Merge branch 'master' into remove-decorated-eslint

# Conflicts: # packages/jsts/src/rules/README.md # packages/jsts/src/rules/S2068/meta.ts # packages/jsts/src/rules/original.ts # packages/jsts/src/rules/plugin.ts
SonarSource · Nov 27, 2024 · edb8cb2 · edb8cb2
2 parents 9c55e6e + 2747614
commit edb8cb2
Show file tree

Hide file tree

Showing 32 changed files with 682 additions and 64 deletions.
diff --git a/README.md b/README.md
@@ -30,15 +30,26 @@ If you want to report a bug, request a feature, or provide other kind of feedbac
 
 # Contributing
 
-#### 1. Request a new feature
+## Prerequisites
+
+To work on this project, it is required to have the following tools installed:
+
+- [JDK 17](https://docs.aws.amazon.com/corretto/latest/corretto-17-ug/what-is-corretto-17.html)
+- [Node.js](https://nodejs.org/en) >= 22
+- [npm](https://www.npmjs.com/) >= 8
+- [Maven](https://maven.apache.org/) >= 3.8
+
+## How-to
+
+### 1. Request a new feature
 
 To request a new feature, create a new thread in [SonarSource Community Forum](https://community.sonarsource.com/). Even if you plan to implement it yourself and submit it back to the community, please create a thread to be sure that we can follow up on it.
 
-#### 2. Pull Request
+### 2. Pull Request
 
 To submit a contribution, create a pull request for this repository. Please make sure that you follow our [code style](https://github.com/SonarSource/sonar-developer-toolset) and that all [tests](/docs/DEV.md#testing) are passing.
 
-#### Work with us
+## Work with us
 
 Would you like to work on this project full-time? We are hiring! Check out https://www.sonarsource.com/hiring
 

diff --git a/docs/DEV.md b/docs/DEV.md
@@ -2,11 +2,14 @@
 
 ## Prerequisites
 
+To work on this project, it is required to have the following tools installed:
+
 - [JDK 17](https://docs.aws.amazon.com/corretto/latest/corretto-17-ug/what-is-corretto-17.html)
-- [Maven](https://maven.apache.org/install.html)
-- Node.js (we recommend using [NVM](https://github.com/nvm-sh/nvm#installing-and-updating))
+- [Node.js](https://nodejs.org/en) >= 22
+- [npm](https://www.npmjs.com/) >= 8
+- [Maven](https://maven.apache.org/) >= 3.8
 
-You can also use Docker container defined in `./.cirrus/nodejs-lts.Dockerfile` which bundles all required dependencies and is used for our CI pipeline.
+You can also use Docker container defined in `./.cirrus/nodejs.Dockerfile` which bundles all required dependencies and is used for our CI pipeline.
 
 ## Build and run unit tests
 

diff --git a/its/ruling/src/test/expected/jsts/Ghost/javascript-S6418.json b/its/ruling/src/test/expected/jsts/Ghost/javascript-S6418.json
@@ -0,0 +1,6 @@
+{
+"Ghost:core/client/app/mirage/config.js": [
+59,
+61
+]
+}
diff --git a/its/ruling/src/test/expected/jsts/searchkit/javascript-S6418.json b/its/ruling/src/test/expected/jsts/searchkit/javascript-S6418.json
@@ -0,0 +1,5 @@
+{
+"searchkit:examples/next/components/sdk-example/index.jsx": [
+34
+]
+}
diff --git a/package.json b/package.json
@@ -57,7 +57,7 @@
   },
   "homepage": "https://github.com/SonarSource/SonarJS#readme",
   "engines": {
-    "node": "^18.17.0 || ^20.9.0 || >=21.1.0"
+    "node": ">=22"
   },
   "type": "module",
   "devDependencies": {

diff --git a/packages/jsts/src/rules/S2068/meta.ts b/packages/jsts/src/rules/S2068/meta.ts
@@ -16,4 +16,4 @@
  */
 export * from './generated-meta.js';
 export const implementation = 'original';
-export const eslintId = 'no-hardcoded-credentials';
+export const eslintId = 'no-hardcoded-passwords';
diff --git a/packages/jsts/src/rules/S2068/rule.ts b/packages/jsts/src/rules/S2068/rule.ts
@@ -26,7 +26,7 @@ import { meta, schema } from './meta.js';
 const DEFAULT_NAMES = ['password', 'pwd', 'passwd'];
 
