JavaScript/TypeScript SAST finds more Node.js, Express.js server-side vulnerabilities

Hello JavaScript and TypeScript developers,

We are happy to announce a major improvement on the precision of our SAST engine :muscle:, detecting more server-side vulnerabilities in applications based on Node.Js and Express.js frameworks.

Here is the list of injection vulnerabilities to be found with this update:

  • S2076: OS commands should not be vulnerable to command injection attacks
  • S5334: Dynamic code execution should not be vulnerable to injection attacks
  • S5146: HTTP request redirections should not be open to forging attacks
  • S5144: Server-side requests should not be vulnerable to forging attacks

This adds up to the list of existing vulnerabilities that SonarCloud was already able to find.

In addition, our SAST engine for JS/TS now understands arrays, promises, ES6 classes and async/await syntaxes. This results in a far richer and more precise analysis of your code.

:warning: Performance

With all these improvements, the analysis might take a little longer to complete.
May you experience an unexpected problem of performance, please reach-out to us so we can investigate.
As an example, the Kibana source code was scanned in 8 minutes before while now it takes 10 minutes.

We hope you will enjoy the level of Code Security this update will bring to your code. Please share feedback as always.

The SonarCloud Team


Hi Alex!

Do you know when it will be available for SonarQube on-premise commercial editions? We have been impacted by the slowest performance on one of our customers, the same way as described in this thread:

Do you know if a patch (8.8.1) will be released soon with the improved js security sensor?

Thanks and best regards.


This will come with SonarQube 8.9 LTS which is planned to be released beginning of May.
For the time being there is no plan to do a 8.8.1 given that SQ 8.9 will come in 2 weeks.


1 Like