Eslint-plugin-sonarjs NPM

eslint-plugin-sonarjs

eslint-plugin-sonarjs is an ESLint plugin maintained by Sonar, designed to help developers write Clean Code. This plugin exposes to ESLint users all original JS/TS rules from SonarJS, an analyzer for JavaScript and TypeScript within the Sonar ecosystem. This plugin offers general-purpose rules for detecting code smells and bugs, as well as rules for other aspects of code quality, including testing, accessibility, and more. Additionally, it enhances code security by providing rules to report potential security vulnerabilities.

This ESLint plugin does not contain all the rules from the SonarQube JS/TS analyzer. Aside of the rules available here, SonarQube uses rules from other ESLint plugins (some used as they are, some others have been modified). We recommend installing those ESLint plugins and enabling those rules if you are looking for similar results to SonarQube using ESLint.

If you are a SonarQube or SonarCloud user, to lint your code locally, we suggest using SonarLint IDE extension (available for VSCode, JetBrains IDEs and Eclipse). You can connect SonarLint to your SonarQube/SonarCloud project to synchronize rules configuration, issue statuses, etc.

Changelog

Prerequisites

The prerequisites for using this plugin depend on the ESLint version you are using:

For ESLint 8, you need Node.js version >= 16.
For ESLint 9, you need Node.js version that complies with (^18.18.0 || ^20.9.0 || >=21).

Installation

First, ensure that your project is configured with ESLint. If it is not, please follow the ESLint instructions to set it up.

To install eslint-plugin-sonarjs, use the following npm command (or yarn equivalent):

npm install eslint-plugin-sonarjs --save-dev # locally
npm install eslint-plugin-sonarjs -g         # globally

Usage

The usage of eslint-plugin-sonarjs depends on the ESLint version used by your project.

For ESLint 9

This plugin provides a single configuration named recommended. This configuration enables most of the rules except for a few exceptions, and the rules are enabled with the error severity. You can enable the recommended configuration in your eslint.config.js file:

import sonarjs from 'eslint-plugin-sonarjs';

export default [sonarjs.configs.recommended];

If you don't use the recommended configuration, you need to declare the plugin manually in the plugins field. Enable or disable rules using the rules field:

import sonarjs from 'eslint-plugin-sonarjs';
export default [
  {
    plugins: { sonarjs },
    rules: {
      'sonarjs/no-implicit-dependencies': 'error',
    },
  },
];

For ESLint 8

We include a recommended-legacy configuration to be backward compatible with ESLint v8, equivalent to the recommended configuration for ESLint 9.

Add sonarjs to your .eslintrc file:

{
  "plugins": ["sonarjs"],
  "extends": ["plugin:sonarjs/recommended-legacy"]
}

You can enable some rules manually:

{
  "rules": {
    "sonarjs/cognitive-complexity": "error",
    "sonarjs/no-identical-expressions": "error"
  }
}

TypeScript ESLint parser

Several rules are designed for linting both JavaScript and TypeScript code, and some even rely on type checking through TypeScript. Therefore, you will need to install the @typescript-eslint/parser dependency and instruct ESLint to use this parser through the parserOptions property.

SonarLint

As an alternative to using this ESLint plugin, you can use SonarLint. SonarLint is an IDE extension that helps you detect and fix quality issues as you write code. It provides a broader set of rules compared to the ESLint plugin, improved versions of ESLint rules, and additional features that enhance your linting experience.

Feedback

If you have any questions, encounter any bugs, or have feature requests, please reach out to us through the Sonar Community Forum. Your messages will reach the maintainers of this GitHub repository.

Rules

💼 Configurations enabled in.\ ✅ Set in the recommended configuration.\ 🔧 Automatically fixable by the --fix CLI option.\ 💡 Manually fixable by editor suggestions.\ 💭 Requires type information.\ ❌ Deprecated.

