The rule I’m looking to create should look for the “tabnabbing” security vulnerability which is a form of a Phishing attack. We want it to look for the constructs of an anchor tag and then checking if the attribute “rel” exists with the value of “noopener” in the html.
I have good news and bad news.
Let’s start with the good ones: the rule you are describing already exists, it’s S5148. If you see a False Positive you can report it here, as for False Negatives you can report them here.
Now the bad news: It is currently not possible to add custom rules for HTML. You can see the list of languages enabling custom rules here.
We welcome all suggestion of new rules. You can send them here.
Thanks for the quick reply Nick! That’s great that it’s covered already. Do you know when that was introduced? We’re on 7.7 and I don’t see that rule available to us……… Thanks.
It is available since Sonar-HTML 3.2 (August 2019), which requires at least SonarQube 7.9+.
Perfect, that’s everything I needed. Thanks for your help!