eslint-plugin-sonarjs
Advanced tools
eslint-plugin-sonarjs is an ESLint plugin that provides a set of rules inspired by SonarQube to detect bugs and suspicious patterns in JavaScript code. It aims to improve code quality by identifying potential issues early in the development process.
Detecting Cognitive Complexity
This rule helps to keep functions simple and maintainable by enforcing a limit on their cognitive complexity. The code sample configures ESLint to throw an error if a function's cognitive complexity exceeds 15.
module.exports = {
rules: {
'sonarjs/cognitive-complexity': ['error', 15]
}
};Detecting Duplicated Code
This rule detects duplicated string literals in the code. The code sample configures ESLint to throw an error if a string literal is duplicated more than 3 times.
module.exports = {
rules: {
'sonarjs/no-duplicate-string': ['error', 3]
}
};Detecting Unused Function Parameters
This rule identifies function parameters that are declared but not used within the function body. The code sample configures ESLint to throw an error for any unused function parameters.
module.exports = {
rules: {
'sonarjs/no-unused-collection': 'error'
}
};Detecting Collapsible If Statements
This rule detects if statements that can be collapsed into a single statement. The code sample configures ESLint to throw an error for any collapsible if statements.
module.exports = {
rules: {
'sonarjs/no-collapsible-if': 'error'
}
};eslint-plugin-jsx-a11y is an ESLint plugin that provides accessibility checks for JSX elements. It helps developers to write accessible code by enforcing best practices and identifying potential accessibility issues. Unlike eslint-plugin-sonarjs, which focuses on code quality and bug detection, eslint-plugin-jsx-a11y is specifically aimed at improving accessibility in web applications.
eslint-plugin-security is an ESLint plugin that identifies potential security vulnerabilities in JavaScript code. It includes rules to detect common security issues such as the use of eval, insecure randomness, and potential command injection. While eslint-plugin-sonarjs focuses on general code quality and bug detection, eslint-plugin-security is specialized in identifying security-related issues.
eslint-plugin-unicorn is an ESLint plugin that enforces various best practices and code quality improvements. It includes a wide range of rules for improving code readability, maintainability, and performance. Compared to eslint-plugin-sonarjs, eslint-plugin-unicorn offers a broader set of rules that cover more aspects of code quality, including stylistic preferences and performance optimizations.
SonarJS rules for ESLint to help developers produce Clean Code by detecting bugs and suspicious patterns.
💼 Configurations enabled in.
🚫 Configurations disabled in.
✅ Set in the recommended configuration.
🔧 Automatically fixable by the --fix CLI option.
💡 Manually fixable by editor suggestions.
💭 Requires type information.
❌ Deprecated.
| Name | Description | 💼 | 🚫 | 🔧 | 💡 | 💭 | ❌ |
|---|---|---|---|---|---|---|---|
| accessor-pairs | Property getters and setters should come in pairs | ✅ | |||||
| alt-text | Image, area, button with image and object elements should have an alternative text | ✅ | |||||
| anchor-has-content | Anchors should contain accessible content | ✅ | 💡 | ||||
| anchor-is-valid | Anchor tags should not be used as buttons | ✅ | |||||
| anchor-precedence | Alternatives in regular expressions should be grouped when used with anchors | ✅ | 💭 | ||||
| argument-type | Arguments to built-in functions should match documented types | ✅ | 💭 | ||||
| arguments-order | Parameters should be passed in the correct order | ✅ | 💭 | ||||
| arguments-usage | "arguments" should not be accessed directly | ✅ | |||||
| array-callback-without-return | Callbacks of array methods should have return statements | ✅ | 💭 | ||||
| array-constructor | Array constructors should not be used | ✅ | 🔧 | 💡 | |||
| arrow-function-convention | Braces and parentheses should be used consistently with arrow functions | ✅ | |||||
| assertions-in-tests | Tests should include assertions | ✅ | |||||
| aws-apigateway-public-api | Creating public APIs is security-sensitive | ✅ | |||||
| aws-ec2-rds-dms-public | Allowing public network access to cloud resources is security-sensitive | ✅ | |||||
| aws-ec2-unencrypted-ebs-volume | Using unencrypted EBS volumes is security-sensitive | ✅ | |||||
| aws-efs-unencrypted | Using unencrypted EFS file systems is security-sensitive | ✅ | |||||