Name	Description	💼	🔧	💡	💭	❌
anchor-precedence	Alternatives in regular expressions should be grouped when used with anchors	✅			💭
argument-type	Arguments to built-in functions should match documented types	✅			💭
arguments-order	Parameters should be passed in the correct order	✅			💭
arguments-usage	"arguments" should not be accessed directly
array-callback-without-return	Callbacks of array methods should have return statements	✅			💭
array-constructor	Array constructors should not be used			💡
arrow-function-convention	Braces and parentheses should be used consistently with arrow functions
assertions-in-tests	Tests should include assertions	✅
aws-apigateway-public-api	Creating public APIs is security-sensitive	✅
aws-ec2-rds-dms-public	Allowing public network access to cloud resources is security-sensitive	✅
aws-ec2-unencrypted-ebs-volume	Using unencrypted EBS volumes is security-sensitive	✅
aws-efs-unencrypted	Using unencrypted EFS file systems is security-sensitive	✅
aws-iam-all-privileges	Policies granting all privileges are security-sensitive	✅
aws-iam-all-resources-accessible	Policies granting access to all resources of an account are security-sensitive
aws-iam-privilege-escalation	AWS IAM policies should limit the scope of permissions given	✅
aws-iam-public-access	Policies authorizing public access to resources are security-sensitive	✅
aws-opensearchservice-domain	Using unencrypted Elasticsearch domains is security-sensitive	✅
aws-rds-unencrypted-databases	Using unencrypted RDS DB resources is security-sensitive	✅
aws-restricted-ip-admin-access	Administration services access should be restricted to specific IP addresses	✅
aws-s3-bucket-granted-access	Granting access to S3 buckets to all or authenticated users is security-sensitive	✅
aws-s3-bucket-insecure-http	Authorizing HTTP communications with S3 buckets is security-sensitive	✅
aws-s3-bucket-public-access	Allowing public ACLs or policies on a S3 bucket is security-sensitive	✅
aws-s3-bucket-server-encryption	Disabling server-side encryption of S3 buckets is security-sensitive					❌
aws-s3-bucket-versioning	Disabling versioning of S3 buckets is security-sensitive	✅
aws-sagemaker-unencrypted-notebook	Using unencrypted SageMaker notebook instances is security-sensitive	✅
aws-sns-unencrypted-topics	Using unencrypted SNS topics is security-sensitive	✅
aws-sqs-unencrypted-queue	Using unencrypted SQS queues is security-sensitive	✅
bitwise-operators	Bitwise operators should not be used in boolean contexts	✅
block-scoped-var	Variables should be used in the blocks where they are declared	✅
bool-param-default	Optional boolean parameters should have default value
call-argument-line	Function call arguments should not start on new lines	✅
certificate-transparency	Disabling Certificate Transparency monitoring is security-sensitive	✅
chai-determinate-assertion	Chai assertions should have only one reason to succeed	✅
class-name	Class names should comply with a naming convention	✅
class-prototype	Class methods should be used instead of "prototype" assignments				💭
code-eval	Dynamically executing code is security-sensitive	✅
cognitive-complexity	Cognitive Complexity of functions should not be too high	✅
comma-or-logical-or-case	Comma and logical OR operators should not be used in switch cases	✅
comment-regex	Track comments matching a regular expression
concise-regex	Regular expression quantifiers and character classes should be used concisely	✅			💭
conditional-indentation	A conditionally executed single line should be denoted by indentation					❌
confidential-information-logging	Allowing confidential information to be logged is security-sensitive	✅
constructor-for-side-effects	Objects should not be created to be dropped immediately without being used	✅
content-length	Allowing requests with excessive content length is security-sensitive	✅
content-security-policy	Disabling content security policy fetch directives is security-sensitive	✅
cookie-no-httponly	Creating cookies without the "HttpOnly" flag is security-sensitive	✅
cookies	Writing cookies is security-sensitive					❌
cors	Having a permissive Cross-Origin Resource Sharing policy is security-sensitive	✅
csrf	Disabling CSRF protections is security-sensitive	✅
cyclomatic-complexity	Cyclomatic Complexity of functions should not be too high
declarations-in-global-scope	Variables and functions should not be declared in the global scope
deprecation	Deprecated APIs should not be used	✅			💭
destructuring-assignment-syntax	Destructuring syntax should be used for assignments
