SonarJS rules for ESLint to help developers produce Clean Code by detecting bugs and suspicious patterns.
- Node.js (>=16.x).
- ESLint 8.x (version 9.X not yet supported)
- typescript-eslint/parser 7.X (version 8.X not yet supported)
- If you don't have ESLint yet configured for your project, follow these instructions.
- Install
eslint-plugin-sonarjsusingnpm(oryarn) for your project or globally:
npm install eslint-plugin-sonarjs --save-dev # install for your project
npm install eslint-plugin-sonarjs -g # or install globally- Add
eslint-plugin-sonarjsto the plugins of your ESLint config.
For ESLint 9: add plugins option to your eslint.config.js and include the recommended config to enable all rules:
import sonarjs from "eslint-plugin-sonarjs";
[
sonarjs.configs.recommended,
{
"plugins": {
sonarjs,
}
}
]
For ESLint 8: add plugins option to your .eslintrc and plugin:sonarjs/recommended-legacy to the extends option to enable all recommended rules:
{
"plugins": ["sonarjs"],
"extends": ["plugin:sonarjs/recommended-legacy"]
}- or enable only some rules manually:
{
"rules": {
"sonarjs/cognitive-complexity": "error",
"sonarjs/no-identical-expressions": "error"
// etc.
}
}- To allow each of the rules to fully perform, use
@typescript-eslint/parseras a parser for ESLint and set the parserOptions.project option. This enables type checking which is beneficial or even essential for some rules.
This plugin provides only a recommended configuration. Almost all rules are activated in this profile with a few exceptions (check the disabled tag in the rules list). The recommended configuration activates rules with error severity.
We include a recommended-legacy configuration to be backward compatible with ESLint v8, with the same rule configuration..
This plugin exposes to ESLint users all JS/TS rules from Sonar-* products (aka SonarJS). We extracted the rules to be beneficial for the ESLint community.
If you are a SonarQube or SonarCloud user, to lint your code locally, we suggest using SonarLint IDE extension (available for VSCode, JetBrains IDEs and Eclipse). You can connect SonarLint to your SonarQube/SonarCloud project to synchronize rules configuration, issue statuses, etc.
💼 Configurations enabled in.
✅ Set in the recommended configuration.
🔧 Automatically fixable by the --fix CLI option.
💡 Manually fixable by editor suggestions.
💭 Requires type information.
❌ Deprecated.
| Name | Description | 💼 | 🔧 | 💡 | 💭 | ❌ |
|---|---|---|---|---|---|---|
| accessor-pairs | Property getters and setters should come in pairs | |||||
| alt-text | Image, area, button with image and object elements should have an alternative text | ✅ | ||||
| anchor-has-content | Anchors should contain accessible content | ✅ | 💡 | |||
| anchor-is-valid | Anchor tags should not be used as buttons | ✅ | ||||
| anchor-precedence | Alternatives in regular expressions should be grouped when used with anchors | ✅ | 💭 | |||
| argument-type | Arguments to built-in functions should match documented types | ✅ | 💭 | |||
| arguments-order | Parameters should be passed in the correct order | ✅ | 💭 | |||
| arguments-usage | "arguments" should not be accessed directly | |||||
| array-callback-without-return | Callbacks of array methods should have return statements | ✅ | 💭 | |||
| array-constructor | Array constructors should not be used | 💡 | ||||
| arrow-function-convention | Braces and parentheses should be used consistently with arrow functions | |||||
| assertions-in-tests | Tests should include assertions | ✅ | ||||
| aws-apigateway-public-api | Creating public APIs is security-sensitive | ✅ | ||||
| aws-ec2-rds-dms-public | Allowing public network access to cloud resources is security-sensitive | ✅ | ||||
| aws-ec2-unencrypted-ebs-volume | Using unencrypted EBS volumes is security-sensitive | ✅ | ||||
| aws-efs-unencrypted | Using unencrypted EFS file systems is security-sensitive | ✅ | ||||
| aws-iam-all-privileges | Policies granting all privileges are security-sensitive | ✅ | ||||
