SonarJS rules for ESLint to help developers produce Clean Code by detecting bugs and suspicious patterns.
- Node.js (>=16.x) with ESLint 8.
- Node.js (^18.18.0 || ^20.9.0 || >=21) with ESLint 9.
- If you don't have ESLint yet configured for your project, follow these instructions.
- Install
eslint-plugin-sonarjs
usingnpm
(oryarn
) for your project or globally:
npm install eslint-plugin-sonarjs --save-dev # install for your project
npm install eslint-plugin-sonarjs -g # or install globally
- Add
eslint-plugin-sonarjs
to the plugins of your ESLint config.
For ESLint 9: add plugins
option to your eslint.config.js
and include the recommended config to enable all rules:
import sonarjs from "eslint-plugin-sonarjs";
[
sonarjs.configs.recommended,
{
"plugins": {
sonarjs,
}
}
]
For ESLint 8: add plugins
option to your .eslintrc
and plugin:sonarjs/recommended-legacy
to the extends
option to enable all recommended rules:
{
"plugins": ["sonarjs"],
"extends": ["plugin:sonarjs/recommended-legacy"]
}
- or enable only some rules manually:
{
"rules": {
"sonarjs/cognitive-complexity": "error",
"sonarjs/no-identical-expressions": "error"
// etc.
}
}
- To allow each of the rules to fully perform, use
@typescript-eslint/parser
as a parser for ESLint and set the parserOptions.project option. This enables type checking which is beneficial or even essential for some rules.
This plugin provides only a recommended
configuration. Almost all rules are activated in this profile with a few exceptions (check the disabled
tag in the rules list). The recommended
configuration activates rules with error
severity.
We include a recommended-legacy
configuration to be backward compatible with ESLint v8, with the same rule configuration..
This plugin exposes to ESLint users all JS/TS rules from Sonar-* products (aka SonarJS). We extracted the rules to be beneficial for the ESLint community.
If you are a SonarQube or SonarCloud user, to lint your code locally, we suggest using SonarLint IDE extension (available for VSCode, JetBrains IDEs and Eclipse). You can connect SonarLint to your SonarQube/SonarCloud project to synchronize rules configuration, issue statuses, etc.
💼 Configurations enabled in.
✅ Set in the recommended
configuration.
🔧 Automatically fixable by the --fix
CLI option.
💡 Manually fixable by editor suggestions.
💭 Requires type information.
❌ Deprecated.
Name | Description | 💼 | 🔧 | 💡 | 💭 | ❌ |
---|---|---|---|---|---|---|
accessor-pairs | Property getters and setters should come in pairs | |||||
alt-text | Image, area, button with image and object elements should have an alternative text | ✅ | ||||
anchor-has-content | Anchors should contain accessible content | ✅ | 💡 | |||
anchor-is-valid | Anchor tags should not be used as buttons | ✅ | ||||
anchor-precedence | Alternatives in regular expressions should be grouped when used with anchors | ✅ | 💭 | |||
argument-type | Arguments to built-in functions should match documented types | ✅ | 💭 | |||
arguments-order | Parameters should be passed in the correct order | ✅ | 💭 | |||
arguments-usage | "arguments" should not be accessed directly | |||||
array-callback-without-return | Callbacks of array methods should have return statements | ✅ | 💭 | |||
array-constructor | Array constructors should not be used | 💡 | ||||
arrow-function-convention | Braces and parentheses should be used consistently with arrow functions | |||||
assertions-in-tests | Tests should include assertions | ✅ | ||||
aws-apigateway-public-api | Creating public APIs is security-sensitive | ✅ | ||||
aws-ec2-rds-dms-public | Allowing public network access to cloud resources is security-sensitive | ✅ | ||||
aws-ec2-unencrypted-ebs-volume | Using unencrypted EBS volumes is security-sensitive | ✅ | ||||
aws-efs-unencrypted | Using unencrypted EFS file systems is security-sensitive | ✅ | ||||
aws-iam-all-privileges | Policies granting all privileges are security-sensitive | ✅ | ||||
