eslint-plugin-sonarjs
v2.0.4
Published
SonarJS rules for ESLint
Downloads
5,258,852
Readme
eslint-plugin-sonarjs 
SonarJS rules for ESLint to help developers produce Clean Code by detecting bugs and suspicious patterns.
Prerequisites
- Node.js (>=16.x) with ESLint 8.
- Node.js (^18.18.0 || ^20.9.0 || >=21) with ESLint 9.
Usage
- If you don't have ESLint yet configured for your project, follow these instructions.
- Install
eslint-plugin-sonarjsusingnpm(oryarn) for your project or globally:
npm install eslint-plugin-sonarjs --save-dev # install for your project
npm install eslint-plugin-sonarjs -g # or install globally- Add
eslint-plugin-sonarjsto the plugins of your ESLint config.
For ESLint 9: add plugins option to your eslint.config.js and include the recommended config to enable all rules:
import sonarjs from "eslint-plugin-sonarjs";
[
sonarjs.configs.recommended,
{
"plugins": {
sonarjs,
}
}
]For ESLint 8: add plugins option to your .eslintrc and plugin:sonarjs/recommended-legacy to the extends option to enable all recommended rules:
{
"plugins": ["sonarjs"],
"extends": ["plugin:sonarjs/recommended-legacy"]
}- or enable only some rules manually:
{
"rules": {
"sonarjs/cognitive-complexity": "error",
"sonarjs/no-identical-expressions": "error"
// etc.
}
}- To allow each of the rules to fully perform, use
@typescript-eslint/parseras a parser for ESLint and set the parserOptions.project option. This enables type checking which is beneficial or even essential for some rules.
Available Configurations
This plugin provides only a recommended configuration. Almost all rules are activated in this profile with a few exceptions (check the disabled tag in the rules list). The recommended configuration activates rules with error severity.
We include a recommended-legacy configuration to be backward compatible with ESLint v8, with the same rule configuration..
ESLint and Sonar
This plugin exposes to ESLint users all JS/TS rules from Sonar-* products (aka SonarJS). We extracted the rules to be beneficial for the ESLint community.
If you are a SonarQube or SonarCloud user, to lint your code locally, we suggest using SonarLint IDE extension (available for VSCode, JetBrains IDEs and Eclipse). You can connect SonarLint to your SonarQube/SonarCloud project to synchronize rules configuration, issue statuses, etc.
Rules
💼 Configurations enabled in.
✅ Set in the recommended configuration.
🔧 Automatically fixable by the --fix CLI option.
💡 Manually fixable by editor suggestions.
💭 Requires type information.
❌ Deprecated.
| Name | Description | 💼 | 🔧 | 💡 | 💭 | ❌ | | :------------------------------------------------------------------------------------------------------ | :----------------------------------------------------------------------------------------------------------------------------- | :-- | :-- | :-- | :-- | :-- | | accessor-pairs | Property getters and setters should come in pairs | | | | | | | alt-text | Image, area, button with image and object elements should have an alternative text | ✅ | | | | | | anchor-has-content | Anchors should contain accessible content | ✅ | | 💡 | | | | anchor-is-valid | Anchor tags should not be used as buttons | ✅ | | | | | | anchor-precedence | Alternatives in regular expressions should be grouped when used with anchors | ✅ | | | 💭 | | | argument-type | Arguments to built-in functions should match documented types | ✅ | | | 💭 | | | arguments-order | Parameters should be passed in the correct order | ✅ | | | 💭 | | | arguments-usage | "arguments" should not be accessed directly | | | | | | | array-callback-without-return | Callbacks of array methods should have return statements | ✅ | | | 💭 | | | array-constructor | Array constructors should not be used | | | 💡 | | | | arrow-function-convention | Braces and parentheses should be used consistently with arrow functions | | | | | | | assertions-in-tests | Tests should include assertions | ✅ | | | | | | aws-apigateway-public-api | Creating public APIs is security-sensitive | ✅ | | | | | | aws-ec2-rds-dms-public | Allowing public network access to cloud resources is security-sensitive | ✅ | | | | | | aws-ec2-unencrypted-ebs-volume | Using unencrypted EBS volumes is security-sensitive | ✅ | | | | | | aws-efs-unencrypted | Using unencrypted EFS file systems is security-sensitive | ✅ | | | | | | aws-iam-all-privileges | Policies granting all privileges are security-sensitive | ✅ | | | | | | aws-iam-all-resources-accessible | Policies granting access to all resources of an account are security-sensitive | | | | | | | aws-iam-privilege-escalation | AWS IAM policies should limit the scope of permissions given | ✅ | | | | | | aws-iam-public-access | Policies authorizing public access to resources are security-sensitive | ✅ | | | | | | aws-opensearchservice-domain | Using unencrypted Elasticsearch domains is security-sensitive | ✅ | | | | | | aws-rds-unencrypted-databases | Using unencrypted RDS DB resources is security-sensitive | ✅ | | | | | | aws-restricted-ip-admin-access | Administration services access should be restricted to specific IP addresses | ✅ | | | | | | aws-s3-bucket-granted-access | Granting access to S3 buckets to all or authenticated users is security-sensitive | ✅ | | | | | | aws-s3-bucket-insecure-http | Authorizing HTTP communications with S3 buckets is security-sensitive | ✅ | | | | | | aws-s3-bucket-public-access | Allowing public ACLs or policies on a S3 bucket is security-sensitive | ✅ | | | | | | aws-s3-bucket-server-encryption | Disabling server-side encryption of S3 buckets is security-sensitive | | | | | ❌ | | aws-s3-bucket-versioning | Disabling versioning of S3 buckets is security-sensitive | ✅ | | | | | | aws-sagemaker-unencrypted-notebook | Using unencrypted SageMaker notebook instances is security-sensitive | ✅ | | | | | | aws-sns-unencrypted-topics | Using unencrypted SNS topics is security-sensitive | ✅ | | | | | | aws-sqs-unencrypted-queue | Using unencrypted SQS queues is security-sensitive | ✅ | | | | | | bitwise-operators | Bitwise operators should not be used in boolean contexts | ✅ | | | | | | bool-param-default | Optional boolean parameters should have default value | | | | | | | brace-style | An open curly brace should be located at the end of a line | | 🔧 | | | ❌ | | call-argument-line | Function call arguments should not start on new lines | ✅ | | | | | | certificate-transparency | Disabling Certificate Transparency monitoring is security-sensitive | ✅ | | | | | | chai-determinate-assertion | Chai assertions should have only one reason to succeed | ✅ | | | | | | class-name | Class names should comply with a naming convention | ✅ | | | | | | class-prototype | Class methods should be used instead of "prototype" assignments | | | | 💭 | | | code-eval | Dynamically executing code is security-sensitive | ✅ | | | | | | cognitive-complexity | Cognitive Complexity of functions should not be too high | ✅ | | | | | | comma-or-logical-or-case | Comma and logical OR operators should not be used in switch cases | ✅ | | | | | | comment-regex | Track comments matching a regular expression | | | | | | | concise-regex | Regular expression quantifiers and character classes should be used concisely | ✅ | | | 💭 | | | conditional-indentation | A conditionally executed single line should be denoted by indentation | | | | | ❌ | | confidential-information-logging | Allowing confidential information to be logged is security-sensitive | ✅ | | | | | | constructor-for-side-effects | Objects should not be created to be dropped immediately without being used | ✅ | | | | | | content-length | Allowing requests with excessive content length is security-sensitive | ✅ | | | | | | content-security-policy | Disabling content security policy fetch directives is security-sensitive | ✅ | | | | | | cookie-no-httponly | Creating cookies without the "HttpOnly" flag is security-sensitive | ✅ | | | | | | cookies | Writing cookies is security-sensitive | | | | | ❌ | | cors | Having a permissive Cross-Origin Resource Sharing policy is security-sensitive | ✅ | | | | | | csrf | Disabling CSRF protections is security-sensitive | ✅ | | | | | | cyclomatic-complexity | Cyclomatic Complexity of functions should not be too high | | | | | | | declarations-in-global-scope | Variables and functions should not be declared in the global scope | | | | | | | default-param-last | Function parameters with default values should be last | ✅ | | | | | | deprecation | Deprecated APIs should not be used | ✅ | | | 💭 | | | destructuring-assignment-syntax | Destructuring syntax should be used for assignments | | | | | | | different-types-comparison | Strict equality operators should not be used with dissimilar types | ✅ | | 💡 | 💭 | | | disabled-auto-escaping | Disabling auto-escaping in template engines is security-sensitive | ✅ | | | 💭 | | | disabled-resource-integrity | Using remote artifacts without integrity checks is security-sensitive | ✅ | | | 💭 | | | disabled-timeout | Disabling Mocha timeouts should be explicit | ✅ | | | | | | dns-prefetching | Allowing browsers to perform DNS prefetching is security-sensitive | | | | | ❌ | | duplicates-in-character-class | Character classes in regular expressions should not contain the same character twice | ✅ | | | 💭 | | | elseif-without-else | "if ... else if" constructs should end with "else" clauses | | | | | | | empty-string-repetition | Repeated patterns in regular expressions should not match the empty string | ✅ | | | 💭 | | | encryption | Encrypting data is security-sensitive | | | | | ❌ | | encryption-secure-mode | Encryption algorithms should be used with secure mode and padding scheme | ✅ | | | | | | enforce-trailing-comma | Trailing commas should be used | | 🔧 | | | ❌ | | existing-groups | Replacement strings should reference existing regular expression groups | ✅ | | | 💭 | | | expression-complexity | Expressions should not be too complex | | | | | | | file-header | Track lack of copyright and license headers | | | | | | | file-name-differ-from-class | Default export names and file names should match | | | | | | | file-permissions | Setting loose POSIX file permissions is security-sensitive | ✅ | | | | | | file-uploads | File uploads should be restricted | ✅ | | | | | | fixme-tag | Track uses of "FIXME" tags | ✅ | | | | | | for-in | "for...in" loops should filter properties before acting on them | | | | | | | for-loop-increment-sign | A "for" loop update clause should move the counter in the right direction | ✅ | | | | | | frame-ancestors | Disabling content security policy frame-ancestors directive is security-sensitive | ✅ | | | | | | function-inside-loop | Functions should not be defined inside loops | ✅ | | | | | | function-name | Function and method names should comply with a naming convention | | | | | | | function-return-type | Functions should always return the same type | ✅ | | | 💭 | | | future-reserved-words | Future reserved words should not be used as identifiers | ✅ | | | | | | generator-without-yield | Generators should explicitly "yield" a value | ✅ | | | | | | hashing | Using weak hashing algorithms is security-sensitive | ✅ | | | | | | hidden-files | Statically serving hidden files is security-sensitive | ✅ | | | | | | hook-use-state | The return value of "useState" should be destructured and named symmetrically | ✅ | | 💡 | | | | html-has-lang | HTML elements should have a valid language attribute | ✅ | | 💡 | | | | in-operator-type-error | "in" should not be used with primitive types | ✅ | | | 💭 | | | inconsistent-function-call | Functions should be called consistently with or without "new" | ✅ | | | | | | index-of-compare-to-positive-number | "indexOf" checks should not be for positive numbers | ✅ | | | 💭 | | | insecure-cookie | Creating cookies without the "secure" flag is security-sensitive | ✅ | | | | | | insecure-jwt-token | JWT should be signed and verified with strong cipher algorithms | ✅ | | | | | | inverted-assertion-arguments | Assertion arguments should be passed in the correct order | ✅ | | 💡 | | | | jsx-key | JSX list components should have a key property | ✅ | | | | | | jsx-no-constructed-context-values | React Context Provider values should have stable identities | ✅ | | | | | | jsx-no-useless-fragment | Redundant React fragments should be removed | ✅ | 🔧 | 💡 | | | | label-has-associated-control | Label elements should have a text label