New rules:
- S2598: File uploads should be restricted (formidable)
- S4502: Disabling CSRF protection is security-sensitive
- S4507: Delivering code in production with debug features activated is security-sensitive
- S5689: Recovering fingerprints from web application technologies should not be possible
- S5691: Statically serving hidden files is security-sensitive
- S5693: Allowing requests with excessive content length is security-sensitive
Improved rules:
- S5122: now raised only when permissive CORS policy is obvious; Support for
corsmiddleware.
Deprecated rules:
Changes in the requirements:
- The plugin now requires Node.js 10
- The plugin no longer relies on user-provided TypeScript: TypeScript is now shipped with the analyzer.
- Support for solution-style
tsconfigs - Very large files are now excluded from analysis by default (property
sonar.javascript.maxFileSizecontrols the threshold)