feat(security): add ScanJs eslint plugin and rules

package.json

@@ -54,8 +54,10 @@
     "eslint-index": "1.4.0",
     "eslint-plugin-import": "2.9.0",
     "eslint-plugin-jsx-a11y": "6.0.3",
+    "eslint-plugin-no-unsafe-innerhtml": "1.0.16",
     "eslint-plugin-optimize-regex": "1.1.5",
     "eslint-plugin-react": "7.7.0",
+    "eslint-plugin-scanjs-rules": "0.2.1",
     "eslint-plugin-security": "1.4.0",
     "husky": "0.14.3",
     "lint-staged": "7.0.0",
@@ -71,8 +73,10 @@
     "eslint": "^4.18.1",
     "eslint-plugin-import": "^2.9.0",
     "eslint-plugin-jsx-a11y": "^6.0.3",
+    "eslint-plugin-no-unsafe-innerhtml": "^1.0.16",
     "eslint-plugin-optimize-regex": "^1.1.5",
     "eslint-plugin-react": "^7.7.0",
+    "eslint-plugin-scanjs-rules": "^0.2.1",
     "eslint-plugin-security": "^1.4.0"
   },
   "release": {

rules/security.js

@@ -1,5 +1,12 @@
-const plugins = ['security'];
+const env = {
+  browser: true,
+  es6: true,
+};
+
+const plugins = ['security', 'scanjs-rules', 'no-unsafe-innerhtml'];
+
 const rules = {
+  /* security rules */
   'security/detect-buffer-noassert': 'warn',
   'security/detect-child-process': 'warn',
   'security/detect-disable-mustache-escape': 'warn',
@@ -13,9 +20,50 @@ const rules = {
   'security/detect-possible-timing-attacks': 'warn',
   'security/detect-pseudoRandomBytes': 'warn',
   'security/detect-unsafe-regex': 'warn',
+
+  /* no-unsafe-innerhtml rule */
+  'no-unsafe-innerhtml/no-unsafe-innerhtml': 'error',
+
+  /* ScanJS rules */
+  'scanjs-rules/accidental_assignment': 'warn',
+  'scanjs-rules/assign_to_hostname': 'warn',
+  'scanjs-rules/assign_to_href': 'warn',
+  'scanjs-rules/assign_to_location': 'warn',
+  'scanjs-rules/assign_to_onmessage': 'warn',
+  'scanjs-rules/assign_to_pathname': 'warn',
+  'scanjs-rules/assign_to_protocol': 'warn',
+  'scanjs-rules/assign_to_search': 'warn',
+  'scanjs-rules/assign_to_src': 'warn',
+  'scanjs-rules/call_Function': 'warn',
+  'scanjs-rules/call_addEventListener': 'warn',
+  'scanjs-rules/call_addEventListener_deviceproximity': 'warn',
+  'scanjs-rules/call_addEventListener_message': 'warn',
+  'scanjs-rules/call_connect': 'warn',
+  'scanjs-rules/call_eval': 'warn',
+  'scanjs-rules/call_execScript': 'warn',
+  'scanjs-rules/call_hide': 'warn',
+  'scanjs-rules/call_open_remote=true': 'warn',
+  'scanjs-rules/call_parseFromString': 'warn',
+  'scanjs-rules/call_setImmediate': 'warn',
+  'scanjs-rules/call_setInterval': 'warn',
+  'scanjs-rules/call_setTimeout': 'warn',
+  'scanjs-rules/identifier_indexedDB': 'warn',
+  'scanjs-rules/identifier_localStorage': 'warn',
+  'scanjs-rules/identifier_sessionStorage': 'warn',
+  'scanjs-rules/new_Function': 'warn',
+  'scanjs-rules/property_addIdleObserver': 'warn',
+  'scanjs-rules/property_createContextualFragment': 'warn',
+  'scanjs-rules/property_crypto': 'warn',
+  'scanjs-rules/property_geolocation': 'warn',
+  'scanjs-rules/property_getUserMedia': 'warn',
+  'scanjs-rules/property_indexedDB': 'warn',
+  'scanjs-rules/property_localStorage': 'warn',
+  'scanjs-rules/property_mgmt': 'warn',
+  'scanjs-rules/property_sessionStorage': 'warn',
 };
 
 module.exports = {
+  env,
   plugins,
   rules,
 };