Maximum protection with taint analysis

SonarQube's taint analysis is a deep security scan that tracks user-controllable data through your entire application to identify sophisticated injection vulnerabilities.

How taint analysis works

Taint analysis tracks untrusted user input throughout the execution flow to ensure that no untrusted, unsanitized input can reach a sensitive function. Sonar's taint analysis transforms your whole code base into a large graph model that represents all possible execution paths. It then simulates the data flow between all data assignments, producing a precise model of what your code does at runtime, without actually executing it.

Taint analysis operates by modelling four core elements within the code:

Taint source: The entry point of untrusted data, such as a parameter of an incoming HTTP request


// 1) Taint source: untrusted user input
function handleRequest(req) {
    const userInput = req.query.username; // source


Passthrough: A function or process that receives and returns untrusted data (for example by assigning, concatenating, or parsing it), so that taint flows through it unchanged


// 2) Passthrough: data flows through code
    let name = userInput;


Sanitizer/Validator: A function or process that cleanses or validates the data, neutralizing the security risk before the data reaches a sink.


// 3) Sanitizer / validator
function sanitize(str) {
    //very simple example: allow only letters and numbers
    return str.replace(/[^a-zA-Z0-9]/g, '');
}
name = sanitize(name); // sanitize before using


Sensitive sink: A function where untrusted data could cause harm, such as executing a system command, or running a database query.


// 4) Sensitive sink: where misuse could cause trouble
// e.g., inserting into HTML without escaping, or running a command
    console.log(`Welcome, ${name}!`); // safe if sanitized
    // If we skipped sanitize, this could risk injection in other sinks
}


A vulnerability is found when the analysis discovers an uninterrupted path from a source to a sink without passing through an adequate sanitizer or validator.
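To make the source, passthrough, sanitizer and sink model concrete, the following is an added example (not SonarQube's engine and not code from the page) of a toy taint analysis in JavaScript. It runs over a small, hypothetical intermediate representation of a program: each statement is a source, an assignment, a call, a sink or a return. Taint is carried as a set of source labels, calls into known functions are followed so that flows across function boundaries are reported with their call chain, a configured sanitizer clears taint, and unknown library calls are treated conservatively as passthroughs. The program, the function names and the sanitizer list are constructed for the example.

```javascript
// Toy interprocedural taint analysis over a tiny straight-line IR (constructed example).
// Statement forms (hypothetical, not a real tool's format):
//   { op: "source", dst, label }            dst = untrusted input tagged with label
//   { op: "assign", dst, srcs: [...] }      dst derived from srcs (passthrough)
//   { op: "call",   dst, fn, args: [...] }  dst = fn(args); dst is optional
//   { op: "sink",   kind, args: [...] }     security-sensitive operation
//   { op: "return", args: [...] }           value flowing back to the caller
const SANITIZERS = new Set(["sanitize"]); // configured: these calls neutralize taint

function union(sets) {
  const out = new Set();
  for (const s of sets) for (const label of s) out.add(label);
  return out;
}

// Evaluate one function with the taint sets bound to its parameters.
// Returns the taint of its return value and every tainted sink reached inside it.
function evalFunction(program, name, argTaints, chain) {
  const fn = program[name];
  if (!fn) throw new Error(`unknown function ${name}`);
  // Recursion guard: a second activation of the same function stops the descent.
  if (chain.filter((c) => c === name).length > 1) return { ret: new Set(), findings: [] };

  const env = new Map(fn.params.map((p, i) => [p, argTaints[i] ?? new Set()]));
  const taintOf = (v) => env.get(v) ?? new Set(); // literals and unknown names are untainted
  const findings = [];
  let ret = new Set();

  for (const st of fn.body) {
    switch (st.op) {
      case "source":
        env.set(st.dst, new Set([st.label]));
        break;
      case "assign": // passthrough: the result carries the union of its inputs' taint
        env.set(st.dst, union(st.srcs.map(taintOf)));
        break;
      case "call": {
        const args = st.args.map(taintOf);
        let result;
        if (SANITIZERS.has(st.fn)) {
          result = new Set(); // sanitizer: the path is interrupted here
        } else if (program[st.fn]) {
          const callee = evalFunction(program, st.fn, args, [...chain, st.fn]);
          findings.push(...callee.findings); // sinks hit inside the callee count too
          result = callee.ret;
        } else {
          result = union(args); // unknown library call: assume it passes taint through
        }
        if (st.dst) env.set(st.dst, result);
        break;
      }
      case "sink": {
        const labels = union(st.args.map(taintOf));
        if (labels.size > 0) findings.push({ kind: st.kind, chain: [...chain], labels: [...labels] });
        break;
      }
      case "return":
        ret = union(st.args.map(taintOf));
        break;
      default:
        throw new Error(`unknown op ${st.op}`);
    }
  }
  return { ret, findings };
}

function analyze(program, entry) {
  return evalFunction(program, entry, [], [entry]).findings;
}

// Constructed sample program: a request handler that reaches a SQL sink through a
// helper, once with raw input and once after sanitizing, then an XSS sink directly.
const PROGRAM = {
  handleRequest: { params: ["req"], body: [
    { op: "source", dst: "username", label: "req.query.username" },
    { op: "assign", dst: "name", srcs: ["username"] },            // passthrough
    { op: "call", dst: "row", fn: "findUser", args: ["name"] },    // tainted, cross-function
    { op: "call", dst: "clean", fn: "sanitize", args: ["username"] },
    { op: "call", dst: "row2", fn: "findUser", args: ["clean"] },  // same sink, sanitized: no report
    { op: "call", dst: "html", fn: "render", args: ["name"] },     // taint returns through render
    { op: "sink", kind: "xss", args: ["html"] },
  ]},
  findUser: { params: ["id"], body: [
    { op: "assign", dst: "query", srcs: ["id"] }, // models "SELECT ... WHERE id='" + id + "'"
    { op: "sink", kind: "sqli", args: ["query"] },
    { op: "return", args: ["query"] },
  ]},
  render: { params: ["s"], body: [
    { op: "assign", dst: "out", srcs: ["s"] },
    { op: "return", args: ["out"] },
  ]},
};

console.log(JSON.stringify(analyze(PROGRAM, "handleRequest"), null, 2));
```

Running it reports two findings: a `sqli` sink reached through the call chain handleRequest -> findUser, and an `xss` sink in handleRequest whose taint came back out of `render`; the second `findUser` call is silent because `sanitize` cleared the taint. A real engine adds control-flow sensitivity, field and collection tracking, and framework knowledge about which library calls are sources, sinks and sanitizers, but the path-based reporting is the same idea.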

What makes SonarQube’s taint analysis the best in the industry

Unmatched accuracy

Cross-file and cross-function analysis pinpoints complex injection flaws, which minimizes false positives and builds developer trust.

Breadth of scope

Framework-aware data flow analysis supports common libraries and frameworks, providing the depth and breadth needed to secure your code.

Real-time

Security issues are synchronized to your IDE, allowing you to investigate and fix vulnerabilities with clear, actionable, and practical guidance.

Dependency-aware

Sonar extends analysis to open source libraries, uncovering hidden vulnerabilities that arise from interactions between your code and its dependencies.

Taint analysis benefits

Uncover complex injection risks

Trace user-controlled data across the full execution flow, even across multiple files, to pinpoint and fix hard-to-find vulnerabilities like SQL injection and cross-site scripting (XSS).

Enhance security posture and compliance

Taint analysis strengthens an organization's overall security posture. It helps identify complex vulnerabilities before they reach production.

Reduces false positives

Our precise taint analysis only raises an issue when it finds a complete path from an external, untrusted source to a security-sensitive operation without sufficient sanitization along the way. This sophisticated tracing lowers the number of false positives.

Protection against the OWASP Top 10

Taint analysis is specifically designed to catch the most damaging categories of the OWASP Top 10, including SQL Injection, command injection, and path traversal, before they ever reach production.

Frequently asked questions

What is taint analysis and why is it critical for application security?

Taint analysis is an advanced static analysis technique that provides deep insight into your code's security posture by tracking data flow. It works by tracing untrusted user input (the taint) from where it enters your application (the source) all the way to where it is used in a critical operation (the sink). The core function of taint analysis is to identify injection vulnerabilities, which are a leading cause of security incidents.

Taint analysis is essential because it helps you uncover complex, deeply hidden security flaws that simple pattern matching often misses. Taint analysis helps organizations maintain a strong security posture and easily track adherence to industry standards and regulatory compliance requirements.

What types of critical vulnerabilities can SonarQube’s taint analysis detect?

Taint analysis is specifically designed to detect injection vulnerabilities, which are among the most critical security flaws an application can face. Injection is #5 in the OWASP Top 10:2025. SonarQube's taint analysis is capable of detecting many severe, exploitable security issues:

  • SQL injection: preventing attackers from executing malicious SQL code.
  • Cross-site scripting (XSS): identifying flaws that allow attackers to inject client-side scripts into web pages.
  • SSRF: flagging vulnerabilities where an attacker can induce the server-side application to make unintended HTTP requests.
  • Deserialization: catching issues where insecure deserialization could lead to remote code execution.
  • And many more.

This sophisticated analysis is performed cross-function and cross-file to reduce false positives, meaning you get actionable, highly precise and accurate results that help you focus on fixing the vulnerabilities that matter. Furthermore, with SonarQube Advanced SAST, this tracing capability extends deep into your third-party libraries, finding complex security flaws that originate from the interaction between your code and the external dependencies, which traditional static analysis often fails to uncover.

How does taint analysis differ from standard application security testing?

Taint analysis differs from standard static application security testing (SAST) primarily in its method of detecting flaws and in its ability to trace data flow through a complex application structure. Standard SAST generally looks for simple, local issues, relying heavily on pattern matching to find flaws such as insecure encryption or injection within a single file or function. Taint analysis instead uses a more sophisticated approach called data flow analysis, which follows each value from where it enters the program to where it is used.

What are the different languages supported by taint analysis?

SonarQube's taint analysis supports the following languages, including their most popular frameworks and libraries:

  • Java
  • JavaScript
  • TypeScript
  • C#
  • PHP
  • Python
  • Kotlin
  • Go
  • VB.NET

How does taint analysis work in a real-world scenario?

Let's look at a real-world example of taint analysis in action. In the blog post, we explain the technical details of how SonarQube Cloud uses taint analysis to identify the taint-flow vulnerability CVE-2024-35219, a critical arbitrary file read and deletion vulnerability in the OpenAPI Generator.