| aws-iam-all-resources-accessible | Policies granting access to all resources of an account are security-sensitive | |||||
| aws-iam-privilege-escalation | AWS IAM policies should limit the scope of permissions given | ✅ | ||||
| aws-iam-public-access | Policies authorizing public access to resources are security-sensitive | ✅ | ||||
| aws-opensearchservice-domain | Using unencrypted Elasticsearch domains is security-sensitive | ✅ | ||||
| aws-rds-unencrypted-databases | Using unencrypted RDS DB resources is security-sensitive | ✅ | ||||
| aws-restricted-ip-admin-access | Administration services access should be restricted to specific IP addresses | ✅ | ||||
| aws-s3-bucket-granted-access | Granting access to S3 buckets to all or authenticated users is security-sensitive | ✅ | ||||
| aws-s3-bucket-insecure-http | Authorizing HTTP communications with S3 buckets is security-sensitive | ✅ | ||||
| aws-s3-bucket-public-access | Allowing public ACLs or policies on a S3 bucket is security-sensitive | ✅ | ||||
| aws-s3-bucket-server-encryption | Disabling server-side encryption of S3 buckets is security-sensitive | ❌ | ||||
| aws-s3-bucket-versioning | Disabling versioning of S3 buckets is security-sensitive | ✅ | ||||
| aws-sagemaker-unencrypted-notebook | Using unencrypted SageMaker notebook instances is security-sensitive | ✅ | ||||
| aws-sns-unencrypted-topics | Using unencrypted SNS topics is security-sensitive | ✅ | ||||
| aws-sqs-unencrypted-queue | Using unencrypted SQS queues is security-sensitive | ✅ | ||||
| bitwise-operators | Bitwise operators should not be used in boolean contexts | ✅ | ||||
| bool-param-default | Optional boolean parameters should have default value | |||||
| brace-style | An open curly brace should be located at the end of a line | 🔧 | ❌ | |||
| call-argument-line | Function call arguments should not start on new lines | ✅ | ||||
| certificate-transparency | Disabling Certificate Transparency monitoring is security-sensitive | ✅ | ||||
| chai-determinate-assertion | Chai assertions should have only one reason to succeed | ✅ | ||||
| class-name | Class names should comply with a naming convention | ✅ | ||||
| class-prototype | Class methods should be used instead of "prototype" assignments | 💭 | ||||
| code-eval | Dynamically executing code is security-sensitive | ✅ | ||||
| cognitive-complexity | Cognitive Complexity of functions should not be too high | ✅ | ||||
| comma-or-logical-or-case | Comma and logical OR operators should not be used in switch cases | ✅ | ||||
| comment-regex | Track comments matching a regular expression | |||||
| concise-regex | Regular expression quantifiers and character classes should be used concisely | ✅ | 💭 | |||
| conditional-indentation | A conditionally executed single line should be denoted by indentation | ❌ | ||||
| confidential-information-logging | Allowing confidential information to be logged is security-sensitive | ✅ | ||||
| constructor-for-side-effects | Objects should not be created to be dropped immediately without being used | ✅ | ||||
| content-length | Allowing requests with excessive content length is security-sensitive | ✅ | ||||
| content-security-policy | Disabling content security policy fetch directives is security-sensitive | ✅ | ||||
| cookie-no-httponly | Creating cookies without the "HttpOnly" flag is security-sensitive | ✅ | ||||
| cookies | Writing cookies is security-sensitive | ❌ | ||||
| cors | Having a permissive Cross-Origin Resource Sharing policy is security-sensitive | ✅ | ||||
| csrf | Disabling CSRF protections is security-sensitive | ✅ | ||||
| cyclomatic-complexity | Cyclomatic Complexity of functions should not be too high | |||||
| declarations-in-global-scope | Variables and functions should not be declared in the global scope | |||||
| default-param-last | Function parameters with default values should be last | ✅ | ||||
| deprecation | Deprecated APIs should not be used | ✅ | 💭 | |||
| destructuring-assignment-syntax | Destructuring syntax should be used for assignments | |||||
