SonarLint to check JS on VSCode not reporting vulnerabilities

khopdee · April 22, 2021, 11:02am

Must-share information (formatted with Markdown):

SonarLint for VSCode 1.21.0
checking JS source for security issues
I have the following code with hardcoded password. SonarLint does not report this!
var mysql = require(‘mysql’);

var connection = mysql.createConnection(
{
host:‘localhost’,
user: “admin”,
database: “project”,
password: “mypassword”, // sensitive
multipleStatements: true
});

connection.connect();

Any suggestions?
Thanks

Jeff_Zapotoczny · April 22, 2021, 4:40pm

Hi @khopdee, welcome to the SonarSource Community!

This situation is covered by one of our Security Hotspot rules for Javascript and Security Hotspots are not currently raised directly by SonarLint in standalone mode. If you also have a SonarQube instance and analyze the project containing this code, the hotspot would be raised there and the “Open in IDE” feature available since the last few SonarQube releases would allow you to review it within VS Code.

system · May 5, 2021, 8:24am

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
SonarLint for VSCode 1.20.1 released - Review Security Hotspots in the IDE Releases vscode , sonarqube-ide	0	2014	February 5, 2021
Security issues are not found VS Code php , vscode , security	7	5370	August 30, 2019
SonarLint for VSCode 3.14 - Security Hotspots in the IDE Releases vscode , cfamily , security , security-hotspot , sonarqube-ide	0	1726	January 31, 2023
Problem getting scan results from SonarQube server into VSCode / SonarLint VS Code	13	1575	September 29, 2023
SonarLint for VSCode 3.12 - Enhanced investigation of taint vulnerabilities Releases vscode , sonarqube-ide	0	809	November 14, 2022

SonarLint to check JS on VSCode not reporting vulnerabilities

Related topics