Is there any predefined Rule available in javascript to not hard-code credentials and URIs

Himanshu · October 16, 2019, 5:04am

Must-share information (formatted with Markdown):

which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
Using version 7.9
what are you trying to achieve
If any Credentials(Username&Password) Or URIs are hardcoded in javascript code,then it should show as Vulnerability.
what have you tried so far to achieve this
I tried to find in the rule section,this rule is available for java,c# and etc ,but not for javscript.

Please Suggest if there is any alternative way

Thanks

Lena · October 17, 2019, 7:45am

Hi,

Indeed there is no hard-code credentials rule for JS yet. But it should be available in next release (see ticket https://github.com/SonarSource/SonarJS/issues/1498).
For hard-code URI we also don’t have a rule and don’t have plans to implement one (see comment at the bottom https://jira.sonarsource.com/browse/RSPEC-1075)

Himanshu · October 17, 2019, 9:33am

Thanks Elena for Reply ,
In Version 7.1 can We Create Custom Rule for Hardcoded Credentials Or URIs in Javascript.

Thanks

Lena · October 17, 2019, 10:14am

Are you talking about SQ version 7.1?

Custom rules for JS are deprecated and will be dropped soon. Instead you can create custom ESLint rule and import its results with external issue report.

Himanshu · October 17, 2019, 11:35am

Yes SQ 7.1

Lena · October 17, 2019, 11:58am

Using SQ 7.1 is not a great idea, as there is LTS (long term support) 7.9 version is released while 7.1 will not be supported anymore. So I recommend to use 7.9 or 8.0 (latest release).