Update metadata before release (#3601)

Author: saberduck

css-sonarpedia/sonarpedia.json

@@ -3,7 +3,7 @@
   "languages": [
     "CSS"
   ],
-  "latest-update": "2022-11-22T14:32:56.265429Z",
+  "latest-update": "2022-12-05T15:35:17.052030Z",
   "options": {
     "no-language-in-filenames": true
   }

javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S5332.html

@@ -1,20 +1,20 @@
-<p>Clear-text protocols such as <code>ftp</code>, <code>telnet</code> or non-secure <code>http</code> lack encryption of transported data, as well as
-the capability to build an authenticated connection. It means that an attacker able to sniff traffic from the network can read, modify or corrupt the
+<p>Clear-text protocols such as <code>ftp</code>, <code>telnet</code>, or <code>http</code> lack encryption of transported data, as well as the
+capability to build an authenticated connection. It means that an attacker able to sniff traffic from the network can read, modify, or corrupt the
 transported content. These protocols are not secure as they expose applications to an extensive range of risks:</p>
 <ul>
-  <li> Sensitive data exposure </li>
-  <li> Traffic redirected to a malicious endpoint </li>
-  <li> Malware infected software update or installer </li>
-  <li> Execution of client side code </li>
-  <li> Corruption of critical information </li>
+  <li> sensitive data exposure </li>
+  <li> traffic redirected to a malicious endpoint </li>
+  <li> malware-infected software update or installer </li>
+  <li> execution of client-side code </li>
+  <li> corruption of critical information </li>
 </ul>
 <p>Even in the context of isolated networks like offline environments or segmented cloud environments, the insider threat exists. Thus, attacks
 involving communications being sniffed or tampered with can still happen.</p>
 <p>For example, attackers could successfully compromise prior security layers by:</p>
 <ul>
-  <li> Bypassing isolation mechanisms </li>
-  <li> Compromising a component of the network </li>
-  <li> Getting the credentials of an internal IAM account (either from a service account or an actual person) </li>
+  <li> bypassing isolation mechanisms </li>
+  <li> compromising a component of the network </li>
+  <li> getting the credentials of an internal IAM account (either from a service account or an actual person) </li>
 </ul>
 <p>In such cases, encrypting communications would decrease the chances of attackers to successfully leak data or steal credentials from other network
 components. By layering various security practices (segmentation and encryption, for example), the application will follow the
@@ -30,27 +30,27 @@
 <h2>Ask Yourself Whether</h2>
 <ul>
   <li> Application data needs to be protected against falsifications or leaks when transiting over the network. </li>
-  <li> Application data transits over a network that is considered untrusted. </li>
+  <li> Application data transits over an untrusted network. </li>
   <li> Compliance rules require the service to encrypt data in transit. </li>
   <li> Your application renders web pages with a relaxed mixed content policy. </li>
-  <li> OS level protections against clear-text traffic are deactivated. </li>
+  <li> OS-level protections against clear-text traffic are deactivated. </li>
 </ul>
 <p>There is a risk if you answered yes to any of those questions.</p>
 <h2>Recommended Secure Coding Practices</h2>
 <ul>
   <li> Make application data transit over a secure, authenticated and encrypted protocol like TLS or SSH. Here are a few alternatives to the most
   common clear-text protocols:
     <ul>
-      <li> Use<code>ssh</code> as an alternative to <code>telnet</code> </li>
-      <li> Use <code>sftp</code>, <code>scp</code> or <code>ftps</code> instead of <code>ftp</code> </li>
-      <li> Use <code>https</code> instead of <code>http</code> </li>
-      <li> Use <code>SMTP</code> over <code>SSL/TLS</code> or <code>SMTP</code> with <code>STARTTLS</code> instead of clear-text SMTP </li>
+      <li> Use <code>ssh</code> as an alternative to <code>telnet</code>. </li>
+      <li> Use <code>sftp</code>, <code>scp</code>, or <code>ftps</code> instead of <code>ftp</code>. </li>
+      <li> Use <code>https</code> instead of <code>http</code>. </li>
+      <li> Use <code>SMTP</code> over <code>SSL/TLS</code> or <code>SMTP</code> with <code>STARTTLS</code> instead of clear-text SMTP. </li>
     </ul>  </li>
-  <li> Enable encryption of cloud components communications whenever it’s possible. </li>
+  <li> Enable encryption of cloud components communications whenever it is possible. </li>
   <li> Configure your application to block mixed content when rendering web pages. </li>
-  <li> If available, enforce OS level deactivation of all clear-text traffic </li>
+  <li> If available, enforce OS-level deactivation of all clear-text traffic. </li>
 </ul>
-<p>It is recommended to secure all transport channels (even local network) as it can take a single non secure connection to compromise an entire
+<p>It is recommended to secure all transport channels, even on local networks, as it can take a single non-secure connection to compromise an entire
 application or system.</p>
 <h2>Sensitive Code Example</h2>
 <pre>
@@ -453,7 +453,7 @@ <h2>Compliant Solution</h2>
 <h2>Exceptions</h2>
 <p>No issue is reported for the following cases because they are not considered sensitive:</p>
 <ul>
-  <li> Insecure protocol scheme followed by loopback addresses like 127.0.0.1 or <code>localhost</code> </li>
+  <li> Insecure protocol scheme followed by loopback addresses like 127.0.0.1 or <code>localhost</code>. </li>
 </ul>
 <h2>See</h2>
 <ul>

javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S6477.html

@@ -1,28 +1,38 @@
-<p>React expects a unique identifier <code>key</code> in each component to optimize rendering. Missing keys will negatively impact performance and can
-bring your application to a halt when there are enough elements.</p>
-<p>Avoid Array indexes since they are not stable. Instead, use a unique attribute like an id.</p>
+<p>React expects a unique identifier <code>key</code> in list components to optimize rendering. Missing keys will negatively impact performance and
+can bring your application to a halt when there are enough elements. Avoid <code>Array</code> indexes since they are not stable. Instead, use a unique
+attribute like an ID or a combination of attributes.</p>
 <h2>Noncompliant Code Example</h2>
 <pre>
-const React = require('react');
-class App extends React.Component {
-  render() {
-    &lt;LoginButton /&gt;;
-  }
+function Blog(props) {
+  return (
+    &lt;ul&gt;
+      {props.posts.map((post) =&gt;
+        &lt;li&gt;
+          {post.title}
+        &lt;/li&gt;
+      )}
+    &lt;/ul&gt;
+  );
 }
 </pre>
 <h2>Compliant Solution</h2>
 <pre>
-const React = require('react');
-class App extends React.Component {
-  render() {
-    &lt;LoginButton key="loginBtn" /&gt;;
-  }
+function Blog(props) {
+  return (
+    &lt;ul&gt;
+      {props.posts.map((post) =&gt;
+        &lt;li key={post.id}&gt;
+          {post.title}
+        &lt;/li&gt;
+      )}
+    &lt;/ul&gt;
+  );
 }
 </pre>
 <h2>See</h2>
 <ul>
-  <li> <a
-  href="https://reactjs.org/docs/reconciliation.html#recursing-on-children">https://reactjs.org/docs/reconciliation.html#recursing-on-children</a> -
-  React API reference </li>
+  <li> <a href="https://reactjs.org/docs/reconciliation.html#recursing-on-children">Recursing On Children</a> - React API reference </li>
+  <li> {rule:javascript:S6479} </li>
+  <li> {rule:javascript:S6486} </li>
 </ul>
 

javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S6477.json

@@ -7,14 +7,15 @@
     "constantCost": "5min"
   },
   "tags": [
-    "reactjs",
-    "jsx"
+    "react",
+    "jsx",
+    "performance"
   ],
   "defaultSeverity": "Major",
   "ruleSpecification": "RSPEC-6477",
   "sqKey": "S6477",
   "scope": "All",
-  "quickfix": "unknown",
+  "quickfix": "infeasible",
   "compatibleLanguages": [
     "JAVASCRIPT",
     "TYPESCRIPT"

javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S6478.html

@@ -1,12 +1,12 @@
-<p>Nested components are recreated on each render because React does not know that they haven’t changed. This hurts performance as the components are
-recreated at each render. However, this can also hide surprising bugs where the state of the nested components is lost between renders. Trying to
-<code>useCallback</code> hooks for child components should also be discouraged. You should refactor this code to define the component on its own,
-passing props if required.</p>
+<p>Nested components are defined in an enclosing one and can be simple functions or arrow expressions. React recreates them systematically during the
+render pass because it doesn’t know they haven’t changed. This hurts performance as the components are recreated too many times. However, this can
+also hide surprising bugs where the state of the nested components is lost between renders. Trying to use <code>useCallback</code> hooks for child
+components is also discouraged. You should actually refactor this code to define a component on its own, passing props if needed.</p>
 <h2>Noncompliant Code Example</h2>
 <pre>
 function Component() {
   function UnstableNestedComponent() {
-    return &lt;div/&gt;;
+    return &lt;div /&gt;;
   }
 