different-types-comparison	Strict equality operators should not be used with dissimilar types	✅		💡	💭
disabled-auto-escaping	Disabling auto-escaping in template engines is security-sensitive	✅			💭
disabled-resource-integrity	Using remote artifacts without integrity checks is security-sensitive	✅			💭
disabled-timeout	Disabling Mocha timeouts should be explicit	✅
dns-prefetching	Allowing browsers to perform DNS prefetching is security-sensitive					❌
duplicates-in-character-class	Character classes in regular expressions should not contain the same character twice	✅			💭
elseif-without-else	"if ... else if" constructs should end with "else" clauses
empty-string-repetition	Repeated patterns in regular expressions should not match the empty string	✅			💭
encryption	Encrypting data is security-sensitive					❌
encryption-secure-mode	Encryption algorithms should be used with secure mode and padding scheme	✅
enforce-trailing-comma	Trailing commas should be used		🔧			❌
existing-groups	Replacement strings should reference existing regular expression groups	✅			💭
expression-complexity	Expressions should not be too complex
file-header	Track lack of copyright and license headers
file-name-differ-from-class	Default export names and file names should match
file-permissions	Setting loose POSIX file permissions is security-sensitive	✅
file-uploads	File uploads should be restricted	✅
fixme-tag	Track uses of "FIXME" tags	✅
for-in	"for...in" loops should filter properties before acting on them
for-loop-increment-sign	A "for" loop update clause should move the counter in the right direction	✅
frame-ancestors	Disabling content security policy frame-ancestors directive is security-sensitive	✅
function-inside-loop	Functions should not be defined inside loops	✅
function-name	Function and method names should comply with a naming convention
function-return-type	Functions should always return the same type	✅			💭
future-reserved-words	Future reserved words should not be used as identifiers	✅
generator-without-yield	Generators should explicitly "yield" a value	✅
hashing	Using weak hashing algorithms is security-sensitive	✅
hidden-files	Statically serving hidden files is security-sensitive	✅
in-operator-type-error	"in" should not be used with primitive types	✅			💭
inconsistent-function-call	Functions should be called consistently with or without "new"	✅
index-of-compare-to-positive-number	"indexOf" checks should not be for positive numbers	✅			💭
insecure-cookie	Creating cookies without the "secure" flag is security-sensitive	✅
insecure-jwt-token	JWT should be signed and verified with strong cipher algorithms	✅
inverted-assertion-arguments	Assertion arguments should be passed in the correct order	✅		💡
jsx-no-leaked-render	React components should not render non-boolean condition values	✅		💡	💭
label-position	Only "while", "do", "for" and "switch" statements should be labelled	✅
link-with-target-blank	Authorizing an opened window to access back to the originating window is security-sensitive	✅
max-lines	Files should not have too many lines of code
max-lines-per-function	Functions should not have too many lines of code
max-switch-cases	"switch" statements should not have too many "case" clauses	✅
max-union-size	Union types should not have too many elements
misplaced-loop-counter	"for" loop increment clauses should modify the loops' counters	✅
nested-control-flow	Control flow statements "if", "for", "while", "switch" and "try" should not be nested too deeply
new-operator-misuse	"new" should only be used with functions and classes	✅			💭
no-all-duplicated-branches	All branches in a conditional structure should not have exactly the same implementation	✅
no-alphabetical-sort	"Array.prototype.sort()" and "Array.prototype.toSorted()" should use a compare function	✅		💡	💭
no-angular-bypass-sanitization	Disabling Angular built-in sanitization is security-sensitive	✅
no-array-delete	"delete" should not be used on arrays	✅			💭
no-associative-arrays	Array indexes should be numeric	✅			💭
no-async-constructor	Constructors should not contain asynchronous operations	✅
no-built-in-override	Built-in objects should not be overridden
no-case-label-in-switch	"switch" statements should not contain non-case labels	✅
no-clear-text-protocols	Using clear-text protocols is security-sensitive	✅
no-code-after-done	Tests should not execute any code after "done()" is called	✅
no-collapsible-if	Mergeable "if" statements should be combined
no-collection-size-mischeck	Collection size and array length comparisons should make sense	✅		💡	💭