aws-iam-all-resources-accessible | Policies granting access to all resources of an account are security-sensitive | |||||
aws-iam-privilege-escalation | AWS IAM policies should limit the scope of permissions given | ✅ | ||||
aws-iam-public-access | Policies authorizing public access to resources are security-sensitive | ✅ | ||||
aws-opensearchservice-domain | Using unencrypted Elasticsearch domains is security-sensitive | ✅ | ||||
aws-rds-unencrypted-databases | Using unencrypted RDS DB resources is security-sensitive | ✅ | ||||
aws-restricted-ip-admin-access | Administration services access should be restricted to specific IP addresses | ✅ | ||||
aws-s3-bucket-granted-access | Granting access to S3 buckets to all or authenticated users is security-sensitive | ✅ | ||||
aws-s3-bucket-insecure-http | Authorizing HTTP communications with S3 buckets is security-sensitive | ✅ | ||||
aws-s3-bucket-public-access | Allowing public ACLs or policies on a S3 bucket is security-sensitive | ✅ | ||||
aws-s3-bucket-server-encryption | Disabling server-side encryption of S3 buckets is security-sensitive | ❌ | ||||
aws-s3-bucket-versioning | Disabling versioning of S3 buckets is security-sensitive | ✅ | ||||
aws-sagemaker-unencrypted-notebook | Using unencrypted SageMaker notebook instances is security-sensitive | ✅ | ||||
aws-sns-unencrypted-topics | Using unencrypted SNS topics is security-sensitive | ✅ | ||||
aws-sqs-unencrypted-queue | Using unencrypted SQS queues is security-sensitive | ✅ | ||||
bitwise-operators | Bitwise operators should not be used in boolean contexts | ✅ | ||||
bool-param-default | Optional boolean parameters should have default value | |||||
brace-style | An open curly brace should be located at the end of a line | 🔧 | ❌ | |||
call-argument-line | Function call arguments should not start on new lines | ✅ | ||||
certificate-transparency | Disabling Certificate Transparency monitoring is security-sensitive | ✅ | ||||
chai-determinate-assertion | Chai assertions should have only one reason to succeed | ✅ | ||||
class-name | Class names should comply with a naming convention | ✅ | ||||
class-prototype | Class methods should be used instead of "prototype" assignments | 💭 | ||||
code-eval | Dynamically executing code is security-sensitive | ✅ | ||||
cognitive-complexity | Cognitive Complexity of functions should not be too high | ✅ | ||||
comma-or-logical-or-case | Comma and logical OR operators should not be used in switch cases | ✅ | ||||
comment-regex | Track comments matching a regular expression | |||||
concise-regex | Regular expression quantifiers and character classes should be used concisely | ✅ | 💭 | |||
conditional-indentation | A conditionally executed single line should be denoted by indentation | ❌ | ||||
confidential-information-logging | Allowing confidential information to be logged is security-sensitive | ✅ | ||||
constructor-for-side-effects | Objects should not be created to be dropped immediately without being used | ✅ | ||||
content-length | Allowing requests with excessive content length is security-sensitive | ✅ | ||||
content-security-policy | Disabling content security policy fetch directives is security-sensitive | ✅ | ||||
cookie-no-httponly | Creating cookies without the "HttpOnly" flag is security-sensitive | ✅ | ||||
cookies | Writing cookies is security-sensitive | ❌ | ||||
cors | Having a permissive Cross-Origin Resource Sharing policy is security-sensitive | ✅ | ||||
csrf | Disabling CSRF protections is security-sensitive | ✅ | ||||
cyclomatic-complexity | Cyclomatic Complexity of functions should not be too high | |||||
declarations-in-global-scope | Variables and functions should not be declared in the global scope | |||||
default-param-last | Function parameters with default values should be last | ✅ | ||||
deprecation | Deprecated APIs should not be used | ✅ | 💭 | |||
destructuring-assignment-syntax | Destructuring syntax should be used for assignments | |||||
