Detect Prototype Pollution vulnerabilities - SonarQube Cloud | Product Roadmap

SonarQube Cloud

Under Consideration

Project Branches & Pull Requests

Clear and effective new code configuration options

Simplify the concept of branches

Easily change the main branch of a project

New Pull Request issues on unchanged code

Fixed issues in Pull Requests

Receive annotations in GitHub Pull Requests

AI Capabilities

Automatic PR Creation from AI CodeFix Suggestions

Issues

Personal dashboard improvements

Understand issues faster with visual representations

Enhanced diff highlighting for code examples

AI generated Unit Tests

Quality Profiles & Quality Gates

Fine-tune behavior around Quality Gates and new code availability

Changes to Quality Gate and Quality Profile configurations are visible

Accessibility as a software quality

Sustainability and Green IT as a software quality

SonarQube for IDE

Activate SonarQube for IDE connected mode from SonarQube Server or SonarQube Cloud web interface

Integration

Slack notifications

Connect to GitHub Enterprise Server

Guide administrators to setup analysis on Jenkins

Quality Gate pipe for Maven projects on Bitbucket Cloud

Change the organization binding

Administrators can transfer projects between organizations

Connect to self-hosted GitLab instances

Connect to on-premise Bitbucket Server

Connect to on-premise Azure DevOps Server

Support Azure DevOps Service Principals instead of Personal Access Tokens

Use OIDC to set GitHub Actions analysis instead of secrets

Identity & Access Management

Synchronize your GitHub teams with SonarQube Cloud groups

Outside collaborators from GitHub are synchronized

Synchronize members on SonarQube Cloud for GitLab organizations

Restrict user list to a specific company email domain

Operability

Automatically import your repositories

Migrate from SonarQube Server to SonarQube Cloud

Add mobile support to the web application

Bring your own key - BYOK

Reporting

Reporting Capabilities

Account and organization audit logs

Managers can assess if softwares are compliant with "Digital Operational Resilience Act" (DORA)

Summary of all analysis problems/warnings for projects

WCAG Accessibility report

SonarQube can export findings as SARIF output

Quantify the value Sonar brings to your organization

Software Composition Analysis (SCA)

Malicious package detection

End of Life dependency detection

Code Security / SAST: Capabilities

Detect second-order vulnerabilities

Detect Prototype Pollution vulnerabilities

Raise Vulnerabilities in inline JavaScript code inside HTML files

Detect PHP Server-Side Template Injection (SSTI)

Detect C# Server-Side Template Injection (SSTI)

Code Security / SAST: Framework Support

Detect Taint Vulnerability issues in Blazor Apps

Medoo PHP Database Framework support

Support for Java Streams in security analysis

DotNet ASP.NET Core 6.0 "Minimal APIs" support

Python Starlette

Quarkus support in security analysis

Eclipse Vert.x support in security analysis

Detect security issues on Cloud Deployment Manager files

Detect security misconfigurations in Chef files

Detect security misconfigurations in Puppet files

Code Quality: Capabilities

Rules for error-free Python coroutines

Performance rules for Python

Rules for effective use of Python Collections

Rules for effective use of Python comprehensions

Sonar can load Rubycritic reports

.NET String Comparison Rules

.NET Localisation Rules

Testable code rules

Help C# Developers catch errors in Regular Expressions

Sonar helps .NET developers apply good practices around authentication and authentication

Rules to help developers use the {fmt} C++ library at best

Assess if my C code is compliant with MISRA C 2023 standard

Assess if my C code is compliant with MISRA C 2012 standard

Assess if my C code is compliant with SEI CERT C

Assess if my C++ code is compliant with SEI CERT C++

Assess if my C++ code is compliant AUTOSAR C++14

Asses if my C code is compliant with BARR-C:2018

Help C and C++ developers writing regexp running fast, with the correct amount of resources and really doing what developers intended

Java Code Quality rules for Azure Functions

Java Code Quality rules for Google Cloud Functions

Analyze my C++ code against MISRA C++ 2023 rules

Apply main code rules to test code

Logging rules for Python

API usage rules for Python

Memory management rules for Python

Performance as a software quality

When is it helpful to be able to change the type of a rule or issue?

Support lcov coverage format for C and C++

Code Quality: Framework Support

ASP.NET Webforms support

ASP.NET Razor Pages support

Avoid common pitfalls in Minimal APIs

Avoid common pitfalls in ASP.NET pipeline configuration

Entity Framework Core rules

Analyse Unity Projects

Sonar helps DevOps people to have clean Docker Compose code

Detect security misconfigurations in Pulumi files

Support the Connexion Python web framework

Matplotlib library support in Python analysis

Support Analysis of Databricks Notebooks Magic Commands & Imports

Support Seaborn library for Python

Support Microsoft's type libraries and COM interfaces through the use of #import

Support C++/CLI

Support Cuda extensions

Support OpenMP extensions

Sonar detects security issues in JSP files using JSTL 3 `jakarta.tags.*` tags

Help developers with Spring Data

Project Reactor support

Spring Cloud support

RxAndroid support

RxJava3 support

React Native support

Keras library support in Python analysis

Support "Kustomized" variants of Kubernetes YAML configurations

Sonar raises more issues on Docker shell commands

Code Quality rules for Hugging Face

Detect uses of functions IPV6 incompatible

Best practices to use C++'s Algorithms library

Code Analysis: User Experience

Automatic Analysis of Azure DevOps Repositories

Automatic analysis is available for Azure DevOps

Automatic analysis is available for Bitbucket Cloud

Automatic analysis is available for GitLab

Automatic analysis includes test and coverage reports

Automatic analysis analyzes all branches

Exploring updates to code coverage and duplication

Bring external results to the automatic analysis of your projects

//NOSONAR ignores a specific list of rules (like @SuppressWarnings)

Code coverage is computed in parallel to the analysis

Support for dotCover and DeterministicSourcePaths

Simplified Scanner for .NET

Import Mutation Testing Results

Support custom rules for C and CPP

Analyze multiple code variants built on distinct hosts

Analyze multiple code variants built on the same host

Expand compiler support

Support C/C++/Objective-C analysis on Windows Arm64

Provide an Azure Devops task to analyze C and C++

Automatic Analysis of GitLab Repositories

Analyze .NET code with the Scanner CLI

Code Analysis: Language Version Support

Support Java 23

Java analysis for Spark usage

Support Rego Language / Open Policy Agent (OPA)

OpenAPI support

Scan GitHub workflow files

Scan GitLab CI files

Scan AzureDevOps pipelines

Automatically detect the presence of AI-generated code

Support Powershell

Support sh/bash

Support Snowflake SQL

Help data professionals avoid pitfalls with Snowflake SQL

Custom Rules for any language

Detect Prototype Pollution vulnerabilities

10

AG

Alexandre Gigleux

Posted on February 2021

"Prototype Pollution" vulnerabilities got a lot of attention in 2020. Many vulnerabilities were discovered in famous or less famous NPM packages.

"Prototype Pollution" is now the #2 most common vulnerability type found in NPM packages (18%), even though this statistic is a little bit distorted due to imprecise classifications (source: internal private studies).

We can't ignore this fact and we need to find a way to fix the problem by helping developers of libraries and applications to detect "Prototype Pollution" vulnerabilities before they are published.