Javascript: Sonarqube Config

Created on 7 Aug 2017 · 27 Comments · Source: airbnb/javascript

Can someone create a sonarqube config for this?

What is sonarqube?

I googled; it doesn't seem like much of a code quality platform for JS if it's nontrivial to integrate an eslint config. I'd file an issue with them directly.

It's one of the most popular open source code analyzation platforms. I have contacted them, and they say they use their own custom linting config (sonar lint). The link below explains why they chose to create their own linting config. Anyways, I think it would definitely be beneficial to make the airbnb linting rules compatible with sonarqube.

https://blog.sonarsource.com/sonarqube-javascript-plugin-why-compete-with-jslint-and-jshint/

@jamrizzi that article's from 2013; since that time, eslint has become the sole de facto linting standard for the JS ecosystem (jscs merged into it), that every single platform I'm aware of uses. Do they have any posts on it that are less out-of-date?

Nope, they're pretty set in their way about this. It's really stupid.

I'd be pretty skeptical about trusting the quality of open source code analysis (for a language) from a product that doesn't follow open source conventions (for that language) ¯\_(ツ)_/¯

Well, you answered my question :(

@miqmago, it looks like it hasn't been updated in years

@ljharb I'm on a project where we're required to write code that passes Sonar checks. We'd rather be picking these issues via eslint in our pipeline.

I think it would be valuable for people in a similar situation, I expect including others who have commented above, to know how they can configure eslint so that it can raise the same issues as Sonar. e.g. for 7 of the 9 vulnerability checks:

  • Code should not be dynamically injected and executed | no-eval
  • Function constructors should not be used | no-new-func
  • "alert(...)" should not be used | no-alert
  • Debugger statements should not be used | no-debugger
  • Web SQL databases should not be used | no-restricted-globals (with config for openDatabase)
  • Local storage should not be used | eslint-plugin-no-storage
  • Console logging should not be used | no-console

e.g. perhaps there is value in adding some docs along the lines of 'how to extend airbnb's lint settings to cover all sonarjs checks'. I'd be happy to contribute to this if you think it's worthwhile, though I think I'm only aware of a small subset of checks at the moment.

One thing that Sonar checks for, which I think is valuable, that I can't find an equivalent for in eslint is the following:

Untrusted content should not be included
Including content in your site from an untrusted source can expose your users to attackers and even compromise your own site. For that reason, this rule raises an issue for each non-relative URL.
https://www.sonarsource.com/products/codeanalyzers/sonarjs/rules.html#Vulnerability_Detection

The source code for the check is here:

https://github.com/SonarSource/SonarJS/blob/master/javascript-checks/src/main/java/org/sonar/javascript/checks/UntrustedContentCheck.java

Do you have any thoughts on adding a check like this to airbnb's linting?

Is anyone aware of an eslint rule that already does this?

Also, on a side note, I think the ideal outcome from my perspective would be for @SonarSource to provide an official preset and rules for eslint, either instead of or alongside SonarSource/SonarJS, which no longer has a supported CLI.
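One way the "Untrusted content should not be included" check could be ported, as an added example that is not code from this thread or from SonarJS: a custom ESLint rule that flags non-relative URL string literals, but only where the literal is actually used to load content (src/href assignments, JSX src/href, setAttribute), which keeps down the false positives raised above. The `trustedOrigins` option name and the allow-list behaviour are assumptions, not Sonar's semantics.

```javascript
// Added example (not from the thread or SonarJS): approximates Sonar's
// "Untrusted content should not be included" check; `trustedOrigins` is assumed.

// Absolute (scheme://host) or protocol-relative (//host) URLs are non-relative.
function isNonRelativeUrl(value) {
  if (typeof value !== 'string') return false;
  const s = value.trim();
  return s.startsWith('//') || /^[a-z][a-z0-9+.-]*:\/\//i.test(s);
}

// True when the literal is the value given to src/href or setAttribute('src'|'href').
function isContentLoadingContext(node) {
  const p = node.parent;
  if (!p) return false;
  const loads = (name) => name === 'src' || name === 'href';
  if (p.type === 'AssignmentExpression' && p.right === node
      && p.left.type === 'MemberExpression' && loads(p.left.property.name)) return true;
  if (p.type === 'JSXAttribute' && loads(p.name.name)) return true;
  return p.type === 'CallExpression' && p.callee.type === 'MemberExpression'
    && p.callee.property.name === 'setAttribute' && p.arguments[1] === node
    && loads(p.arguments[0] && p.arguments[0].value);
}

// Origins listed in the rule options are allowed (prefix match on the trimmed URL).
function isTrusted(value, trustedOrigins) {
  return trustedOrigins.some((origin) => value.trim().startsWith(origin));
}

const rule = {
  meta: {
    type: 'problem',
    docs: { description: 'disallow loading content from non-relative URLs' },
    schema: [{
      type: 'object',
      properties: { trustedOrigins: { type: 'array', items: { type: 'string' } } },
      additionalProperties: false,
    }],
  },
  create(context) {
    const trusted = (context.options[0] && context.options[0].trustedOrigins) || [];
    return {
      Literal(node) {
        if (!isNonRelativeUrl(node.value) || !isContentLoadingContext(node)) return;
        if (isTrusted(node.value, trusted)) return;
        context.report({ node, message: `Untrusted content: "${node.value}" is not a relative URL.` });
      },
    };
  },
};
module.exports = rule;
```

Template literals and URLs built at runtime are not covered; those are exactly the cases where a static check cannot decide trust.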

I think that indeed a separate eslint config is the right place to do this (match Sonar).

Separately, we’re always open to enabling more rules when they make sense. Warning on non-relative URLs doesn’t make sense, though, since that would have lots of false positives.

Sweet, where will this project live so I can contribute?

@jamrizzi I've created something at https://github.com/penx/eslint-config-sonar

At the moment I've just configured this for the 5 vulnerabilities that are in the 'Sonar way' preset - is this the preset you're using?

I think it would be good to extend this by:

  • adding all rules for 'Sonar way' preset
  • adding a second config for 'Sonar way Recommended' preset
  • document all eslint equivalents of Sonar rules in the README.md so it can be used as a reference if anyone wants to configure to match a custom Sonar preset
  • port any rules not covered by existing eslint plugins
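The vulnerability mapping listed earlier in this thread, written out as an added example `.eslintrc.js` (not the eslint-config-sonar project's own code) that extends airbnb. The storage check uses the core `no-restricted-globals` and `no-restricted-properties` rules instead of eslint-plugin-no-storage; that substitution is an assumption made so no extra plugin is needed.

```javascript
// Added example, not the eslint-config-sonar project's code: .eslintrc.js that
// extends airbnb and maps the seven Sonar vulnerability checks from this thread.
module.exports = {
  extends: 'airbnb',
  rules: {
    // Code should not be dynamically injected and executed
    'no-eval': 'error',
    'no-implied-eval': 'error', // setTimeout('code', ...) reaches eval too
    // Function constructors should not be used
    'no-new-func': 'error',
    // "alert(...)" should not be used
    'no-alert': 'error',
    // Debugger statements should not be used
    'no-debugger': 'error',
    // Console logging should not be used
    'no-console': 'error',
    // Web SQL databases / local storage should not be used (core rule instead
    // of eslint-plugin-no-storage, an assumption so no extra plugin is needed)
    'no-restricted-globals': ['error',
      { name: 'openDatabase', message: 'Web SQL databases should not be used.' },
      { name: 'localStorage', message: 'Local storage should not be used.' },
      { name: 'sessionStorage', message: 'Local storage should not be used.' },
    ],
    // The same APIs reached through window.*
    'no-restricted-properties': ['error',
      { object: 'window', property: 'openDatabase', message: 'Web SQL databases should not be used.' },
      { object: 'window', property: 'localStorage', message: 'Local storage should not be used.' },
      { object: 'window', property: 'sessionStorage', message: 'Local storage should not be used.' },
    ],
  },
};
```

Rule options are replaced, not merged, so setting `no-restricted-globals` here drops the globals airbnb's config already restricts; append those names to the list if you rely on them.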

We have been using the airbnb rules for our internal development and we are in the process of implementing Sonar and are like many here not satisfied with the JS support. Additionally there is a complete lack of support for react linting. I have been investigating this plugin https://github.com/sleroy/SonarEsLintPlugin. It provides the ability to use ESLint yet still get the reporting and metrics that Sonar provides. The only issue is that you will end up needing to dual maintain the severity levels of rules to map to Sonar. https://github.com/sleroy/SonarEsLintPlugin/blob/master/src/main/resources/eslint/eslint-rules.properties

Since I (and our management types) really like the dashboard, metrics and reporting Sonar supplies I am looking into mapping the airbnb rules into this tool.

Hi,
Any news on this subject? I'm also trying to integrate the eslint airbnb rules into sonarqube.

In summary, the sonarqube team closes the issue and tells me to talk to the airbnb team, and the airbnb team closes the issue and tells me to talk to the sonarqube team.

So, @NachosSs, until one of the teams takes responsibility for this, there will be no airbnb integration in sonarqube.

@codejamninja where's the link to the sonar issue? i'm happy to comment there to explain why the bug is with their product if it can't do "everything that's possible with eslint".

I’m only aware of this issue, which is still open

https://jira.sonarsource.com/plugins/servlet/mobile#issue/MMF-1231

I don’t see any comment there from sonar at all.

Ok, I thought I filed an issue with SonarQube a while back, but I stand corrected. However, in the past SonarQube has definitely intentionally neglected support for community linting tools.

Here's a quote from the product director and co-founder of SonarQube. This statement was made before eslint, but I can only guess the philosophy still applies.

"To sum it up, the JSLint and JSHint are good JavaScript coding rules engines, but they don't suit our long-term needs. Instead, we're committing to compete strongly with them."

https://blog.sonarsource.com/sonarqube-javascript-plugin-why-compete-with-jslint-and-jshint/

I created an issue on SonarQube. Personally, I think the best solution is for SonarQube to add native support for the .eslintrc file.

https://community.sonarsource.com/t/native-eslint-support/432

Hi all,

I am from SonarSource, the company behind SonarQube. First, I would like to clarify, that we are aware that there is friction for someone already using ESLint trying to use SonarQube and we want to actively work on this subject to make the experience frictionless. The old blog post which was referred to in this thread is no longer relevant.

Currently, we are making it much easier to import issues from external tools into SonarQube, for JS the topic is tracked under this ticket https://jira.sonarsource.com/browse/MMF-1231

We also developed ESLint extension which contains some SonarJS rules, see eslint-plugin-sonarjs

We want to advance our JavaScript analyzer - SonarJS. Concrete plans are being discussed, and this thread is interesting input for us.

@saberduck, I really appreciate this :)

Hi, @saberduck

Will this SonarQube evolution also allow using eslint plugins / extensions like eslint-angular-plugin automatically? And furthermore, deal with "new rules" (TsLint and Eslint both allow creating custom rules easily)?

And could we also integrate stylelint?

Many thanks for your feedback

@codejamninja Many thanks for initiating this issue

Hello @rochejul,

as a first step, we are going to allow importing ESLint reports with SonarJS. This is already work in progress, see the issue here https://github.com/SonarSource/SonarJS/issues/1001. We plan to deliver this very soon, like in 2 - 3 weeks. This release will also include a bunch of bugfixes for parsing issues.
Using an ESLint report, you can use any plugin or custom rule however you wish.

Next, we are going to rewrite our JS analyzer so it will be based on ESLint internally (maintaining a parser in Java proved to be a major hindrance for us). This is a bigger effort and it will take us a bit more time, let's say a few months (we are busy with other languages too).

You can already use stylelint with recently released SonarCSS. See docs here https://docs.sonarqube.org/display/PLUG/Sonarcss !
