# Sonarts > --- # SonarTS Installation and Setup ## Source https://github.com/SonarSource/SonarTS ## Status: DEPRECATED This documentation is for reference only. SonarTS has been archived and is no longer maintained. For new projects, use **SonarCloud** or **SonarQube** instead. ## Legacy Installation Guide ### Prerequisites - **Java**: JDK 8 or higher - **SonarQube**: 7.9 LTS or compatible version - **Node.js**: 8.x or higher (for development/testing) - **npm**: 5.x or higher ### Installation Steps #### 1. Download SonarTS Plugin Download the latest SonarTS 2.1 JAR file from: https://github.com/SonarSource/SonarTS/releases ```bash # Example: SonarTS 2.1 (final release) wget https://github.com/SonarSource/SonarTS/releases/download/2.1.0.4524/sonar-typescript-plugin-2.1.0.4524.jar ``` #### 2. Install Plugin ```bash # Copy JAR to SonarQube extensions directory cp sonar-typescript-plugin-2.1.0.4524.jar $SONARQUBE_HOME/extensions/plugins/ # Restart SonarQube $SONARQUBE_HOME/bin/[linux|macosx|windows]/sonar.sh restart ``` #### 3. Verify Installation ```bash # Access SonarQube web interface # http://localhost:9000 # Navigate to Administration > Marketplace > Installed Plugins # Should show: SonarTS 2.1 ``` ### Project Configuration Create `sonar-project.properties` in project root: ```properties # Project identification sonar.projectKey=com.example:my-typescript-project sonar.projectName=My TypeScript Project sonar.projectVersion=1.0 # Source code sonar.sources=src sonar.exclusions=**/*.test.ts,**/*.spec.ts,node_modules/** # Language sonar.language=ts # Optional: Test coverage sonar.typescript.lcov.reportPaths=coverage/lcov.info # Optional: Testing sonar.tests=src sonar.test.inclusions=**/*.test.ts,**/*.spec.ts ``` ### SonarScanner Installation #### Via npm (Recommended for TypeScript projects) ```bash # Install SonarScanner for npm npm install -D sonar-scanner # Or globally npm install -g sonar-scanner ``` #### Via Homebrew (macOS) ```bash brew install sonar-scanner ``` #### Via Docker ```bash docker run --rm \ -e SONAR_HOST_URL=http://sonarqube:9000 \ -e SONAR_LOGIN=your-token \ -v "$(pwd):/usr/src" \ sonarsource/sonar-scanner-cli ``` ### Running Analysis #### Local Analysis ```bash # Install dependencies npm install # Run SonarTS analysis npx sonar-scanner \ -Dsonar.projectKey=my-project \ -Dsonar.sources=src \ -Dsonar.host.url=http://localhost:9000 \ -Dsonar.login=your-sonarqube-token ``` #### With Coverage Report ```bash # Generate coverage (example with Jest) npm run test:coverage # Run analysis with coverage npx sonar-scanner \ -Dsonar.projectKey=my-project \ -Dsonar.sources=src \ -Dsonar.typescript.lcov.reportPaths=coverage/lcov.info \ -Dsonar.host.url=http://localhost:9000 \ -Dsonar.login=your-sonarqube-token ``` #### Docker Analysis ```bash docker run --rm \ -e SONAR_HOST_URL=http://sonarqube:9000 \ -e SONAR_LOGIN=your-token \ -v "$(pwd):/usr/src" \ sonarsource/sonar-scanner-cli \ -Dsonar.projectKey=my-project \ -Dsonar.sources=src ``` ## Troubleshooting ### Issue: Plugin Not Loading **Error**: TypeScript language not detected **Solution**: 1. Verify JAR file is in `extensions/plugins/` 2. Check file permissions: `chmod 644 sonar-typescript-plugin-*.jar` 3. Restart SonarQube: `sonar.sh restart` 4. Check SonarQube logs: `tail -f logs/sonar.log` ### Issue: No TypeScript Files Detected **Error**: 0 files analyzed **Cause**: File extension or source path configuration **Solution**: ```properties # Ensure .ts and .tsx extensions are recognized sonar.sources=src sonar.inclusions=**/*.ts,**/*.tsx # Exclude test files if