[SonarSource] Deeper SAST: Uncovering Hidden Security Vulnerabilities
- DevOps Tec
- July 11
- 3 min read

The year before last, at the BlackHat security conference, Sonar introduced its innovative analysis technology Deeper SAST, designed to detect hidden code vulnerabilities. Since then, Sonar has continued to refine and expand this technology, aiming to identify more issues with higher accuracy—so your code stays clean.
At the same time, Sonar has been evaluating and monitoring the impact of using deeper SAST analysis on open-source software. In this blog post, we want to highlight why deeper SAST is crucial for uncovering vulnerabilities that would otherwise go undetected—by showcasing a real-world example of a critical vulnerability with global impact.
What is Deeper SAST?

Almost every software project depends on multiple libraries, such as the Spring Framework or the Log4j library. However, traditional Static Application Security Testing (SAST) tools typically analyze only first-party code—your project’s own code—while ignoring third-party dependencies. These libraries often act as black boxes for traditional SAST, even though they can contain sensitive or risky logic that, if misused in a project, can lead to security vulnerabilities.
These risky code snippets in third-party libraries only become vulnerabilities when misused within the project context. On their own, they are not considered vulnerabilities and are not classified or recorded as CVEs. Therefore, traditional Software Composition Analysis (SCA) tools are unable to detect them.
Real-World Example: Jenkins Vulnerability CVE-2024-23897

What kind of hidden vulnerabilities can Sonar’s Deeper SAST detect? Let’s take a look at a real-world example.
The year before last, researchers disclosed a critical vulnerability in Jenkins—one of the most popular CI/CD tools used by over 10 million developers. Let’s examine a single snippet of code involved in this vulnerability and explain why only deeper SAST can connect the dots.
The vulnerability affected Jenkins’ built-in CLI tool, which is used for remote management of Jenkins servers. To parse command-line arguments, Jenkins incorporated a small third-party library called args4j. Within this library, there is a hidden behavior: if a parameter starts with the "@" symbol, the rest of the parameter is treated as a file path, and the contents of that file are read and used as arguments.
As a result, a remote attacker could exploit this behavior by passing malicious arguments to Jenkins, enabling them to read sensitive data from the server.
Here’s the key point:
If you only analyze Jenkins’ code, the vulnerability remains invisible because the sensitive logic resides within the third-party library. If you only analyze the args4j library, no vulnerability is found either, since reading a file by itself is harmless. The security issue arises only when a malicious user can manipulate the file path—something that happens due to the way Jenkins and args4j interact.
Sonar’s Deeper SAST can analyze the interaction between first-party code (Jenkins) and third-party code (args4j), pinpointing the vulnerability that emerges from their specific integration. This issue has now been recorded in Sonar’s rules.
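To make the "interaction" point concrete, here is an added example (not code from Jenkins, args4j, or Sonar) that mimics the pattern the post describes: a small argument expander that treats any parameter beginning with "@" as a file to read, a "vulnerable" server handler that feeds untrusted remote arguments straight into it, and a hardened handler that disables the expansion for untrusted input. The filesystem is a constructed in-memory dictionary so the example runs offline; all function names (`expand_at_args`, `handle_remote_command_vulnerable`, `handle_remote_command_hardened`, `flag_at_arguments`) and the paths are hypothetical.

```python
from typing import Callable, Dict, List

# Constructed stand-in for the server's filesystem (example data only).
FAKE_FS: Dict[str, str] = {
    "/srv/app/args.txt": "--verbose\n--job=nightly\n",
    "/srv/app/secret.key": "s3cr3t-key-material\n",
}


def read_file(path: str) -> str:
    """Read from the constructed filesystem; raises like open() would on a miss."""
    try:
        return FAKE_FS[path]
    except KeyError:
        raise FileNotFoundError(path)


def expand_at_args(
    args: List[str],
    reader: Callable[[str], str],
    allow_file_expansion: bool = True,
) -> List[str]:
    """Mimic the args4j-style '@file' convention described in the post.

    On its own this is a legitimate library feature: an operator can keep long
    option lists in a file and pass '@path' on the command line. It only becomes
    a vulnerability when the caller lets an untrusted party choose the path.
    """
    expanded: List[str] = []
    for arg in args:
        if allow_file_expansion and arg.startswith("@"):
            # The library reads the named file and splices its tokens in.
            expanded.extend(reader(arg[1:]).split())
        else:
            expanded.append(arg)
    return expanded


def handle_remote_command_vulnerable(remote_args: List[str]) -> List[str]:
    """First-party code that forwards remote, attacker-controlled arguments
    to the parser with the file feature left on. Neither this function nor
    expand_at_args looks wrong in isolation; the defect is their combination."""
    return expand_at_args(remote_args, read_file)


def handle_remote_command_hardened(remote_args: List[str]) -> List[str]:
    """Same flow, but server-side file expansion is switched off for input
    that arrives over the network. A literal '@...' stays an opaque string."""
    return expand_at_args(remote_args, read_file, allow_file_expansion=False)


def flag_at_arguments(remote_args: List[str]) -> List[str]:
    """Defensive check a request handler or log monitor can apply: report any
    remote argument that would trigger file expansion if it reached the parser."""
    return [arg for arg in remote_args if arg.startswith("@")]


if __name__ == "__main__":
    untrusted = ["--list", "@/srv/app/secret.key"]
    print("vulnerable:", handle_remote_command_vulnerable(untrusted))
    print("hardened:  ", handle_remote_command_hardened(untrusted))
    print("flagged:   ", flag_at_arguments(untrusted))
```

Run against the constructed input, the vulnerable handler returns the secret file's contents as an argument token, the hardened handler returns the literal string, and `flag_at_arguments` surfaces the parameter before it is parsed. A scanner that only sees `handle_remote_command_vulnerable` sees a harmless function call; one that only sees `expand_at_args` sees a documented feature. Only an analysis that follows the untrusted value across that boundary can report the file read.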
Conclusion

Deeper SAST is essential for uncovering hidden vulnerabilities and writing clean, secure code.
A single overlooked vulnerability can lead to serious consequences. Every day, Sonar detects hundreds of previously hidden vulnerabilities within internal codebases. The deeper SAST technology developed by Sonar can detect issues that traditional tools cannot—especially those involving third-party dependencies.
Deeper SAST is now available to Sonar’s commercial customers at no additional cost. If your organization is aiming for high-quality, highly secure code and is committed to Clean Code principles, we believe the Sonar suite is a compelling option worth considering.
We look forward to seeing how Sonar can support your team.
If you'd like to learn more or discuss how to implement a complete DevSecOps workflow in your development environment, our professional DevOps consulting team is here to help.
Feel free to reach out via email or phone!
#Devopstec #partner #sonarsource #clean #code #secure #build #sonarlint #sonarqube #sonarcloud #ide #teams #enterprises #workflow #cloud #developers #source #github #risk #coding #pushing #promoting #managing #DeeperSAST #CleanCode #malaysia