Himanshu
(Himanshu Sharma)
October 16, 2019, 5:04am
1
Must-share information (formatted with Markdown):
which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
Using version 7.9
what are you trying to achieve
If any credentials (username and password) or URIs are hardcoded in JavaScript code, then it should show as a vulnerability.
what have you tried so far to achieve this
I tried to find it in the rules section; this rule is available for Java, C#, etc., but not for JavaScript.
Please suggest if there is any alternative way.
Thanks
Lena
(Elena Vilchik)
October 17, 2019, 7:45am
2
Hi,
Indeed, there is no hard-coded credentials rule for JS yet. But it should be available in the next release (see ticket https://github.com/SonarSource/SonarJS/issues/1498).
For hard-coded URIs we also don't have a rule and don't have plans to implement one (see the comment at the bottom of https://jira.sonarsource.com/browse/RSPEC-1075).
Himanshu
(Himanshu Sharma)
October 17, 2019, 9:33am
3
Thanks, Elena, for the reply.
In version 7.1, can we create a custom rule for hardcoded credentials or URIs in JavaScript?
Thanks
Lena
(Elena Vilchik)
October 17, 2019, 10:14am
4
Are you talking about SQ version 7.1?
Custom rules for JS are deprecated and will be dropped soon. Instead, you can create a custom ESLint rule and import its results with an external issue report.
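An added example (not part of the original posts and not SonarSource code) of the custom ESLint rule suggested above: it reports non-empty string literals assigned to credential-looking names. The rule object name, the name pattern, the `runRule` harness and the sample nodes are assumptions constructed for illustration.

```javascript
// Added example, not SonarSource code. Rule name and name pattern are assumptions;
// the pattern is a heuristic and will need tuning for a real code base.
const CREDENTIAL_NAME = /(pass(word|wd)?|pwd|secret|token|api[_-]?key)/i;
const noHardcodedCredentials = {
  meta: { type: "problem", messages: { hardcoded: "'{{name}}' is a hard-coded credential." } },
  create(context) {
    // Resolve the name of an Identifier, a string-literal key, or an obj.prop target.
    const nameOf = (n) => {
      if (!n) return null;
      if (n.type === "Identifier") return n.name;
      if (n.type === "Literal") return String(n.value);
      if (n.type === "MemberExpression" && !n.computed) return nameOf(n.property);
      return null;
    };
    // Only non-empty string literals count; env lookups and calls are not flagged.
    const isStringLiteral = (n) =>
      !!n && n.type === "Literal" && typeof n.value === "string" && n.value !== "";
    const check = (target, value, node) => {
      const name = nameOf(target);
      if (name && CREDENTIAL_NAME.test(name) && isStringLiteral(value)) {
        context.report({ node, messageId: "hardcoded", data: { name } });
      }
    };
    return {
      VariableDeclarator: (node) => check(node.id, node.init, node),
      AssignmentExpression: (node) => check(node.left, node.right, node),
      Property: (node) => check(node.key, node.value, node),
    };
  },
};
// Offline harness: drives the rule with constructed ESTree nodes, no ESLint needed.
function runRule(nodes) {
  const reports = [];
  const visitors = noHardcodedCredentials.create({ report: (r) => reports.push(r) });
  for (const node of nodes) if (visitors[node.type]) visitors[node.type](node);
  return reports.map((r) => r.data.name);
}
// Constructed sample input, shaped like the nodes a JavaScript parser emits.
const ident = (name) => ({ type: "Identifier", name });
const lit = (value) => ({ type: "Literal", value });
const member = (obj, prop) =>
  ({ type: "MemberExpression", computed: false, object: ident(obj), property: ident(prop) });
const sampleNodes = [
  { type: "VariableDeclarator", id: ident("dbPassword"), init: lit("constructed-value") },
  { type: "VariableDeclarator", id: ident("password"), init: member("env", "DB_PASS") },
  { type: "Property", key: ident("apiKey"), value: lit("constructed-key") },
  { type: "AssignmentExpression", left: member("cfg", "token"), right: lit("") },
  { type: "VariableDeclarator", id: ident("userName"), init: lit("alice") },
];
```

In a real plugin the rule object is exported from the plugin's `rules` map, and ESLint's JSON report can then be imported into SonarQube through the `sonar.eslint.reportPaths` analysis property.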
Lena
(Elena Vilchik)
October 17, 2019, 11:58am
6
Using SQ 7.1 is not a great idea, as the LTS (long-term support) version 7.9 has been released, while 7.1 will not be supported anymore. So I recommend using 7.9 or 8.0 (latest release).