Prepare release 10.15.0 (#4824)

README.md

@@ -9,7 +9,7 @@ This repository now hosts [eslint-plugin-sonarjs](./packages/jsts/src/rules/READ
 # Features
 
 - Advanced rules based on pattern matching and control flow analysis
-- [401 JS rules](https://rules.sonarsource.com/javascript) and [406 TS rules](https://rules.sonarsource.com/typescript)
+- [406 JS rules](https://rules.sonarsource.com/javascript) and [411 TS rules](https://rules.sonarsource.com/typescript)
 - [26 CSS rules](https://rules.sonarsource.com/css)
 - Compatible with ECMAScript 2015-2020
 - React JSX, Flow, Vue, and AWS lambda functions support for JavaScript and TypeScript

css-sonarpedia/sonarpedia.json

@@ -3,7 +3,7 @@
   "languages": [
     "CSS"
   ],
-  "latest-update": "2024-03-28T12:39:07.731724Z",
+  "latest-update": "2024-09-17T13:10:55.911474Z",
   "options": {
     "no-language-in-filenames": true
   }

package.json

@@ -96,7 +96,7 @@
     "eslint-plugin-jsx-a11y": "6.8.0",
     "eslint-plugin-react": "7.35.0",
     "eslint-plugin-react-hooks": "4.6.0",
-    "express": "4.19.2",
+    "express": "4.21.0",
     "form-data": "4.0.0",
     "functional-red-black-tree": "1.0.1",
     "htmlparser2": "9.1.0",

packages/jsts/src/rules/README.md

@@ -239,7 +239,7 @@ If you are a [SonarQube](https://www.sonarqube.org) or [SonarCloud](https://sona
 | [no-identical-functions](https://sonarsource.github.io/rspec/#/rspec/S4144/javascript)                  | Functions should not have identical implementations                                                                            | ✅  |     |     |     |     |
 | [no-ignored-exceptions](https://sonarsource.github.io/rspec/#/rspec/S2486/javascript)                   | Exceptions should not be ignored                                                                                               | ✅  |     |     |     |     |
 | [no-ignored-return](https://sonarsource.github.io/rspec/#/rspec/S2201/javascript)                       | Return values from functions without side effects should not be ignored                                                        | ✅  |     |     | 💭  |     |
-| [no-implicit-dependencies](https://sonarsource.github.io/rspec/#/rspec/S4328/javascript)                | Dependencies should be explicit                                                                                                | ✅  |     |     |     |     |
+| [no-implicit-dependencies](https://sonarsource.github.io/rspec/#/rspec/S4328/javascript)                | Dependencies should be explicit                                                                                                |     |     |     |     |     |
 | [no-implicit-global](https://sonarsource.github.io/rspec/#/rspec/S2703/javascript)                      | Variables should be declared explicitly                                                                                        | ✅  |     |     |     |     |
 | [no-in-misuse](https://sonarsource.github.io/rspec/#/rspec/S4619/javascript)                            | "in" should not be used on arrays                                                                                              | ✅  |     | 💡  | 💭  |     |
 | [no-incomplete-assertions](https://sonarsource.github.io/rspec/#/rspec/S2970/javascript)                | Assertions should be complete                                                                                                  | ✅  |     |     |     |     |
@@ -282,6 +282,7 @@ If you are a [SonarQube](https://www.sonarqube.org) or [SonarCloud](https://sona
 | [no-return-type-any](https://sonarsource.github.io/rspec/#/rspec/S4324/javascript)                      | Primitive return types should be used                                                                                          |     |     |     | 💭  |     |
 | [no-same-argument-assert](https://sonarsource.github.io/rspec/#/rspec/S5863/javascript)                 | Assertions should not be given twice the same argument                                                                         | ✅  |     |     |     |     |
 | [no-same-line-conditional](https://sonarsource.github.io/rspec/#/rspec/S3972/javascript)                | Conditionals should start on new lines                                                                                         | ✅  |     | 💡  |     |     |
+| [no-selector-parameter](https://sonarsource.github.io/rspec/#/rspec/S2301/javascript)                   | Methods should not contain selector parameters                                                                                 | ✅  |     |     | 💭  |     |
 | [no-self-compare](https://sonarsource.github.io/rspec/#/rspec/S6679/javascript)                         | "Number.isNaN()" should be used to check for "NaN" value                                                                       | ✅  |     | 💡  |     |     |
 | [no-self-import](https://sonarsource.github.io/rspec/#/rspec/S7060/javascript)                          | Module should not import itself                                                                                                | ✅  |     | 💡  |     |     |
 | [no-skipped-test](https://sonarsource.github.io/rspec/#/rspec/S1607/javascript)                         | Tests should not be skipped without providing a reason                                                                         | ✅  |     |     |     |     |

packages/jsts/src/rules/S2301/meta.ts

@@ -23,8 +23,8 @@
 export const meta = {
   type: 'suggestion',
   docs: {
-    description: 'Methods should not contain selector arguments',
-    recommended: false,
+    description: 'Methods should not contain selector parameters',
+    recommended: true,
     url: 'https://sonarsource.github.io/rspec/#/rspec/S2301/javascript',
     requiresTypeChecking: true,
   },

packages/jsts/src/rules/S4328/meta.ts

@@ -24,7 +24,7 @@ export const meta = {
   type: 'suggestion',
   docs: {
     description: 'Dependencies should be explicit',
-    recommended: true,
+    recommended: false,
     url: 'https://sonarsource.github.io/rspec/#/rspec/S4328/javascript',
     requiresTypeChecking: false,
   },