different-types-comparison | Strict equality operators should not be used with dissimilar types | ✅ | 💡 | 💭 | ||
disabled-auto-escaping | Disabling auto-escaping in template engines is security-sensitive | ✅ | 💭 | |||
disabled-resource-integrity | Using remote artifacts without integrity checks is security-sensitive | ✅ | 💭 | |||
disabled-timeout | Disabling Mocha timeouts should be explicit | ✅ | ||||
dns-prefetching | Allowing browsers to perform DNS prefetching is security-sensitive | ❌ | ||||
duplicates-in-character-class | Character classes in regular expressions should not contain the same character twice | ✅ | 💭 | |||
elseif-without-else | "if ... else if" constructs should end with "else" clauses | |||||
empty-string-repetition | Repeated patterns in regular expressions should not match the empty string | ✅ | 💭 | |||
encryption | Encrypting data is security-sensitive | ❌ | ||||
encryption-secure-mode | Encryption algorithms should be used with secure mode and padding scheme | ✅ | ||||
enforce-trailing-comma | Trailing commas should be used | 🔧 | ❌ | |||
existing-groups | Replacement strings should reference existing regular expression groups | ✅ | 💭 | |||
expression-complexity | Expressions should not be too complex | |||||
file-header | Track lack of copyright and license headers | |||||
file-name-differ-from-class | Default export names and file names should match | |||||
file-permissions | Setting loose POSIX file permissions is security-sensitive | ✅ | ||||
file-uploads | File uploads should be restricted | ✅ | ||||
fixme-tag | Track uses of "FIXME" tags | ✅ | ||||
for-in | "for...in" loops should filter properties before acting on them | |||||
for-loop-increment-sign | A "for" loop update clause should move the counter in the right direction | ✅ | ||||
frame-ancestors | Disabling content security policy frame-ancestors directive is security-sensitive | ✅ | ||||
function-inside-loop | Functions should not be defined inside loops | ✅ | ||||
function-name | Function and method names should comply with a naming convention | |||||
function-return-type | Functions should always return the same type | ✅ | 💭 | |||
future-reserved-words | Future reserved words should not be used as identifiers | ✅ | ||||
generator-without-yield | Generators should explicitly "yield" a value | ✅ | ||||
hashing | Using weak hashing algorithms is security-sensitive | ✅ | ||||
hidden-files | Statically serving hidden files is security-sensitive | ✅ | ||||
hook-use-state | The return value of "useState" should be destructured and named symmetrically | ✅ | 💡 | |||
html-has-lang | HTML elements should have a valid language attribute | ✅ | 💡 | |||
in-operator-type-error | "in" should not be used with primitive types | ✅ | 💭 | |||
inconsistent-function-call | Functions should be called consistently with or without "new" | ✅ | ||||
index-of-compare-to-positive-number | "indexOf" checks should not be for positive numbers | ✅ | 💭 | |||
insecure-cookie | Creating cookies without the "secure" flag is security-sensitive | ✅ | ||||
insecure-jwt-token | JWT should be signed and verified with strong cipher algorithms | ✅ | ||||
inverted-assertion-arguments | Assertion arguments should be passed in the correct order | ✅ | 💡 | |||
jsx-key | JSX list components should have a key property | ✅ | ||||
jsx-no-constructed-context-values | React Context Provider values should have stable identities | ✅ | ||||
jsx-no-useless-fragment | Redundant React fragments should be removed | ✅ | 🔧 | 💡 | ||
label-has-associated-control | Label elements should have a text label and an associated control | ✅ | ||||
label-position | Only "while", "do", "for" and "switch" statements should be labelled | ✅ | ||||
link-with-target-blank | Authorizing an opened window to access back to the originating window is security-sensitive | ✅ | ||||
max-switch-cases | "switch" statements should not have too many "case" clauses | ✅ | ||||