| different-types-comparison | Strict equality operators should not be used with dissimilar types | ✅ | 💡 | 💭 | ||
| disabled-auto-escaping | Disabling auto-escaping in template engines is security-sensitive | ✅ | 💭 | |||
| disabled-resource-integrity | Using remote artifacts without integrity checks is security-sensitive | ✅ | 💭 | |||
| disabled-timeout | Disabling Mocha timeouts should be explicit | ✅ | ||||
| dns-prefetching | Allowing browsers to perform DNS prefetching is security-sensitive | ❌ | ||||
| duplicates-in-character-class | Character classes in regular expressions should not contain the same character twice | ✅ | 💭 | |||
| elseif-without-else | "if ... else if" constructs should end with "else" clauses | |||||
| empty-string-repetition | Repeated patterns in regular expressions should not match the empty string | ✅ | 💭 | |||
| encryption | Encrypting data is security-sensitive | ❌ | ||||
| encryption-secure-mode | Encryption algorithms should be used with secure mode and padding scheme | ✅ | ||||
| enforce-trailing-comma | Trailing commas should be used | 🔧 | ❌ | |||
| existing-groups | Replacement strings should reference existing regular expression groups | ✅ | 💭 | |||
| expression-complexity | Expressions should not be too complex | |||||
| file-header | Track lack of copyright and license headers | |||||
| file-name-differ-from-class | Default export names and file names should match | |||||
| file-permissions | Setting loose POSIX file permissions is security-sensitive | ✅ | ||||
| file-uploads | File uploads should be restricted | ✅ | ||||
| fixme-tag | Track uses of "FIXME" tags | ✅ | ||||
| for-in | "for...in" loops should filter properties before acting on them | |||||
| for-loop-increment-sign | A "for" loop update clause should move the counter in the right direction | ✅ | ||||
| frame-ancestors | Disabling content security policy frame-ancestors directive is security-sensitive | ✅ | ||||
| function-inside-loop | Functions should not be defined inside loops | ✅ | ||||
| function-name | Function and method names should comply with a naming convention | |||||
| function-return-type | Functions should always return the same type | ✅ | 💭 | |||
| future-reserved-words | Future reserved words should not be used as identifiers | ✅ | ||||
| generator-without-yield | Generators should explicitly "yield" a value | ✅ | ||||
| hashing | Using weak hashing algorithms is security-sensitive | ✅ | ||||
| hidden-files | Statically serving hidden files is security-sensitive | ✅ | ||||
| hook-use-state | The return value of "useState" should be destructured and named symmetrically | ✅ | 💡 | |||
| html-has-lang | HTML elements should have a valid language attribute | ✅ | 💡 | |||
| in-operator-type-error | "in" should not be used with primitive types | ✅ | 💭 | |||
| inconsistent-function-call | Functions should be called consistently with or without "new" | ✅ | ||||
| index-of-compare-to-positive-number | "indexOf" checks should not be for positive numbers | ✅ | 💭 | |||
| insecure-cookie | Creating cookies without the "secure" flag is security-sensitive | ✅ | ||||
| insecure-jwt-token | JWT should be signed and verified with strong cipher algorithms | ✅ | ||||
| inverted-assertion-arguments | Assertion arguments should be passed in the correct order | ✅ | 💡 | |||
| jsx-key | JSX list components should have a key property | ✅ | ||||
| jsx-no-constructed-context-values | React Context Provider values should have stable identities | ✅ | ||||
| jsx-no-useless-fragment | Redundant React fragments should be removed | ✅ | 🔧 | 💡 | ||
| label-has-associated-control | Label elements should have a text label and an associated control | ✅ | ||||
| label-position | Only "while", "do", "for" and "switch" statements should be labelled | ✅ | ||||
| link-with-target-blank | Authorizing an opened window to access back to the originating window is security-sensitive | ✅ | ||||
| max-switch-cases | "switch" statements should not have too many "case" clauses | ✅ | ||||
| max-union-size | Union types should not have too many elements | |||||
