Sonar, the leading provider of integrated code quality and code security solutions, is unveiling SonarQube Advanced Security, a significant advancement in code security which will soon be available. It extends SonarQube’s analysis capabilities, which currently cover first-party and AI-generated code, to third-party, open source code. According to the company, this makes SonarQube the first fully integrated solution for developers to find and fix code quality and code security issues during the development phase of the software development lifecycle (SDLC).
Open source code has a significant role to play in modern application development. According to Donald Fischer, co-founder of Tidelift, now part of Sonar, the extension of SonarQube is “part of providing a comprehensive solution covering all aspects of code quality and code security. Every modern application of any significance or scale is going to include third-party, open source software. It's just part of the modern software development process.”
“If you want to have a good, comprehensive view into the quality of all of your code and security of all your code, you really want to cover both the net new code that your teams are writing as well as the third-party, open source code that they're pulling in as components, as libraries or dependencies of these applications,” Fischer continued.
SonarQube Advanced Security adds a range of new capabilities that extend its existing analysis to third-party, open source code. These capabilities include:
- Software Composition Analysis (SCA): Identifies vulnerabilities in third-party dependencies, allowing users to track, manage, and mitigate known vulnerabilities (including CVEs). It also checks dependencies against the organization’s software license policies and generates detailed software bills of materials (SBOMs) that give greater visibility into code composition.
- Advanced Static Application Security Testing (SAST): Improves detection of vulnerabilities that arise where first-party code interacts with third-party dependencies, a class of issues that traditional tools often miss.
“One of the things that Sonar has developed over the years is an advanced form of SAST technology…that allows developers to identify data flows where data is flowing, not just through components that were authored within the organization, but also through these third-party open source components,” explained Fischer. “The coupling of Tidelift’s software bill of materials, vulnerability detection, and license compliance capabilities with that advanced static analysis capability from Sonar—they pair up really nicely to provide a really complete and newly comprehensive solution in the market.”
SonarQube’s latest features build upon its existing strengths, including:
- Taint analysis: Uncovers injection vulnerabilities (such as cross-site scripting and SQL injection) that span multiple files, ensuring user input is used securely across the entire application.
- Secrets detection: Automatically scans for hard-coded secrets, helping teams prevent credential leakage.
- Infrastructure as Code (IaC) scanning: Surfaces security misconfigurations in infrastructure as code to ensure secure production environments.
- Security reporting: Reports on code compliance for standards, including OWASP Top 10, PCI DSS, STIG, CASA, and CWE Top 25.
- Security engine custom configuration: Fine-tune security configurations for organizations’ unique needs.
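The kind of cross-file flow the taint analysis bullet above refers to, shown as an added example that is not code from the original page or from Sonar: untrusted input enters in a request handler and reaches a SQL sink in a separate data-access layer. The two layers are written here as two sections of one module so the example runs stand-alone; in a real codebase they would be separate files, which is why single-file scanners miss the flow. The database contents, the `request_params` dictionary and the function names are all constructed for this example.

```python
import sqlite3

def make_db():
    # Constructed in-memory table standing in for the application's store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

# --- data-access layer (in a real codebase: repository.py) ---

def find_user_vulnerable(conn, name):
    # Taint sink: the caller-supplied string is concatenated into the SQL text,
    # so it can change the query's structure rather than just its data.
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()

def find_user_safe(conn, name):
    # Hardened sink: parameter binding keeps the value out of the SQL grammar,
    # so the same tainted input is treated purely as data.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()

# --- request-handling layer (in a real codebase: handler.py) ---

def handle_lookup(conn, request_params, lookup):
    # Taint source: a value under the remote user's control. Nothing in this
    # function touches SQL, so the injection is only visible when the analysis
    # follows `name` across the file boundary into `lookup`.
    name = request_params.get("name", "")
    return lookup(conn, name)

def demo():
    conn = make_db()
    # Constructed attacker input: closes the string literal and adds a tautology.
    payload = {"name": "' OR '1'='1"}
    leaked = handle_lookup(conn, payload, find_user_vulnerable)
    safe = handle_lookup(conn, payload, find_user_safe)
    return leaked, safe

if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable sink returned:", leaked)  # every row in the table
    print("hardened sink returned:", safe)      # no rows: the payload is just a name
```

Run it and the vulnerable path returns the whole table for an input that should match nothing, while the parameterized path returns an empty result. A scanner that stops at `handler.py` sees no SQL and reports nothing; one that tracks `name` from `request_params` through the call into `find_user_vulnerable` reports the concatenation on the sink line.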
“With these capabilities coming together, Sonar is really helping to lead the evolution of software development by providing tools that are comprehensive and…supercharge developers to build better, faster,” said Fischer. “Developers have a lot on their plate. They don't need to be dealing manually with tracking down issues in their code or in third-party code. Sonar…is really being their partner [by] innovating quickly and adding new capabilities to serve these developers.”
To learn more about SonarQube Advanced Security, please visit https://www.sonarsource.com/.