Ready for DevSecOps
GrammaTech’s CodeSonar static application security testing (SAST) solution already has great integrations with the tools our customers rely on to develop software today. This release of CodeSonar adds new features and functionality making it easier for you to achieve DevSecOps, while helping you accelerate the delivery of quality, safe and secure code more efficiently.
Here are the highlights of the new features:
**Log4Shell Security Update**
Following the disclosure of the Log4Shell vulnerability in Apache log4j, we can confirm that CodeSonar 6.2 ships with a version of the library that remediates the vulnerability, so you can use CodeSonar with confidence. We are monitoring the security of log4j, and we will continue to update CodeSonar as new information becomes available. To stay informed of our plans, please refer to the article at https://support.grammatech.com/hc/en-us/articles/4413605719697-Log4J2-Vulnerability-to-Zero-Day-Exploit-within-CodeSonar-and-CodeSentry. We will continue to update the article as more information becomes available.
Enterprise Single Sign On (SSO)
The new single sign on (SSO) feature provides administrators with an easier, efficient and cost-effective method for managing CodeSonar users. Organizations with larger development teams will see a greater benefit as its difficult to manually provide and manage user credentials.
SSO (using SAML) integration enables secure authentication to the CodeSonar hub using SSO solutions from vendors such as Okta, Auth0, Ping Identity, OneLogin and others that support the SAML standard. Using an open standard like SAML provides the most options for SSO support and better integration success in enterprise deployments.
As new developers come on board and others leave the team, managing CodeSonar users is a simple as a few clicks in the SSO provider’s solution. Additionally, if contract or outsourced developers are used, it is now easier to manage temporary or ‘as needed’ access to CodeSonar.
Jira Cloud Support
Software development teams are often dispersed among various locations and work remotely. In cases like this, your development teams rely even more heavily on tools that make integrations and collaboration easier. Cloud applications, such as Jira Cloud, promote collaboration and efficiencies to help deliver projects on-time and on-budget. With CodeSonar support for Jira Cloud, software teams can share CodeSonar results, assign issues and ensure defects are fixed throughout the software development life cycle (SDLC).
CodeSonar already supports Jira on-premises instances. As organizations move their various services off-premises, CodeSonar’s support for Jira Cloud is timely as it’s becoming the preferred method for how software development teams work with Jira.
DoD Platform One Iron Bank Container Upgrades
Containers are how modern software vendors are delivering cloud-native solutions to users. This technology is revolutionizing the way our customers install and consume software. However, the provenance and security of those containers is of paramount importance to the IT teams tasked with deploying them.
Platform One is the DoD enterprise DevSecOps service. As a component to Platform One, Iron Bank is the DoD repository of digitally signed, binary container images including free and open source software (FOSS), and commercial off-the-shelf (COTS) software.
The addition of GrammaTech’s CodeSonar SAST solution to Platform One and Iron Bank provides the DoD a certified, cloud-native solution that integrates seamlessly with their workflows to quickly find and remediate defects and vulnerabilities in code before software is released. On a continuous basis, GrammaTech is hardening more of the components in the container. Learn more about CodeSonar and Iron Bank here.
Improvements to the GitLab and GitHub Integrations
To support DevSecOps, CodeSonar integrations with CI/CD pipelines such as GitLab and GitHub are essential to enable developers to work with SAST natively in their workflows. Continued improvements here provide developers with a better experience and more efficiencies as they use CodeSonar to scan code, find defects and fix problems to ensure higher quality, safer and more secure code. In the case of GitLab, we have upgraded to Python 3 for more performance and better support. And for GitHub, we have improved the “summary report” to quickly see results of a SAST analysis.
Jenkins Plugin Improvements
Jenkins is a popular build and integration tool for CI/CD pipelines and CodeSonar has integrated with it for many years. With this release we improved the ability to find results from parallel builds.
Windows 11 and Windows Server 2022 Compatibility
This release of CodeSonar includes support for both Windows 11 and Windows Server 2022.
Analysis and Security Improvements
Supporting secure coding standards is essential for ensuring developers are continually meeting security and industry specific standards as code moves through the SDLC, so we have made improvements to our support for DISA-STIG and the SEI CERT C and CERT-CPP secure coding standards. We have also made enhancements to our Java and C# warnings and added support for Android 12.
DISA-STIG v4r3 mapping for Java and C#
Our DISA-STIG mappings provide developers with guidelines for coding to meet the standard’s requirements, but also to reduce certification costs and increases software quality. These mappings correlate with the Security Technical Implementation Guides (STIGs) standards, which are designed to make device hardware and software as secure as possible, safeguarding DoD systems. With this new release, we have expanded our mapping to include Java and C#.
Increased coverage for CERT-C and CERT-CPP standards
SEI CERT C and CERT CPP are the prominent secure coding standards in the industry. They provide developers with secure coding guidelines to help prevent most common software weakness before they turn into dangerous software vulnerabilities. CodeSonar’s automation helps reduce the cost of conformance to these standards. The improvements we’ve made with this release include eight new CERT-C rules mapped to warning classes in CodeSonar and 21 new CERT-CPP rules also mapped to warning classes.
Enhanced warning classes for Java and C#
By being able to diagnose risk more quickly and reduce the time to fix problems, developers can gain greater efficiencies and allocate more time to completing projects ahead of schedule with quality, safety and security in mind. With this new release, CodeSonar now includes more details for C# and Java warnings (including deeper path tracing information) to help speed diagnosis of potential risks and reduce the time to remediate problem.
Support for Android 12
For organizations developing software targeting Android 12, CodeSonar is able to scan Java code written for this latest release.
To learn more about these new features and see a quick demo of how they work, check out this recorded session where we introduce CodeSonar 6.2. If you would a like to schedule a demo to see how CodeSonar can help you today, please contact us.