Additional Javascript and Typescript rules from Developer License are ignored by SonarQube

After upgrading SonarQube from the Community to the Developer license, I have noticed that more vulnerabilities were found on Java projects, but on Javascript and Typescript projects the number of vulnerabilities is the same.

I’ve reviewed the vulnerability rules in both the Community and Developer versions of SonarQube for Javascript and Typescript, and the Developer version has more rules, but for some reason they are ignored (I intentionally introduced a vulnerability that is against the tssecurity:S6105 rule and it wasn’t caught).

With sonar.verbose=true, I have noticed in the scanner log that those rules are “not read”.

INFO: Analyzing 14419 ucfgs to detect vulnerabilities.
DEBUG: Resource file jssecurity/sources/S2076.json was not read
DEBUG: Resource file jssecurity/sources/S2078.json was not read
DEBUG: Resource file jssecurity/sources/S2083.json was not read 
DEBUG: Resource file jssecurity/sources/S2091.json was not read 
DEBUG: Resource file jssecurity/sources/S2631.json was not read 
DEBUG: Resource file jssecurity/sources/S3649.json was not read 
DEBUG: Resource file jssecurity/sources/S5131.json was not read 
DEBUG: Resource file jssecurity/sources/S5135.json was not read 
DEBUG: Resource file jssecurity/sources/S5144.json was not read 
DEBUG: Resource file jssecurity/sources/S5145.json was not read 
DEBUG: Resource file jssecurity/sources/S5146.json was not read 
DEBUG: Resource file jssecurity/sources/S5147.json was not read 
DEBUG: Resource file jssecurity/sources/S5167.json was not read  
DEBUG: Resource file jssecurity/sources/S5334.json was not read  
DEBUG: Resource file jssecurity/sources/S5335.json was not read  
DEBUG: Resource file jssecurity/sources/S5696.json was not read  
DEBUG: Resource file jssecurity/sources/S5883.json was not read  
DEBUG: Resource file jssecurity/sources/S6096.json was not read  
DEBUG: Resource file jssecurity/sources/S6105.json was not read  
DEBUG: Resource file jssecurity/sources/S6287.json was not read  
DEBUG: Resource file jssecurity/sources/S6350.json was not read

Does anyone know why those rules are ignored?

I am using:
SonarQube server 9.2.4
SonarScanner 4.6.0.2311

Hey there.

The log messages don’t mean the rules are ignored – these are internal DEBUG messages that are actually expected.

If you believe you’re facing a false-positive or false-negative, I would suggest reporting it.