and an associated control | ✅ | | | | | | label-position | Only "while", "do", "for" and "switch" statements should be labelled | ✅ | | | | | | link-with-target-blank | Authorizing an opened window to access back to the originating window is security-sensitive | ✅ | | | | | | max-switch-cases | "switch" statements should not have too many "case" clauses | ✅ | | | | | | max-union-size | Union types should not have too many elements | | | | | | | media-has-caption | Media elements should have captions | ✅ | | | | | | misplaced-loop-counter | "for" loop increment clauses should modify the loops' counters | ✅ | | | | | | mouse-events-a11y | Mouse events should have corresponding keyboard events | ✅ | | 💡 | | | | nested-control-flow | Control flow statements "if", "for", "while", "switch" and "try" should not be nested too deeply | | | | | | | new-cap | Constructor names should start with an upper case letter | ✅ | | | | | | new-operator-misuse | "new" should only be used with functions and classes | ✅ | | | 💭 | | | no-accessor-field-mismatch | Getters and setters should access the expected fields | ✅ | | | | | | no-all-duplicated-branches | All branches in a conditional structure should not have exactly the same implementation | ✅ | | | | | | no-alphabetical-sort | "Array.prototype.sort()" and "Array.prototype.toSorted()" should use a compare function | ✅ | | 💡 | 💭 | | | no-angular-bypass-sanitization | Disabling Angular built-in sanitization is security-sensitive | ✅ | | | | | | no-array-delete | "delete" should not be used on arrays | ✅ | | | 💭 | | | no-array-index-key | JSX list components should not use array indexes as key | ✅ | | | | | | no-associative-arrays | Array indexes should be numeric | ✅ | | | 💭 | | | no-async-constructor | Constructors should not contain asynchronous operations | ✅ | | | | | | no-base-to-string | Objects and classes converted or coerced to strings should define a "toString()" method | ✅ | | | 💭 | | | no-built-in-override | Built-in objects should not be overridden | | | | | | | no-case-label-in-switch | "switch" statements should not contain non-case labels | ✅ | | | | | | no-clear-text-protocols | Using clear-text protocols is security-sensitive | ✅ | | | | | | no-code-after-done | Tests should not execute any code after "done()" is called | ✅ | | | | | | no-collapsible-if | Mergeable "if" statements should be combined | | | | | | | no-collection-size-mischeck | Collection size and array length comparisons should make sense | ✅ | | 💡 | 💭 | | | no-commented-code | Sections of code should not be commented out | ✅ | | 💡 | | | | no-dead-store | Unused assignments should be removed | ✅ | | | | | | no-delete-var | "delete" should be used only with object properties | ✅ | | | | | | no-deprecated-react | Deprecated React APIs should not be used | ✅ | | | | | | no-duplicate-in-composite | Union and intersection types should not include duplicated constituents | ✅ | | 💡 | | | | no-duplicate-string | String literals should not be duplicated | | | | | | | no-duplicated-branches | Two branches in a conditional structure should not have exactly the same implementation | ✅ | | | | | | no-element-overwrite | Collection elements should not be replaced unconditionally | ✅ | | | | | | no-empty-after-reluctant | Reluctant quantifiers in regular expressions should be followed by an expression that can't match the empty string | ✅ | | | 💭 | | | no-empty-alternatives | Alternation in regular expressions should not contain empty alternatives | ✅ | | | 💭 | | | no-empty-collection | Empty collections should not be accessed or iterated | ✅ | | | | | | no-empty-function | Functions should not be empty | ✅ | | 💡 | | | | no-empty-group | Regular expressions should not contain empty groups | ✅ | | | 💭 | | | no-empty-interface | Interfaces should not be empty | | 🔧 | 💡 | | | | no-empty-test-file | Test files should contain at least one test case | ✅ | | | | | | no-equals-in-for-termination | Equality operators should not be used in "for" loop termination conditions | ✅ | | | | | | no-exclusive-tests | Exclusive tests should not be commited to version control | ✅ | | 💡 | | | | no-extend-native | Prototypes of builtin objects should not be modified | ✅ | | | | | | no-extra-arguments | Function calls should not pass extra arguments | ✅ | | | | | | no-extra-semi | Extra semicolons should be removed | | 🔧 | | | ❌ | | no-find-dom-node | React's "findDOMNode" should not be used | ✅ | | | | | | no-for-in-iterable | "for in" should not be used with iterables | | | | 💭 | | | no-function-declaration-in-block | Function declarations should not be made within blocks | | | | | | | no-global-this | The global "this" object should not be used | ✅ | | 💡 | | | | no-globals-shadowing | Special identifiers should not be bound or assigned | ✅ | | | | | | no-gratuitous-expressions | Boolean expressions should not be gratuitous | ✅ | | | | | | no-hardcoded-credentials | Hard-coded credentials are security-sensitive | ✅ | | | | | | no-hardcoded-ip | Using hardcoded IP addresses is security-sensitive | ✅ | | | | | | no-hook-setter-in-body | React's useState hook should not be used directly in the render function or body of a component | ✅ | | | | | | no-identical-conditions | "if/else if" chains and "switch" cases should not have the same condition | ✅ | | | | | | no-identical-expressions | Identical expressions should not be used on both sides of a binary operator | ✅ | | | | | | no-identical-functions | Functions should not have identical implementations | ✅ | | | | | | no-ignored-exceptions | Exceptions should not be ignored | ✅ | | | | | | no-ignored-return | Return values from functions without side effects should not be ignored | ✅ | | | 💭 | | | no-implicit-dependencies | Dependencies should be explicit | | | | | | | no-implicit-global | Variables should be declared explicitly | ✅ | | | | | | no-in-misuse | "in" should not be used on arrays | ✅ | | 💡 | 💭 | | | no-incomplete-assertions | Assertions should be complete | ✅ | | | | | | no-inconsistent-returns | Functions should use "return" consistently | | | | | | | no-incorrect-string-concat | Strings and non-strings should not be added | | | | 💭 | | | no-infinite-loop | Loops should not be infinite | ✅ | | | | | | no-internal-api-use | Users should not use internal APIs | ✅ | | | | | | no-intrusive-permissions | Using intrusive permissions is security-sensitive | ✅ | | | | | | no-invalid-await | "await" should only be used with promises | ✅ | | | 💭 | | | no-invariant-returns | Function returns should not be invariant | ✅ | | | | | | no-inverted-boolean-check | Boolean checks should not be inverted | ✅ | 🔧 | 💡 | | | | no-ip-forward | Forwarding client IP address is security-sensitive | ✅ | | | | | | no-labels | Labels should not be used | ✅ | | | | | | no-literal-call | Literals should not be used as functions | ✅ | | | | | | no-lonely-if | If statements should not be the only statement in else blocks | ✅ | 🔧 | | | | | no-mime-sniff | Allowing browsers to sniff MIME types is security-sensitive | ✅ | | | | | | no-misleading-array-reverse | Array-mutating methods should not be used misleadingly | ✅ | | 💡 | 💭 | | | no-misused-promises | Promises should not be misused | ✅ | | 💡 | 💭 | | | no-mixed-content | Allowing mixed-content is security-sensitive | ✅ | | | | | | no-nested-assignment | Assignments should not be made from within sub-expressions | ✅ | | | | | | no-nested-conditional | Ternary operators should not be nested | ✅ | | | | | | no-nested-functions | Functions should not be nested too deeply | ✅ | | | | | | no-nested-incdec | Increment (++) and decrement (--) operators should not be used in a method call or mixed with other operators in an expression | | | | | | | no-nested-switch | "switch" statements should not be nested | | | | | | | no-nested-template-literals | Template literals should not be nested | ✅ | | | | | | no-one-iteration-loop | Loops with at most one iteration should be refactored | ✅ | | | | | | no-os-command-from-path | Searching OS commands in PATH is security-sensitive | ✅ | | | | | | no-parameter-reassignment | Initial values of parameters, caught exceptions, and loop variables should not be ignored | ✅ | | | | | | no-primitive-wrappers | Wrapper