| aws-iam-all-privileges | Policies granting all privileges are security-sensitive | ✅ | |||||
| aws-iam-all-resources-accessible | Policies granting access to all resources of an account are security-sensitive | ✅ | |||||
| aws-iam-privilege-escalation | AWS IAM policies should limit the scope of permissions given | ✅ | |||||
| aws-iam-public-access | Policies authorizing public access to resources are security-sensitive | ✅ | |||||
| aws-opensearchservice-domain | Using unencrypted Elasticsearch domains is security-sensitive | ✅ | |||||
| aws-rds-unencrypted-databases | Using unencrypted RDS DB resources is security-sensitive | ✅ | |||||
| aws-restricted-ip-admin-access | Administration services access should be restricted to specific IP addresses | ✅ | |||||
| aws-s3-bucket-granted-access | Granting access to S3 buckets to all or authenticated users is security-sensitive | ✅ | |||||
| aws-s3-bucket-insecure-http | Authorizing HTTP communications with S3 buckets is security-sensitive | ✅ | |||||
| aws-s3-bucket-public-access | Allowing public ACLs or policies on a S3 bucket is security-sensitive | ✅ | |||||
| aws-s3-bucket-server-encryption | Disabling server-side encryption of S3 buckets is security-sensitive | ✅ | ❌ | ||||
| aws-s3-bucket-versioning | Disabling versioning of S3 buckets is security-sensitive | ✅ | |||||
| aws-sagemaker-unencrypted-notebook | Using unencrypted SageMaker notebook instances is security-sensitive | ✅ | |||||
| aws-sns-unencrypted-topics | Using unencrypted SNS topics is security-sensitive | ✅ | |||||
| aws-sqs-unencrypted-queue | Using unencrypted SQS queues is security-sensitive | ✅ | |||||
| bitwise-operators | Bitwise operators should not be used in boolean contexts | ✅ | |||||
| bool-param-default | Optional boolean parameters should have default value | ✅ | |||||
| brace-style | An open curly brace should be located at the end of a line | ✅ | 🔧 | ❌ | |||
| call-argument-line | Function call arguments should not start on new lines | ✅ | |||||
| certificate-transparency | Disabling Certificate Transparency monitoring is security-sensitive | ✅ | |||||
| chai-determinate-assertion | Chai assertions should have only one reason to succeed | ✅ | |||||
| class-name | Class names should comply with a naming convention | ✅ | |||||
| class-prototype | Class methods should be used instead of "prototype" assignments | ✅ | 💭 | ||||
| code-eval | Dynamically executing code is security-sensitive | ✅ | |||||
| cognitive-complexity | Cognitive Complexity of functions should not be too high | ✅ | |||||
| comma-or-logical-or-case | Comma and logical OR operators should not be used in switch cases | ✅ | |||||
| comment-regex | Track comments matching a regular expression | ✅ | |||||
| concise-regex | Regular expression quantifiers and character classes should be used concisely | ✅ | 💭 | ||||
| conditional-indentation | A conditionally executed single line should be denoted by indentation | ✅ | ❌ | ||||
| confidential-information-logging | Allowing confidential information to be logged is security-sensitive | ✅ | |||||
| constructor-for-side-effects | Objects should not be created to be dropped immediately without being used | ✅ | |||||
| content-length | Allowing requests with excessive content length is security-sensitive | ✅ | |||||
| content-security-policy | Disabling content security policy fetch directives is security-sensitive | ✅ | |||||
| cookie-no-httponly | Creating cookies without the "HttpOnly" flag is security-sensitive | ✅ | |||||
| cookies | Writing cookies is security-sensitive | ✅ | ❌ | ||||
| cors | Having a permissive Cross-Origin Resource Sharing policy is security-sensitive | ✅ | |||||
| csrf | Disabling CSRF protections is security-sensitive | ✅ | |||||
| cyclomatic-complexity | Cyclomatic Complexity of functions should not be too high | ✅ | |||||
| declarations-in-global-scope | Variables and functions should not be declared in the global scope | ✅ | |||||
| default-param-last | Function parameters with default values should be last | ✅ | |||||
| deprecation | Deprecated APIs should not be used | ✅ | 💭 | ||||
| destructuring-assignment-syntax | Destructuring syntax should be used for assignments | ✅ | |||||
| different-types-comparison | Strict equality operators should not be used with dissimilar types | ✅ | 🔧 | 💡 | 💭 | ||
| disabled-auto-escaping | Disabling auto-escaping in template engines is security-sensitive | ✅ | 💭 | ||||