 const messages = {
-  reviewCredential: 'Review this potentially hardcoded credential.',
+  reviewPassword: 'Review this potentially hard-coded password.',
 };
 
 export const rule: Rule.RuleModule = {
@@ -39,7 +39,7 @@ export const rule: Rule.RuleModule = {
     }
 
     const variableNames =
-      (context.options as FromSchema<typeof schema>)[0]?.credentialWords ?? DEFAULT_NAMES;
+      (context.options as FromSchema<typeof schema>)[0]?.passwordWords ?? DEFAULT_NAMES;
     const literalRegExp = variableNames.map(name => new RegExp(`${name}=.+`));
     return {
       VariableDeclarator: (node: estree.Node) => {
@@ -75,7 +75,7 @@ function checkAssignment(
     patterns.some(pattern => context.sourceCode.getText(variable).includes(pattern))
   ) {
     context.report({
-      messageId: 'reviewCredential',
+      messageId: 'reviewPassword',
       node: initializer,
     });
   }
@@ -84,7 +84,7 @@ function checkAssignment(
 function checkLiteral(context: Rule.RuleContext, patterns: RegExp[], literal: estree.Literal) {
   if (isStringLiteral(literal) && patterns.some(pattern => pattern.test(literal.value as string))) {
     context.report({
-      messageId: 'reviewCredential',
+      messageId: 'reviewPassword',
       node: literal,
     });
   }

diff --git a/packages/jsts/src/rules/S2068/unit.test.ts b/packages/jsts/src/rules/S2068/unit.test.ts
@@ -24,9 +24,9 @@ const ruleTester = new NodeRuleTester({
   parserOptions: { ecmaVersion: 2018, sourceType: 'module' },
 });
 
-const options = [{ credentialWords: ['password', 'pwd', 'passwd'] }];
+const options = [{ passwordWords: ['password', 'pwd', 'passwd'] }];
 
-ruleTester.run('Hardcoded credentials should be avoided', rule, {
+ruleTester.run('Hard-coded passwords should be avoided', rule, {
   valid: [
     {
       code: `let password = ""`,
@@ -44,7 +44,7 @@ ruleTester.run('Hardcoded credentials should be avoided', rule, {
       options,
       errors: [
         {
-          message: 'Review this potentially hardcoded credential.',
+          message: 'Review this potentially hard-coded password.',
           line: 1,
           endLine: 1,
           column: 16,
@@ -66,7 +66,7 @@ ruleTester.run('Hardcoded credentials should be avoided', rule, {
       errors: 1,
     },
     {
-      code: `let credentials = { user: "foo", passwd: "bar" };`,
+      code: `let passwords = { user: "foo", passwd: "bar" };`,
       options,
       errors: 1,
     },
@@ -77,12 +77,12 @@ ruleTester.run('Hardcoded credentials should be avoided', rule, {
     },
     {
       code: `let secret = "foo"`,
-      options: [{ credentialWords: ['secret'] }],
+      options: [{ passwordWords: ['secret'] }],
       errors: 1,
     },
     {
       code: `let url = "https://example.com?token=hl2OAIXXZ60";`,
-      options: [{ credentialWords: ['token'] }],
+      options: [{ passwordWords: ['token'] }],
       errors: 1,
     },
     {

