Writing a custom Sonar rule for scanning inline JavaScript in HTML

I am looking for a rule which can identify inline JavaScript written in HTML/JSP. If there is no such rule, is it possible to write a custom rule to identify it?
For example, if a script tag with JavaScript code is written in an HTML file, it should be scanned as an issue.
Here is the code:
<script> alert("js code"); </script>
The ideal way is to have the JavaScript code in a separate JavaScript file, which should be referenced in a script tag with the src attribute.

Thanks in Advance.

Hi Rupesh,

Welcome to the community!

I believe S1456 is what you’re looking for. This rule defaults to a threshold of 5 lines of script code before raising an issue, but that threshold should be configurable. So you could set it to 1 to find the example you’ve provided.


Hi G Ann Campbell, thanks for your response.
I checked this rule, S1456.
It only counts lines, irrespective of whether they are empty or not, which results in false positives like this: if I configure the max line param to 1, it counts empty lines as well.

<script src="abc.js">


Is it possible to write a custom rule for this?


There’s no direct support for custom rules for either HTML or JavaScript. You’ll need to write and run your rule externally to SonarQube, and feed the results into analysis in a Generic Issue report.
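
One way to do what the last reply describes, as an added example that is not part of the thread and not SonarSource code: a Python script that flags `<script>` elements with no `src` and a non-blank body, and returns them as entries for the `issues` array of a Generic Issue report. `ENGINE_ID`, `RULE_ID`, the message text and the sample input are assumptions; it covers plain HTML only, not JSP, and the field names should be checked against the Generic Issue format documented for your SonarQube version.

```python
import json
from html.parser import HTMLParser

ENGINE_ID = "inline-js-check"  # hypothetical engine name
RULE_ID = "inline-script"      # hypothetical rule id
# Constructed sample: the empty src-only tag and the inline script from the thread.
SAMPLE = '<script src="abc.js">\n\n</script>\n<script> alert("js code"); </script>\n'

class InlineScriptFinder(HTMLParser):
    """Records the start line of each <script> with no src and a non-blank body."""

    def __init__(self):
        super().__init__()
        self.hits = []      # start lines of offending <script> tags
        self._open = None   # (start_line, has_src) while inside a <script>
        self._body = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            has_src = any(name == "src" for name, _ in attrs)
            self._open = (self.getpos()[0], has_src)
            self._body = []

    def handle_data(self, data):
        if self._open is not None:
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._open is not None:
            line, has_src = self._open
            # Whitespace-only bodies are ignored, so blank lines never count.
            if not has_src and "".join(self._body).strip():
                self.hits.append(line)
            self._open = None

def scan(path, text):
    """Return Generic Issue entries for inline scripts found in one HTML file."""
    finder = InlineScriptFinder()
    finder.feed(text)
    finder.close()
    message = "Move inline JavaScript to a separate file referenced with src."
    return [{"engineId": ENGINE_ID, "ruleId": RULE_ID,
             "severity": "MAJOR", "type": "CODE_SMELL",
             "primaryLocation": {"message": message, "filePath": path,
                                 "textRange": {"startLine": line}}}
            for line in finder.hits]

if __name__ == "__main__":
    print(json.dumps({"issues": scan("index.html", SAMPLE)}, indent=2))
```

Write the JSON to a file and pass its path to the scanner through the `sonar.externalIssuesReportPaths` analysis parameter.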