SonarCloud detects Bidirectional Characters to prevent trojan source attacks


SonarCloud is now able to detect Bidirectional Characters and here is why this is important.

According to a recently published paper, source code can be maliciously encoded so that it appears different to a compiler and to the human eye. It means the code can look nice and without any security problem when a human reviews it while when the compiler reads the code, it will understand something else. Correctly crafted, Pull Requests could be done on popular open-source projects to inject a backdoor to be later used by hackers.

This is the reason why it’s important to detect Bidirectional Characters so that reviewers can make a decision whether or not these characters are legitimate ones.

Here is how it will appear in SonarCloud:

The Bidirectional Characters detection rule appears under a new umbrella called Text in the Rules and Quality Profiles pages. This new analyzer introduces a new analysis paradigm. It runs a second analysis on files in your project that are also analyzed by another analyzer. It is only the first such analyzer we anticipate.

This is available now on and the same feature will come with SonarQube Community Edition 9.3.