| disabled-resource-integrity | Using remote artifacts without integrity checks is security-sensitive | ✅ | 💭 | ||||
| disabled-timeout | Disabling Mocha timeouts should be explicit | ✅ | |||||
| dns-prefetching | Allowing browsers to perform DNS prefetching is security-sensitive | ✅ | ❌ | ||||
| duplicates-in-character-class | Character classes in regular expressions should not contain the same character twice | ✅ | 💭 | ||||
| elseif-without-else | "if ... else if" constructs should end with "else" clauses | ✅ | |||||
| empty-string-repetition | Repeated patterns in regular expressions should not match the empty string | ✅ | 💭 | ||||
| encryption | Encrypting data is security-sensitive | ✅ | ❌ | ||||
| encryption-secure-mode | Encryption algorithms should be used with secure mode and padding scheme | ✅ | |||||
| enforce-trailing-comma | Trailing commas should be used | ✅ | 🔧 | ❌ | |||
| existing-groups | Replacement strings should reference existing regular expression groups | ✅ | 💭 | ||||
| expression-complexity | Expressions should not be too complex | ✅ | |||||
| file-header | Track lack of copyright and license headers | ✅ | |||||
| file-name-differ-from-class | Default export names and file names should match | ✅ | |||||
| file-permissions | Setting loose POSIX file permissions is security-sensitive | ✅ | |||||
| file-uploads | File uploads should be restricted | ✅ | |||||
| fixme-tag | Track uses of "FIXME" tags | ✅ | |||||
| for-in | "for...in" loops should filter properties before acting on them | ✅ | |||||
| for-loop-increment-sign | A "for" loop update clause should move the counter in the right direction | ✅ | |||||
| frame-ancestors | Disabling content security policy frame-ancestors directive is security-sensitive | ✅ | |||||
| function-inside-loop | Functions should not be defined inside loops | ✅ | |||||
| function-name | Function and method names should comply with a naming convention | ✅ | |||||
| function-return-type | Functions should always return the same type | ✅ | 💭 | ||||
| future-reserved-words | Future reserved words should not be used as identifiers | ✅ | |||||
| generator-without-yield | Generators should explicitly "yield" a value | ✅ | |||||
| hashing | Using weak hashing algorithms is security-sensitive | ✅ | |||||
| hidden-files | Statically serving hidden files is security-sensitive | ✅ | |||||
| hook-use-state | The return value of "useState" should be destructured and named symmetrically | ✅ | 🔧 | 💡 | |||
| html-has-lang | HTML elements should have a valid language attribute | ✅ | 💡 | ||||
| in-operator-type-error | "in" should not be used with primitive types | ✅ | 💭 | ||||
| inconsistent-function-call | Functions should be called consistently with or without "new" | ✅ | |||||
| index-of-compare-to-positive-number | "indexOf" checks should not be for positive numbers | ✅ | 💭 | ||||
| insecure-cookie | Creating cookies without the "secure" flag is security-sensitive | ✅ | |||||
| insecure-jwt-token | JWT should be signed and verified with strong cipher algorithms | ✅ | |||||
| inverted-assertion-arguments | Assertion arguments should be passed in the correct order | ✅ | 🔧 | 💡 | |||
| jsx-key | JSX list components should have a key property | ✅ | |||||
| jsx-no-constructed-context-values | React Context Provider values should have stable identities | ✅ | |||||
| jsx-no-useless-fragment | Redundant React fragments should be removed | ✅ | 🔧 | 💡 | |||
| label-has-associated-control | Label elements should have a text label and an associated control | ✅ | |||||
| label-position | Only "while", "do", "for" and "switch" statements should be labelled | ✅ | |||||
| link-with-target-blank | Authorizing an opened window to access back to the originating window is security-sensitive | ✅ | |||||
| max-switch-cases | "switch" statements should not have too many "case" clauses | ✅ | |||||
| max-union-size | Union types should not have too many elements | ✅ | |||||
| media-has-caption | Media elements should have captions | ✅ | |||||
| misplaced-loop-counter | "for" loop increment clauses should modify the loops' counters | ✅ | |||||
| mouse-events-a11y | Mouse events should have corresponding keyboard events | ✅ | 💡 | ||||
| nested-control-flow | Control flow statements "if", "for", "while", "switch" and "try" should not be nested too deeply | ✅ | |||||
| new-cap | Constructor names should start with an upper case letter | ✅ | |||||
