JavaScript scanning rules

I am running a scan of front-end code, all JavaScript, using SonarScanner.
The version of the SonarQube server being used is 7.7.0.23042.
It is concerning that on the SonarQube portal I am seeing only 7 vulnerability rules for JavaScript:
“alert(…)” (javascript:S1442) – JavaScript, Vulnerability; tags: cwe, owasp-a3, user-experience

Console logging should not be used (javascript:S2228) – JavaScript, Vulnerability; tags: owasp-a3, user-experience

Cross-document messaging domains should be carefully restricted – JavaScript, Vulnerability; tags: html5, owasp-a7

Debugger statements should not be used – JavaScript, Vulnerability; tags: cwe, owasp-a3, user-experience

Local storage should not be used – JavaScript, Vulnerability; tags: owasp-a3

Untrusted content should not be included – JavaScript, Vulnerability; tags: cwe, owasp-a1, sans-top25-risky

Web SQL databases should not be used – JavaScript, Vulnerability; tags: html5, owasp-a3, owasp-a9

Is this correct, that there are only 7 SonarQube rules for identifying JS vulnerabilities?
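As an added illustration (this is not code from the post above and not SonarSource's rule implementation), the following shows the pattern behind the "Cross-document messaging domains should be carefully restricted" rule in the list: a `message` listener that acts on whatever arrives, and a `postMessage` call with `'*'` as the target origin, next to the restricted form that checks `event.origin` and names the target origin. The allowlist `TRUSTED_ORIGINS`, the helper names, and the fake window/event objects are assumptions constructed here so the example runs under Node without a browser.

```javascript
// Added example, not from the thread: the unsafe and the restricted form of
// cross-document messaging. Assumed allowlist of origins we trust to talk to us.
const TRUSTED_ORIGINS = new Set(['https://app.example.com', 'https://admin.example.com']);

// --- What the rule flags ---------------------------------------------------
// A listener that consumes any message: any document that holds a reference to
// this window (opener, parent, iframe) can inject data.
function unsafeHandler(event, sink) {
  sink.push(event.data);
  return true;
}
// '*' delivers the payload to whatever document happens to be loaded in target.
function unsafeSend(targetWindow, payload) {
  targetWindow.postMessage(payload, '*');
}

// --- Restricted form ---------------------------------------------------------
// Check the origin before touching event.data; sandboxed or opaque origins
// arrive as the string "null" and are rejected here as well.
function safeHandler(event, sink) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return false;
  sink.push(event.data);
  return true;
}
// Name the target origin explicitly so a navigated/replaced window never sees the payload.
function safeSend(targetWindow, payload, targetOrigin) {
  if (!TRUSTED_ORIGINS.has(targetOrigin)) {
    throw new Error('refusing to post to ' + targetOrigin);
  }
  targetWindow.postMessage(payload, targetOrigin);
}

// --- Constructed stand-ins for browser objects (assumptions, not real DOM) ----
function makeEvent(origin, data) {
  return { origin, data };
}
function makeWindow() {
  const sent = [];
  return { sent, postMessage(data, origin) { sent.push({ data, origin }); } };
}

// Run both handlers over the same constructed messages and report what got through.
function demo() {
  const messages = [
    makeEvent('https://app.example.com', { type: 'token', value: 'ok' }),
    makeEvent('https://evil.example.net', { type: 'token', value: 'forged' }),
    makeEvent('null', { type: 'token', value: 'from-sandboxed-iframe' }),
  ];
  const unsafe = [];
  const safe = [];
  for (const m of messages) {
    unsafeHandler(m, unsafe);
    safeHandler(m, safe);
  }
  const w = makeWindow();
  unsafeSend(w, 'secret');
  safeSend(w, 'secret', 'https://app.example.com');
  return {
    unsafeAccepted: unsafe.length,              // 3: everything, including the forged message
    safeAccepted: safe.length,                  // 1: only the allowlisted origin
    targets: w.sent.map((s) => s.origin),       // ['*', 'https://app.example.com']
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The same origin check is what a reviewer looks for by hand when a scanner only reports the `postMessage('*')` call: the receiving side is where a forged message actually does damage.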

Actually, in the latest versions of SonarQube, only 5! :smiley:

More seriously, in the back half of this year (before the v8.x LTS) there is a focus on JavaScript/TypeScript and Security rules. Until now, we’ve been focused on Java, C#, PHP, and Python.

MMF-1895, MMF-2093 and MMF-2094 might give you a good idea about what’s coming.

So…watch this space. :wink:

Great! When are these changes planned for?

No specific timeline to share other than that the goal would be before the next SonarQube LTS (early 2021) as mentioned in the SonarQube Roadmap! Pieces may start to show up in 8.x releases before then, and on SonarCloud.