max-union-size | Union types should not have too many elements | |||||
media-has-caption | Media elements should have captions | ✅ | ||||
misplaced-loop-counter | "for" loop increment clauses should modify the loops' counters | ✅ | ||||
mouse-events-a11y | Mouse events should have corresponding keyboard events | ✅ | 💡 | |||
nested-control-flow | Control flow statements "if", "for", "while", "switch" and "try" should not be nested too deeply | |||||
new-cap | Constructor names should start with an upper case letter | ✅ | ||||
new-operator-misuse | "new" should only be used with functions and classes | ✅ | 💭 | |||
no-accessor-field-mismatch | Getters and setters should access the expected fields | ✅ | ||||
no-all-duplicated-branches | All branches in a conditional structure should not have exactly the same implementation | ✅ | ||||
no-alphabetical-sort | "Array.prototype.sort()" and "Array.prototype.toSorted()" should use a compare function | ✅ | 💡 | 💭 | ||
no-angular-bypass-sanitization | Disabling Angular built-in sanitization is security-sensitive | ✅ | ||||
no-array-delete | "delete" should not be used on arrays | ✅ | 💭 | |||
no-array-index-key | JSX list components should not use array indexes as key | ✅ | ||||
no-associative-arrays | Array indexes should be numeric | ✅ | 💭 | |||
no-async-constructor | Constructors should not contain asynchronous operations | ✅ | ||||
no-base-to-string | Objects and classes converted or coerced to strings should define a "toString()" method | ✅ | 💭 | |||
no-built-in-override | Built-in objects should not be overridden | |||||
no-case-label-in-switch | "switch" statements should not contain non-case labels | ✅ | ||||
no-clear-text-protocols | Using clear-text protocols is security-sensitive | ✅ | ||||
no-code-after-done | Tests should not execute any code after "done()" is called | ✅ | ||||
no-collapsible-if | Mergeable "if" statements should be combined | |||||
no-collection-size-mischeck | Collection size and array length comparisons should make sense | ✅ | 💡 | 💭 | ||
no-commented-code | Sections of code should not be commented out | ✅ | 💡 | |||
no-dead-store | Unused assignments should be removed | ✅ | ||||
no-delete-var | "delete" should be used only with object properties | ✅ | ||||
no-deprecated-react | Deprecated React APIs should not be used | ✅ | ||||
no-duplicate-in-composite | Union and intersection types should not include duplicated constituents | ✅ | 💡 | |||
no-duplicate-string | String literals should not be duplicated | |||||
no-duplicated-branches | Two branches in a conditional structure should not have exactly the same implementation | ✅ | ||||
no-element-overwrite | Collection elements should not be replaced unconditionally | ✅ | ||||
no-empty-after-reluctant | Reluctant quantifiers in regular expressions should be followed by an expression that can't match the empty string | ✅ | 💭 | |||
no-empty-alternatives | Alternation in regular expressions should not contain empty alternatives | ✅ | 💭 | |||
no-empty-collection | Empty collections should not be accessed or iterated | ✅ | ||||
no-empty-function | Functions should not be empty | ✅ | 💡 | |||
no-empty-group | Regular expressions should not contain empty groups | ✅ | 💭 | |||
no-empty-interface | Interfaces should not be empty | 🔧 | 💡 | |||
no-empty-test-file | Test files should contain at least one test case | ✅ | ||||
no-equals-in-for-termination | Equality operators should not be used in "for" loop termination conditions | ✅ | ||||
no-exclusive-tests | Exclusive tests should not be commited to version control | ✅ | 💡 | |||
no-extend-native | Prototypes of builtin objects should not be modified | ✅ | ||||
no-extra-arguments | Function calls should not pass extra arguments | ✅ | ||||
no-extra-semi | Extra semicolons should be removed | 🔧 | ❌ | |||
no-find-dom-node | React's "findDOMNode" should not be used | ✅ | ||||
no-for-in-iterable | "for in" should not be used with iterables | 💭 | ||||