| new-operator-misuse | "new" should only be used with functions and classes | ✅ | 💭 | ||||
| no-accessor-field-mismatch | Getters and setters should access the expected fields | ✅ | |||||
| no-all-duplicated-branches | All branches in a conditional structure should not have exactly the same implementation | ✅ | |||||
| no-alphabetical-sort | "Array.prototype.sort()" and "Array.prototype.toSorted()" should use a compare function | ✅ | 🔧 | 💡 | 💭 | ||
| no-angular-bypass-sanitization | Disabling Angular built-in sanitization is security-sensitive | ✅ | |||||
| no-array-delete | "delete" should not be used on arrays | ✅ | 💭 | ||||
| no-array-index-key | JSX list components should not use array indexes as key | ✅ | |||||
| no-associative-arrays | Array indexes should be numeric | ✅ | 💭 | ||||
| no-base-to-string | Objects and classes converted or coerced to strings should define a "toString()" method | ✅ | 💭 | ||||
| no-built-in-override | Built-in objects should not be overridden | ✅ | |||||
| no-case-label-in-switch | "switch" statements should not contain non-case labels | ✅ | |||||
| no-clear-text-protocols | Using clear-text protocols is security-sensitive | ✅ | |||||
| no-code-after-done | Tests should not execute any code after "done()" is called | ✅ | |||||
| no-collapsible-if | Mergeable "if" statements should be combined | ✅ | |||||
| no-collection-size-mischeck | Collection size and array length comparisons should make sense | ✅ | 🔧 | 💡 | 💭 | ||
| no-commented-code | Sections of code should not be commented out | ✅ | 🔧 | 💡 | |||
| no-dead-store | Unused assignments should be removed | ✅ | |||||
| no-delete-var | "delete" should be used only with object properties | ✅ | |||||
| no-deprecated-react | Deprecated React APIs should not be used | ✅ | |||||
| no-duplicate-in-composite | Union and intersection types should not include duplicated constituents | ✅ | 🔧 | 💡 | |||
| no-duplicate-string | String literals should not be duplicated | ✅ | |||||
| no-duplicated-branches | Two branches in a conditional structure should not have exactly the same implementation | ✅ | |||||
| no-element-overwrite | Collection elements should not be replaced unconditionally | ✅ | |||||
| no-empty-after-reluctant | Reluctant quantifiers in regular expressions should be followed by an expression that can't match the empty string | ✅ | 💭 | ||||
| no-empty-alternatives | Alternation in regular expressions should not contain empty alternatives | ✅ | 💭 | ||||
| no-empty-collection | Empty collections should not be accessed or iterated | ✅ | |||||
| no-empty-function | Functions should not be empty | ✅ | 🔧 | 💡 | |||
| no-empty-group | Regular expressions should not contain empty groups | ✅ | 💭 | ||||
| no-empty-interface | Interfaces should not be empty | ✅ | 🔧 | 💡 | |||
| no-empty-test-file | Test files should contain at least one test case | ✅ | |||||
| no-equals-in-for-termination | Equality operators should not be used in "for" loop termination conditions | ✅ | |||||
| no-exclusive-tests | Exclusive tests should not be commited to version control | ✅ | 🔧 | 💡 | |||
| no-extend-native | Prototypes of builtin objects should not be modified | ✅ | |||||
| no-extra-arguments | Function calls should not pass extra arguments | ✅ | |||||
| no-extra-semi | Extra semicolons should be removed | ✅ | 🔧 | ❌ | |||
| no-find-dom-node | React's "findDOMNode" should not be used | ✅ | |||||
| no-for-in-iterable | "for in" should not be used with iterables | ✅ | 💭 | ||||
| no-function-declaration-in-block | Function declarations should not be made within blocks | ✅ | |||||
| no-global-this | The global "this" object should not be used | ✅ | 🔧 | 💡 | |||
| no-globals-shadowing | Special identifiers should not be bound or assigned | ✅ | |||||
| no-gratuitous-expressions | Boolean expressions should not be gratuitous | ✅ | |||||
| no-hardcoded-credentials | Hard-coded credentials are security-sensitive | ✅ | |||||
| no-hardcoded-ip | Using hardcoded IP addresses is security-sensitive | ✅ | |||||
| no-hook-setter-in-body | React's useState hook should not be used directly in the render function or body of a component | ✅ | |||||
| no-identical-conditions | "if/else if" chains and "switch" cases should not have the same condition | ✅ | |||||
| no-identical-expressions | Identical expressions should not be used on both sides of a binary operator | ✅ | |||||
| no-identical-functions | Functions should not have identical implementations | ✅ | |||||
