github SonarSource/SonarJS
SonarJS 6.1
on GitHub


With this release, the analyzer now provides analysis for both JavaScript and TypeScript code.

In addition to the rules previously provided by the TypeScript analyzer, TypeScript now benefits from all 12 Security Hotspot rules which existed for JavaScript:

  • Rule S2255: Writing cookies is security-sensitive.
  • Rule S5122: Enabling Cross-Origin Resource Sharing is security-sensitive.
  • Rule S4787: Encrypting data is security-sensitive.
  • Rule S4790: Hashing data is security-sensitive.
  • Rule S4721: Executing OS commands is security-sensitive.
  • Rule S4823: Using command line arguments is security-sensitive.
  • Rule S2245: Using pseudorandom number generators (PRNGs) is security-sensitive.
  • Rule S4784: Using regular expressions is security-sensitive.
  • Rule S4818: Using Sockets is security-sensitive.
  • Rule S2077: Formatting SQL queries is security-sensitive.
  • Rule S4829: Reading the Standard Input is security-sensitive.
  • Rule S4817: Executing XPath expressions is security-sensitive.

JavaScript has also new Bug, Code Smell and Security HotSpot rules which were available for TypeScript:

  • Rule S4275: Getters and setters should access the expected fields (Bug)
  • Rule S4326: “await” should not be used redundantly (Code Smell)
  • Rule S109: Magic numbers should not be used (Code Smell)
  • Rule S4140: Sparse arrays should not be declared (Code Smell)
  • Rule S3696: Literals should not be thrown (Code Smell)
  • Rule S4624: Template literals should not be nested (Code Smell)
  • Rule S117: Variable, property and parameter names should comply with a naming convention (Code Smell)
  • Rule S1821: “switch” statements should not be nested (Code Smell)
  • Rule S2068: Hard-coded credentials are security-sensitive (Security HotSpot)

TypeScript 3.2.1 or higher is required for TypeScript analysis. Note that this version of TypeScript is necessary only during the analysis. You can still use a different version to run your software.
You also need to upgrade the TypeScript analyzer to v2.1 in order to avoid conflicts.

Finally, make sure that you have NodeJS installed before running the analyzer.

We hope you will like this new version.

8 months ago