no-function-declaration-in-block | Function declarations should not be made within blocks | |||||
no-global-this | The global "this" object should not be used | ✅ | 💡 | |||
no-globals-shadowing | Special identifiers should not be bound or assigned | ✅ | ||||
no-gratuitous-expressions | Boolean expressions should not be gratuitous | ✅ | ||||
no-hardcoded-credentials | Hard-coded credentials are security-sensitive | ✅ | ||||
no-hardcoded-ip | Using hardcoded IP addresses is security-sensitive | ✅ | ||||
no-hook-setter-in-body | React's useState hook should not be used directly in the render function or body of a component | ✅ | ||||
no-identical-conditions | "if/else if" chains and "switch" cases should not have the same condition | ✅ | ||||
no-identical-expressions | Identical expressions should not be used on both sides of a binary operator | ✅ | ||||
no-identical-functions | Functions should not have identical implementations | ✅ | ||||
no-ignored-exceptions | Exceptions should not be ignored | ✅ | ||||
no-ignored-return | Return values from functions without side effects should not be ignored | ✅ | 💭 | |||
no-implicit-dependencies | Dependencies should be explicit | |||||
no-implicit-global | Variables should be declared explicitly | ✅ | ||||
no-in-misuse | "in" should not be used on arrays | ✅ | 💡 | 💭 | ||
no-incomplete-assertions | Assertions should be complete | ✅ | ||||
no-inconsistent-returns | Functions should use "return" consistently | |||||
no-incorrect-string-concat | Strings and non-strings should not be added | 💭 | ||||
no-infinite-loop | Loops should not be infinite | ✅ | ||||
no-internal-api-use | Users should not use internal APIs | ✅ | ||||
no-intrusive-permissions | Using intrusive permissions is security-sensitive | ✅ | ||||
no-invalid-await | "await" should only be used with promises | ✅ | 💭 | |||
no-invariant-returns | Function returns should not be invariant | ✅ | ||||
no-inverted-boolean-check | Boolean checks should not be inverted | ✅ | 🔧 | 💡 | ||
no-ip-forward | Forwarding client IP address is security-sensitive | ✅ | ||||
no-labels | Labels should not be used | ✅ | ||||
no-literal-call | Literals should not be used as functions | ✅ | ||||
no-lonely-if | If statements should not be the only statement in else blocks | ✅ | 🔧 | |||
no-mime-sniff | Allowing browsers to sniff MIME types is security-sensitive | ✅ | ||||
no-misleading-array-reverse | Array-mutating methods should not be used misleadingly | ✅ | 💡 | 💭 | ||
no-misused-promises | Promises should not be misused | ✅ | 💡 | 💭 | ||
no-mixed-content | Allowing mixed-content is security-sensitive | ✅ | ||||
no-nested-assignment | Assignments should not be made from within sub-expressions | ✅ | ||||
no-nested-conditional | Ternary operators should not be nested | ✅ | ||||
no-nested-functions | Functions should not be nested too deeply | ✅ | ||||
no-nested-incdec | Increment (++) and decrement (--) operators should not be used in a method call or mixed with other operators in an expression | |||||
no-nested-switch | "switch" statements should not be nested | |||||
no-nested-template-literals | Template literals should not be nested | ✅ | ||||
no-one-iteration-loop | Loops with at most one iteration should be refactored | ✅ | ||||
no-os-command-from-path | Searching OS commands in PATH is security-sensitive | ✅ | ||||
no-parameter-reassignment | Initial values of parameters, caught exceptions, and loop variables should not be ignored | ✅ | ||||
no-primitive-wrappers | Wrapper objects should not be used for primitive types | ✅ | 💡 | |||
no-redeclare | Variables and functions should not be redeclared | ✅ | ||||
no-redundant-assignments | Assignments should not be redundant | ✅ | ||||
no-redundant-boolean | Boolean literals should not be used in comparisons | ✅ | ||||
no-redundant-jump | Jump statements should not be redundant | ✅ | 💡 | |||
no-redundant-optional | Optional property declarations should not use both '?' and 'undefined' syntax | ✅ | 💡 | 💭 | ||