| no-ignored-exceptions | Exceptions should not be ignored | ✅ | |||||
| no-ignored-return | Return values from functions without side effects should not be ignored | ✅ | 💭 | ||||
| no-implicit-dependencies | Dependencies should be explicit | ✅ | |||||
| no-implicit-global | Variables should be declared explicitly | ✅ | |||||
| no-in-misuse | "in" should not be used on arrays | ✅ | 🔧 | 💡 | 💭 | ||
| no-incomplete-assertions | Assertions should be complete | ✅ | |||||
| no-inconsistent-returns | Functions should use "return" consistently | ✅ | |||||
| no-incorrect-string-concat | Strings and non-strings should not be added | ✅ | 💭 | ||||
| no-infinite-loop | Loops should not be infinite | ✅ | |||||
| no-intrusive-permissions | Using intrusive permissions is security-sensitive | ✅ | |||||
| no-invalid-await | "await" should only be used with promises | ✅ | 💭 | ||||
| no-invariant-returns | Function returns should not be invariant | ✅ | |||||
| no-inverted-boolean-check | Boolean checks should not be inverted | ✅ | 🔧 | 💡 | |||
| no-ip-forward | Forwarding client IP address is security-sensitive | ✅ | |||||
| no-labels | Labels should not be used | ✅ | |||||
| no-literal-call | Literals should not be used as functions | ✅ | |||||
| no-lonely-if | If statements should not be the only statement in else blocks | ✅ | 🔧 | ||||
| no-mime-sniff | Allowing browsers to sniff MIME types is security-sensitive | ✅ | |||||
| no-misleading-array-reverse | Array-mutating methods should not be used misleadingly | ✅ | 🔧 | 💡 | 💭 | ||
| no-misused-promises | Promises should not be misused | ✅ | 💡 | 💭 | |||
| no-mixed-content | Allowing mixed-content is security-sensitive | ✅ | |||||
| no-nested-assignment | Assignments should not be made from within sub-expressions | ✅ | |||||
| no-nested-conditional | Ternary operators should not be nested | ✅ | |||||
| no-nested-functions | Functions should not be nested too deeply | ✅ | |||||
| no-nested-incdec | Increment (++) and decrement (--) operators should not be used in a method call or mixed with other operators in an expression | ✅ | |||||
| no-nested-switch | "switch" statements should not be nested | ✅ | |||||
| no-nested-template-literals | Template literals should not be nested | ✅ | |||||
| no-one-iteration-loop | Loops with at most one iteration should be refactored | ✅ | |||||
| no-os-command-from-path | Searching OS commands in PATH is security-sensitive | ✅ | |||||
| no-parameter-reassignment | Initial values of parameters, caught exceptions, and loop variables should not be ignored | ✅ | |||||
| no-primitive-wrappers | Wrapper objects should not be used for primitive types | ✅ | 🔧 | 💡 | |||
| no-redeclare | Variables and functions should not be redeclared | ✅ | |||||
| no-redundant-assignments | Assignments should not be redundant | ✅ | |||||
| no-redundant-boolean | Boolean literals should not be used in comparisons | ✅ | |||||
| no-redundant-jump | Jump statements should not be redundant | ✅ | 🔧 | 💡 | |||
| no-redundant-optional | Optional property declarations should not use both '?' and 'undefined' syntax | ✅ | 🔧 | 💡 | 💭 | ||
| no-redundant-parentheses | Redundant pairs of parentheses should be removed | ✅ | 🔧 | 💡 | ❌ | ||
| no-redundant-type-constituents | Type constituents of unions and intersections should not be redundant | ✅ | 💭 | ||||
| no-reference-error | Variables should be defined before being used | ✅ | |||||
| no-referrer-policy | Disabling strict HTTP no-referrer policy is security-sensitive | ✅ | |||||
| no-require-or-define | "import" should be used to include external code | ✅ | 💭 | ||||
| no-return-type-any | Primitive return types should be used | ✅ | 💭 | ||||
| no-same-argument-assert | Assertions should not be given twice the same argument | ✅ | |||||
| no-same-line-conditional | Conditionals should start on new lines | ✅ | 🔧 | 💡 | |||
| no-self-compare | "Number.isNaN()" should be used to check for "NaN" value | ✅ | 🔧 | 💡 | |||
| no-small-switch | "switch" statements should have at least 3 "case" clauses | ✅ | |||||
| no-tab | Tabulation characters should not be used | ✅ | ❌ | ||||
| no-table-as-layout | HTML "<table>" should not be used for layout purposes | ✅ | |||||
| no-this-alias | "this" should not be assigned to variables | ✅ | |||||
| no-throw-literal | Literals should not be thrown | ✅ | 🔧 | 💡 | 💭 | ||
| no-try-promise | Promise rejections should not be caught by "try" blocks | ✅ | 💭 | ||||
| no-undefined-argument | "undefined" should not be passed as the value of optional parameters | ✅ | 🔧 | 💡 | 💭 | ||
