CodeSonar 7.1, our static application security testing (SAST) solution, can be deployed in both on-premises and hybrid cloud models to seamlessly integrate into existing DevSecOps pipelines and facilitate remote team collaboration. GrammaTech CodeSonar also includes enhanced support for development tools from Microsoft, Jenkins and GitLab, as well as support for additional secure coding standards that enable organizations to further automate code testing and shift their security left in the software development life cycle (SDLC).
Hybrid Cloud Deployment
As our customers look for more flexible tool deployment scenarios and offloading their build infrastructure to the cloud, CodeSonar now provides deployment options that support these cloud migration initiatives which also helps support remote work and distributed team environments. The CodeSonar Hub (comprising the analytics engine and database) can now be hosted in a single-tenant AWS cloud instance to share CodeSonar capabilities and results across geographically distributed teams. This hybrid cloud deployment model combines on-premises build environments with the CodeSonar Hub hosted in the GrammaTech Cloud.
CodeSonar admins can now more easily provision new users, cloud-scale resources to meet user demands, and provide a more reliable and fault-tolerant infrastructure to development teams. This also means that your analysis infrastructure is managed and optimized by GrammaTech to make the most efficient use of resources. All of this provides a total cost of ownership (TCO) advantage for the organization consuming CodeSonar.
Seamless SAST integration for DevSecOps Pipelines
Additional 7.1 Improvements to DevSecOps integration also include:
- LDAP, Microsoft Active Directory, and single sign on (SSO) services simplify user and role management in CodeSonar and add more support for key enterprise IT and developer management tools.
- Concurrent builds in Jenkins are now supported, and the build-results reporting has been improved.
- CodeSonar warnings are directly delivered within Visual Studio 2022 and Visual Studio Code, and support for Eclipse, GitHub, GitLab, Jira and others has been expanded.
Extensive IDE Support
With increasing use of environments such as Visual Studio Code (VS Code), GrammaTech has enhanced our existing SARIF Viewer plug-in interface and will provide a free extension for VS Code which will be available on the Microsoft Marketplace. With this extension, engineers can securely connect their editor to their CodeSonar Hub, upload an analysis, or download and interact with warnings directly within VS Code.
Automating Safety and Security
Supporting coding standards is essential for ensuring developers are continually meeting critical safety, security and industry-specific standards as code moves through the SDLC. To help developers meet these standards:
- CodeSonar adds new rules for mapping warning classes to SEI CERT-C and CERT-C++ guidelines to reduce certification costs and increase software quality, safety, and security. These new rules extend support for other standards which already include MISRA/AUTOSAR, ISO 26262/IEC 61508, ISO/SAE 21434, IEC 62443, DO 178 B/C and CENELEC EN 50128.
- OWASP and CWE reports in the CodeSonar Hub have been updated to the latest standards (2021).
Language and Compiler Support Improvements
CodeSonar has enhanced Java warnings with additional details to speed diagnosis of potential risks and reduce the time to remediate problems. This improved path information means quick diagnosis and remediation for discovered defects and vulnerabilities.
CodeSonar C# support now includes code style warnings. These new warnings alert developers of C# coding style issues and violations to ensure consistent style is used across the code base. Style consistency pays off in the long term with higher quality, safer and more secure code.
CodeSonar version 7.1 also includes updated compiler support and improvements:
- Support for Metrowerks ColdFire 6 compiler (32-bit and 64-bit)
- Improvements to the IAR compiler
- Updated the C++ front-end to EDG 6.3
CodeSonar Software Bill of Materials
With a greater emphasis being placed on third-party risk management, many organizations are now requiring a Software Bill of Materials (SBOM) before accepting a new software package into their development environment. GrammaTech provides a complete SBOM in CycloneDX format that delivers complete visibility into any third-party and open-source components associated with CodeSonar. For U.S. Government and Department of Defense customers, GrammaTech is proactively satisfying the upcoming mandate in the cybersecurity Executive Order that will require software vendors to provide a SBOM to conduct business with U.S. Federal Government agencies. Our customers can confidently and safely deploy CodeSonar SAST in their environments while meeting these SBOM requirements. The CodeSonar SBOM also demonstrates GrammaTech’s commitment to follow best practices and security guidelines for developing its products.