no-redundant-parentheses | Redundant pairs of parentheses should be removed | 💡 | ❌ | |||
no-redundant-type-constituents | Type constituents of unions and intersections should not be redundant | ✅ | 💭 | |||
no-reference-error | Variables should be defined before being used | |||||
no-referrer-policy | Disabling strict HTTP no-referrer policy is security-sensitive | ✅ | ||||
no-require-or-define | "import" should be used to include external code | 💭 | ||||
no-return-type-any | Primitive return types should be used | 💭 | ||||
no-same-argument-assert | Assertions should not be given twice the same argument | ✅ | ||||
no-same-line-conditional | Conditionals should start on new lines | ✅ | 💡 | |||
no-selector-parameter | Methods should not contain selector parameters | ✅ | 💭 | |||
no-self-compare | "Number.isNaN()" should be used to check for "NaN" value | ✅ | 💡 | |||
no-self-import | Module should not import itself | ✅ | 💡 | |||
no-skipped-test | Tests should not be skipped without providing a reason | ✅ | ||||
no-small-switch | "if" statements should be preferred over "switch" when simpler | ✅ | ||||
no-tab | Tabulation characters should not be used | ❌ | ||||
no-table-as-layout | HTML "<table>" should not be used for layout purposes | ✅ | ||||
no-this-alias | "this" should not be assigned to variables | |||||
no-throw-literal | Literals should not be thrown | ✅ | 💡 | 💭 | ||
no-try-promise | Promise rejections should not be caught by "try" blocks | ✅ | 💭 | |||
no-undefined-argument | "undefined" should not be passed as the value of optional parameters | ✅ | 💡 | 💭 | ||
no-undefined-assignment | "undefined" should not be assigned | |||||
no-unenclosed-multiline-block | Multiline blocks should be enclosed in curly braces | ✅ | ||||
no-uniq-key | JSX list components keys should match up between renders | ✅ | ||||
no-unknown-property | JSX elements should not use unknown properties and attributes | ✅ | 💡 | |||
no-unreachable | All code should be reachable | ✅ | 💡 | |||
no-unsafe | React legacy lifecycle methods should not be used | ✅ | ||||
no-unsafe-unzip | Expanding archive files without controlling resource consumption is security-sensitive | ✅ | ||||
no-unstable-nested-components | React components should not be nested | ✅ | ||||
no-unthrown-error | Errors should not be created without being thrown | ✅ | 💡 | |||
no-unused-collection | Collection contents should be used | ✅ | ||||
no-unused-expressions | Non-empty statements should change control flow or have at least one side-effect | ✅ | ||||
no-unused-function-argument | Unused function parameters should be removed | 💡 | ||||
no-unused-private-class-members | Unused private class members should be removed | ✅ | 💡 | |||
no-use-of-empty-return-value | The return value of void functions should not be used | ✅ | ||||
no-useless-call | Calls to ".call()" and ".apply()" methods should not be redundant | ✅ | 💡 | |||
no-useless-catch | "catch" clauses should do more than rethrow | ✅ | ||||
no-useless-constructor | Unnecessary constructors should be removed | ✅ | 💡 | |||
no-useless-increment | Values should not be uselessly incremented | ✅ | ||||
no-useless-intersection | Type intersections should use meaningful types | ✅ | 💭 | |||
no-useless-react-setstate | React state setter function should not be called with its matching state variable | ✅ | ||||
no-var | Variables should be declared with "let" or "const" | ✅ | 🔧 | |||
no-variable-usage-before-declaration | Variables declared with "var" should be declared before they are used | |||||
no-vue-bypass-sanitization | Disabling Vue.js built-in escaping is security-sensitive | ✅ | ||||
no-weak-cipher | Cipher algorithms should be robust | ✅ | ||||
no-weak-keys | Cryptographic keys should be robust | ✅ | ||||
no-wildcard-import | Wildcard imports should not be used | |||||
non-existent-operator | Non-existent operators '=+', '=-' and '=!' should not be used | ✅ | 💡 | |||
