eslint-plugin-sonarjs
eslint-plugin-sonarjs is an ESLint plugin that provides a set of rules inspired by SonarQube to detect bugs and suspicious patterns in JavaScript code. It aims to improve code quality by identifying potential issues early in the development process.
Detecting Cognitive Complexity
This rule helps to keep functions simple and maintainable by enforcing a limit on their cognitive complexity. The code sample configures ESLint to throw an error if a function's cognitive complexity exceeds 15.
```js
module.exports = {
  rules: {
    'sonarjs/cognitive-complexity': ['error', 15]
  }
};
```
Detecting Duplicated Code
This rule detects duplicated string literals in the code. The code sample configures ESLint to throw an error if a string literal is duplicated more than 3 times.
```js
module.exports = {
  rules: {
    'sonarjs/no-duplicate-string': ['error', 3]
  }
};
```
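To make the threshold concrete, here is a simplified stand-alone re-implementation of what no-duplicate-string counts; it is an added example, not the plugin's own code, and it assumes the rule's documented defaults (literals shorter than 10 characters ignored, import/require module specifiers ignored, a literal reported once it appears at least `threshold` times). The sample source is constructed.

```javascript
// Added example, not the plugin's own code: a simplified re-implementation of
// what sonarjs/no-duplicate-string counts. Assumptions mirror the rule's
// documented defaults: literals shorter than 10 characters are ignored, module
// specifiers in import/require are ignored, and a literal is reported once it
// appears at least `threshold` times.
const MIN_LENGTH = 10;

function findDuplicateStrings(source, threshold = 3) {
  // Drop line and block comments so a literal quoted in a comment is not counted
  // (simplification: a "//" inside a string, e.g. a URL, would also be cut).
  const code = source.replace(/\/\/[^\n]*|\/\*[\s\S]*?\*\//g, '');
  // Single- or double-quoted literals; escaped quotes are allowed inside.
  const literal = /'((?:[^'\\\n]|\\.)*)'|"((?:[^"\\\n]|\\.)*)"/g;
  const counts = new Map();
  let m;
  while ((m = literal.exec(code)) !== null) {
    const value = m[1] !== undefined ? m[1] : m[2];
    if (value.length < MIN_LENGTH) continue;
    // Skip module specifiers: `from '...'`, `import '...'`, `require('...')`.
    const before = code.slice(Math.max(0, m.index - 12), m.index);
    if (/(from|import|require\()\s*$/.test(before)) continue;
    counts.set(value, (counts.get(value) || 0) + 1);
  }
  // Message text modelled on the rule's own report.
  return [...counts]
    .filter(([, n]) => n >= threshold)
    .map(([value, n]) => ({
      value,
      count: n,
      message: `Define a constant instead of duplicating this literal ${n} times.`,
    }));
}

// Constructed sample input: 'application/json' appears three times in code and
// once more in a comment; 'Content-Type' appears twice; the import specifier
// and the short 'ok' literal must be ignored.
const SAMPLE = `
import { json } from 'node-fetch-like';
const DEFAULT_TYPE = 'application/json';
// 'application/json' inside a comment must not count
function send(res) { res.setHeader('Content-Type', 'application/json'); return 'ok'; }
function fail(res) { res.setHeader('Content-Type', 'application/json'); return 'ok'; }
`;

console.log(findDuplicateStrings(SAMPLE, 3));
```

Lowering the threshold to 2 additionally reports 'Content-Type', which shows why the number in the config above is the minimum occurrence count, not a maximum.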
Detecting Unused Collections
This rule identifies collections (arrays, maps, sets) that are populated but whose contents are never read; the description must match the rule actually configured, sonarjs/no-unused-collection, which does not cover unused function parameters. The code sample configures ESLint to throw an error for any such unused collection.
```js
module.exports = {
  rules: {
    'sonarjs/no-unused-collection': 'error'
  }
};
```
Detecting Collapsible If Statements
This rule detects if statements that can be collapsed into a single statement. The code sample configures ESLint to throw an error for any collapsible if statements.
```js
module.exports = {
  rules: {
    'sonarjs/no-collapsible-if': 'error'
  }
};
```
eslint-plugin-jsx-a11y is an ESLint plugin that provides accessibility checks for JSX elements. It helps developers to write accessible code by enforcing best practices and identifying potential accessibility issues. Unlike eslint-plugin-sonarjs, which focuses on code quality and bug detection, eslint-plugin-jsx-a11y is specifically aimed at improving accessibility in web applications.
eslint-plugin-security is an ESLint plugin that identifies potential security vulnerabilities in JavaScript code. It includes rules to detect common security issues such as the use of eval, insecure randomness, and potential command injection. While eslint-plugin-sonarjs focuses on general code quality and bug detection, eslint-plugin-security is specialized in identifying security-related issues.
eslint-plugin-unicorn is an ESLint plugin that enforces various best practices and code quality improvements. It includes a wide range of rules for improving code readability, maintainability, and performance. Compared to eslint-plugin-sonarjs, eslint-plugin-unicorn offers a broader set of rules that cover more aspects of code quality, including stylistic preferences and performance optimizations.
SonarJS rules for ESLint to detect bugs and suspicious patterns in your code.
Rules in this category aim to find places in code which have a high chance of being bugs, i.e. don't work as intended.
- no-all-duplicated-branches
- no-element-overwrite
- no-empty-collection
- no-extra-arguments
- no-identical-conditions
- no-identical-expressions
- no-ignored-return (uses-types)
- no-one-iteration-loop
- no-use-of-empty-return-value
- non-existent-operator (fixable)

Code Smells, or maintainability issues, are raised for places of code which might be costly to change in the future. These rules also help to keep code quality and readability high. Finally, some rules report issues on other suspicious code patterns.
- cognitive-complexity
- elseif-without-else (disabled)
- max-switch-cases
- no-collapsible-if
- no-collection-size-mischeck (fixable, uses-types)
- no-duplicate-string
- no-duplicated-branches
- no-gratuitous-expressions
- no-identical-functions
- no-inverted-boolean-check (fixable, disabled)
- no-nested-switch
- no-nested-template-literals
- no-redundant-boolean
- no-redundant-jump (fixable)
- no-same-line-conditional (fixable)
- no-small-switch
- no-unused-collection
- no-useless-catch
- prefer-immediate-return (fixable)
- prefer-object-literal
- prefer-single-boolean-return (fixable)
- prefer-while (fixable)

Install eslint-plugin-sonarjs using npm (or yarn) for your project or globally:
```sh
npm install eslint-plugin-sonarjs --save-dev # install for your project
npm install eslint-plugin-sonarjs -g # or install globally
```
Add eslint-plugin-sonarjs to the plugins option of your .eslintrc:
```json
{
  "plugins": ["sonarjs"]
}
```
Add plugin:sonarjs/recommended to the extends option to enable all recommended rules:
```json
{
  "extends": ["plugin:sonarjs/recommended"]
}
```
or enable only the rules you want individually:
```json
{
  "rules": {
    "sonarjs/cognitive-complexity": "error",
    "sonarjs/no-identical-expressions": "error"
    // etc.
  }
}
```
Use @typescript-eslint/parser as a parser for ESLint (like we do) and set the parserOptions.project option. Thanks to it, type information is available, which is beneficial or even essential for some rules (marked uses-types in the lists above).

This plugin provides only a recommended configuration. Almost all rules are activated in this profile, with a few exceptions (check the disabled tag in the rules list). The recommended configuration activates rules with error severity.
This plugin exposes to ESLint users a subset of JS/TS rules from Sonar-* products (aka SonarJS). We extracted the rules which are not available in ESLint core or other ESLint plugins to be beneficial for ESLint community.
If you are a SonarQube or SonarCloud user, to lint your code locally, we suggest using the SonarLint IDE extension (available for VSCode, JetBrains IDEs and Eclipse). You can connect SonarLint to your SonarQube/SonarCloud project to synchronize rule configuration, issue statuses, etc.
You want to participate in the development of the project? Have a look at our contributing guide!
FAQs
SonarJS rules for ESLint
The npm package eslint-plugin-sonarjs receives a total of 958,160 weekly downloads. As such, eslint-plugin-sonarjs popularity was classified as popular.
We found that eslint-plugin-sonarjs demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 5 open source maintainers collaborating on the project.