By SonarSource and Eriks Nukis – GNU LGPL 3 – Issue Tracker – Sources – Supported by SonarSource
More versions

SonarJS 4.2.1 – Aug 10, 2018 – SonarQube 6.7+ (Compatible with LTS)
Fix a bug related to custom rules and introduced in 4.2.
Download – Release notes

SonarJS 4.2 – Jul 21, 2018
Allows import of ESLint issues reports, better support of .vue files and small bugfixes
Release notes

SonarJS 4.1 – Feb 13, 2018
7 new rules
Release notes

SonarJS 4.0 – Dec 19, 2017
Support for new LTS, extended "Sonar Way" profile
Release notes

SonarJS 3.3 – Nov 09, 2017
3 new rules, Java 9 runtime support
Release notes

SonarJS 3.2 – Oct 04, 2017
Support for Flow type annotations, 2 new rules
Release notes

SonarJS 3.1.1 – Jun 30, 2017
Bug-fix for "Dirty issues list after SeCheck throws exception"
Release notes

SonarJS 3.1 – Jun 19, 2017
Vue.js support, 1 new rule
Release notes

SonarJS 3.0 – Apr 26, 2017
Kill the noise
Release notes

SonarJS 2.21.1 – Apr 24, 2017
Bug-fix to support //NOSONAR in SonarLint
Release notes

SonarJS 2.21 – Mar 01, 2017
Cross-procedural data flow analysis, infinite loop detection
Release notes

SonarJS 2.20 – Feb 06, 2017
Cognitive Complexity, 8 new rules
Release notes

SonarJS 2.19 – Jan 06, 2017
14 new rules, including 2 rules detecting invalid calls to built-in methods
Release notes

SonarJS 2.18 – Nov 15, 2016
This version brings 10 new rules including several type-based rules.
Release notes

SonarJS 2.17 – Oct 10, 2016
2 new rules including a bug-detection one: "The output of functions that don't return anything should not be used".
Release notes

SonarJS 2.16 – Sep 08, 2016
Most rule severities have been updated to comply with the SonarQube Quality Model. The Symbolic Execution engine detects more issues by supporting all relational operators.
Release notes

SonarJS 2.15 – Aug 16, 2016
2 new rules, support of some ES2017 language features and type tracking on execution paths to improve existing rules relying on types.
Release notes

SonarJS 2.14 – Jun 22, 2016
Support of 5.6 LTS, precise issue location for all rules, improvements of symbolic execution
Release notes

SonarJS 2.13 – May 25, 2016
New rule "Properties should not be accessed on an undefined or null value"
Release notes

SonarJS 2.12 – Apr 19, 2016
First rule relying on symbolic execution engine to detect unconditionally true/false conditions and full support of React JSX.
Release notes

SonarJS 2.11 – Mar 07, 2016
16 new rules to enforce some coding practices relating to ECMAScript 2015 and detection of almost all kinds of dead store and unreachable code based on a complete Control Flow Graph.
Release notes

SonarJS 2.10 – Jan 13, 2016
8 new bug-related rules, new predefined 'Sonar Security Way' profile targeting bug-detection and security rules and automatic exclusion of minified files from analysis
Release notes

SonarJS 2.9 – Dec 04, 2015
13 rules benefit from the UI SonarQube precise issue location mechanism and several improvements and bug fixes.
Release notes

SonarJS 2.8 – Sep 01, 2015
New rules and improvement of existing
Release notes

SonarJS 2.7 – Jun 22, 2015
6 new rules relating to bug detection.
Release notes

SonarJS 2.6 – May 28, 2015
Provides the ability to create some custom rules, to import some IT coverage reports and embeds 2 new rules
Release notes

SonarJS 2.5 – Apr 23, 2015
This version brings 13 new bug and framework related rules. Moreover the SonarQube symbol highlighting mechanism is now available when browsing JavaScript source files.
Release notes

SonarJS 2.4 – Apr 02, 2015
15 new rules mainly relating to bug detection. Moreover, some rules start targeting some JavaScript frameworks like Backbone.
Release notes

SonarJS 2.3 – Feb 17, 2015
Add rule tags and 2 new bug-fixing related rules
Release notes

SonarJS 2.2 – Nov 24, 2014
Adds import of Unit Test results for jstest and js-test-driver XML reports
Release notes

Description

Enables the powerful SonarJS analyzer.