| media-has-caption | Media elements should have captions | ✅ | ||||
| misplaced-loop-counter | "for" loop increment clauses should modify the loops' counters | ✅ | ||||
| mouse-events-a11y | Mouse events should have corresponding keyboard events | ✅ | 💡 | |||
| nested-control-flow | Control flow statements "if", "for", "while", "switch" and "try" should not be nested too deeply | |||||
| new-cap | Constructor names should start with an upper case letter | ✅ | ||||
| new-operator-misuse | "new" should only be used with functions and classes | ✅ | 💭 | |||
| no-accessor-field-mismatch | Getters and setters should access the expected fields | ✅ | ||||
| no-all-duplicated-branches | All branches in a conditional structure should not have exactly the same implementation | ✅ | ||||
| no-alphabetical-sort | "Array.prototype.sort()" and "Array.prototype.toSorted()" should use a compare function | ✅ | 💡 | 💭 | ||
| no-angular-bypass-sanitization | Disabling Angular built-in sanitization is security-sensitive | ✅ | ||||
| no-array-delete | "delete" should not be used on arrays | ✅ | 💭 | |||
| no-array-index-key | JSX list components should not use array indexes as key | ✅ | ||||
| no-associative-arrays | Array indexes should be numeric | ✅ | 💭 | |||
| no-async-constructor | Constructors should not contain asynchronous operations | ✅ | ||||
| no-base-to-string | Objects and classes converted or coerced to strings should define a "toString()" method | ✅ | 💭 | |||
| no-built-in-override | Built-in objects should not be overridden | |||||
| no-case-label-in-switch | "switch" statements should not contain non-case labels | ✅ | ||||
| no-clear-text-protocols | Using clear-text protocols is security-sensitive | ✅ | ||||
| no-code-after-done | Tests should not execute any code after "done()" is called | ✅ | ||||
| no-collapsible-if | Mergeable "if" statements should be combined | |||||
| no-collection-size-mischeck | Collection size and array length comparisons should make sense | ✅ | 💡 | 💭 | ||
| no-commented-code | Sections of code should not be commented out | ✅ | 💡 | |||
| no-dead-store | Unused assignments should be removed | ✅ | ||||
| no-delete-var | "delete" should be used only with object properties | ✅ | ||||
| no-deprecated-react | Deprecated React APIs should not be used | ✅ | ||||
| no-duplicate-in-composite | Union and intersection types should not include duplicated constituents | ✅ | 💡 | |||
| no-duplicate-string | String literals should not be duplicated | |||||
| no-duplicated-branches | Two branches in a conditional structure should not have exactly the same implementation | ✅ | ||||
| no-element-overwrite | Collection elements should not be replaced unconditionally | ✅ | ||||
| no-empty-after-reluctant | Reluctant quantifiers in regular expressions should be followed by an expression that can't match the empty string | ✅ | 💭 | |||
| no-empty-alternatives | Alternation in regular expressions should not contain empty alternatives | ✅ | 💭 | |||
| no-empty-collection | Empty collections should not be accessed or iterated | ✅ | ||||
| no-empty-function | Functions should not be empty | ✅ | 💡 | |||
| no-empty-group | Regular expressions should not contain empty groups | ✅ | 💭 | |||
| no-empty-interface | Interfaces should not be empty | 🔧 | 💡 | |||
| no-empty-test-file | Test files should contain at least one test case | ✅ | ||||
| no-equals-in-for-termination | Equality operators should not be used in "for" loop termination conditions | ✅ | ||||
| no-exclusive-tests | Exclusive tests should not be commited to version control | ✅ | 💡 | |||
| no-extend-native | Prototypes of builtin objects should not be modified | ✅ | ||||
| no-extra-arguments | Function calls should not pass extra arguments | ✅ | ||||
| no-extra-semi | Extra semicolons should be removed | 🔧 | ❌ | |||
| no-find-dom-node | React's "findDOMNode" should not be used | ✅ | ||||
| no-for-in-iterable | "for in" should not be used with iterables | 💭 | ||||