needed sonar.exclusions=**/*.test.ts,**/*.spec.ts ``` ### Issue: Analysis Fails with Node Version Error **Error**: Unsupported Node.js version **Solution**: Upgrade Node.js to 8.x or higher ```bash node --version # Check current version nvm install 16 # Upgrade with nvm nvm use 16 ``` ### Issue: Token Authentication Fails **Error**: Unauthorized (401) **Solution**: 1. Generate new token in SonarQube: Administration > Security > Users 2. Verify token is passed correctly: ```bash -Dsonar.login=your-generated-token ``` 3. Check token permissions include "Execute Analysis" ## Integration Examples ### GitHub Actions ```yaml name: SonarTS Analysis on: push: branches: [main] pull_request: branches: [main] jobs: sonarts: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - name: Install dependencies run: npm install - name: Generate coverage run: npm run test:coverage - name: SonarTS analysis env: SONAR_HOST_URL: https://your-sonarqube.com SONAR_LOGIN: ${{ secrets.SONAR_TOKEN }} run: | npx sonar-scanner \ -Dsonar.projectKey=my-project \ -Dsonar.sources=src \ -Dsonar.typescript.lcov.reportPaths=coverage/lcov.info ``` ### GitLab CI ```yaml sonarts-analysis: stage: test image: node:16 script: - npm install - npm run test:coverage - npm install -D sonar-scanner - npx sonar-scanner -Dsonar.projectKey=$CI_PROJECT_NAME -Dsonar.sources=src -Dsonar.host.url=$SONAR_HOST_URL -Dsonar.login=$SONAR_TOKEN only: - merge_requests - main ``` ### Jenkins Pipeline ```groovy pipeline { agent any stages { stage('Install') { steps { sh 'npm install' } } stage('Test & Coverage') { steps { sh 'npm run test:coverage' } } stage('SonarTS Analysis') { steps { withSonarQubeEnv('SonarQube') { sh ''' npx sonar-scanner \ -Dsonar.projectKey=my-project \ -Dsonar.sources=src \ -Dsonar.typescript.lcov.reportPaths=coverage/lcov.info ''' } } } stage('Quality Gate') { steps { waitForQualityGate abortPipeline: true } } } } ``` ## Example Project Structure ``` my-typescript-project/ ├── src/ │ ├── app.ts │ ├── services/ │ │ └── api.ts │ └── utils/ │ └── helpers.ts ├── __tests__/ │ ├── app.test.ts │ └── services/ │ └── api.test.ts ├── coverage/ │ ├── lcov.info │ └── index.html ├── sonar-project.properties ├── package.json └── tsconfig.json ``` ## Modern Alternatives Instead of SonarTS, use: ### Option 1: SonarCloud (Recommended for most projects) ```bash # Simple setup - no installation needed # Just connect your GitHub/GitLab/Bitbucket repo # Analysis starts automatically # For manual analysis: npm install -D sonar-scanner npx sonar-scanner \ -Dsonar.projectKey=my-project \ -Dsonar.sources=src \ -Dsonar.host.url=https://sonarcloud.io \ -Dsonar.organization=your-org \ -Dsonar.login=$SONARCLOUD_TOKEN ``` ### Option 2: SonarQube (Enterprise alternative) ```bash # Docker Compose example version: '3' services: sonarqube: image: sonarqube:latest-lts ports: - "9000:9000" environment: SONARQUBE_JDBC_URL: jdbc:postgresql://postgres:5432/sonarqube SONARQUBE_JDBC_USERNAME: sonarqube SONARQUBE_JDBC_PASSWORD: sonarqube depends_on: - postgres postgres: image: postgres:13 environment: POSTGRES_DB: sonarqube POSTGRES_USER: sonarqube POSTGRES_PASSWORD: sonarqube ``` ### Option 3: ESLint with SonarJS Plugin ```bash npm install -D eslint eslint-plugin-sonarjs ``` ```javascript // .eslintrc.json { "plugins": ["sonarjs"], "extends": ["plugin:sonarjs/recommended"], "rules": { "sonarjs/no-all-duplicated-branches": "warn", "sonarjs/no-identical-expressions": "error" } } ``` ## Summary SonarTS is no longer recommended for new installations. The installation guide above is provided for: - Legacy