JavaScript and TypeScript "Sonar Way (recommended)" profile upgraded

Hi SonarCloud users,

The “Sonar Way (recommended)” profile which has been available for JavaScript and TypeScript is now being upgraded to converge with the “Sonar Way” profile.

The reasoning behind the two profiles was to have a more conservative profile alongside the ever-green “Sonar Way”. However, this has resulted in the “recommended” profile being stuck without updates for over a year; it was also named confusingly, which we regret.

Overall, this means that for projects using or extending the “Sonar Way (recommended)” profile, you’ll now have 45 new rules. As part of the move, 27 old rules have been removed from the profile, and 4 other rules now have a different priority.

From now on, you will see a single “Sonar Way” profile, containing our selection of rules. The findings from the newly added rules will be backdated and the findings from rules that were removed will be closed. If you were already using the “Sonar Way” profile, you’ll see no changes.

We started rolling out these changes, and they will be available on SonarCloud.io starting tomorrow, 28 July 2022.

See below for a complete list of rules that have been added and removed from the profile.
Please share any doubts or concerns that you might have.

Kind regards,
Gabriel


45 rules added to the profile:

  • S6299: Disabling Vue.js built-in escaping is security-sensitive
  • S6035: Single-character alternations in regular expressions should be replaced with character classes
  • S6079: Tests should not execute any code after “done()” is called
  • S5860: Names of regular expressions named groups should be used
  • S6397: Character classes in regular expressions should not contain only one character
  • S6353: Regular expression quantifiers and character classes should be used concisely
  • S6331: Regular expressions should not contain empty groups
  • S4036: Searching OS commands in PATH is security-sensitive
  • S6435: React “render” function should return a value
  • S5842: Repeated patterns in regular expressions should not match the empty string
  • S2970: Assertions should be complete
  • S5863: Assertions should not be given twice the same argument
  • S5148: Authorizing an opened window to access back to the originating window is security-sensitive
  • S6439: React components should not render non-boolean condition values
  • S5843: Regular expressions should not be too complicated
  • S5868: Unicode Grapheme Clusters should be avoided inside regex character classes
  • S6019: Reluctant quantifiers in regular expressions should be followed by an expression that can’t match the empty string
  • S2699: Tests should include assertions
  • S6438: Comments inside JSX expressions should be enclosed in curly braces
  • S3504: Variables should be declared with “let” or “const”
  • S5869: Character classes in regular expressions should not contain the same character twice
  • S6350: Constructing arguments of system commands from user input is security-sensitive
  • S6080: Mocha timeout should be disabled by setting it to “0”
  • S1172: Unused function parameters should be removed
  • S6442: React’s useState hook should only be used in the render function or body of a component
  • S6443: React state setter function should not be called with its matching state variable
  • S6440: React Hooks should be properly called
  • S6441: Unused methods of React components should be removed
  • S6325: Regular expression literals should be used when possible
  • S5850: Alternatives in regular expressions should be grouped when used with anchors
  • S6326: Regular expressions should not contain multiple spaces
  • S6268: Disabling Angular built-in sanitization is security-sensitive
  • S6323: Alternation in regular expressions should not contain empty alternatives
  • S5852: Using slow regular expressions is security-sensitive
  • S6324: Regular expressions should not contain control characters
  • S4125: “typeof” expressions should only be compared to valid values
  • S6426: Exclusive tests should not be committed to version control
  • S1874: Deprecated APIs should not be used
  • S5856: Regular expressions should be syntactically valid
  • S3415: Assertion arguments should be passed in the correct order
  • S6328: Replacement strings should reference existing regular expression groups
  • S5958: Tests should check which exception is thrown
  • S6287: HTTP responses should not be vulnerable to session fixation
  • S6092: Chai assertions should have only one reason to succeed
  • S6351: Regular expressions with the global flag should be used with caution

27 rules removed from the profile:

  • S3760: Arithmetic operators should only have numbers as operands
  • S1440: “===” and “!==” should be used instead of “==” and “!=”
  • S2376: Property getters and setters should come in pairs
  • S3003: Comparison operators should not be used with strings
  • S3786: Template literal placeholder syntax should not be used in regular strings
  • S4139: “for in” should not be used with iterables
  • S117: Variable, property and parameter names should comply with a naming convention
  • S138: Functions should not have too many lines of code
  • S1821: “switch” statements should not be nested
  • S3801: Functions should use “return” consistently
  • S113: Files should contain an empty newline at the end
  • S1526: Variables declared with “var” should be declared before they are used
  • S1528: Array constructors should not be used
  • S1131: Lines should not end with trailing whitespaces
  • S1192: String literals should not be duplicated
  • S3353: Unchanged variables should be marked “const”
  • S104: Files should not have too many lines of code
  • S3512: Template strings should be used instead of concatenation
  • S103: Lines should not be too long
  • S2424: Built-in objects should not be overridden
  • S122: Statements should be on separate lines
  • S3757: Arithmetic operations should not result in “NaN”
  • S881: Increment (++) and decrement (--) operators should not be used in a method call or mixed with other operators in an expression
  • S881: Control structures should use curly braces
  • S3758: Values not convertible to numbers should not be used in numeric comparisons
  • S2428: Object literal syntax should be used

3 rules now have lower priority:

  • S2077: Formatting SQL queries is security-sensitive
  • S5542: Encryption algorithms should be used with secure mode and padding scheme
  • S4426: Cryptographic keys should be robust

1 rule now has higher priority:

  • S4423: Weak SSL/TLS protocols should not be used