| no-function-declaration-in-block | Function declarations should not be made within blocks | |||||
| no-global-this | The global "this" object should not be used | ✅ | 💡 | |||
| no-globals-shadowing | Special identifiers should not be bound or assigned | ✅ | ||||
| no-gratuitous-expressions | Boolean expressions should not be gratuitous | ✅ | ||||
| no-hardcoded-credentials | Hard-coded credentials are security-sensitive | ✅ | ||||
| no-hardcoded-ip | Using hardcoded IP addresses is security-sensitive | ✅ | ||||
| no-hook-setter-in-body | React's useState hook should not be used directly in the render function or body of a component | ✅ | ||||
| no-identical-conditions | "if/else if" chains and "switch" cases should not have the same condition | ✅ | ||||
| no-identical-expressions | Identical expressions should not be used on both sides of a binary operator | ✅ | ||||
| no-identical-functions | Functions should not have identical implementations | ✅ | ||||
| no-ignored-exceptions | Exceptions should not be ignored | ✅ | ||||
| no-ignored-return | Return values from functions without side effects should not be ignored | ✅ | 💭 | |||
| no-implicit-dependencies | Dependencies should be explicit | |||||
| no-implicit-global | Variables should be declared explicitly | ✅ | ||||
| no-in-misuse | "in" should not be used on arrays | ✅ | 💡 | 💭 | ||
| no-incomplete-assertions | Assertions should be complete | ✅ | ||||
| no-inconsistent-returns | Functions should use "return" consistently | |||||
| no-incorrect-string-concat | Strings and non-strings should not be added | 💭 | ||||
| no-infinite-loop | Loops should not be infinite | ✅ | ||||
| no-internal-api-use | Users should not use internal APIs | ✅ | ||||
| no-intrusive-permissions | Using intrusive permissions is security-sensitive | ✅ | ||||
| no-invalid-await | "await" should only be used with promises | ✅ | 💭 | |||
| no-invariant-returns | Function returns should not be invariant | ✅ | ||||
| no-inverted-boolean-check | Boolean checks should not be inverted | ✅ | 🔧 | 💡 | ||
| no-ip-forward | Forwarding client IP address is security-sensitive | ✅ | ||||
| no-labels | Labels should not be used | ✅ | ||||
| no-literal-call | Literals should not be used as functions | ✅ | ||||
| no-lonely-if | If statements should not be the only statement in else blocks | ✅ | 🔧 | |||
| no-mime-sniff | Allowing browsers to sniff MIME types is security-sensitive | ✅ | ||||
| no-misleading-array-reverse | Array-mutating methods should not be used misleadingly | ✅ | 💡 | 💭 | ||
| no-misused-promises | Promises should not be misused | ✅ | 💡 | 💭 | ||
| no-mixed-content | Allowing mixed-content is security-sensitive | ✅ | ||||
| no-nested-assignment | Assignments should not be made from within sub-expressions | ✅ | ||||
| no-nested-conditional | Ternary operators should not be nested | ✅ | ||||
| no-nested-functions | Functions should not be nested too deeply | ✅ | ||||
| no-nested-incdec | Increment (++) and decrement (--) operators should not be used in a method call or mixed with other operators in an expression | |||||
| no-nested-switch | "switch" statements should not be nested | |||||
| no-nested-template-literals | Template literals should not be nested | ✅ | ||||
| no-one-iteration-loop | Loops with at most one iteration should be refactored | ✅ | ||||
| no-os-command-from-path | Searching OS commands in PATH is security-sensitive | ✅ | ||||
| no-parameter-reassignment | Initial values of parameters, caught exceptions, and loop variables should not be ignored | ✅ | ||||
| no-primitive-wrappers | Wrapper objects should not be used for primitive types | ✅ | 💡 | |||
| no-redeclare | Variables and functions should not be redeclared | ✅ | ||||
| no-redundant-assignments | Assignments should not be redundant | ✅ | ||||
| no-redundant-boolean | Boolean literals should not be used in comparisons | ✅ | ||||
| no-redundant-jump | Jump statements should not be redundant | ✅ | 💡 | |||
| no-redundant-optional | Optional property declarations should not use both '?' and 'undefined' syntax | ✅ | 💡 | 💭 | ||