system maintenance - Understanding SonarTS architecture - Migration planning to modern solutions For new TypeScript projects, use: 1. **SonarCloud** - Easiest setup, cloud-based, free tier available 2. **SonarQube** - Enterprise solution, self-hosted, most control 3. **ESLint** - Lightweight, community-driven, best for continuous feedback All modern solutions provide superior TypeScript analysis with ongoing updates and community support. --- # Migrating from SonarTS to Modern Solutions ## Source https://github.com/SonarSource/SonarTS ## Overview SonarTS was archived in April 2021 and is no longer maintained. This guide helps you migrate from SonarTS to modern SonarQube/SonarCloud or alternative solutions. ## Why Migrate? | Issue | Impact | |-------|--------| | No security updates | Vulnerability exposure | | No new features | Missing modern TypeScript support | | No bug fixes | Stability and reliability issues | | Archived repository | Community support ends | | Modern alternatives available | Better, more capable solutions | ## Migration Timeline ### Immediate (1-2 weeks) - [ ] Assess current SonarTS usage - [ ] Evaluate migration options - [ ] Set up target platform (SonarCloud or SonarQube) - [ ] Run parallel analysis ### Short-term (1 month) - [ ] Test analysis on real projects - [ ] Configure quality gates - [ ] Train team on new platform - [ ] Run baseline analysis ### Medium-term (2-3 months) - [ ] Migrate CI/CD pipelines - [ ] Update documentation - [ ] Archive SonarTS infrastructure - [ ] Decommission SonarTS ## Option 1: Migrate to SonarCloud (Easiest) ### Advantages - Zero installation/maintenance - Free tier available - Cloud-based (no server) - Integrated with GitHub, GitLab, Bitbucket, Azure DevOps - Automatic analysis on every push - AI CodeFix (premium) - Better JavaScript/TypeScript support ### Migration Steps #### 1. Create SonarCloud Account ```bash # Visit https://sonarcloud.io # Sign up with GitHub/GitLab/Bitbucket/Azure DevOps account # Create organization ``` #### 2. Add Repository ```bash # In SonarCloud: # - Click "Add project" # - Select your repository # - Follow setup wizard ``` #### 3. Update Configuration Create `sonar-project.properties`: ```properties sonar.projectKey=your-org:project-name sonar.projectName=My Project sonar.projectVersion=1.0 # No sonar.language=ts needed - auto-detected sonar.sources=src sonar.tests=__tests__ sonar.exclusions=node_modules/**,coverage/** # Coverage sonar.typescript.lcov.reportPaths=coverage/lcov.info ``` #### 4. Generate Token ```bash # In SonarCloud: # - User menu > Security > Generate Tokens # - Copy token # - Add to CI/CD secrets as SONARCLOUD_TOKEN ``` #### 5. Update CI/CD Pipeline **GitHub Actions**: ```yaml name: SonarCloud Analysis on: push: branches: [main, develop] pull_request: branches: [main] jobs: sonarcloud: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 with: fetch-depth: 0 # Full history for better analysis - name: Setup Node.js uses: actions/setup-node@v3 with: node-version: '18' - name: Install dependencies run: npm install - name: Run tests with coverage run: npm run test:coverage - name: SonarCloud scan uses: SonarSource/sonarcloud-github-action@master env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} SONAR_TOKEN: ${{ secrets.SONARCLOUD_TOKEN }} ``` **GitLab CI**: ```yaml sonarcloud: image: node:18 stage: test script: - npm install - npm run test:coverage - npm install -D sonarcloud - npx sonar-scanner -Dsonar.projectKey=$CI_PROJECT_NAMESPACE:$CI_PROJECT_NAME -Dsonar.sources=src -Dsonar.typescript.lcov.reportPaths=coverage/lcov.info -Dsonar.host.url=https://sonarcloud.io -Dsonar.organization=$SONAR_ORGANIZATION -Dsonar.login=$SONAR_TOKEN only: - merge_requests - main ``` #### 6. Verify Results ```bash # Wait for analysis to complete (1-5 minutes) # Check SonarCloud dashboard: # - Code quality metrics # - Security hotspots # - Coverage report # - Pull request feedback ``` ### Cost Comparison | Feature | SonarCloud Free | SonarCloud Pro | |---------|-----------------|----------------| | Public repositories | Free | Free | | Private repositories | Free (limited) | Paid | | Pull request reviews | Yes | Yes | | AI CodeFix | No | Yes | | Advanced security | Basic | Full | | Support | Community | Priority | ## Option 2: Migrate to SonarQube (Enterprise) ### Advantages - Self-hosted (full control) - No SaaS dependency - Enterprise features - Custom plugins - Compliance-friendly ### Migration Steps #### 1. Install SonarQube **Docker Compose (Recommended)**: ```yaml version: '3.8' services: sonarqube: image: sonarqube:lts container_name: sonarqube environment: SONARQUBE_JDBC_URL: jdbc:postgresql://postgres:5432/sonarqube SONARQUBE_JDBC_USERNAME: sonarqube SONARQUBE_JDBC_PASSWORD: sonarqube SONAR_ADMIN_PASSWORD: admin ports: - "9000:9000" volumes: - sonarqube_data:/opt/sonarqube/data - sonarqube_extensions:/opt/sonarqube/extensions - sonarqube_logs:/opt/sonarqube/logs depends_on: - postgres networks: - sonarnet postgres: image: postgres:13 container_name: postgres environment: POSTGRES_DB: sonarqube POSTGRES_USER: sonarqube POSTGRES_PASSWORD: sonarqube volumes: - postgres_data:/var/lib/postgresql/data networks: - sonarnet volumes: sonarqube_data: sonarqube_extensions: sonarqube_logs: postgres_data: networks: sonarnet: ``` **Start services**: ```bash docker-compose up -d # Access at http://localhost:9000 # Default credentials: admin/admin ``` #### 2. Create Project ```bash # In SonarQube web interface: # - Administration > Projects > Create Project # - Enter project key and display name ``` #### 3. Generate Token ```bash # User menu > My Account > Security # Generate token # Copy and store securely ``` #### 4. Configure Project `sonar-project.properties`: ```properties sonar.projectKey=my-typescript-project sonar.projectName=My TypeScript Project sonar.sources=src sonar.tests=__tests__ sonar.typescript.lcov.reportPaths=coverage/lcov.info sonar.exclusions=node_modules/** ``` #### 5. Run Analysis ```bash npx sonar-scanner \ -Dsonar.projectKey=my-typescript-project \ -Dsonar.sources=src \ -Dsonar.typescript.lcov.reportPaths=coverage/lcov.info \ -Dsonar.host.url=http://sonarqube:9000 \ -Dsonar.login=your-token ``` #### 6. Integrate with CI/CD ```bash # Jenkins Declarative Pipeline pipeline { agent any environment { SONAR_HOST = credentials('sonar-host-url') SONAR_TOKEN = credentials('sonar-token') } stages { stage('Build & Test') { steps { sh ''' npm install npm run test:coverage ''' } } stage('SonarQube Analysis') { steps { sh ''' npx sonar-scanner \ -Dsonar.projectKey=my-project \ -Dsonar.sources=src \ -Dsonar.host.url=${SONAR_HOST} \ -Dsonar.login=${SONAR_TOKEN} ''' } } stage('Quality Gate') { steps { timeout(time: 5, unit: 'MINUTES') { waitForQualityGate abortPipeline: true } } } } } ``` ## Option 3: Lightweight Migration to ESLint ### For projects wanting simpler analysis ```bash # Install ESLint and SonarJS plugin npm install -D eslint eslint-plugin-sonarjs typescript @typescript-eslint/parser ``` `.eslintrc.json`: ```json { "parser": "@typescript-eslint/parser", "parserOptions": { "ecmaVersion": 2021, "sourceType": "module" }, "plugins": ["sonarjs", "@typescript-eslint"], "extends": [ "eslint:recommended", "plugin:@typescript-eslint/recommended", "plugin:sonarjs/recommended" ], "rules": { "sonarjs/no-all-duplicated-branches": "warn", "sonarjs/no-identical-expressions": "error", "sonarjs/cognitive-complexity": ["warn", 15] } } ``` **package.json**: ```json { "scripts": { "lint": "eslint src", "lint:fix": "eslint src --fix" } } ``` ## Comparing Rule Coverage ### SonarTS Rules Rules that must be replaced in migration: | Rule | SonarTS | SonarCloud/Qube | ESLint | |------|---------|-----------------|--------| | no-all-duplicated-branches | ✓ | ✓ | sonarjs | | no-identical-expressions | ✓ | ✓ | sonarjs | | cognitive-complexity | ✓ | ✓ | sonarjs | | dead code detection | ✓ | ✓ | no-unreachable | | security hotspots | ✓ | ✓ (Enhanced) | - | | coverage reporting | ✓ | ✓ | - | ## Data Migration ### Export SonarTS Results ```bash # Get project analysis data via API curl -u user:password \ "http://sonarqube:9000/api/ce/activity?project=my-project" \ > sonarts-analysis.json # Export quality gate settings curl -u user:password \ "http://sonarqube:9000/api/qualitygates/show?name=MyQualityGate" \ > quality-gate.json ``` ### Import to New Platform **SonarCloud**: No import needed - start fresh with better analysis **SonarQube**: Configure same quality gates and rules: ```bash # Via web interface: # - Administration > Quality Gates > Copy existing gate # - Adjust rules based on new JavaScript/TypeScript analyzer ``` ## Rollout Plan ### Phase 1: Setup (Week 1) ``` [ ] Choose migration target (SonarCloud/SonarQube/ESLint) [ ] Create account/infrastructure [ ] Configure initial project [ ] Run parallel analysis on sample project [ ] Compare results ``` ### Phase 2: Pilot (Week 2-3) ``` [ ] Migrate 2-3 sample projects [ ] Test CI/CD integration [ ] Train team [ ] Document new workflow [ ] Collect feedback ``` ### Phase 3: Rollout (Week 4+) ``` [ ] Migrate all projects batch by batch [ ] Update CI/CD for all repositories [ ] Archive SonarTS configuration [ ] Decommission SonarTS infrastructure [ ] Monitor for issues ``` ### Phase 4: Cleanup (Month 2) ``` [ ] Remove SonarTS plugin [ ] Delete legacy SonarQube instance (if self-hosted) [ ] Archive SonarTS documentation [ ] Final verification ``` ## Troubleshooting Migration ### Issue: Quality Gate Stricter in New Platform **Cause**: Modern analyzers find more issues **Solution**: 1. Run parallel analysis to measure impact 2. Adjust quality gate rules gradually 3. Focus on CRITICAL and BLOCKER issues first 4. Gradually increase strictness over sprints ### Issue: Coverage Not Showing **Ensure**: ```bash # Generate coverage in supported format npm run test:coverage # Verify LCOV file exists ls coverage/lcov.info # Specify in configuration sonar.typescript.lcov.reportPaths=coverage/lcov.info ``` ### Issue: Performance Degradation **Check**: - Analysis time longer than expected - Increase memory allocation - Optimize exclusions (exclude node_modules, coverage, etc.) ## Success Metrics Track after migration: | Metric | Target | |--------|--------| | Analysis time | <10 minutes per run | | PR review time | <5 minutes feedback | | Rule coverage | >90% parity with SonarTS | | Team satisfaction | >4/5 rating | | Issue detection rate | Same or better | ## Summary **Recommended Migration Path**: 1. **For most projects**: SonarCloud (easiest, best support) 2. **For enterprises**: SonarQube LTS (self-hosted, full control) 3. **For lightweight needs**: ESLint + SonarJS plugin (simplest) All modern solutions provide superior TypeScript analysis with