| no-undefined-assignment | "undefined" should not be assigned | ✅ | |||||
| no-unenclosed-multiline-block | Multiline blocks should be enclosed in curly braces | ✅ | |||||
| no-uniq-key | JSX list components keys should match up between renders | ✅ | |||||
| no-unknown-property | JSX elements should not use unknown properties and attributes | ✅ | 🔧 | 💡 | |||
| no-unreachable | All code should be reachable | ✅ | 🔧 | 💡 | |||
| no-unsafe | React legacy lifecycle methods should not be used | ✅ | |||||
| no-unsafe-unzip | Expanding archive files without controlling resource consumption is security-sensitive | ✅ | |||||
| no-unstable-nested-components | React components should not be nested | ✅ | |||||
| no-unthrown-error | Errors should not be created without being thrown | ✅ | 🔧 | 💡 | |||
| no-unused-collection | Collection contents should be used | ✅ | |||||
| no-unused-expressions | Non-empty statements should change control flow or have at least one side-effect | ✅ | |||||
| no-unused-function-argument | Unused function parameters should be removed | ✅ | 🔧 | 💡 | |||
| no-unused-private-class-members | Unused private class members should be removed | ✅ | 🔧 | 💡 | |||
| no-use-of-empty-return-value | The return value of void functions should not be used | ✅ | |||||
| no-useless-call | Calls to ".call()" and ".apply()" methods should not be redundant | ✅ | 🔧 | 💡 | |||
| no-useless-catch | "catch" clauses should do more than rethrow | ✅ | |||||
| no-useless-constructor | Unnecessary constructors should be removed | ✅ | 🔧 | 💡 | |||
| no-useless-increment | Values should not be uselessly incremented | ✅ | |||||
| no-useless-intersection | Type intersections should use meaningful types | ✅ | 💭 | ||||
| no-useless-react-setstate | React state setter function should not be called with its matching state variable | ✅ | |||||
| no-var | Variables should be declared with "let" or "const" | ✅ | 🔧 | ||||
| no-variable-usage-before-declaration | Variables declared with "var" should be declared before they are used | ✅ | |||||
| no-vue-bypass-sanitization | Disabling Vue.js built-in escaping is security-sensitive | ✅ | |||||
| no-weak-cipher | Cipher algorithms should be robust | ✅ | |||||
| no-weak-keys | Cryptographic keys should be robust | ✅ | |||||
| no-wildcard-import | Wildcard imports should not be used | ✅ | |||||
| non-existent-operator | Non-existent operators '=+', '=-' and '=!' should not be used | ✅ | 🔧 | 💡 | |||
| non-number-in-arithmetic-expression | Arithmetic operators should only have numbers as operands | ✅ | 💭 | ||||
| null-dereference | Properties of variables with "null" or "undefined" values should not be accessed | ✅ | 💭 | ||||
| object-alt-content | "" tags should provide an alternative content | ✅ | |||||
| object-shorthand | Object literal shorthand syntax should be used | ✅ | 🔧 | ||||
| operation-returning-nan | Arithmetic operations should not result in "NaN" | ✅ | 💭 | ||||
| os-command | Using shell interpreter when executing OS commands is security-sensitive | ✅ | |||||
| post-message | Origins should be verified during cross-origin communications | ✅ | 💭 | ||||
| prefer-default-last | "default" clauses should be last | ✅ | |||||
| prefer-enum-initializers | Enum member values should be either all initialized or none | ✅ | 🔧 | 💡 | |||
| prefer-for-of | "for of" should be used with Iterables | ✅ | 🔧 | 💡 | |||
| prefer-function-type | Function types should be preferred | ✅ | 🔧 | ||||
| prefer-immediate-return | Local variables should not be declared and then immediately returned or thrown | ✅ | 🔧 | ||||
| prefer-namespace-keyword | "module" should not be used | ✅ | 🔧 | ||||
| prefer-nullish-coalescing | Nullish coalescing should be preferred | ✅ | 🔧 | 💡 | 💭 | ||
| prefer-object-literal | Object literal syntax should be used | ✅ | |||||
| prefer-object-spread | Object spread syntax should be used instead of "Object.assign" | ✅ | 🔧 | ||||
| prefer-promise-shorthand | Shorthand promises should be used | ✅ | 🔧 | 💡 | |||
| prefer-single-boolean-return | Return of boolean expressions should not be wrapped into an "if-then-else" statement | ✅ | 🔧 | 💡 | |||
| prefer-spread | Spread syntax should be used instead of "apply()" | ✅ | 🔧 | 💡 | |||
| prefer-string-starts-ends-with | Ends of strings should be checked with "startsWith()" and "endsWith()" | ✅ | 🔧 | 💡 | 💭 | ||
| prefer-template | Template strings should be used instead of concatenation | ✅ | 🔧 | ||||