| no-redundant-parentheses | Redundant pairs of parentheses should be removed | 💡 | ❌ | |||
| no-redundant-type-constituents | Type constituents of unions and intersections should not be redundant | ✅ | 💭 | |||
| no-reference-error | Variables should be defined before being used | |||||
| no-referrer-policy | Disabling strict HTTP no-referrer policy is security-sensitive | ✅ | ||||
| no-require-or-define | "import" should be used to include external code | 💭 | ||||
| no-return-type-any | Primitive return types should be used | 💭 | ||||
| no-same-argument-assert | Assertions should not be given twice the same argument | ✅ | ||||
| no-same-line-conditional | Conditionals should start on new lines | ✅ | 💡 | |||
| no-selector-parameter | Methods should not contain selector parameters | ✅ | 💭 | |||
| no-self-compare | "Number.isNaN()" should be used to check for "NaN" value | ✅ | 💡 | |||
| no-self-import | Module should not import itself | ✅ | 💡 | |||
| no-skipped-test | Tests should not be skipped without providing a reason | ✅ | ||||
| no-small-switch | "switch" statements should have at least 3 "case" clauses | ✅ | ||||
| no-tab | Tabulation characters should not be used | ❌ | ||||
| no-table-as-layout | HTML "<table>" should not be used for layout purposes | ✅ | ||||
| no-this-alias | "this" should not be assigned to variables | |||||
| no-throw-literal | Literals should not be thrown | ✅ | 💡 | 💭 | ||
| no-try-promise | Promise rejections should not be caught by "try" blocks | ✅ | 💭 | |||
| no-undefined-argument | "undefined" should not be passed as the value of optional parameters | ✅ | 💡 | 💭 | ||
| no-undefined-assignment | "undefined" should not be assigned | |||||
| no-unenclosed-multiline-block | Multiline blocks should be enclosed in curly braces | ✅ | ||||
| no-uniq-key | JSX list components keys should match up between renders | ✅ | ||||
| no-unknown-property | JSX elements should not use unknown properties and attributes | ✅ | 💡 | |||
| no-unreachable | All code should be reachable | ✅ | 💡 | |||
| no-unsafe | React legacy lifecycle methods should not be used | ✅ | ||||
| no-unsafe-unzip | Expanding archive files without controlling resource consumption is security-sensitive | ✅ | ||||
| no-unstable-nested-components | React components should not be nested | ✅ | ||||
| no-unthrown-error | Errors should not be created without being thrown | ✅ | 💡 | |||
| no-unused-collection | Collection contents should be used | ✅ | ||||
| no-unused-expressions | Non-empty statements should change control flow or have at least one side-effect | ✅ | ||||
| no-unused-function-argument | Unused function parameters should be removed | 💡 | ||||
| no-unused-private-class-members | Unused private class members should be removed | ✅ | 💡 | |||
| no-use-of-empty-return-value | The return value of void functions should not be used | ✅ | ||||
| no-useless-call | Calls to ".call()" and ".apply()" methods should not be redundant | ✅ | 💡 | |||
| no-useless-catch | "catch" clauses should do more than rethrow | ✅ | ||||
| no-useless-constructor | Unnecessary constructors should be removed | ✅ | 💡 | |||
| no-useless-increment | Values should not be uselessly incremented | ✅ | ||||
| no-useless-intersection | Type intersections should use meaningful types | ✅ | 💭 | |||
| no-useless-react-setstate | React state setter function should not be called with its matching state variable | ✅ | ||||
| no-var | Variables should be declared with "let" or "const" | ✅ | 🔧 | |||
| no-variable-usage-before-declaration | Variables declared with "var" should be declared before they are used | |||||
| no-vue-bypass-sanitization | Disabling Vue.js built-in escaping is security-sensitive | ✅ | ||||
| no-weak-cipher | Cipher algorithms should be robust | ✅ | ||||
| no-weak-keys | Cryptographic keys should be robust | ✅ | ||||
| no-wildcard-import | Wildcard imports should not be used | |||||
| non-existent-operator | Non-existent operators '=+', '=-' and '=!' should not be used | ✅ | 💡 | |||