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S2092.html

@@ -94,5 +94,7 @@ <h2>See</h2>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/311">CWE-311 - Missing Encryption of Sensitive Data</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/315">CWE-315 - Cleartext Storage of Sensitive Information in a Cookie</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/614">CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute</a> </li>
+  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222576">Application Security and
+  Development: V-222576</a> - The application must set the secure flag on session cookies. </li>
 </ul>
 

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S2092.json

@@ -45,6 +45,9 @@
       "6.1.1",
       "6.1.2",
       "6.1.3"
+    ],
+    "STIG ASD_V5R3": [
+      "V-222576"
     ]
   },
   "compatibleLanguages": [

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S2245.html

@@ -45,8 +45,7 @@ <h2>See</h2>
   <li> OWASP - <a href="https://owasp.org/Top10/A02_2021-Cryptographic_Failures/">Top 10 2021 Category A2 - Cryptographic Failures</a> </li>
   <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure">Top 10 2017 Category A3 - Sensitive Data
   Exposure</a> </li>
-  <li> <a href="https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements">Mobile AppSec
-  Verification Standard - Cryptography Requirements</a> </li>
+  <li> <a href="https://mas.owasp.org/checklists/MASVS-CRYPTO/">Mobile AppSec Verification Standard - Cryptography Requirements</a> </li>
   <li> OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography">Mobile Top 10 2016 Category M5 -
   Insufficient Cryptography</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/338">CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)</a>

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S2612.html

@@ -88,5 +88,7 @@ <h2>See</h2>
   href="https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/09-Test_File_Permission">OWASP File Permission</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/732">CWE-732 - Incorrect Permission Assignment for Critical Resource</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/266">CWE-266 - Incorrect Privilege Assignment</a> </li>
+  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222430">Application Security and
+  Development: V-222430</a> - The application must execute without excessive account permissions. </li>
 </ul>
 

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S2612.json

@@ -39,6 +39,9 @@
     ],
     "ASVS 4.0": [
       "4.3.3"
+    ],
+    "STIG ASD_V5R3": [
+      "V-222430"
     ]
   },
   "compatibleLanguages": [

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S2755.html

@@ -58,5 +58,7 @@ <h3>Standards</h3>
   Entities (XXE)</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/611">CWE-611 - Information Exposure Through XML External Entity Reference</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/827">CWE-827 - Improper Control of Document Type Definition</a> </li>
+  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222608">Application Security and
+  Development: V-222608</a> - The application must not be vulnerable to XML-oriented attacks. </li>
 </ul>
 

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S2755.json

@@ -38,6 +38,9 @@
     ],
     "ASVS 4.0": [
       "5.5.2"
+    ],
+    "STIG ASD_V5R3": [
+      "V-222608"
     ]
   },
   "quickfix": "unknown",

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S3330.html

@@ -95,5 +95,7 @@ <h2>See</h2>
   (XSS)</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/1004">CWE-1004 - Sensitive Cookie Without 'HttpOnly' Flag</a> </li>
   <li> Derived from FindSecBugs rule <a href="https://find-sec-bugs.github.io/bugs.htm#HTTPONLY_COOKIE">HTTPONLY_COOKIE</a> </li>
+  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222575">Application Security and
+  Development: V-222575</a> - The application must set the HTTPOnly flag on session cookies. </li>
 </ul>
 

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S3330.json

@@ -39,6 +39,9 @@
     ],
     "ASVS 4.0": [
       "3.4.2"
+    ],
+    "STIG ASD_V5R3": [
+      "V-222575"
     ]
   },
   "compatibleLanguages": [

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S3358.html

@@ -15,7 +15,8 @@ <h2>Why is this an issue?</h2>
 }
 </pre>
 <h3>Exceptions</h3>
-<p>This rule does not apply in JSX expressions to support conditional rendering and conditional attributes.</p>
+<p>This rule does not apply in JSX expressions to support conditional rendering and conditional attributes as long as the nesting happens in separate
+JSX expression containers, i.e. JSX elements embedding JavaScript code, as shown below:</p>
 <pre>
 return (
 &lt;&gt;
@@ -30,6 +31,22 @@ <h3>Exceptions</h3>
 &lt;/&gt;
 );
 </pre>
+<p>If you have nested ternaries in the same JSX expression container, refactor your logic into a separate function like that:</p>
+<pre>
+function myComponent(condition) {
+  if (condition &lt; 0) {
+    return '&lt;DownSign&gt;it is negative&lt;/DownSign&gt;';
+  } else if (condition &gt; 0) {
+    return '&lt;UpSign&gt;it is positive&lt;/UpSign&gt;';
+  } else {
+    return '&lt;BarSign&gt;it is zero&lt;/BarSign&gt;';
+  }
+}
+
+return (
+  {myComponent(foo)}
+);
+</pre>
 <h2>Resources</h2>
 <h3>Articles &amp; blog posts</h3>
 <ul>

