[Webinar Customer] Shift Left, Ship Right: Building Secure Applications from the Start

Hi all,

On July 12, we held our second Customer Webinar! The presentation and demo covered creating secure applications from the ground up, ensuring your code is consistent, intentional, adaptable, responsible, and free of vulnerabilities.

In this webinar you will learn how adopting a secure-by-design approach using Sonar solutions can catch issues early in the development process, reducing rework, delays, and the pressure to ship incomplete solutions.

By shifting security “left” in the development lifecycle, you can “ship right” with confidence, ensuring your applications are secure, maintainable, and reliable from the very beginning.

If you were not able to attend or would like to know more about these commercial features, watch the recording: “Shift Left, Ship Right: Building Secure Applications from the Start”

Reminders:

  • Connected Mode - Get seamless IDE to CI integration with SonarLint. Connected mode joins SonarLint to SonarCloud and SonarQube for additional value. Shared code quality expectations, deeper issue analysis, smart notifications, and more. SonarLint is always free!

If you are on SonarQube Developer Edition or above, take advantage of deeper SAST by upgrading to the latest SonarQube version:

  • deeper SAST - Sonar’s deeper SAST capability empowers organizations to identify and resolve application code issues originating from interactions with third-party open-source libraries. This unique feature enables Sonar’s SAST to trace data flow in and out of libraries, effectively uncovering deeply concealed security vulnerabilities that other tools fail to detect.

All SonarQube users can take advantage of Secrets Detection. Enterprise Edition users can get the additional benefit of custom Secrets Detection.

  • Secrets Detection - Sonar can detect hundreds of secrets in source code right in your IDE using SonarLint and also detect them in your CI/CD pipeline using SonarQube and SonarCloud. This feature is provided by a new open-source secret detection engine developed by Sonar so that you can see how it’s done, and contribute.

Thank you!

The Sonar Team

Hello everyone,

Thank you to all who took part in our session yesterday. You can now find below the questions that were asked during the session.

Q: Does the latest version of SonarQube include SCA capabilities and Container Scanning capabilities?
A: SonarQube doesn’t currently provide SCA capabilities. We are working on integrating a partner solution into our product that will be released in the future…

However, deeper SAST allows you to catch deeply hidden security issues related to the use of commonly used open-source libraries.

For the container scanning capabilities, we can analyze Dockerfiles. You can find the rules for Dockerfiles at: https://rules.sonarsource.com/docker/

Q: How come SonarQube is able to analyze any kind of Java source files regardless of the version of Java they comply with but you have a hard dependency on the Java versions used by the scanners?
A: Since we do static code analysis we do not need to compile the code to get all results.
We can just run the analysis on the source code. However, our analyzers/scanners need to be compatible with the Java Runtime they were compiled in.

Q: When will you start supporting the Rust language?
A: We are looking into adding this support… You can vote for this roadmap item here: https://portal.productboard.com/sonarsource/3-sonarqube/c/285-rust-support?utm_medium=social&utm_source=portal_share

Q: It seems Sonar has a partnership for SBOM and SCA. Being a Sonar customer, how can we leverage it? What vendor is partnered with?
A: Please contact us directly via your sales representative or using the Contact Us form on sonarsource.com

Q: As a smaller company with quite a compact code base (less than 1M lines), how can we benefit from advanced security scanning capabilities without necessarily going Enterprise (the price is too steep)
A: For smaller code bases, we recommend using SonarCloud (includes taint analysis, secrets detection, and deeper SAST) as it is easier to get started and is a managed offering. Additionally, most of the advanced security scanning capabilities can already be used with SonarQube Developer Edition if you cannot switch to the Enterprise Edition.

Q: Would there be rules to test cryptographic and post-quantum safety in the next releases?
A: Thanks for the question. We are looking into adding this but do not have a timeline yet.

Q: For secret detection - can we expect new rules that detect strings with high entropy? Currently, many secrets and passwords are not detected by rules for predefined secret formats.
A: To add to Nicolas’ answer: We are continuously improving our secrets detection capabilities and adding more and more supported secret formats (we already support more than 100 secret providers). We are already taking the entropy into account in certain detections; however, our results have shown that only looking for high-entropy strings would lead to too many false positives. If you have specific secret providers that you would like us to cover, you can ask for them in our community: https://community.sonarsource.com/c/clean-code/rules/13

You can find the entire list here: https://rules.sonarsource.com/secrets/

Q: Very interested to hear how Security Hotspot values of High, Medium and Low are defined and if they are customizable.
A: The severity of our Security Hotspots is defined similarly to the severity rating of our other issue types (e.g. vulnerabilities). This is a combination of the likelihood (probability of an issue being abused) and the impact (what can happen if an issue is abused by an attacker). More info can be found here: https://www.sonarsource.com/blog/we-are-adjusting-rules-severities/

In SonarQube 10.6, you can now configure the priority of rules that block your release to prevent substandard code from being released based on your coding standards. This ensures that your teams are following your company’s policy for Clean Code when those policies are more strict than Sonar’s recommended standards.

Q: Are there only specific Sinks that are identified or is this dynamically identified?
A: The sinks are specific and defined by us. You can customize the list by adding your own starting with SonarQube Enterprise Edition. Our sinks are defined thanks to our vulnerability experts and our deeper SAST technology.

Q: I/We use many tools and I’m not fluent in all of the Sonar-related acronyms. Would you please provide a glossary for we dummies :-)? SAST, EE, DCE, etc.
A: Sorry for not spelling out the acronyms. SAST - Static Application Security Testing is an industry-standard way of analyzing source code for vulnerabilities. SonarQube has 4 editions - Community, Developer (DE), Enterprise (EE), Data Center (DCE). More info here - Plans & Pricing

Q: Deeper SAST sounds good. Do I have to configure anything to leverage it? (using SonarQube)
A: Thanks, it is actually a very cool feature of our SAST engine. It does not require any configuration and is always on by default in SonarQube commercial editions and in SonarCloud.

Q: Is this able to scan SAP solutions/objects?
A: We support the ABAP language; you can find the rules we provide here: ABAP static code analysis

Q: Will the new functionality being presented be in both SonarCloud and SonarQube?
A: Yes, deeper SAST is available in both SonarCloud and SonarQube commercial editions.

Q: Would the speaker please make some disclaimers on which flavor of SonarQube (developer vs enterprise vs data center) is required to leverage the features? (Unless all are available in developer and above). Thank you!
A: Deeper SAST is in all commercial editions. Custom Security config is in SonarQube Enterprise Edition only at this time. There is a comparison table at the bottom of our pricing page - Plans & Pricing that should help.

Q: Is there a way to require SonarLint before pushing code to GitHub? Instead of a PR gate, it would be a push gate.
A: I am not aware of this working out of the box. It might be achievable with additional scripting.

Q: SonarCloud doesn’t have security reports?
A: Not yet, but it will soon be available, probably in this quarter.

Q: Our SonarQube version 9.2 does not show a Security Reports link. Is this new in 10.x?
A: According to our documentation, it was available in 9.2, starting with the Enterprise Edition.
However, I would like to emphasize that 9.2 is no longer supported and strongly advise updating the version if possible. The latest LTA is 9.9 if you are looking for longer support and security patches.

Q: Are custom sinks and sources available for C or PHP? If there are, do they require additional configuration?
A: Custom sinks are available for PHP, and work exactly as the one demonstrated during this webinar. This is not available for C yet.

Q: Can developers change quality gates (sensitivity levels, etc) to ignore issues/vulnerabilities found by Sonar Cloud? Also, are there any reports/dashboards where we can see the history of the issues found and whether these have been fixed/ignored, etc?
A: More information on how to configure quality gates can be found here: https://docs.sonarsource.com/sonarcloud/standards/managing-quality-gates/
Yes, SonarCloud provides a dashboard with information about the issue history for every project. We are working to add reports in SonarCloud soon.

Q: Is Taint Analysis enabled by default? Or do I have to do something in SonarQube Enterprise Edition?
A: Taint analysis is free on SonarCloud for open source projects, and available in SonarQube commercial editions. It is enabled by default!

Q: Is it possible to use SonarLint in a husky pre-commit script to prevent committing if problems have been detected in new code?
A: You can check further information about pre-commits on this community post: https://community.sonarsource.com/t/pre-commit-hooks/87674

Q: Can SonarCloud scan 3rd party SDK / libraries?
A: If the source code is provided, yes! Also, if these libraries are supported by deeper SAST we will automatically take into account the potential sinks from these libraries that might lead to issues.

Q: Is the Security Reports feature available in the enterprise edition only, or am I also able to use a newer version of the Developer edition?
A: Security Reports are a feature of Enterprise Edition and higher only.

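The entropy trade-off raised in the secrets-detection question above (high-entropy-only matching produces too many false positives, while format-only matching also fires on placeholders) can be seen on a handful of lines. The following is an added example and is not Sonar's detection engine or its rule set: the provider formats (`EXKEY_`, `exb_`), the sample source lines, the candidate regex and the thresholds are all constructed for illustration.

```python
"""Added example, not Sonar's engine: compare three toy secret detectors on
constructed source lines to show why entropy alone over-flags, why a provider
format alone fires on placeholders, and how combining them narrows the result."""
import math
import re
from collections import Counter


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


# Hypothetical provider layouts, constructed for this example (not real vendors).
PROVIDER_PATTERNS = {
    "example-api-key": re.compile(r"\bEXKEY_[A-Za-z0-9]{32}\b"),
    "example-bearer-token": re.compile(r"\bexb_[A-Za-z0-9]{24,}\b"),
}

# Any run of 20+ base64 / URL-safe characters is a candidate for the entropy check.
CANDIDATE_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")


def entropy_only(lines, threshold=4.0):
    """Naive detector: flag every long token whose entropy clears the threshold."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for tok in CANDIDATE_RE.findall(line):
            if shannon_entropy(tok) >= threshold:
                hits.append((lineno, "high-entropy", tok))
    return hits


def pattern_only(lines):
    """Format detector: flag tokens that match a known provider layout."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for name, rx in PROVIDER_PATTERNS.items():
            for m in rx.finditer(line):
                hits.append((lineno, name, m.group(0)))
    return hits


def combined(lines, min_entropy=3.0):
    """Provider format AND an entropy floor: keeps the layout match but drops
    documentation placeholders such as EXKEY_000...0 that share the format."""
    return [h for h in pattern_only(lines) if shannon_entropy(h[2]) >= min_entropy]


# Constructed sample lines; none of these values is a real credential.
SAMPLE_LINES = [
    'api_key = "EXKEY_q7Zp3L9mK2xW8vR4tY6uN1bH5jG0sF3d"',    # real-looking key
    'api_key = "EXKEY_00000000000000000000000000000000"',    # docs placeholder, same format
    'icon_b64 = "9f8E7d6C5b4A3z2Y1xWvUtSrQpOnMlKjIhGfEd+/"',  # embedded asset, not a secret
    'token = "exb_K8dJ2mP9qR4sT7vW1xZ3aB6c"',                # real-looking token
    'hmac_key = "4e1f9a7c2b8d3e6f0a5c7b9d1e3f2a4c"',         # hex: entropy can never reach 4.0
]


def flagged_lines(detector, lines=SAMPLE_LINES):
    """Sorted, de-duplicated line numbers a detector reports for the sample."""
    return sorted({h[0] for h in detector(lines)})


if __name__ == "__main__":
    for name, det in (("entropy-only", entropy_only),
                      ("pattern-only", pattern_only),
                      ("combined", combined)):
        print(f"{name:13s} -> lines {flagged_lines(det)}")
        for lineno, kind, tok in det(SAMPLE_LINES):
            print(f"  L{lineno} {kind}: {tok} ({shannon_entropy(tok):.2f} bits/char)")
```

Line 3 is the false positive the answer above warns about: a base64 blob has the same statistical profile as a key, so the entropy-only pass flags it. Line 2 shows the opposite failure of a pure format match, and line 5 shows a limit of entropy scoring that a practitioner should know: a hex-encoded value is drawn from 16 symbols, so its entropy is bounded by 4.0 bits per character and a 4.0 threshold can never fire on it, regardless of how random the value is. Lowering the threshold to catch hex pulls in far more noise, which is why provider-specific formats remain the primary signal and entropy is used as a secondary filter.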