Thank you to everyone who joined our session yesterday! You can find below the questions that were addressed during the webinar:
Q: Does Sonar discover critical input from Source to Sink? Or does it just throw a Security Hotspot when it discovers "exec()"?
A: Sonar does one or the other depending on the rule. For injection-related rules, the engine will track the data from source to sink as Stefan just explained. For simpler issues, we might want to only match a simple line of code. Everything depends on what we want to detect and what is the best way to reduce the False Positive Rate.
Q: Which version of SonarQube Enterprise is Deep SAST available in?
A: Deeper SAST is available in SQ 9.9 LTS and higher versions. See Uncovering hidden security vulnerabilities with deeper SAST for more info. It is also available in all editions of SonarQube except the Community one.
Q: Can Deeper SAST also analyze private libraries only available within an organization, or only publicly accessible libraries?
A: Deeper SAST only analyzes open-source libraries, not private ones. If you privately host open-source libraries, it will work. Otherwise, depending on how your projects are configured and architectured, the normal taint analysis engine will identify the vulnerabilities in your own libraries.
Q: Are other languages than Java also affected by Zip Slip Vulnerabilities?
A: Yes, indeed! All programming languages that can extract archives and don’t automatically sanitize the names of entries are prone to this. We have different rules for the specific languages. You can view all these rules on rules.sonarsource.com.
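The unsanitized entry name the answer describes, as an added Python example (not code from the webinar or from Sonar): `build_sample_zip`, `is_safe_entry`, `find_unsafe_entries`, `safe_extract` and `run_demo` are hypothetical names, and the archive is constructed inline. Python's own `ZipFile.extractall` strips traversal from entry names, so the vulnerable pattern here is a hand-written loop that joins the destination with the entry name unchecked; the realpath check is what both a Zip Slip rule and a hardened extractor look for.

```python
import io
import os
import tempfile
import zipfile

def build_sample_zip(include_slip: bool = True) -> bytes:
    """Constructed sample archive (not from the page); the second entry is the Zip Slip one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        if include_slip:
            zf.writestr("../../outside.txt", "escaped")
    return buf.getvalue()

def is_safe_entry(dest_dir: str, entry_name: str) -> bool:
    """True only if the entry resolves inside dest_dir; realpath handles "../", absolute names and symlinks."""
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, entry_name))
    # Trailing separator so "/tmp/dest2" is not accepted as being inside "/tmp/dest".
    return target == dest or target.startswith(dest + os.sep)

def find_unsafe_entries(zip_bytes: bytes, dest_dir: str) -> list:
    """What a Zip Slip rule looks for: entry names that escape dest_dir."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if not is_safe_entry(dest_dir, n)]

def safe_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """Hardened extractor: refuse the whole archive if any entry escapes, then write."""
    bad = find_unsafe_entries(zip_bytes, dest_dir)
    if bad:
        raise ValueError(f"refusing archive, Zip Slip entries: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        for name in names:
            target = os.path.join(dest_dir, name)  # unchecked, this join is the vulnerable pattern
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(zf.read(name))
    return names

def run_demo() -> dict:
    """Scan and extract into a fresh temp dir; report what each step found."""
    dest = tempfile.mkdtemp()
    out = {"unsafe": find_unsafe_entries(build_sample_zip(), dest)}
    try:
        safe_extract(build_sample_zip(), dest)
        out["refused"] = False
    except ValueError:
        out["refused"] = True
    out["benign_written"] = safe_extract(build_sample_zip(False), dest)
    return out
```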
Q: How do you select open-source applications you analyze with SonarCloud?
A: In the Vulnerability Research Team, we generally only scan very popular applications. Vulnerabilities in these applications affect more users and thus we can have a greater impact by unveiling vulnerabilities in these projects.
In terms of the projects, we are not really restricted, since the analysis of SonarCloud is easy to set up and runs totally automatically. What rather restricts us in terms of quantity is the number of vulnerabilities identified by SonarCloud. The shocking truth is that there are a lot of vulnerabilities out there, especially for less popular applications. And we cannot review all of them. They could easily identify these by scanning the application themselves, and that’s actually what a lot of maintainers of popular open-source projects are already doing. But not all of them.
Q: How can I enable Deeper SAST and how does this affect the analysis duration?
A: Good question! Sorry for not mentioning this. In fact, you don’t need to enable deeper SAST. It’s applied automatically to the analysis of your application.
Regarding the duration of an analysis, there is no difference. All common libraries are pre-analyzed on our infrastructure. Once your application, which uses these libraries, is analyzed, the libraries don’t need to be analyzed again. The pre-analyzed data is used to find vulnerable taint flows from your application through or into the library, or even from the library to your application. This all depends on how your application is using the library. But in summary: you don’t have to do anything and will be automatically notified if your application is using a library in an unsafe way.
Q: Do SonarLint and SonarQube Community Edition have the possibility to identify the vulnerabilities for the open-source components/libraries on a private code base, in the manner of a Software Composition Analysis?
A: SCA analysis consists of maintaining a database of existing vulnerabilities and checking if the dependency associated with its vulnerable version is used in the project. If it is used, even if the vulnerable component is not used, you could receive an alert. This would be a false positive and pretty noisy.
At Sonar, we take proactive measures by understanding which external library functions could be vulnerable, how they could be vulnerable, and check at analysis time if you are using them in an unsafe way.
Q: Is Taint Analysis available in the standalone SonarQube solution?
A: Taint analysis is available in SonarQube except for the Community edition.
Q: What happens if one source ends up in two or more dangerous sinks?
A: So basically the question is, if we have one source and there are two or more independent paths to dangerous sinks.
In that case, SonarCloud will notify you about two vulnerabilities. Both of these paths need to be fixed. For example, if you have one query parameter that ends up in two different SQL queries, you have two SQL injection vulnerabilities. And there is another great thing I didn’t mention yet. If you escape the query parameter before inserting it into the first SQL query, SonarCloud will recognize the escaping function as a sanitizer and automatically resolve this vulnerability as fixed. So now you have only one more vulnerability, where you also need to escape the query parameter before inserting it into the SQL query. Once this is done, both vulnerabilities are resolved.
Q: Does my application need to be public on GitHub to be scanned by SonarCloud?
A: No, of course not. If your application is public on GitHub, it is even free to use SonarCloud. If your application is private, you can also give it a free try for 14 days and later decide if you want to switch to a paid plan.
Q: What if my application has an intended feature to let the user run operating system commands? How does Sonar handle this?
A: Yes. In this case, SonarCloud will notify you about a vulnerability, because it’s generally assumed to be unsafe to let the user run operating system commands. But if this is an intended feature of your application and you are comfortable with the associated risks you can select “Resolve as won’t fix” on the SonarCloud UI and this specific vulnerability will not be shown to you anymore.