objects should not be used for primitive types | ✅ | | 💡 | | | | no-redeclare | Variables and functions should not be redeclared | ✅ | | | | | | no-redundant-assignments | Assignments should not be redundant | ✅ | | | | | | no-redundant-boolean | Boolean literals should not be used in comparisons | ✅ | | | | | | no-redundant-jump | Jump statements should not be redundant | ✅ | | 💡 | | | | no-redundant-optional | Optional property declarations should not use both '?' and 'undefined' syntax | ✅ | | 💡 | 💭 | | | no-redundant-parentheses | Redundant pairs of parentheses should be removed | | | 💡 | | ❌ | | no-redundant-type-constituents | Type constituents of unions and intersections should not be redundant | ✅ | | | 💭 | | | no-reference-error | Variables should be defined before being used | | | | | | | no-referrer-policy | Disabling strict HTTP no-referrer policy is security-sensitive | ✅ | | | | | | no-require-or-define | "import" should be used to include external code | | | | 💭 | | | no-return-type-any | Primitive return types should be used | | | | 💭 | | | no-same-argument-assert | Assertions should not be given twice the same argument | ✅ | | | | | | no-same-line-conditional | Conditionals should start on new lines | ✅ | | 💡 | | | | no-selector-parameter | Methods should not contain selector parameters | ✅ | | | 💭 | | | no-self-compare | "Number.isNaN()" should be used to check for "NaN" value | ✅ | | 💡 | | | | no-self-import | Module should not import itself | ✅ | | 💡 | | | | no-skipped-test | Tests should not be skipped without providing a reason | ✅ | | | | | | no-small-switch | "if" statements should be preferred over "switch" when simpler | ✅ | | | | | | no-tab | Tabulation characters should not be used | | | | | ❌ | | no-table-as-layout | HTML "<table>" should not be used for layout purposes | ✅ | | | | | | no-this-alias | "this" should not be assigned to variables | | | | | | | no-throw-literal | Literals should not be thrown | ✅ | | 💡 | 💭 | | | no-try-promise | Promise rejections should not be caught by "try" blocks | ✅ | | | 💭 | | | no-undefined-argument | "undefined" should not be passed as the value of optional parameters | ✅ | | 💡 | 💭 | | | no-undefined-assignment | "undefined" should not be assigned | | | | | | | no-unenclosed-multiline-block | Multiline blocks should be enclosed in curly braces | ✅ | | | | | | no-uniq-key | JSX list components keys should match up between renders | ✅ | | | | | | no-unknown-property | JSX elements should not use unknown properties and attributes | ✅ | | 💡 | | | | no-unreachable | All code should be reachable | ✅ | | 💡 | | | | no-unsafe | React legacy lifecycle methods should not be used | ✅ | | | | | | no-unsafe-unzip | Expanding archive files without controlling resource consumption is security-sensitive | ✅ | | | | | | no-unstable-nested-components | React components should not be nested | ✅ | | | | | | no-unthrown-error | Errors should not be created without being thrown | ✅ | | 💡 | | | | no-unused-collection | Collection contents should be used | ✅ | | | | | | no-unused-expressions | Non-empty statements should change control flow or have at least one side-effect | ✅ | | | | | | no-unused-function-argument | Unused function parameters should be removed | | | 💡 | | | | no-unused-private-class-members | Unused private class members should be removed | ✅ | | 💡 | | | | no-use-of-empty-return-value | The return value of void functions should not be used | ✅ | | | | | | no-useless-call | Calls to ".call()" and ".apply()" methods should not be redundant | ✅ | | 💡 | | | | no-useless-catch | "catch" clauses should do more than rethrow | ✅ | | | | | | no-useless-constructor | Unnecessary constructors should be removed | ✅ | | 💡 | | | | no-useless-increment | Values should not be uselessly incremented | ✅ | | | | | | no-useless-intersection | Type intersections should use meaningful types | ✅ | | | 💭 | | | no-useless-react-setstate | React state setter function should not be called with its matching state variable | ✅ | | | | | | no-var | Variables should be declared with "let" or "const" | ✅ | 🔧 | | | | | [no-variabl