Hello JavaScript developers,
We have not talked about new JavaScript rules for a while, so it’s time to fix that. Today we are proud to announce that 8 new rules detecting Express security misconfigurations and XXE vulnerabilities have been released. This is the result of a first iteration, and more rules are in the pipeline to help you write secure JavaScript code.
Here is the full list of the new rules:
- S2755: XML parsers should not be vulnerable to XXE attacks
- S2598: File uploads should be restricted
- S4502: Disabling CSRF protections is security-sensitive
- S5689: Recovering fingerprints from web application technologies should not be possible
- S5122: Having a permissive Cross-Origin Resource Sharing policy is security-sensitive
- S4507: Delivering code in production with debug features activated is security-sensitive
- S5691: Statically serving hidden files is security-sensitive
- S5693: Allowing requests with excessive content length is security-sensitive
These rules are already available on SonarCloud, and will be included in SonarQube 8.5.
Node.js 8 environment is deprecated
As already mentioned by @Martin_Bednorz, it will soon be required to use Node.js 10+ to scan your JavaScript or TypeScript code.
Alex