Security code reviews now available in TypeScript and 4 new Code Smell rules for JavaScript

Hello JavaScript and TypeScript developers,

Frontend developers switch more and more between JavaScript and TypeScript, so we wanted to provide a better and more familiar experience for both worlds.

We are pleased to announce that TypeScript now benefits from all 12 Security Hotspot rules which already existed for JavaScript, and JavaScript has 4 new Code Smell rules which were available for TypeScript.

New Security Hotspot rules for TypeScript:

  • S2255: Writing cookies is security-sensitive.
  • S5122: Enabling Cross-Origin Resource Sharing is security-sensitive.
  • S4787: Encrypting data is security-sensitive.
  • S4790: Hashing data is security-sensitive.
  • S4721: Executing OS commands is security-sensitive.
  • S4823: Using command line arguments is security-sensitive.
  • S2245: Using pseudorandom number generators (PRNGs) is security-sensitive.
  • S4784: Using regular expressions is security-sensitive.
  • S4818: Using Sockets is security-sensitive.
  • S2077: Formatting SQL queries is security-sensitive.
  • S4829: Reading the Standard Input is security-sensitive.
  • S4817: Executing XPath expressions is security-sensitive.

New rules for JavaScript:

  • S4326: “await” should not be used redundantly (Code Smell)
  • S109: Magic numbers should not be used (Code Smell)
  • S4140: Sparse arrays should not be declared (Code Smell)
  • S3696: Non-exception types should not be thrown (Code Smell)

In addition to these new rules, we have also improved some TypeScript and JavaScript rules. Thus you can expect some changes in your quality gate results.

You might also notice an error saying “Unsupported TypeScript version” during the next analysis. We had to change the minimum TypeScript version to 3.2.1. This does not mean that you have to change the TypeScript version of your project. You just need to install TypeScript >= 3.2.1 for code analysis.

These changes are only available in SonarCloud for now but SonarQube users will soon benefit from them too.

All feedback is welcome.

Cheers,

Nicolas