed to click on the delete button, remove the so-called fixed point analysis and replace it with our Symbolic Analysis for Python. Great, but what does this bring to you?

The security engine for Python is now field-sensitive, which allows us to precisely track which field of an object is tainted (or not) by a malicious user input. For you, it means fewer false positives, so you can concentrate on fixing real vulnerabilities.

Previously, when fieldA was tainted, the entire object o was considered tainted, and therefore the use of fieldB in a sink was considered non-compliant, so two vulnerabilities were raised.
Today, this is no longer the case: fields' values are tracked separately and only relevant issues are raised, here only on cur.execute(... % fieldA).
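To make the difference concrete, here is a small toy taint tracker I wrote for this post; it is not SonarSource's engine, and the source (request.args.get), sink (cur.execute) and the Obj class in the sample are assumed names. Run it in field-insensitive mode and both cur.execute calls are flagged; in field-sensitive mode only the call using o.fieldA is.

```python
"""Toy field-sensitive taint tracker for straight-line Python (illustration only)."""
import ast

SOURCES = {"request.args.get"}  # assumed taint source
SINKS = {"cur.execute"}         # assumed SQL sink

# Constructed sample mirroring the post: fieldA is user-controlled, fieldB is not.
SAMPLE = """
o = Obj()
o.fieldA = request.args.get("name")
o.fieldB = "constant"
cur.execute("SELECT * FROM t WHERE name = '%s'" % o.fieldA)
cur.execute("SELECT * FROM t WHERE kind = '%s'" % o.fieldB)
"""

def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def _is_tainted(node, tainted):
    """An expression is tainted if it reads a tainted path or calls a source."""
    for sub in ast.walk(node):
        if isinstance(sub, (ast.Name, ast.Attribute)) and _dotted(sub) in tainted:
            return True
        if isinstance(sub, ast.Call) and _dotted(sub.func) in SOURCES:
            return True
    return False

def analyze(source, field_sensitive=True):
    """Return line numbers of sink calls that receive tainted data."""
    tainted, findings = set(), []
    for stmt in ast.parse(source).body:
        if isinstance(stmt, ast.Assign) and len(stmt.targets) == 1:
            target = _dotted(stmt.targets[0])
            if target and _is_tainted(stmt.value, tainted):
                if not field_sensitive and "." in target:
                    target = target.split(".")[0]  # old behaviour: taint whole object
                tainted.add(target)
        elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            call = stmt.value
            if _dotted(call.func) in SINKS and any(_is_tainted(a, tainted) for a in call.args):
                findings.append(stmt.lineno)
    return findings

if __name__ == "__main__":
    print("field-insensitive:", analyze(SAMPLE, field_sensitive=False))  # [5, 6]
    print("field-sensitive:  ", analyze(SAMPLE))                         # [5]
```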

This change is available on SonarCloud, and is included in SonarQube 9.0 starting from the Developer Edition.

Alex