| non-number-in-arithmetic-expression | Arithmetic operators should only have numbers as operands | 💭 | ||||
| null-dereference | Properties of variables with "null" or "undefined" values should not be accessed | ✅ | 💭 | |||
| object-alt-content | "" tags should provide an alternative content | ✅ | ||||
| object-shorthand | Object literal shorthand syntax should be used | 🔧 | ||||
| operation-returning-nan | Arithmetic operations should not result in "NaN" | 💭 | ||||
| os-command | Using shell interpreter when executing OS commands is security-sensitive | ✅ | ||||
| post-message | Origins should be verified during cross-origin communications | ✅ | 💭 | |||
| prefer-default-last | "default" clauses should be last | ✅ | ||||
| prefer-enum-initializers | Enum member values should be either all initialized or none | ✅ | 💡 | |||
| prefer-for-of | "for of" should be used with Iterables | ✅ | 💡 | |||
| prefer-function-type | Function types should be preferred | ✅ | 🔧 | |||
| prefer-immediate-return | Local variables should not be declared and then immediately returned or thrown | 🔧 | ||||
| prefer-namespace-keyword | "module" should not be used | ✅ | 🔧 | |||
| prefer-nullish-coalescing | Nullish coalescing should be preferred | ✅ | 💡 | 💭 | ||
| prefer-object-literal | Object literal syntax should be used | |||||
| prefer-object-spread | Object spread syntax should be used instead of "Object.assign" | ✅ | 🔧 | |||
| prefer-promise-shorthand | Shorthand promises should be used | ✅ | 💡 | |||
| prefer-single-boolean-return | Return of boolean expressions should not be wrapped into an "if-then-else" statement | ✅ | 💡 | |||
| prefer-spread | Spread syntax should be used instead of "apply()" | ✅ | 💡 | |||
| prefer-string-starts-ends-with | Ends of strings should be checked with "startsWith()" and "endsWith()" | ✅ | 🔧 | 💡 | 💭 | |
| prefer-template | Template strings should be used instead of concatenation | 🔧 | ||||
| prefer-type-guard | Type predicates should be used | ✅ | 💡 | |||
| prefer-while | A "while" loop should be used instead of a "for" loop | ✅ | 🔧 | |||
| process-argv | Using command line arguments is security-sensitive | ❌ | ||||
| production-debug | Delivering code in production with debug features activated is security-sensitive | ✅ | ||||
| pseudo-random | Using pseudorandom number generators (PRNGs) is security-sensitive | ✅ | ||||
| public-static-readonly | Public "static" fields should be read-only | ✅ | 💡 | |||
| publicly-writable-directories | Using publicly writable directories is security-sensitive | ✅ | ||||
| reduce-initial-value | "Array.reduce()" calls should include an initial value | ✅ | 💭 | |||
| redundant-type-aliases | Redundant type aliases should not be used | ✅ | ||||
| regex-complexity | Regular expressions should not be too complicated | ✅ | 💭 | |||
| regular-expr | Using regular expressions is security-sensitive | ❌ | ||||
| rules-of-hooks | React Hooks should be properly called | ✅ | ||||
| semi | Statements should end with semicolons | 🔧 | ❌ | |||
| session-regeneration | A new session should be created during user authentication | ✅ | ||||
| shorthand-property-grouping | Shorthand object properties should be grouped at the beginning or end of an object declaration | |||||
| single-char-in-character-classes | Character classes in regular expressions should not contain only one character | ✅ | 💭 | |||
| single-character-alternation | Single-character alternations in regular expressions should be replaced with character classes | ✅ | 💭 | |||
| slow-regex | Using slow regular expressions is security-sensitive | ✅ | 💭 | |||
| sockets | Using Sockets is security-sensitive | ❌ | ||||
| sonar-block-scoped-var | Variables should be used in the blocks where they are declared | ✅ | ||||
| sonar-jsx-no-leaked-render | React components should not render non-boolean condition values | ✅ | 💡 | 💭 | ||
| sonar-max-lines | Files should not have too many lines of code | |||||
| sonar-max-lines-per-function | Functions should not have too many lines of code | |||||