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S4123.json

@@ -1,5 +1,4 @@
 {
-  "title": "\"await\" should only be used with promises",
   "type": "CODE_SMELL",
   "code": {
     "impacts": {
@@ -21,6 +20,7 @@
   "sqKey": "S4123",
   "scope": "Main",
   "quickfix": "unknown",
+  "title": "\"await\" should only be used with promises",
   "compatibleLanguages": [
     "JAVASCRIPT",
     "TYPESCRIPT"

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S4426.html

@@ -192,8 +192,7 @@ <h3>Standards</h3>
   Exposure</a> </li>
   <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration">Top 10 2017 Category A6 - Security
   Misconfiguration</a> </li>
-  <li> OWASP - <a href="https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements">Mobile AppSec
-  Verification Standard - Cryptography Requirements</a> </li>
+  <li> OWASP - <a href="https://mas.owasp.org/checklists/MASVS-CRYPTO/">Mobile AppSec Verification Standard - Cryptography Requirements</a> </li>
   <li> OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography">Mobile Top 10 2016 Category M5 -
   Insufficient Cryptography</a> </li>
   <li> <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf">NIST 800-131A</a> - Recommendation for Transitioning the

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S4502.html

@@ -72,6 +72,10 @@ <h2>See</h2>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/352">CWE-352 - Cross-Site Request Forgery (CSRF)</a> </li>
   <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration">Top 10 2017 Category A6 - Security
   Misconfiguration</a> </li>
-  <li> <a href="https://owasp.org/www-community/attacks/csrf">OWASP: Cross-Site Request Forgery</a> </li>
+  <li> OWASP - <a href="https://owasp.org/www-community/attacks/csrf">Cross-Site Request Forgery</a> </li>
+  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222603">Application Security and
+  Development: V-222603</a> - The application must protect from Cross-Site Request Forgery (CSRF) vulnerabilities. </li>
+  <li> PortSwigger - <a href="https://portswigger.net/research/web-storage-the-lesser-evil-for-session-tokens">Web storage: the lesser evil for
+  session tokens</a> </li>
 </ul>
 

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S4502.json

@@ -39,6 +39,9 @@
     "ASVS 4.0": [
       "13.2.3",
       "4.2.2"
+    ],
+    "STIG ASD_V5R3": [
+      "V-222603"
     ]
   },
   "compatibleLanguages": [

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S4790.html

@@ -33,8 +33,7 @@ <h2>See</h2>
   Exposure</a> </li>
   <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration">Top 10 2017 Category A6 - Security
   Misconfiguration</a> </li>
-  <li> OWASP - <a href="https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements">Mobile AppSec
-  Verification Standard - Cryptography Requirements</a> </li>
+  <li> OWASP - <a href="https://mas.owasp.org/checklists/MASVS-CRYPTO/">Mobile AppSec Verification Standard - Cryptography Requirements</a> </li>
   <li> OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography">Mobile Top 10 2016 Category M5 -
   Insufficient Cryptography</a> </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/1240">CWE-1240 - Use of a Risky Cryptographic Primitive</a> </li>

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S4830.html

@@ -141,8 +141,10 @@ <h3>Standards</h3>
   Misconfiguration</a> </li>
   <li> OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2016-risks/m3-insecure-communication">Mobile Top 10 2016 Category M3 - Insecure
   Communication</a> </li>
-  <li> OWASP - <a href="https://mobile-security.gitbook.io/masvs/security-requirements/0x10-v5-network_communication_requirements">Mobile AppSec
-  Verification Standard - Network Communication Requirements</a> </li>
+  <li> OWASP - <a href="https://mas.owasp.org/checklists/MASVS-NETWORK/">Mobile AppSec Verification Standard - Network Communication Requirements</a>
+  </li>
   <li> CWE - <a href="https://cwe.mitre.org/data/definitions/295">CWE-295 - Improper Certificate Validation</a> </li>
+  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222550">Application Security and
+  Development: V-222550</a> - The application must validate certificates by constructing a certification path to an accepted trust anchor. </li>
 </ul>
 

sonar-plugin/javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S4830.json

@@ -52,6 +52,9 @@
     "ASVS 4.0": [
       "1.9.2",
       "9.2.1"
+    ],
+    "STIG ASD_V5R3": [
+      "V-222550"
     ]
   },
   "quickfix": "unknown",