no-commented-code	Sections of code should not be commented out	✅		💡
no-control-regex	Regular expressions should not contain control characters	✅			💭
no-dead-store	Unused assignments should be removed	✅
no-delete-var	"delete" should be used only with object properties	✅
no-duplicate-in-composite	Union and intersection types should not include duplicated constituents	✅		💡
no-duplicate-string	String literals should not be duplicated
no-duplicated-branches	Two branches in a conditional structure should not have exactly the same implementation	✅
no-element-overwrite	Collection elements should not be replaced unconditionally	✅
no-empty-after-reluctant	Reluctant quantifiers in regular expressions should be followed by an expression that can't match the empty string	✅			💭
no-empty-alternatives	Alternation in regular expressions should not contain empty alternatives	✅			💭
no-empty-character-class	Empty character classes should not be used	✅			💭
no-empty-collection	Empty collections should not be accessed or iterated	✅
no-empty-group	Regular expressions should not contain empty groups	✅			💭
no-empty-test-file	Test files should contain at least one test case	✅
no-equals-in-for-termination	Equality operators should not be used in "for" loop termination conditions	✅
no-exclusive-tests	Exclusive tests should not be commited to version control	✅		💡
no-extra-arguments	Function calls should not pass extra arguments	✅
no-fallthrough	Switch cases should end with an unconditional "break" statement	✅
no-for-in-iterable	"for in" should not be used with iterables				💭
no-function-declaration-in-block	Function declarations should not be made within blocks
no-global-this	The global "this" object should not be used	✅		💡
no-globals-shadowing	Special identifiers should not be bound or assigned	✅
no-gratuitous-expressions	Boolean expressions should not be gratuitous	✅
no-hardcoded-ip	Using hardcoded IP addresses is security-sensitive	✅
no-hardcoded-passwords	Hard-coded passwords are security-sensitive	✅
no-hardcoded-secrets	Hard-coded secrets are security-sensitive	✅
no-hook-setter-in-body	React's useState hook should not be used directly in the render function or body of a component	✅
no-identical-conditions	"if/else if" chains and "switch" cases should not have the same condition	✅
no-identical-expressions	Identical expressions should not be used on both sides of a binary operator	✅
no-identical-functions	Functions should not have identical implementations	✅
no-ignored-exceptions	Exceptions should not be ignored	✅
no-ignored-return	Return values from functions without side effects should not be ignored	✅			💭
no-implicit-dependencies	Dependencies should be explicit
no-implicit-global	Variables should be declared explicitly	✅
no-in-misuse	"in" should not be used on arrays	✅		💡	💭
no-incomplete-assertions	Assertions should be complete	✅
no-inconsistent-returns	Functions should use "return" consistently
no-incorrect-string-concat	Strings and non-strings should not be added				💭
no-internal-api-use	Users should not use internal APIs	✅
no-intrusive-permissions	Using intrusive permissions is security-sensitive	✅
no-invalid-await	"await" should only be used with promises	✅			💭
no-invalid-regexp	Regular expressions should be syntactically valid	✅			💭
no-invariant-returns	Function returns should not be invariant	✅
no-inverted-boolean-check	Boolean checks should not be inverted	✅	🔧	💡
no-ip-forward	Forwarding client IP address is security-sensitive	✅
no-labels	Labels should not be used	✅
no-literal-call	Literals should not be used as functions	✅
no-mime-sniff	Allowing browsers to sniff MIME types is security-sensitive	✅
no-misleading-array-reverse	Array-mutating methods should not be used misleadingly	✅		💡	💭
no-misleading-character-class	Unicode Grapheme Clusters should be avoided inside regex character classes	✅		💡	💭
no-mixed-content	Allowing mixed-content is security-sensitive	✅
no-nested-assignment	Assignments should not be made from within sub-expressions	✅
no-nested-conditional	Ternary operators should not be nested	✅
no-nested-functions	Functions should not be nested too deeply	✅
no-nested-incdec	Increment (++) and decrement (--) operators should not be used in a method call or mixed with other operators in an expression
no-nested-switch	"switch" statements should not be nested
no-nested-template-literals	Template literals should not be nested	✅
no-one-iteration-loop	Loops with at most one iteration should be refactored	✅
no-os-command-from-path	Searching OS commands in PATH is security-sensitive	✅
