Hello JavaScript and TypeScript developers,
The JS and TS analyzers were upgraded to be able to detect cryptography-related security issues.
While it sounds obvious nowadays that communications should be encrypted to protect users’s privacy, it’s not that easy to implement without mistakes due to the complexity of this area.
Here is the full list of the new security rules:
- S4426: Cryptographic keys should be robust (Blocker)
- S5547: Cipher algorithms should be robust (Blocker)
- S5542: Encryption algorithms should be used with secure mode and padding scheme (Blocker)
- S5659: JWT should be signed and verified with strong cipher algorithm (Critical)
- S4830: Server certificates should be verified during SSL⁄TLS connections (Critical)
- S5527: Server hostnames should be verified during SSL⁄TLS connections (Critical)
- S4423: Weak SSL and TLS protocols should not be used (Major)
- S3330: Creating cookies without the “HttpOnly” flag is security-sensitive
- S2092: Creating cookies without the “secure” flag is security-sensitive
The following is one example of an issue raised by S5659 because the verification of the validity of the JWT is done with the “none” (= default value) algorithm:
These 9 rules are available now for both JavaScript and TypeScript on SonarCloud, and will be included in SonarQube 8.6.
Alex