gab
(Gabriel Vivas)
July 27, 2022, 4:40pm
Hi SonarCloud users,
The “Sonar Way (recommended)” profile, which has been available for JavaScript and TypeScript, is now being upgraded to converge with the “Sonar Way” profile.
The reasoning behind the two profiles was to have a more conservative profile alongside the ever-green “Sonar Way”. However, this has resulted in the “recommended” profile being stuck without updates for over a year; it was also named confusingly, which we regret.
Overall, this means that for projects using or extending the “Sonar Way (recommended)” profile, you’ll now have 45 new rules. As part of the move, 27 old rules have been removed from the profile, and 4 other rules now have a different priority.
From now on, you will see a single “Sonar Way” profile, containing our selection of rules. The findings from the newly added rules will be backdated and the findings from rules that were removed will be closed. If you were already using the “Sonar Way” profile, you’ll see no changes.
We have started rolling out these changes, and they will be available on SonarCloud.io starting tomorrow, 28 July 2022.
See below for a complete list of rules that have been added and removed from the profile.
Please share any doubts or concerns that you might have.
Kind regards,
Gabriel
gab
(Gabriel Vivas)
July 27, 2022, 5:32pm
45 rules added to the profile:
S6299 : Disabling Vue.js built-in escaping is security-sensitive
S6035 : Single-character alternations in regular expressions should be replaced with character classes
S6079 : Tests should not execute any code after “done()” is called
S5860 : Names of regular expressions named groups should be used
S6397 : Character classes in regular expressions should not contain only one character
S6353 : Regular expression quantifiers and character classes should be used concisely
S6331 : Regular expressions should not contain empty groups
S4036 : Searching OS commands in PATH is security-sensitive
S6435 : React “render” function should return a value
S5842 : Repeated patterns in regular expressions should not match the empty string
S2970 : Assertions should be complete
S5863 : Assertions should not be given twice the same argument
S5148 : Authorizing an opened window to access back to the originating window is security-sensitive
S6439 : React components should not render non-boolean condition values
S5843 : Regular expressions should not be too complicated
S5868 : Unicode Grapheme Clusters should be avoided inside regex character classes
S6019 : Reluctant quantifiers in regular expressions should be followed by an expression that can’t match the empty string
S2699 : Tests should include assertions
S6438 : Comments inside JSX expressions should be enclosed in curly braces
S3504 : Variables should be declared with “let” or “const”
S5869 : Character classes in regular expressions should not contain the same character twice
S6350 : Constructing arguments of system commands from user input is security-sensitive
S6080 : Mocha timeout should be disabled by setting it to “0”
S1172 : Unused function parameters should be removed
S6442 : React’s useState hook should only be used in the render function or body of a component
S6443 : React state setter function should not be called with its matching state variable
S6440 : React Hooks should be properly called
S6441 : Unused methods of React components should be removed
S6325 : Regular expression literals should be used when possible
S5850 : Alternatives in regular expressions should be grouped when used with anchors
S6326 : Regular expressions should not contain multiple spaces
S6268 : Disabling Angular built-in sanitization is security-sensitive
S6323 : Alternation in regular expressions should not contain empty alternatives
S5852 : Using slow regular expressions is security-sensitive
S6324 : Regular expressions should not contain control characters
S4125 : “typeof” expressions should only be compared to valid values
S6426 : Exclusive tests should not be committed to version control
S1874 : Deprecated APIs should not be used
S5856 : Regular expressions should be syntactically valid
S3415 : Assertion arguments should be passed in the correct order
S6328 : Replacement strings should reference existing regular expression groups
S5958 : Tests should check which exception is thrown
S6287 : HTTP responses should not be vulnerable to session fixation
S6092 : Chai assertions should have only one reason to succeed
S6351 : Regular expressions with the global flag should be used with caution
27 rules removed from the profile:
S3760 : Arithmetic operators should only have numbers as operands
S1440 : “===” and “!==” should be used instead of “==” and “!=”
S2376 : Property getters and setters should come in pairs
S3003 : Comparison operators should not be used with strings
S3786 : Template literal placeholder syntax should not be used in regular strings
S4139 : “for in” should not be used with iterables
S117 : Variable, property and parameter names should comply with a naming convention
S138 : Functions should not have too many lines of code
S1821 : “switch” statements should not be nested
S3801 : Functions should use “return” consistently
S113 : Files should contain an empty newline at the end
S1526 : Variables declared with “var” should be declared before they are used
S1528 : Array constructors should not be used
S1131 : Lines should not end with trailing whitespaces
S1192 : String literals should not be duplicated
S3353 : Unchanged variables should be marked “const”
S104 : Files should not have too many lines of code
S3512 : Template strings should be used instead of concatenation
S103 : Lines should not be too long
S2424 : Built-in objects should not be overridden
S122 : Statements should be on separate lines
S3757 : Arithmetic operations should not result in “NaN”
S881 : Increment (++) and decrement (--) operators should not be used in a method call or mixed with other operators in an expression
S881 : Control structures should use curly braces
S3758 : Values not convertible to numbers should not be used in numeric comparisons
S2428 : Object literal syntax should be used
3 rules now have lower priority:
S2077 : Formatting SQL queries is security-sensitive
S5542 : Encryption algorithms should be used with secure mode and padding scheme
S4426 : Cryptographic keys should be robust
1 rule now has higher priority:
S4423 : Weak SSL/TLS protocols should not be used