no-parameter-reassignment	Initial values of parameters, caught exceptions, and loop variables should not be ignored	✅
no-primitive-wrappers	Wrapper objects should not be used for primitive types	✅		💡
no-redundant-assignments	Assignments should not be redundant	✅
no-redundant-boolean	Boolean literals should not be used in comparisons	✅
no-redundant-jump	Jump statements should not be redundant	✅		💡
no-redundant-optional	Optional property declarations should not use both '?' and 'undefined' syntax	✅		💡	💭
no-redundant-parentheses	Redundant pairs of parentheses should be removed			💡		❌
no-reference-error	Variables should be defined before being used
no-referrer-policy	Disabling strict HTTP no-referrer policy is security-sensitive	✅
no-regex-spaces	Regular expressions should not contain multiple spaces	✅		💡	💭
no-require-or-define	"import" should be used to include external code				💭
no-return-type-any	Primitive return types should be used				💭
no-same-argument-assert	Assertions should not be given twice the same argument	✅
no-same-line-conditional	Conditionals should start on new lines	✅		💡
no-selector-parameter	Methods should not contain selector parameters	✅			💭
no-skipped-tests	Tests should not be skipped without providing a reason	✅
no-small-switch	"if" statements should be preferred over "switch" when simpler	✅
no-sonar-comments	Track uses of "NOSONAR" comments
no-tab	Tabulation characters should not be used					❌
no-table-as-layout	HTML "<table>" should not be used for layout purposes	✅
no-try-promise	Promise rejections should not be caught by "try" blocks	✅			💭
no-undefined-argument	"undefined" should not be passed as the value of optional parameters	✅		💡	💭
no-undefined-assignment	"undefined" should not be assigned
no-unenclosed-multiline-block	Multiline blocks should be enclosed in curly braces	✅
no-uniq-key	JSX list components keys should match up between renders	✅
no-unsafe-unzip	Expanding archive files without controlling resource consumption is security-sensitive	✅
no-unthrown-error	Errors should not be created without being thrown	✅		💡
no-unused-collection	Collection contents should be used	✅
no-unused-function-argument	Unused function parameters should be removed			💡
no-unused-vars	Unused local variables and functions should be removed	✅
no-use-of-empty-return-value	The return value of void functions should not be used	✅
no-useless-catch	"catch" clauses should do more than rethrow	✅
no-useless-increment	Values should not be uselessly incremented	✅
no-useless-intersection	Type intersections should use meaningful types	✅			💭
no-useless-react-setstate	React state setter function should not be called with its matching state variable	✅
no-variable-usage-before-declaration	Variables declared with "var" should be declared before they are used
no-vue-bypass-sanitization	Disabling Vue.js built-in escaping is security-sensitive	✅
no-weak-cipher	Cipher algorithms should be robust	✅
no-weak-keys	Cryptographic keys should be robust	✅
no-wildcard-import	Wildcard imports should not be used
non-existent-operator	Non-existent operators '=+', '=-' and '=!' should not be used	✅		💡
non-number-in-arithmetic-expression	Arithmetic operators should only have numbers as operands				💭
null-dereference	Properties of variables with "null" or "undefined" values should not be accessed	✅			💭
object-alt-content	"" tags should provide an alternative content	✅
operation-returning-nan	Arithmetic operations should not result in "NaN"				💭
os-command	Using shell interpreter when executing OS commands is security-sensitive	✅
post-message	Origins should be verified during cross-origin communications	✅			💭
prefer-default-last	"default" clauses should be last	✅
prefer-immediate-return	Local variables should not be declared and then immediately returned or thrown		🔧
prefer-object-literal	Object literal syntax should be used
prefer-promise-shorthand	Shorthand promises should be used	✅		💡
prefer-read-only-props	React props should be read-only	✅		💡	💭
prefer-regexp-exec	"RegExp.exec()" should be preferred over "String.match()"	✅		💡	💭
prefer-single-boolean-return	Return of boolean expressions should not be wrapped into an "if-then-else" statement	✅		💡
prefer-type-guard	Type predicates should be used	✅		💡
prefer-while	A "while" loop should be used instead of a "for" loop	✅	🔧
process-argv	Using command line arguments is security-sensitive					❌
production-debug	Delivering code in production with debug features activated is security-sensitive	✅
pseudo-random	Using pseudorandom number generators (