ongoing updates, better security detection, and improved developer experience compared to legacy SonarTS. **Start migration today** - SonarTS support has ended, and modern alternatives are production-ready. --- # SonarTS Rules and Detection Capabilities ## Source https://github.com/SonarSource/SonarTS ## Rule Categories SonarTS implemented comprehensive rules for TypeScript code quality and security analysis across multiple categories. ### Code Smells Code smells represent maintainability issues that don't necessarily indicate bugs but suggest design problems: #### Cognitive Complexity - **Rule**: Cognitive Complexity - **Purpose**: Detects overly complex functions that are hard to understand and maintain - **Example**: Deeply nested conditionals and loops #### Duplicated Code - **Rule**: `no-all-duplicated-branches` - **Purpose**: Identifies when all branches of a conditional do the same thing - **Impact**: Suggests code can be simplified - **Example**: ```typescript if (condition) { doSomething(); } else { doSomething(); // Same as above } ``` #### Dead Code - **Rule**: Dead Code Detection - **Purpose**: Finds code that can never be executed - **Example**: ```typescript function test() { return 42; console.log("Never executed"); // Dead code } ``` #### Unused Variables - **Rule**: Unused Variable Detection - **Purpose**: Identifies declared variables that are never read - **Example**: ```typescript const unused = calculateValue(); // Never referenced ``` ### Bugs Bug-prone patterns that are likely to cause incorrect behavior: #### Identical Expressions - **Rule**: `no-identical-expressions` - **Purpose**: Detects logically identical expressions that might indicate a copy-paste error - **Example**: ```typescript if (a > b && a > b) { // Redundant condition // ... } ``` #### Dead Stores - **Rule**: Dead Store Detection - **Purpose**: Variables assigned but the value is never used before being overwritten - **Example**: ```typescript let x = 5; // Dead store x = 10; // Value reassigned before use console.log(x); // Only final value is read ``` #### Logic Errors - Variables used in wrong conditions - Incorrect array indexing - Off-by-one errors in loops ### Vulnerabilities Security-related issues detected through data-flow analysis: #### OWASP Top 10 Coverage - SQL Injection patterns - Cross-Site Scripting (XSS) vectors - Path Traversal vulnerabilities - Sensitive data exposure #### Examples **SQL Injection Detection**: ```typescript const userId = getUserInput(); const query = `SELECT * FROM users WHERE id = ${userId}`; // Tainted data flows into SQL query db.execute(query); ``` **XSS Vulnerability**: ```typescript const userInput = getQueryParameter('name'); document.body.innerHTML = userInput; // Potential XSS ``` **Weak Cryptography**: ```typescript import crypto from 'crypto'; const hash = crypto.createHash('md5'); // Deprecated algorithm ``` ### Design Issues Architectural and design pattern violations: #### Function Parameters - Functions with too many parameters - Mixed parameter types - Unclear parameter purpose #### Class Structure - Classes with too many methods - Circular dependencies - Tight coupling ## Analysis Techniques ### Abstract Syntax Tree (AST) Analysis SonarTS uses AST-based analysis to understand code structure: ```typescript // Rule: All if-else branches do the same thing if (isAdmin) { sendEmail(user); logAction(); } else { sendEmail(user); logAction(); } // Better: sendEmail(user); logAction(); ``` ### Live Variable Analysis Determines which variables are "live" (their values are used) at each