SonarCloud Community: Major updates on security rules for Python, C# and Java

Hello SonarCloud community,

Major updates on security rules for Python, C# and Java delivered to you! This week we have deployed new vulnerability detection checks, which will enable developers to reinforce their code security even further. Here is what’s new:

On Python, your security analysis is getting stronger with 8 new rules based on taint analysis allowing you to detect injection vulnerabilities (OWASP A1) such as SQL Injections, OpenRedirect, Path Injections, LDAP Injections, XPath Injections, Log Injections, HRS and SSRF.

  • Rule S2078: LDAP queries should not be vulnerable to injection attacks
  • Rule S2083: I/O function calls should not be vulnerable to path injection attacks
  • Rule S2091: XPath expressions should not be vulnerable to injection attacks
  • Rule S3649: Database queries should not be vulnerable to injection attacks
  • Rule S5144: Server-side requests should not be vulnerable to forging attacks
  • Rule S5145: Logging should not be vulnerable to injection attacks
  • Rule S5146: HTTP request redirections should not be open to forging attacks
  • Rule S5167: HTTP response headers should not be vulnerable to injection attacks

On C#, you can benefit from the improvements of the rules detecting SQL Injections, Command Injections, OpenRedirects, XPath Injections which now support more APIs such as Dapper, System.Data.Linq, Microsoft.EntityFrameworkCore. Also for better accuracy, you should expect less false-positives and more true-positives.

Also on C#, you can elevate your game with the detection of XML External Entities vulnerabilities. The C# analysis is now able to detect similar issues as well-known vulnerabilities (e.g. CVE-2018-14485, CVE-2019-10718, CVE-2019-11392 (OWASP A4)) thanks to XXE checks:

  • Rule S2755: XML parsers should not be vulnerable to XXE attacks

Now on Java, you’ll be able to go a step further on XSS (Cross Site Scripting), which by the way is one of the biggest risk of attack (2019 CWE Top 25 Most Dangerous Software Errors). So you’ll now be able to detect vulnerabilities when the data is sent to your Template Engine with Thymeleaf. This works for your back-end written with Spring Framework or Spring Boot. And you might already know but your Java back-end code was already covered on this matter.

In the following example, message can be controlled by a malicious end-user. Its value is added to the Model of the MVC pattern implemented by Spring+Thymeleaf. Finally, this model is provided by Spring to the execution context of the templating system so that its content can be displayed.
The tricky part here is that there is nothing explicit about the location of the template to call, it only says return “welcome”. We added some logic to retrieve template locations, to be able to raise an issue directly in the template where the Model variable can be used dangerously.

Please let us know if you have any questions or feedback and enjoy the ride!

Thomas & the SonarCloud team.

7 Likes

A post was split to a new topic: Question about Python rules in SonarQube