non-number-in-arithmetic-expression | Arithmetic operators should only have numbers as operands | 💭 | ||||
null-dereference | Properties of variables with "null" or "undefined" values should not be accessed | ✅ | 💭 | |||
object-alt-content | "" tags should provide an alternative content | ✅ | ||||
object-shorthand | Object literal shorthand syntax should be used | 🔧 | ||||
operation-returning-nan | Arithmetic operations should not result in "NaN" | 💭 | ||||
os-command | Using shell interpreter when executing OS commands is security-sensitive | ✅ | ||||
post-message | Origins should be verified during cross-origin communications | ✅ | 💭 | |||
prefer-default-last | "default" clauses should be last | ✅ | ||||
prefer-enum-initializers | Enum member values should be either all initialized or none | ✅ | 💡 | |||
prefer-for-of | "for of" should be used with Iterables | ✅ | 💡 | |||
prefer-function-type | Function types should be preferred | ✅ | 🔧 | |||
prefer-immediate-return | Local variables should not be declared and then immediately returned or thrown | 🔧 | ||||
prefer-namespace-keyword | "module" should not be used | ✅ | 🔧 | |||
prefer-nullish-coalescing | Nullish coalescing should be preferred | ✅ | 💡 | 💭 | ||
prefer-object-literal | Object literal syntax should be used | |||||
prefer-object-spread | Object spread syntax should be used instead of "Object.assign" | ✅ | 🔧 | |||
prefer-promise-shorthand | Shorthand promises should be used | ✅ | 💡 | |||
prefer-single-boolean-return | Return of boolean expressions should not be wrapped into an "if-then-else" statement | ✅ | 💡 | |||
prefer-spread | Spread syntax should be used instead of "apply()" | ✅ | 💡 | |||
prefer-string-starts-ends-with | Ends of strings should be checked with "startsWith()" and "endsWith()" | ✅ | 🔧 | 💡 | 💭 | |
prefer-template | Template strings should be used instead of concatenation | 🔧 | ||||
prefer-type-guard | Type predicates should be used | ✅ | 💡 | |||
prefer-while | A "while" loop should be used instead of a "for" loop | ✅ | 🔧 | |||
process-argv | Using command line arguments is security-sensitive | ❌ | ||||
production-debug | Delivering code in production with debug features activated is security-sensitive | ✅ | ||||
pseudo-random | Using pseudorandom number generators (PRNGs) is security-sensitive | ✅ | ||||
public-static-readonly | Public "static" fields should be read-only | ✅ | 💡 | |||
publicly-writable-directories | Using publicly writable directories is security-sensitive | ✅ | ||||
reduce-initial-value | "Array.reduce()" calls should include an initial value | ✅ | 💭 | |||
redundant-type-aliases | Redundant type aliases should not be used | ✅ | ||||
regex-complexity | Regular expressions should not be too complicated | ✅ | 💭 | |||
regular-expr | Using regular expressions is security-sensitive | ❌ | ||||
rules-of-hooks | React Hooks should be properly called | ✅ | ||||
semi | Statements should end with semicolons | 🔧 | ❌ | |||
session-regeneration | A new session should be created during user authentication | ✅ | ||||
shorthand-property-grouping | Shorthand object properties should be grouped at the beginning or end of an object declaration | |||||
single-char-in-character-classes | Character classes in regular expressions should not contain only one character | ✅ | 💭 | |||
single-character-alternation | Single-character alternations in regular expressions should be replaced with character classes | ✅ | 💭 | |||
slow-regex | Using slow regular expressions is security-sensitive | ✅ | 💭 | |||
sockets | Using Sockets is security-sensitive | ❌ | ||||
sonar-block-scoped-var | Variables should be used in the blocks where they are declared | ✅ | ||||
sonar-jsx-no-leaked-render | React components should not render non-boolean condition values | ✅ | 💡 | 💭 | ||
sonar-max-lines | Files should not have too many lines of code | |||||
sonar-max-lines-per-function | Functions should not have too many lines of code | |||||
