Releases: SonarSource/SonarJS

SonarJS 5.2.1

14 Jun 09:40

Hi,

This version fixes a bug introduced in version 5.2: #1264 "LCOV parser cannot resolve absolute paths".

SonarJS 5.2

12 Jun 08:17

Hi,

This release adjusts Security Hotspot rules to better help developers review their code and find vulnerabilities. Security Hotspot rules were at first designed for security audits. We now believe that they provide even more value during normal code reviews, i.e. to developers. This, however, required some changes.

We updated three rules:

Rule S4784 "Using regular expressions is security-sensitive"
It will only raise issues on hard-coded regular expressions which have at least 3 characters and at least two instances of any of the following characters: *+{. This avoids raising issues on regular expressions which are too simple to be dangerous.
The rule no longer raises on dynamic regular expressions, i.e. regular expressions for which we have no information (e.g. passed as parameters). This was useful for a security auditor but not for a developer, as it would raise in too many places, making code review more complex than necessary. However, keep in mind that this is still a possible attack vector.
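
The threshold described above, as an added example that is not SonarJS's own implementation: a small JavaScript classifier applying the same rule (hard-coded pattern, at least three characters, at least two of the characters *, + and {) to a few constructed regex sources, plus a timing helper showing why a flagged nested-quantifier pattern deserves a look. The treatment of backslash-escaped characters and the note attached to dynamic patterns are my assumptions, not documented behaviour of the rule.

```javascript
// Added example (not SonarJS code): a simplified re-implementation of the
// S4784 reporting threshold described in the 5.2 release notes.
// Assumptions (mine, not from the release notes): a backslash-escaped
// character such as "\*" or "\+" does not count as a quantifier, and the
// 3-character minimum applies to the pattern source without delimiters.

const QUANTIFIER_CHARS = new Set(['*', '+', '{']);

// Count occurrences of '*', '+' and '{' that are not backslash-escaped.
function countQuantifierChars(source) {
  let count = 0;
  for (let i = 0; i < source.length; i++) {
    const ch = source[i];
    if (ch === '\\') { i++; continue; } // skip the escaped character
    if (QUANTIFIER_CHARS.has(ch)) count++;
  }
  return count;
}

// True when a hard-coded pattern meets the reporting threshold.
function isFlaggedBySonarJs52(source) {
  return source.length >= 3 && countQuantifierChars(source) >= 2;
}

// Review a list of regex usages. Each entry is { source, hardCoded }; a
// hardCoded=false entry stands for something like new RegExp(userInput),
// which the rule no longer reports but a reviewer should still inspect.
function reviewRegexUsages(usages) {
  return usages.map(({ source, hardCoded }) => {
    if (!hardCoded) {
      return { source, reported: false,
               note: 'dynamic pattern: not reported by the rule, still an attack vector' };
    }
    const reported = isFlaggedBySonarJs52(source);
    return { source, reported,
             note: reported ? 'review for catastrophic backtracking' : 'too simple to be dangerous' };
  });
}

// Constructed sample usages (not taken from any real code base).
const SAMPLE_USAGES = [
  { source: '^\\d+$', hardCoded: true },          // one '+'            -> not reported
  { source: '(a+)+$', hardCoded: true },          // nested quantifiers -> reported
  { source: '\\d{2,4}-\\d{2}', hardCoded: true }, // two '{'            -> reported
  { source: 'a\\*b\\+c', hardCoded: true },       // escaped, not quantifiers -> not reported
  { source: '<user input>', hardCoded: false },   // dynamic            -> not reported
];

// Why the flagged nested-quantifier pattern matters: on a non-matching input
// the engine tries every way of splitting the a's between the two '+', so the
// work grows exponentially with n. Keep n small here; raise it to feel it.
function backtrackingDemo(n) {
  const evil = /^(a+)+$/;
  const input = 'a'.repeat(n) + '!';
  const start = Date.now();
  const matched = evil.test(input);
  return { matched, millis: Date.now() - start };
}

// Stand-alone usage.
for (const r of reviewRegexUsages(SAMPLE_USAGES)) {
  console.log(`${r.reported ? 'REPORTED' : 'skipped '}  /${r.source}/  (${r.note})`);
}
console.log('backtracking demo:', backtrackingDemo(18));
```

The classifier reproduces the threshold, not the rule's parser: it works on the pattern source you hand it, so in a real review you still have to decide whether a pattern is hard-coded or built from input the rule can no longer see.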

Rule S2077 "Formatting SQL queries is security-sensitive"
It will only raise when it detects that an SQL query is created via concatenation. This is often a bad practice which can result in an SQL injection. Even when no injection is possible, it is better to use bound arguments as it makes code review easier.
As for rule S4784, the rule no longer raises on dynamic SQL queries, i.e. SQL queries for which we have no information (e.g. passed as parameters).
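
As an added illustration (example code, not from SonarJS or its rule documentation): the concatenation pattern S2077 reports, beside the bound-argument form it recommends, with a constructed malicious input to show where the injected text ends up in each case. No database is involved; the functions only build the query. The $1 placeholder syntax is an assumption (it is what node-postgres uses), and the quoting helper only imitates what a driver does so the difference is visible.

```javascript
// Added example (not SonarJS code). Two ways to build the same lookup; the
// first is what S2077 reports, the second is the recommended form.

// Reported by S2077: the statement is assembled by string concatenation, so
// a value such as "' OR '1'='1" becomes part of the SQL itself.
function findUserByConcatenation(username) {
  return "SELECT id, email FROM users WHERE name = '" + username + "'";
}

// Recommended form: the statement is a constant and the value travels
// separately as a bound argument. Placeholder syntax ($1) is an assumption
// (node-postgres style); other drivers use ? or :name.
function findUserParameterized(username) {
  return {
    text: 'SELECT id, email FROM users WHERE name = $1',
    values: [username],
  };
}

// Simulated driver-side binding, only to show what the database ends up
// evaluating. Real drivers send text and values separately on the wire;
// this quoting is an illustration, not something to use in production.
function renderBoundQuery({ text, values }) {
  return text.replace(/\$(\d+)/g, (_, idx) => {
    const v = String(values[Number(idx) - 1]);
    return "'" + v.replace(/'/g, "''") + "'";
  });
}

// Constructed malicious input.
const INJECTED = "admin' OR '1'='1";

// Returns both renderings so they can be compared side by side.
function demo() {
  const concatenated = findUserByConcatenation(INJECTED);
  const bound = renderBoundQuery(findUserParameterized(INJECTED));
  return { concatenated, bound };
}

// Stand-alone usage: the first query returns every user, the second looks
// for a user literally named "admin' OR '1'='1".
const out = demo();
console.log('concatenated:', out.concatenated);
console.log('bound       :', out.bound);
```

Reviewing the parameterized version is also easier for the reason the release notes give: the SQL text is a literal you can read in one place, and the only thing to check is what goes into the values array.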

Rule S2255 "Writing cookies is security-sensitive"
It will only raise when cookies are written, not when cookies are read. This makes the rule focused on sensitive information exposure alone, instead of covering both exposure and injection risks.

Three more rules have been removed because they provided value to security auditors only and would make code review more complex for developers:

  • S4797 Handling files is security-sensitive
  • S4825 Sending HTTP requests is security-sensitive
  • S4529 Exposing HTTP endpoints is security-sensitive

We hope you will enjoy this new version of SonarJS and welcome any feedback.

SonarJS 5.1

26 Feb 16:46

Hi,

This release focuses on Security Hotspot rules, which identify security-sensitive areas of code. They help Security Analysts determine whether a vulnerability is present in a piece of software by guiding them during code reviews.

This new set of Security Hotspot rules finds some of the most common security-sensitive code patterns, such as executing regular expressions or encrypting data.

Each rule explains the danger which might be lurking, lists questions which should be answered to find out if the code is vulnerable or not, and provides recommendations. They are enabled by default and should be reviewed in SonarQube's Security Reports space.

SonarJS 5.1 brings 15 new Security Hotspot rules:

  • Rule S5122: Enabling Cross-Origin Resource Sharing is security-sensitive
  • Rule S4825: Sending HTTP requests is security-sensitive
  • Rule S4784: Using regular expressions is security-sensitive
  • Rule S4817: Executing XPath expressions is security-sensitive
  • Rule S2077: Executing SQL queries is security-sensitive
  • Rule S4790: Hashing data is security-sensitive
  • Rule S4818: Using Sockets is security-sensitive
  • Rule S4529: Exposing HTTP endpoints is security-sensitive
  • Rule S4797: Handling files is security-sensitive
  • Rule S4787: Encrypting data is security-sensitive
  • Rule S2255: Using cookies is security-sensitive
  • Rule S4823: Using command line arguments is security-sensitive
  • Rule S4829: Reading the Standard Input is security-sensitive
  • Rule S4721: Executing OS commands is security-sensitive
  • Rule S2245: Using pseudorandom number generators (PRNGs) is security-sensitive

SonarJS 5.0

04 Oct 15:05

Hey,

This version brings 5 new rules:

  • Rule S1940: Boolean checks should not be inverted (#973)
  • Rule S2737: "catch" clauses should do more than rethrow (#951)
  • Rule S1479: "switch" statements should not have too many "case" clauses (#945)
  • Rule S1192: String literals should not be duplicated (#943)
  • Rule S2428: Object literal syntax should be used (#699)

Note that starting from this version SonarJS requires Node.js to be available during execution.

4.2.1

24 Jul 07:39

Hi,

We released a new version of SonarJS, 4.2 🎆

Highlights of this version

  • import issues from ESLint report (see documentation)
  • improve parsing of Vue files
  • fix several parsing issues

SonarJS 4.1

09 Feb 15:59

Hi,

A new release of SonarJS is here! This version brings 7 new rules and many bug fixes (the full list of fixed tickets is here).

See some highlights:

  • Support of short fragment syntax of JSX
  • Rules about unused and duplicated imports
  • Some bug detection rules:
    • "Collection elements should not be replaced unconditionally"
    • "Collection sizes and array length comparisons should make sense"
  • Many false positives fixed (e.g. #873, #895)

SonarJS 4.0

18 Dec 10:11

See 4.0-RC1 for details

SonarJS 4.0-RC

12 Dec 13:38
Pre-release

Hi,

We are opening the feedback period for SonarJS 4.0.

You can find the details of this release in this milestone: https://github.com/SonarSource/sonar-javascript/milestone/8?closed=1.

This version is updated to support the new SonarQube LTS version 6.7 (#837). SonarJS 4.0 is therefore no longer compatible with SonarQube versions older than 6.7. Moreover, the previously deprecated coverage import configuration properties are now removed (#839).

We also improved and tuned many rules (fixing false positives, false negatives, etc.) to get them to the level of accuracy required to belong to the default Sonar Way profile, which, as a result, is now much richer.

The feedback period will last until Monday (December 18). Do not hesitate to leave any feedback: just create an issue at https://github.com/SonarSource/SonarJS/issues/new

Many thanks to @NilSet for reporting and fixing #828!

To test, use the JAR attached to this pre-release.

Introducing SonarJS-CLI 📺

SonarJS 4.0 is also embedded in the beta of the command-line version of SonarJS, which we just published to npm.

This version of SonarJS can output its results directly to the console or as an object (when used as a library).

You can install it with npm install sonarjs (globally or as a development dependency, as you need).

Check the npm page for more information: https://www.npmjs.com/package/sonarjs
For any feedback, as usual, just create an issue at https://github.com/SonarSource/SonarJS/issues/new and label it sonarjs-cli.

SonarJS 3.3

22 Nov 10:00

New rules and node_modules exclusion

SonarJS 3.3-RC

03 Nov 17:05
Pre-release

Hi,

Starting today, you are more than welcome to provide feedback on SonarJS 3.3.

You can find all the fixed issues in this milestone: https://github.com/SonarSource/sonar-javascript/milestone/7?closed=1. There are 3 new rules in this version:

  • Collection and array contents should be used
  • Assignments should not be redundant
  • Conditionals should start on new lines

Note that #665 forces all files inside the node_modules directory to be ignored, so your analysis is cleaner without any additional configuration.

By the way, the documentation has been reworked, and we would like to hear your opinion on it.

The feedback period will last until next Wednesday (November 8). Do not hesitate to leave any feedback: just create an issue at https://github.com/SonarSource/SonarJS/issues/new

To test, use the JAR attached to this pre-release.

P.S. We have had a Twitter account for several days now; if you want to follow the development of this plugin, it's a nice way to do it.