| prefer-type-guard | Type predicates should be used | ✅ | 🔧 | 💡 | |||
| prefer-while | A "while" loop should be used instead of a "for" loop | ✅ | 🔧 | ||||
| process-argv | Using command line arguments is security-sensitive | ✅ | ❌ | ||||
| production-debug | Delivering code in production with debug features activated is security-sensitive | ✅ | |||||
| pseudo-random | Using pseudorandom number generators (PRNGs) is security-sensitive | ✅ | |||||
| public-static-readonly | Public "static" fields should be read-only | ✅ | 🔧 | 💡 | |||
| publicly-writable-directories | Using publicly writable directories is security-sensitive | ✅ | |||||
| reduce-initial-value | "Array.reduce()" calls should include an initial value | ✅ | 💭 | ||||
| redundant-type-aliases | Redundant type aliases should not be used | ✅ | |||||
| regex-complexity | Regular expressions should not be too complicated | ✅ | 💭 | ||||
| regular-expr | Using regular expressions is security-sensitive | ✅ | ❌ | ||||
| rules-of-hooks | React Hooks should be properly called | ✅ | |||||
| semi | Statements should end with semicolons | ✅ | 🔧 | ❌ | |||
| session-regeneration | A new session should be created during user authentication | ✅ | |||||
| shorthand-property-grouping | Shorthand object properties should be grouped at the beginning or end of an object declaration | ✅ | |||||
| single-char-in-character-classes | Character classes in regular expressions should not contain only one character | ✅ | 💭 | ||||
| single-character-alternation | Single-character alternations in regular expressions should be replaced with character classes | ✅ | 💭 | ||||
| slow-regex | Using slow regular expressions is security-sensitive | ✅ | 💭 | ||||
| sockets | Using Sockets is security-sensitive | ✅ | ❌ | ||||
| sonar-block-scoped-var | Variables should be used in the blocks where they are declared | ✅ | |||||
| sonar-jsx-no-leaked-render | React components should not render non-boolean condition values | ✅ | 🔧 | 💡 | 💭 | ||
| sonar-max-lines | Files should not have too many lines of code | ✅ | |||||
| sonar-max-lines-per-function | Functions should not have too many lines of code | ✅ | |||||
| sonar-max-params | Functions should not have too many parameters | ✅ | |||||
| sonar-no-control-regex | Regular expressions should not contain control characters | ✅ | 💭 | ||||
| sonar-no-dupe-keys | Member names should not be duplicated within a class or object literal | ✅ | 🔧 | 💡 | |||
| sonar-no-empty-character-class | Empty character classes should not be used | ✅ | 💭 | ||||
| sonar-no-fallthrough | Switch cases should end with an unconditional "break" statement | ✅ | |||||
| sonar-no-invalid-regexp | Regular expressions should be syntactically valid | ✅ | 💭 | ||||
| sonar-no-magic-numbers | Magic numbers should not be used | ✅ | |||||
| sonar-no-misleading-character-class | Unicode Grapheme Clusters should be avoided inside regex character classes | ✅ | 💡 | 💭 | |||
| sonar-no-regex-spaces | Regular expressions should not contain multiple spaces | ✅ | 🔧 | 💡 | 💭 | ||
| sonar-no-unused-class-component-methods | Unused methods of React components should be removed | ✅ | |||||
| sonar-no-unused-vars | Unused local variables and functions should be removed | ✅ | |||||
| sonar-prefer-optional-chain | Optional chaining should be preferred | ✅ | 🔧 | 💡 | |||
| sonar-prefer-read-only-props | React props should be read-only | ✅ | 🔧 | 💡 | 💭 | ||
| sonar-prefer-regexp-exec | "RegExp.exec()" should be preferred over "String.match()" | ✅ | 🔧 | 💡 | 💭 | ||
| sql-queries | Formatting SQL queries is security-sensitive | ✅ | |||||
| stable-tests | Tests should be stable | ✅ | |||||
| standard-input | Reading the Standard Input is security-sensitive | ✅ | ❌ | ||||
| stateful-regex | Regular expressions with the global flag should be used with caution | ✅ | |||||
| strict-transport-security | Disabling Strict-Transport-Security policy is security-sensitive | ✅ | |||||
| strings-comparison | Comparison operators should not be used with strings | ✅ | 💭 | ||||
| super-invocation | "super()" should be invoked appropriately | ✅ | |||||
| switch-without-default | "switch" statements should have "default" clauses | ✅ | 🔧 | 💡 | 💭 | ||
| table-header | Tables should have headers | ✅ | |||||
| table-header-reference | Table cells should reference their headers | ✅ | |||||
| test-check-exception | Tests should check which exception is thrown | ✅ | |||||
