Software Development

Sonar's new SAST tool includes support for thousands of open-source libraries

The developer security company Sonar has announced an update to its platform, which will make it even easier for developers to write what Sonar calls “Clean Code,” or code that is “easy to read, maintain, understand and change through structure and consistency yet remains robust and secure to withstand performance demands.”

The company has added deeper static application security testing (SAST) that makes it possible for developers to automatically discover and fix security vulnerabilities. 

According to Sonar, traditional SAST tools analyze application code but don't check the code in libraries, so any feature that comes from a library is a black box in terms of vulnerabilities. These tools also usually support only a few third-party frameworks and require up-front configuration. 
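To make the "library as a black box" point concrete, here is a toy taint tracker added for this article (it is not Sonar's code and says nothing about how Sonar's analysis works). It runs the same constructed sample twice: once with the library treated as opaque, as the text says traditional SAST does, and once with the library source visible, so the taint can be followed from the application into the library's SQL sink. The source and sink names (request_param, execute_sql) and both code snippets are invented for the example; Python is used only because it makes a small parser-based demo easy, not because it is one of the languages the feature targets.

```python
import ast
SOURCES = {"request_param"}  # hypothetical: returns attacker-controlled data
SINKS = {"execute_sql"}      # hypothetical: executes a raw SQL string
# Constructed sample: app code hands user input to a third-party helper.
APP_SRC = '''
def handler():
    uid = request_param("id")
    lookup(uid)
'''
LIB_SRC = '''
def lookup(value):
    execute_sql("SELECT * FROM users WHERE id = " + value)
'''

def _defs(src):
    return {n.name: n for n in ast.parse(src).body if isinstance(n, ast.FunctionDef)}

def _tainted(node, env, funcs, findings, fn):
    # Returns True if the expression can carry tainted data; records sink hits.
    if isinstance(node, ast.Name):
        return node.id in env
    if isinstance(node, ast.Call):
        name = node.func.id if isinstance(node.func, ast.Name) else None
        args = [_tainted(a, env, funcs, findings, fn) for a in node.args]
        if name in SOURCES:
            return True
        if name in SINKS and any(args):
            findings.append(f"{fn}: tainted data reaches {name}()")
        if name in funcs:  # callee source is visible: follow the taint into it
            params = {p.arg for p, t in zip(funcs[name].args.args, args) if t}
            _walk(funcs[name], params, funcs, findings)
        return False  # return-value taint is not modelled in this toy
    return any(_tainted(c, env, funcs, findings, fn) for c in ast.iter_child_nodes(node))

def _walk(fndef, env, funcs, findings):
    env = set(env)
    for stmt in fndef.body:
        if isinstance(stmt, ast.Assign) and _tainted(stmt.value, env, funcs, findings, fndef.name):
            env |= {t.id for t in stmt.targets if isinstance(t, ast.Name)}
        elif isinstance(stmt, ast.Expr):
            _tainted(stmt.value, env, funcs, findings, fndef.name)

def analyze(deep):
    # deep=False treats the library as a black box, as classic SAST does.
    app = _defs(APP_SRC)
    funcs = {**app, **(_defs(LIB_SRC) if deep else {})}
    findings = []
    for fndef in app.values():
        _walk(fndef, set(), funcs, findings)
    return findings
```

analyze(False) returns no findings because the call into lookup() is never followed; analyze(True) reports the tainted value reaching execute_sql() inside the library.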

Deeper SAST offers support for Java, C#, and TypeScript, along with thousands of popular open-source libraries and their dependencies.

“Code is code, whether it is written by a developer in your team or whether it comes as part of a library that is solving a specific problem. The two different approaches always bothered me, and I am thrilled that we are now able to analyze all code the same way at once, solving what was considered an impossible problem,” said Olivier Gaudin, CEO and co-founder of Sonar. “With the deeper SAST advancements made to our Clean Code solution, organizations can discover these vulnerabilities and resolve them quickly as code is developed.” 

The new deeper SAST capabilities are now available in SonarQube and SonarCloud at no additional charge.