Hello,
It has been a long time since I last updated you on what we have been doing in our security engines.
Framework Coverage
We spent a significant amount of time defining what it means for a SAST engine to cover a web framework. We concluded that it means that the SAST engine must properly understand a list of 45 features spread across 10 categories.
Here are some examples of these 45 features and related categories:
- Read inbound HTTP request objects (Inbound HTTP requests)
- Write response body (Outbound HTTP responses)
- Provide JWT-based authentication (Authentication & Authorization)
- Provide integration for SQL databases (Database integrations)
To estimate our coverage of a given web framework, we split these 45 abstract features into 4 coverage levels: Essential coverage, Standard coverage, Advanced coverage, and Complete coverage.
This split was mainly based on the popularity of the features in open-source code. If a feature is commonly used, it must be part of the Essential coverage level. If it is a niche feature, it is less critical to cover, and so it is assigned to the Complete coverage level.
Finally, we checked which of these 45 features our SAST engine actually supports, which gives us the coverage level of several web frameworks for Java, Python, and C#.
With that in mind, we were able to determine the following coverage levels:
- Python: FastAPI - Essential
- C#: ASP.NET Core - Essential
  - Includes support for Blazor; see this webinar for a demo of taint analysis on a Blazor-based app
- Java: Micronaut - Essential
- Java: Spring - Complete
“Essential” should be understood as the list of features most commonly used by developers of that web framework, which the SAST engine must understand for the framework to count as covered.
Overall, by supporting more features of a given web framework, Sonar’s taint analyzer can find more vulnerabilities because it can follow tainted data through more paths in your code.
New Rules
We added detection of API traversal (attacker-controlled input altering the path of a server-side request) for Java, C#, Python and PHP with the following rule:
- S7044: Server-side requests should not be vulnerable to traversing attacks
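As an added illustration (not code from Sonar or from this post), here is the pattern this rule targets, written in Python, one of the languages it supports: an `id` parameter read from the inbound request is concatenated into the path of a request the server makes to an internal API. The backend URL, the parameter name and the attacker value are all constructed for the example; `backend_route` imitates the dot-segment normalization an HTTP stack performs, so the effect can be observed offline.

```python
"""Constructed demonstration of the API traversal pattern S7044 flags.

Not Sonar code: the backend URL, the `id` parameter and the attacker
value are assumptions made for this example.
"""
import posixpath
import re
from typing import Optional
from urllib.parse import quote, urlsplit

# Assumed internal API the application calls on the user's behalf.
BACKEND_BASE = "http://backend.internal/api/users/"

# Constructed attacker value for the `id` request parameter. The "../"
# segments walk out of /api/users/, and the trailing "?x=" pushes the
# fixed "/profile" suffix into the query string so it no longer affects
# routing.
ATTACKER_ID = "../../admin/delete-all?x="

_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def build_url_vulnerable(user_id: str) -> str:
    """Vulnerable (source -> sink): the inbound parameter is concatenated
    verbatim into the path of an outgoing server-side request."""
    return BACKEND_BASE + user_id + "/profile"


def build_url_hardened(user_id: str) -> str:
    """Hardened: allow-list the identifier, then percent-encode it.

    The allow-list rejects dots, slashes and query delimiters outright.
    quote(..., safe="") is defence in depth: it encodes "/" as %2F, so
    even a value that slipped through could only occupy one path segment.
    """
    if not _ID_RE.fullmatch(user_id):
        raise ValueError(f"invalid user id: {user_id!r}")
    return BACKEND_BASE + quote(user_id, safe="") + "/profile"


def backend_route(url: str) -> str:
    """Path the backend actually dispatches on.

    Mimics the dot-segment removal (RFC 3986, section 5.2.4) that HTTP
    clients and servers apply before routing; the query string is ignored.
    """
    return posixpath.normpath(urlsplit(url).path)


def route_for(user_id: str, hardened: bool) -> Optional[str]:
    """Route reached for a given `id` value, or None when the hardened
    builder rejects the input."""
    builder = build_url_hardened if hardened else build_url_vulnerable
    try:
        return backend_route(builder(user_id))
    except ValueError:
        return None


if __name__ == "__main__":
    for user_id in ("alice", ATTACKER_ID):
        print(f"{user_id!r:32} vulnerable -> {route_for(user_id, False)}")
        print(f"{'':32} hardened   -> {route_for(user_id, True)}")
```

Running the block shows the vulnerable builder routing the attacker's value to `/admin/delete-all` while the hardened builder rejects it. The allow-list is the primary control: some servers decode `%2F` before routing, so percent-encoding alone should not be relied on to keep user input inside a single path segment.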
For C#, we added support for 5 additional rules:
- S6680: Loop boundaries should not be vulnerable to injection attacks
- S6776: Stack traces should not be disclosed
- S5147: NoSQL operations should not be vulnerable to injection attacks
- S6549: Accessing files should not lead to filesystem oracle attacks
- S6547: Environment variables should not be defined from untrusted input
These features are available now on SonarCloud and will be part of SonarQube 10.8 by the end of November 2024.
Enjoy!
Alex