| todo-tag | Track uses of "TODO" tags | ✅ | |||||
| too-many-break-or-continue-in-loop | Loops should not contain more than a single "break" or "continue" statement | ✅ | |||||
| unicode-aware-regex | Regular expressions using Unicode character classes or property escapes should enable the unicode flag | ✅ | 💭 | ||||
| unnecessary-character-escapes | Unnecessary character escapes should be removed | ✅ | 🔧 | 💡 | |||
| unused-import | Unnecessary imports should be removed | ✅ | 🔧 | 💡 | 💭 | ||
| unused-named-groups | Names of regular expressions named groups should be used | ✅ | 💭 | ||||
| unverified-certificate | Server certificates should be verified during SSL/TLS connections | ✅ | |||||
| unverified-hostname | Server hostnames should be verified during SSL/TLS connections | ✅ | |||||
| updated-const-var | "const" variables should not be reassigned | ✅ | |||||
| updated-loop-counter | Loop counters should not be assigned within the loop body | ✅ | |||||
| use-isnan | "NaN" should not be used in comparisons | ✅ | 🔧 | 💡 | |||
| use-type-alias | Type aliases should be used | ✅ | |||||
| useless-string-operation | Results of operations on strings should not be ignored | ✅ | 💭 | ❌ | |||
| values-not-convertible-to-numbers | Values not convertible to numbers should not be used in numeric comparisons | ✅ | 💭 | ||||
| variable-name | Variable, property and parameter names should comply with a naming convention | ✅ | |||||
| void-use | "void" should not be used | ✅ | 💭 | ||||
| weak-ssl | Weak SSL/TLS protocols should not be used | ✅ | |||||
| web-sql-database | Web SQL databases should not be used | ✅ | 💭 | ❌ | |||
| x-powered-by | Disclosing fingerprints from web application technologies is security-sensitive | ✅ | |||||
| xml-parser-xxe | XML parsers should not be vulnerable to XXE attacks | ✅ | |||||
| xpath | Executing XPath expressions is security-sensitive | ✅ | ❌ |
eslint-plugin-sonarjs using npm (or yarn) for your project or globally:npm install eslint-plugin-sonarjs --save-dev # install for your project
npm install eslint-plugin-sonarjs -g # or install globally
eslint-plugin-sonarjs to the plugins of your ESLint config.For ESLint 9: add plugins option to your eslint.config.js and include the recommended config to enable all rules:
import sonarjs from "eslint-plugin-sonarjs";
[
sonarjs.configs.recommended,
{
"plugins": {
sonarjs,
}
}
]
For ESLint 8: add plugins option to your .eslintrc and plugin:sonarjs/recommended-legacy to the extends option to enable all recommended rules:
{
"plugins": ["sonarjs"],
"extends": ["plugin:sonarjs/recommended-legacy"]
}
{
"rules": {
"sonarjs/cognitive-complexity": "error",
"sonarjs/no-identical-expressions": "error"
// etc.
}
}
@typescript-eslint/parser as a parser for ESLint and set the parserOptions.project option. This enables type checking which is beneficial or even essential for some rules.This plugin provides only a recommended configuration. Almost all rules are activated in this profile with a few exceptions (check the disabled tag in the rules list). The recommended configuration activates rules with error severity.
We include a recommended-legacy configuration to be backward compatible with ESLint v8, with the same rule configuration..
This plugin exposes to ESLint users all JS/TS rules from Sonar-* products (aka SonarJS). We extracted the rules to be beneficial for the ESLint community.
If you are a SonarQube or SonarCloud user, to lint your code locally, we suggest using SonarLint IDE extension (available for VSCode, JetBrains IDEs and Eclipse). You can connect SonarLint to your SonarQube/SonarCloud project to synchronize rules configuration, issue statuses, etc.
FAQs
SonarJS rules for ESLint
The npm package eslint-plugin-sonarjs receives a total of 411,418 weekly downloads. As such, eslint-plugin-sonarjs popularity was classified as popular.
We found that eslint-plugin-sonarjs demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 5 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
pnpm 10 blocks lifecycle scripts by default to improve security, addressing supply chain attack risks but sparking debate over compatibility and workflow changes.
Product
Socket now supports uv.lock files to ensure consistent, secure dependency resolution for Python projects and enhance supply chain security.
Research
Security News
Socket researchers have discovered multiple malicious npm packages targeting Solana private keys, abusing Gmail to exfiltrate the data and drain Solana wallets.