First Analysis of a JavaScript Project

Install SonarQube Server (see Setup and Upgrade for more details)
Install SonarQube Scanner and be sure your can call sonar-scanner from the directory where you have your source code
Install SonarJS (see Installing a Plugin for more details)
Run your analysis with the SonarQube Scanner by executing the following command from the root directory of the project:
```
sonar-scanner -Dsonar.projectKey=xxx -Dsonar.sources=.
```
Follow the link provided at the end of the analysis to browse your project's quality in SonarQube UI

Further Analyses

Assuming steps 1-3 above have already been completed, you'll want to encapsulate your analysis parameters in a sonar-project.properties file at the root of your project (see a sample project on GitHub: https://github.com/SonarSource/sonar-scanning-examples/tree/master/sonarqube-scanner). Then subsequent analyses can simply be run with:

sonar-scanner

Configuring Quality Profiles

SonarJS provides 2 Quality Profiles out of the box: "Sonar way" (default) and "Sonar way Recommended".

"Sonar way" Profile

The "Sonar way" Quality Profile is activated by default. It defines a trimmed list of high-value/low-noise rules useful in almost any JS development context. You can check out the list of rules belonging to "Sonar way" on SonarCloud.

"Sonar way Recommended" Profile SINCE 3.0

"Sonar way Recommended" contains all rules from "Sonar way" (bugs and pitfall detection), plus more rules that mandate high code readability and long-term project evolution. You can check out the list of rules belonging to "Sonar way Recommended" on SonarCloud.

Above Predefined Rule Profiles

By using SonarQube UI you can create your own Quality Profiles and activate even more rules which are valuable in your development context. We recommend that you look at the following rules, which are highly valuable but whose activation depends on your environment and coding principles or which require some configuration.

"Non-existent properties should not be read" S3759 (should be activated if you don't use monkey patching)
"Non-existent variables should not be referenced" S3827 (requires configuration)
"Objects should not be created to be dropped immediately without being used" ConstructorFunctionsForSideEffects (activate, if you agree that constructors should not have side effects)
"Variables should be declared with "let" or "const"" S3504. Activate, if you use ES2015. Find more rules with tag "es2015".
"Variables should be defined in the blocks where they are used" S2392 (forces you to declare variables in the most narrow scope)
"Variables should not be shadowed" VariableShadowing (forces you to not shadow variables declared in outer scope)

Advanced Usage

With SonarJS, you can also:

import Coverage Results
import ESLint issues reports
use Grunt to run your analysis
create your own Custom Rules BETA

Advanced Configuration

Property	Scope	Example	Description
sonar.javascript.jQueryObjectAliases	Project-wide	$, jQuery, jQ	SINCE 2.5 Comma-separated list of names used to address jQuery object. Default value is "$, jQuery". NOTE These names are used only to detect jQuery usages, they are not used to build the list of globals.
sonar.javascript.environments	Project-wide	browser, jquery, amd	SINCE 2.20 Comma-separated list of environments names. The analyzer automatically adds global variables based on that list. Available environment names: amd, applescript, atomtest, browser, commonjs, couch, embertest, greasemonkey, jasmine, jest, jquery, meteor, mocha, mongo, nashorn, node, phantomjs, prototypejs, protractor, qunit, rhino, serviceworker, shared-node-browser, shelljs, webextensions, worker, wsh, yui. By default all environments are included.
sonar.javascript.globals	Project-wide	Backbone, IS_DEBUG	SINCE 2.20 Comma-separated list of global variables. Default value is "angular,goog,google,OpenLayers,d3,dojo,dojox,dijit,Backbone,moment,casper".
sonar.javascript.exclusions	Project-wide	libs/**	SINCE 3.3 List of file path patterns to be excluded from analysis of JavaScript files. Default value is `/node_modules/,/bower_components/`