sonar-max-params | Functions should not have too many parameters | ✅ | ||||
sonar-no-control-regex | Regular expressions should not contain control characters | ✅ | 💭 | |||
sonar-no-dupe-keys | Member names should not be duplicated within a class or object literal | ✅ | 💡 | |||
sonar-no-empty-character-class | Empty character classes should not be used | ✅ | 💭 | |||
sonar-no-fallthrough | Switch cases should end with an unconditional "break" statement | ✅ | ||||
sonar-no-invalid-regexp | Regular expressions should be syntactically valid | ✅ | 💭 | |||
sonar-no-magic-numbers | Magic numbers should not be used | |||||
sonar-no-misleading-character-class | Unicode Grapheme Clusters should be avoided inside regex character classes | ✅ | 💡 | 💭 | ||
sonar-no-regex-spaces | Regular expressions should not contain multiple spaces | ✅ | 💡 | 💭 | ||
sonar-no-unused-class-component-methods | Unused methods of React components should be removed | ✅ | ||||
sonar-no-unused-vars | Unused local variables and functions should be removed | ✅ | ||||
sonar-prefer-optional-chain | Optional chaining should be preferred | ✅ | 🔧 | 💡 | ||
sonar-prefer-read-only-props | React props should be read-only | ✅ | 💡 | 💭 | ||
sonar-prefer-regexp-exec | "RegExp.exec()" should be preferred over "String.match()" | ✅ | 💡 | 💭 | ||
sql-queries | Formatting SQL queries is security-sensitive | ✅ | ||||
stable-tests | Tests should be stable | ✅ | ||||
standard-input | Reading the Standard Input is security-sensitive | ❌ | ||||
stateful-regex | Regular expressions with the global flag should be used with caution | ✅ | ||||
strict-transport-security | Disabling Strict-Transport-Security policy is security-sensitive | ✅ | ||||
strings-comparison | Comparison operators should not be used with strings | 💭 | ||||
super-invocation | "super()" should be invoked appropriately | ✅ | ||||
switch-without-default | "switch" statements should have "default" clauses | 💡 | 💭 | |||
table-header | Tables should have headers | ✅ | ||||
table-header-reference | Table cells should reference their headers | ✅ | ||||
test-check-exception | Tests should check which exception is thrown | ✅ | ||||
todo-tag | Track uses of "TODO" tags | ✅ | ||||
too-many-break-or-continue-in-loop | Loops should not contain more than a single "break" or "continue" statement | |||||
unicode-aware-regex | Regular expressions using Unicode character classes or property escapes should enable the unicode flag | 💭 | ||||
unnecessary-character-escapes | Unnecessary character escapes should be removed | ✅ | 💡 | |||
unused-import | Unnecessary imports should be removed | ✅ | 💡 | 💭 | ||
unused-named-groups | Names of regular expressions named groups should be used | ✅ | 💭 | |||
unverified-certificate | Server certificates should be verified during SSL/TLS connections | ✅ | ||||
unverified-hostname | Server hostnames should be verified during SSL/TLS connections | ✅ | ||||
updated-const-var | "const" variables should not be reassigned | ✅ | ||||
updated-loop-counter | Loop counters should not be assigned within the loop body | ✅ | ||||
use-isnan | "NaN" should not be used in comparisons | ✅ | 💡 | |||
use-type-alias | Type aliases should be used | ✅ | ||||
useless-string-operation | Results of operations on strings should not be ignored | 💭 | ❌ | |||
values-not-convertible-to-numbers | Values not convertible to numbers should not be used in numeric comparisons | 💭 | ||||
variable-name | Variable, property and parameter names should comply with a naming convention | |||||
void-use | "void" should not be used | ✅ | 💭 | |||
weak-ssl | Weak SSL/TLS protocols should not be used | ✅ | ||||
web-sql-database | Web SQL databases should not be used | 💭 | ❌ | |||
x-powered-by | Disclosing fingerprints from web application technologies is security-sensitive | ✅ | ||||
xml-parser-xxe | XML parsers should not be vulnerable to XXE attacks | ✅ | ||||
xpath | Executing XPath expressions is security-sensitive | ❌ |