point: ```typescript function process() { let temp = getValue(); // Live: value will be used let unused = getOther(); // Dead: never read after assignment unused = 0; // Dead store console.log(temp); } ``` ### Symbolic Execution Traces data flow through the program to detect security issues: ```typescript // Data-flow analysis example const input = request.query.id; // Source: untrusted input const query = buildQuery(input); // Flows through function database.execute(query); // Sink: dangerous operation ``` ### Control Flow Analysis Analyzes program paths to detect unreachable code: ```typescript function example() { if (true) { return; } console.log("Unreachable"); // Detected as unreachable } ``` ## Configuration of Rules ### Rule Properties Each rule in SonarTS has: - **Key**: Unique identifier (e.g., `no-identical-expressions`) - **Name**: Human-readable rule name - **Severity**: INFO, MINOR, MAJOR, CRITICAL, BLOCKER - **Type**: CODE_SMELL, BUG, VULNERABILITY - **Tags**: Category labels (e.g., `pitfall`, `security`, `performance`) ### Severity Levels | Severity | Use Case | |----------|----------| | INFO | Minor style or documentation issues | | MINOR | Minor code quality issues | | MAJOR | Significant quality issues that could affect functionality | | CRITICAL | Critical bugs or security vulnerabilities | | BLOCKER | Issues that must be fixed immediately | ## Rule Examples by Type ### Bug Rules 1. **Identical Conditions** - Condition appears in both if and else branches - Severity: MAJOR - Type: BUG 2. **Collection Size vs Empty Check** - Using `.length` instead of `.isEmpty()` - Severity: MINOR - Type: CODE_SMELL 3. **Infinite Loops** - Loop condition never changes - Severity: MAJOR - Type: BUG ### Vulnerability Rules 1. **Tainted Data Flow** - Unsanitized user input flows to dangerous operations - Severity: CRITICAL - Type: VULNERABILITY 2. **Insecure Randomness** - Using `Math.random()` for security purposes - Severity: CRITICAL - Type: VULNERABILITY 3. **Weak Encryption** - Using deprecated or weak cryptographic algorithms - Severity: CRITICAL - Type: VULNERABILITY ### Code Smell Rules 1. **Cognitive Complexity** - Function is too complex to understand - Severity: MAJOR - Type: CODE_SMELL 2. **Duplicate Literals** - Magic numbers or strings repeated multiple times - Severity: MINOR - Type: CODE_SMELL 3. **Long Parameter Lists** - Function has too many parameters - Severity: MINOR - Type: CODE_SMELL ## Modern Equivalents For current TypeScript projects, use: ### SonarQube/SonarCloud JavaScript/TypeScript Analyzer Provides enhanced versions of these rules with: - More sophisticated data-flow analysis - Additional security rules - Support for modern JavaScript/TypeScript features - AI-powered fix suggestions - Better IDE integration ### ESLint Community-driven JavaScript/TypeScript linting: - Faster feedback (runs locally) - Community plugins - Easier customization - Pre-commit integration ### SonarJS ESLint Plugin `eslint-plugin-sonarjs` provides SonarJS rules for ESLint users: ```javascript // .eslintrc.json { "plugins": ["sonarjs"], "extends": ["plugin:sonarjs/recommended"] } ``` ## Summary SonarTS provided comprehensive analysis across bugs, vulnerabilities, and code smells. Modern solutions offer: - **SonarQube/SonarCloud**: Production-grade analysis with ongoing updates - **ESLint with sonarjs plugin**: Lightweight, community-driven approach - **SonarLint**: Real-time IDE feedback during development For legacy SonarTS installations, migrate to modern solutions for continued support and enhanced capabilities.