github SonarSource/SonarJS
SonarJS 5.2


This release adjusts Security Hotspot rules to better help developers review their code and find vulnerabilities. Security Hotspot rules were at first designed for security audits. We now believe that they provide even more value to developers during normal code reviews. This, however, required some changes.

We updated three rules:
Rule S4784 "Using regular expressions is security-sensitive"
It will only raise issues on hard-coded regular expressions which have at least 3 characters and at least two instances of any of the following characters: *+{. This will avoid raising issues on regular expressions which are too simple to be dangerous.
The rule no longer raises issues on dynamic regular expressions, i.e. regular expressions for which we have no information (e.g. passed as parameters). This was useful for a security auditor but not for a developer, as it would raise in too many places, making code review more complex than necessary. However, keep in mind that dynamic regular expressions are still a possible attack vector.
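The S4784 criteria above, approximated over constructed source lines. This is an added example, not SonarJS code: the real rule analyses the AST, while the hypothetical `meetsThreshold` and `scan` helpers here match text, and counting the `*+{` occurrences in total is an assumption.

```javascript
// Added example: text-based approximation of the S4784 criteria in the notes.
const SENSITIVE = new Set(['*', '+', '{']);

// At least 3 characters and at least two occurrences of *, + or {
// (occurrences counted in total across the three characters: an assumption).
function meetsThreshold(pattern) {
  let hits = 0;
  for (const ch of pattern) if (SENSITIVE.has(ch)) hits++;
  return pattern.length >= 3 && hits >= 2;
}

// Hard-coded patterns only: RegExp("...") with a string-literal argument,
// and /.../flags literals that follow = ( , : or return.
// Simplifications: string escapes are not decoded, and a "/" inside a
// character class is not handled.
const CTOR = /\bRegExp\(\s*(["'])((?:\\.|(?!\1).)*)\1/g;
const LITERAL = /(?:^|[=(,:]|\breturn)\s*\/((?:\\.|[^\/\\\n])+)\/[dgimsuy]*/g;

// Returns { line, pattern } for every hard-coded regex meeting the threshold.
// new RegExp(someVariable) never matches CTOR, so dynamic patterns are skipped,
// which mirrors the behaviour the release notes describe.
function scan(lines) {
  const findings = [];
  lines.forEach((text, i) => {
    for (const re of [CTOR, LITERAL]) {
      for (const m of text.matchAll(re)) {
        const pattern = re === CTOR ? m[2] : m[1];
        if (meetsThreshold(pattern)) findings.push({ line: i + 1, pattern });
      }
    }
  });
  return findings;
}

// Constructed sample source, one statement per line.
const SAMPLE = [
  'const id = /^\\d+$/;',                     // one quantifier: not reported
  'const nested = /^(a+)+$/;',                // two "+": reported
  'const re = new RegExp("(x*)*y");',         // two "*": reported
  'const dyn = new RegExp(userInput);',       // dynamic: skipped
  'const short = /a+/;',                      // under 3 characters: not reported
  'if (/^[a-z]{2,5}-[0-9]{3}$/.test(s)) {}',  // two "{": reported
];

for (const f of scan(SAMPLE)) console.log(`line ${f.line}: ${f.pattern}`);
```

Line 4 of the sample is exactly the case the updated rule stays silent on, so a reviewer still has to trace where `userInput` comes from.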

Rule S2077 "Formatting SQL queries is security-sensitive"
It will only raise an issue when it detects that an SQL query is created via concatenation. This is often a bad practice which can result in an SQL injection. Even when no injection is possible, it is better to use bound arguments, as it makes code review easier.
As with rule S4784, the rule no longer raises issues on dynamic SQL queries, i.e. SQL queries for which we have no information (e.g. passed as a parameter).

Rule S2255 "Writing cookies is security-sensitive"
It will only raise an issue when cookies are written, not when cookies are read. This makes the rule focused on sensitive information exposure alone, instead of covering both exposure and injection risks.

Three more rules have been removed because they provided value to security auditors only and would make code review more complex for developers:

  • S4797 Handling files is security-sensitive
  • S4825 Sending HTTP requests is security-sensitive
  • S4529 Exposing HTTP endpoints is security-sensitive

We hope you will enjoy this new version of SonarJS and welcome any feedback.
