Sonar’s new deep-analysis capability discovers and fixes code security issues

Sonar announced a significant advancement of its Clean Code offering – developers can now automatically discover and fix code security issues arising from interactions between user source code and third-party, open-source libraries.

Referred to as deeper SAST, the new advanced detection addresses issues that traditional SAST tools miss by not following the flow within library code. Traditional SAST vendors analyze user application code. These tools do not scan the combined code, and flag libraries in an unsophisticated way, ignoring the context and use within the library.

The result is that library features are considered black boxes, leaving organizations in the dark about whether they’re truly secure for a given context or not. Moreover, these tools typically support only a handful of popular frameworks, often requiring up-front configurations for setup. All of this leads to the security issues created by the unique usage of third-party open source libraries going undetected.

“Code is code, whether it is written by a developer in your team or whether it comes as part of a library that is solving a specific problem. The two different approaches always bothered me, and I am thrilled that we are now able to analyze all codes the same way at once, solving what was considered an impossible problem,” said Olivier Gaudin, CEO of Sonar. “With the deeper SAST advancements made to our Clean Code solution, organizations can discover these vulnerabilities and resolve them quickly as code is developed.”

Sonar addresses the gap of traditional SAST through its fine-grained analysis of user source code interactions with external dependencies, all without the need for any special configuration or incremental costs. This deeper SAST innovation furthers Sonar’s mission to equip organizations to achieve a state of Clean Code — code that is consistent, intentional, adaptable, and responsible. When code adheres to these characteristics, software becomes reliable, maintainable, and secure.

“It’s estimated that over 90% of applications leverage third-party libraries and interact with the code within them, but most SAST tools don’t tell developers which dependencies make their code vulnerable. Security is mission-critical, and the more issues you find and fix before they have the ability to cause you harm, the better off your business will be,” said Rik Turner, a Senior Principal Analyst covering cybersecurity at Omdia. “This is the essence of the proactive security wave we are seeing across the cyber sector: find it and fix it before it’s exploited.”

Sonar deeper SAST functionality is available at no additional cost within commercial editions of SonarQube (self-managed) and SonarCloud (cloud-based) — static analysis code review tools that continuously inspect and analyze the codebase using quality gates to determine if code meets the defined standards for development and production. Deeper SAST currently supports Java, C#, and TypeScript programming languages and covers thousands of the topmost and commonly used open-source libraries, including their subsequent (transitive) dependencies.

Achieving a clean code state

Sonar empowers development teams to write Clean Code by providing them with the right tools and best practices, so they can spend less time fixing issues and more time meeting delivery and business goals. Pairing the Sonar solution with the company’s Clean as You Code methodology — set standards for keeping new, added, or edited code clean — and its educational guidance for code called ‘Learn as You Code,’ developers have faster issue remediation and delivery, code enhancement, and can further professional growth and team retention. Today, there are over seven million developers using Sonar.

Sonar also actively engages with its ecosystem and customer communities, in addition to partnerships with several universities for security research projects, and the open source software and start-up communities. Additionally, Sonar has a dedicated team of security researchers that find and responsibly disclose exploitable zero-day vulnerabilities in open-source software; these findings are used as inspiration for new security rules and detections to help find vulnerabilities.