SonarQube rule [S2392] - not properly working

I noticed a possible problem related to the S2392 SonarQube default rule.

SonarQube server version: Enterprise Edition Version 9.9.2 (build 77730)

I tried to scan the following piece of JavaScript code:

if (true) {
    if (true) {
        const groupedProductsObj = {
            test: 'test'
        };

        log(groupedProductsObj)
    }
}

if (true) {
    setData(groupedProductsObj.test)
}

Expected result: SonarQube rule [S2392] triggered for groupedProductsObj variable.
Current result: No issue raised.

I noticed that this rule is triggered if groupedProductsObj is declared as var only.

For const or let the rule is not triggered.

Could you please explain why?

Thanks

Hey there!

When you opened a new thread, you were asked for version details.

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)

That’s not there just because we needed to put something there :) It’s really important you provide those details.

Updated as requested.

Thanks! With that info, I’ve flagged this for expert eyes.

Hello Octavian,

The rule raises an issue for var because it is function scoped while const and let are block-scoped (let, const).

If you try to run your example with const or let, you will see that groupedProductsObj is undefined in the last if block:

if (true) {
    setData(groupedProductsObj.test)
}

Thanks Ilia for your explanation.
You are right.
We have a lot of scripts with this type of variable declaration (let or const declared in one block and then referenced in other blocks), and our goal is to identify them automatically.
Is there any SonarQube rule that can catch this type of error?

I noticed a rule which could be related to the “undefined” error:
Properties of variables with “null” or “undefined” values should not be accessed
Why is this error not fired on the example script provided?

Hi Octavian,

The rule does not raise an issue because we implement it using static analysis, which is not suited to detecting such patterns.
We are working on more dynamic solutions to detect such issues and will release them in the near future.

Thanks Ilia for your response and time.
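
As an added example (not from the thread and not SonarQube's implementation), here is a simplified token-level check for the pattern discussed above: a let/const name referenced outside the block that declares it. The function name findOutOfScopeRefs and the sample input are constructed, and the check assumes the scanned code has no nested functions, destructuring, ternaries, comments or template literals.

```javascript
// Added illustration: a simplified token-level scope check, not SonarQube's analyzer.
// Assumptions: no nested functions, destructuring, ternaries, comments or template literals.
function findOutOfScopeRefs(source) {
  const findings = [];
  const declared = new Set();   // every name declared so far with var/let/const
  const scopes = [new Set()];   // scopes[0] stands in for the function/script scope
  source.split('\n').forEach((text, i) => {
    // Blank out string literals so their contents are not read as identifiers.
    const code = text.replace(/'[^']*'|"[^"]*"/g, '""');
    const tokens = code.match(/[A-Za-z_$][\w$]*|[{}.:]/g) || [];
    tokens.forEach((tok, k) => {
      const prev = tokens[k - 1];
      const next = tokens[k + 1];
      if (tok === '{') { scopes.push(new Set()); return; }
      if (tok === '}') { if (scopes.length > 1) scopes.pop(); return; }
      if (!/^[A-Za-z_$]/.test(tok)) return;
      // var is function-scoped: record it in the outermost scope.
      if (prev === 'var') { scopes[0].add(tok); declared.add(tok); return; }
      // let/const are block-scoped: record them in the innermost open block.
      if (prev === 'let' || prev === 'const') {
        scopes[scopes.length - 1].add(tok); declared.add(tok); return;
      }
      // Skip property accesses (obj.name) and object-literal keys (name: value).
      if (prev === '.' || next === ':') return;
      const visible = scopes.some((s) => s.has(tok));
      if (declared.has(tok) && !visible) findings.push({ name: tok, line: i + 1 });
    });
  });
  return findings;
}

// Constructed sample: the snippet from the question, with the declaration keyword swapped in.
const sample = (kw) => [
  'if (true) {',
  '    if (true) {',
  `        ${kw} groupedProductsObj = {`,
  "            test: 'test'",
  '        };',
  '        log(groupedProductsObj)',
  '    }',
  '}',
  'if (true) {',
  '    setData(groupedProductsObj.test)',
  '}',
].join('\n');

console.log('const:', findOutOfScopeRefs(sample('const')));
console.log('var:  ', findOutOfScopeRefs(sample('var')));
```

With `const` or `let` the reference in the last block is reported; with `var` nothing is reported, because the name is visible throughout the enclosing function scope.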