diff --git a/packages/jsts/src/rules/S6418/cb.fixture.ts b/packages/jsts/src/rules/S6418/cb.fixture.ts
@@ -0,0 +1,53 @@
+function func() {
+  const token = 'rf6acB24J//1FZLRrKpjmBUYSnUX5CHlt/iD5vVVcgVuAIOB6hzcWjDnv16V6hDLevW0Qs4hKPbP1M4YfuDI16sZna1/VGRLkAbTk6xMPs4epH6A3ZqSyyI-H92y' // Noncompliant
+//              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+  let api_key = 'not enough entropy'
+  api_key = 'rf6acB24J//1FZLRrKpjmBUYSnUX5CHlt/iD5vVVcgVuAIOB6hzcWjDnv16V6hDLevW0Qs4hKPbP1M4YfuDI16sZna1/VGRLkAbTk6xMPs4epH6A3ZqSyyI-H92y' // Noncompliant
+}
+function entropyTooLow() {
+  const token = 'rf6acB24J//1FZLRrKpjmBUYSnUX5CHlt/iD5vVaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
+}
+class MyClass {
+  secret = '1IfHMPanImzX8ZxC-Ud6+YhXiLwlXq$f_-3v~.=' // Noncompliant
+}
+
+function inFunctionCall() {
+  callWithSecret({ secret: '1IfHMPanImzX8ZxC-Ud6+YhXiLwlXq$f_-3v~.=' }) // Noncompliant
+
+  function callWithSecret({}) {}
+}
+function functionWithSecret({ secret = '1IfHMPanImzX8ZxC-Ud6+YhXiLwlXq$f_-3v~.=' }) { // Noncompliant
+//                                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+  }
+function cleanFunction(someArg, parameter='a string', anotherParameter: 42, ...args) {
+  another_call(42, 'a string', parameter, { a_keyword: 42 }, args)
+
+  function another_call(...foo) {}
+}
+
+const someObject = {
+  secret: '1IfHMPanImzX8ZxC-Ud6+YhXiLwlXq$f_-3v~.=', // Noncompliant
+//        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+  not_a_problem: 'not_a_secret',
+  42: 'forty-two'
+}
+
+function multipleAssignment() {
+  let nothing = 1, secret = '1IfHMPanImzX8ZxC-Ud6+YhXiLwlXq$f_-3v.~=', nothing_else = 2; // Noncompliant
+//                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+}
+function assignmentWithType() {
+  const secret: string = '1IfHMPanImzX8ZxC-Ud6+YhXiLwlXq$f_-3v~.=' // Noncompliant
+  let someVar: string;
+  const anotherVar: number = 42
+}
+
+function defaultValues(foo) {
+  let secret;
+  secret = foo || '1IfHMPanImzX8ZxC-Ud6+YhXiLwlXq$f_-3v~.='; // Noncompliant
+  secret = foo ?? '1IfHMPanImzX8ZxC-Ud6+YhXiLwlXq$f_-3v~.='; // Noncompliant
+}
+
+function customSecretWord() {
+  const yolo = '1IfHMPanImzX8ZxC-Ud6+YhXiLwlXq$f_-3v~.='; // Noncompliant
+}
diff --git a/packages/jsts/src/rules/S6418/cb.options.json b/packages/jsts/src/rules/S6418/cb.options.json
@@ -0,0 +1,6 @@
+[
+  {
+    "secretWords": "api[_.-]?key,auth,credential,secret,token,yolo",
+    "randomnessSensibility": 5.0
+  }
+]
diff --git a/packages/jsts/src/rules/S6418/cb.test.ts b/packages/jsts/src/rules/S6418/cb.test.ts
@@ -0,0 +1,26 @@
+/*
+ * SonarQube JavaScript Plugin
+ * Copyright (C) 2011-2024 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+import { check } from '../../../tests/tools/index.js';
+import { rule } from './index.js';
+import path from 'path';
+import { describe } from 'node:test';
+
+const sonarId = path.basename(import.meta.dirname);
+
+describe('Rule S6418', () => {
+  check(sonarId, rule, import.meta.dirname);
+});
diff --git a/packages/jsts/src/rules/S6418/index.ts b/packages/jsts/src/rules/S6418/index.ts
@@ -0,0 +1,17 @@
+/*
+ * SonarQube JavaScript Plugin
+ * Copyright (C) 2011-2024 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+export { rule } from './rule.js';
diff --git a/packages/jsts/src/rules/S6418/meta.ts b/packages/jsts/src/rules/S6418/meta.ts
@@ -0,0 +1,19 @@
+/*
+ * SonarQube JavaScript Plugin
+ * Copyright (C) 2011-2024 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+export * from './generated-meta.js';
+export const implementation = 'original';
+export const eslintId = 'no-hardcoded-secrets';