| sonar-max-params | Functions should not have too many parameters | ✅ | ||||
| sonar-no-control-regex | Regular expressions should not contain control characters | ✅ | 💭 | |||
| sonar-no-dupe-keys | Member names should not be duplicated within a class or object literal | ✅ | 💡 | |||
| sonar-no-empty-character-class | Empty character classes should not be used | ✅ | 💭 | |||
| sonar-no-fallthrough | Switch cases should end with an unconditional "break" statement | ✅ | ||||
| sonar-no-invalid-regexp | Regular expressions should be syntactically valid | ✅ | 💭 | |||
| sonar-no-magic-numbers | Magic numbers should not be used | |||||
| sonar-no-misleading-character-class | Unicode Grapheme Clusters should be avoided inside regex character classes | ✅ | 💡 | 💭 | ||
| sonar-no-regex-spaces | Regular expressions should not contain multiple spaces | ✅ | 💡 | 💭 | ||
| sonar-no-unused-class-component-methods | Unused methods of React components should be removed | ✅ | ||||
| sonar-no-unused-vars | Unused local variables and functions should be removed | ✅ | ||||
| sonar-prefer-optional-chain | Optional chaining should be preferred | ✅ | 🔧 | 💡 | ||
| sonar-prefer-read-only-props | React props should be read-only | ✅ | 💡 | 💭 | ||
| sonar-prefer-regexp-exec | "RegExp.exec()" should be preferred over "String.match()" | ✅ | 💡 | 💭 | ||
| sql-queries | Formatting SQL queries is security-sensitive | ✅ | ||||
| stable-tests | Tests should be stable | ✅ | ||||
| standard-input | Reading the Standard Input is security-sensitive | ❌ | ||||
| stateful-regex | Regular expressions with the global flag should be used with caution | ✅ | ||||
| strict-transport-security | Disabling Strict-Transport-Security policy is security-sensitive | ✅ | ||||
| strings-comparison | Comparison operators should not be used with strings | 💭 | ||||
| super-invocation | "super()" should be invoked appropriately | ✅ | ||||
| switch-without-default | "switch" statements should have "default" clauses | 💡 | 💭 | |||
| table-header | Tables should have headers | ✅ | ||||
| table-header-reference | Table cells should reference their headers | ✅ | ||||
| test-check-exception | Tests should check which exception is thrown | ✅ | ||||
| todo-tag | Track uses of "TODO" tags | ✅ | ||||
| too-many-break-or-continue-in-loop | Loops should not contain more than a single "break" or "continue" statement | |||||
| unicode-aware-regex | Regular expressions using Unicode character classes or property escapes should enable the unicode flag | 💭 | ||||
| unnecessary-character-escapes | Unnecessary character escapes should be removed | ✅ | 💡 | |||
| unused-import | Unnecessary imports should be removed | ✅ | 💡 | 💭 | ||
| unused-named-groups | Names of regular expressions named groups should be used | ✅ | 💭 | |||
| unverified-certificate | Server certificates should be verified during SSL/TLS connections | ✅ | ||||
| unverified-hostname | Server hostnames should be verified during SSL/TLS connections | ✅ | ||||
| updated-const-var | "const" variables should not be reassigned | ✅ | ||||
| updated-loop-counter | Loop counters should not be assigned within the loop body | ✅ | ||||
| use-isnan | "NaN" should not be used in comparisons | ✅ | 💡 | |||
| use-type-alias | Type aliases should be used | ✅ | ||||
| useless-string-operation | Results of operations on strings should not be ignored | 💭 | ❌ | |||
| values-not-convertible-to-numbers | Values not convertible to numbers should not be used in numeric comparisons | 💭 | ||||
| variable-name | Variable, property and parameter names should comply with a naming convention | |||||
| void-use | "void" should not be used | ✅ | 💭 | |||
| weak-ssl | Weak SSL/TLS protocols should not be used | ✅ | ||||
| web-sql-database | Web SQL databases should not be used | 💭 | ❌ | |||
| x-powered-by | Disclosing fingerprints from web application technologies is security-sensitive | ✅ | ||||
| xml-parser-xxe | XML parsers should not be vulnerable to XXE attacks | ✅ | ||||
| xpath | Executing XPath expressions is security-sensitive | ❌ |