   return (
@@ -28,7 +28,7 @@ <h2>Noncompliant Code Example</h2>
 function Component() {
   return (
     &lt;div&gt;
-      &lt;SomeComponent footer={ () =&gt; &lt;div /&gt; } /&gt;
+      &lt;SomeComponent footer={ () =&gt; &lt;div /&gt; } /&gt; { /* footer is a component nested inside 'Component' */ }
     &lt;/div&gt;
   );
 }
@@ -67,6 +67,19 @@ <h2>Compliant Solution</h2>
   return &lt;SomeComponent footer={ &lt;div /&gt; } /&gt;;
 }
 </pre>
+<pre>
+class Component extends React.Component {
+  render() {
+    return (
+      &lt;div&gt;
+        &lt;SomeComponent /&gt;
+      &lt;/div&gt;
+    );
+  }
+}
+</pre>
 <h2>See</h2>
-<p>TODO</p>
+<ul>
+  <li> <a href="https://reactjs.org/docs/reconciliation.html#elements-of-different-types">Elements Of Different Types</a> - React documentation </li>
+</ul>
 

javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S6478.json

@@ -7,7 +7,9 @@
     "constantCost": "5min"
   },
   "tags": [
-    "react"
+    "react",
+    "jsx",
+    "performance"
   ],
   "defaultSeverity": "Major",
   "ruleSpecification": "RSPEC-6478",

javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S6479.html

@@ -1,31 +1,28 @@
 <p>React expects a unique identifier for performance optimizations. An array index is not a stable identifier most of the time. This results in
 unnecessary renders when the array items change index following some mutation. When components have state, this might also provoke bugs that are hard
-to diagnose. We recommend using an explicit identifier to avoid misuse and accidental re-renders. If there is no unique attribute available, consider
-concatenating properties to create one. Using generated values like <code>Math.random()</code> or <code>Date.now()</code> is discouraged as it would
-force a re-render every time and might also provoke bugs if values collide.</p>
-<p>React expects a unique identifier <code>key</code> in each component to optimize rendering. Missing keys will negatively impact performance and can
-bring your application to a halt when there are enough elements.</p>
-<p>Avoid Array indexes since they are not stable. Instead, use a unique attribute like an id.</p>
+to diagnose.</p>
+<p>We recommend using an explicit identifier to avoid misuse and accidental re-renders. If there is no unique attribute available, consider
+concatenating existing properties - hashing them if necessary - or creating a dedicated unique identifier.</p>
 <h2>Noncompliant Code Example</h2>
 <pre>
-function generateButtons(buttons) {
-  return buttons.map((button, index) =&gt; {
-    &lt;Button key={index}&gt;button.number&lt;/Button&gt;
+function generateButtons(props) {
+  return props.buttons.map((button, index) =&gt; {
+    &lt;Button key={index}&gt;{button.number}&lt;/Button&gt;
   });
 }
 </pre>
 <h2>Compliant Solution</h2>
 <pre>
-function generateButtons(buttons) {
-  return buttons.map((button, index) =&gt; {
-    &lt;Button key={button.number}&gt;button.number&lt;/Button&gt;
+function generateButtons(props) {
+  return props.buttons.map((button, index) =&gt; {
+    &lt;Button key={button.number}&gt;{button.number}&lt;/Button&gt;
   });
 }
 </pre>
 <h2>See</h2>
 <ul>
-  <li> <a
-  href="https://reactjs.org/docs/reconciliation.html#recursing-on-children">https://reactjs.org/docs/reconciliation.html#recursing-on-children</a> -
-  React API reference </li>
+  <li> <a href="https://reactjs.org/docs/reconciliation.html#recursing-on-children">Recursing On Children</a> - React API reference </li>
+  <li> {rule:javascript:S6477} </li>
+  <li> {rule:javascript:S6486} </li>
 </ul>
 

javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S6479.json

@@ -1,20 +1,21 @@
 {
-  "title": "Stable unique keys for JSX list components",
+  "title": "No array index for keys in JSX list components",
   "type": "CODE_SMELL",
   "status": "ready",
   "remediation": {
     "func": "Constant\/Issue",
     "constantCost": "5min"
   },
   "tags": [
-    "reactjs",
-    "jsx"
+    "react",
+    "jsx",
+    "performance"
   ],
   "defaultSeverity": "Major",
   "ruleSpecification": "RSPEC-6479",
   "sqKey": "S6479",
   "scope": "All",
-  "quickfix": "unknown",
+  "quickfix": "infeasible",
   "compatibleLanguages": [
     "JAVASCRIPT",
     "TYPESCRIPT"

javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S6480.html

@@ -1,7 +1,7 @@
 <p>Using <code>Function.prototype.bind</code> and arrows functions as attributes will negatively impact performance in React. Each time the parent is
 rendered, the function will be re-created and trigger a render of the component causing excessive renders and more memory use. Wrapping the function
-in a useCallback hook will avoid additional renders. This rule ignores <code>Refs</code>. This rule does not raise findings on DOM nodes since that
-may require wrapping the DOM in a component. Still, better performance can be achieved if this rule is respected in DOM nodes too.</p>
+in a <code>useCallback</code> hook will avoid additional renders. This rule ignores <code>Refs</code>. This rule does not raise findings on DOM nodes
+since that may require wrapping the DOM in a component. Still, better performance can be achieved if this rule is respected in DOM nodes too.</p>
 <h2>Noncompliant Code Example</h2>
 <pre>
 &lt;Component onClick={this._handleClick.bind(this)}&gt;&lt;/Component&gt;
@@ -16,6 +16,59 @@ <h2>Compliant Solution</h2>
 
 &lt;Component onClick={handleClick}&gt;&lt;/Component&gt;
 </pre>
+<p>Situation can become more complicated when you need to pass additional parameters to the handler. Consider following component printing the list of
+letters. Consider following non-compliant example</p>
+<pre>
+class Alphabet extends React.Component {
+    handleClick(letter) {
+        console.log(`clicked ${letter}`);
+    }
+    render() {
+        return (&lt;div&gt;&lt;ul&gt;
+            {letters.map(letter =&gt;
+                &lt;li key={letter} onClick={() =&gt; this.handleClick(letter)}&gt;{letter}&lt;/li&gt;
+            )}
+        &lt;/ul&gt;&lt;/div&gt;)
+    }
+}
+</pre>
+<p>To avoid creating the arrow function you can factor out <code>li</code> element as separate child component and use <code>props</code> to pass the
+<code>letter</code> and <code>onClick</code> handler.</p>
+<pre>
+class Alphabet extends React.Component {
+    handleClick(letter) {
+        console.log(`clicked ${letter}`);
+    }
+    render() {
+        return (&lt;div&gt;&lt;ul&gt;
+            {letters.map(letter =&gt;
+                &lt;Letter key={letter} letter={letter} handleClick={this.handleClick}&gt;&lt;/Letter&gt;
+            )}
+        &lt;/ul&gt;&lt;/div&gt;)
+    }
+}
+
+class Letter extends React.Component {
+    constructor(props) {
+        super(props);
+        this.handleClick = this.handleClick.bind(this)
+    }
+    handleClick() {
+        this.props.handleClick(this.props.letter);
+    }
+    render() {
+        return &lt;li onClick={this.handleClick}&gt; {this.props.letter} &lt;/li&gt;
+    }
+}
+</pre>
+<p>alternatively you could rewrite <code>Letter</code> as a function and use <code>useCallback</code></p>
+<pre>
+function Letter({ handleClick, letter }) {
+    const onClick = React.useCallback(() =&gt; handleClick(letter), [letter])
+
+    return &lt;li onClick={onClick}&gt;{letter}&lt;/li&gt;
+}
+</pre>
 <h2>See</h2>
 <ul>
   <li> <a href="https://reactjs.org/docs/faq-functions.html">Passing Functions to Components</a> - React documentation </li>

javascript-checks/src/main/resources/org/sonar/l10n/javascript/rules/javascript/S6480.json

@@ -1,13 +1,13 @@
 {
-  "title": "Disallow `.bind()` and arrow functions in JSX props ",
+  "title": "Disallow `.bind()` and arrow functions in JSX props",
   "type": "CODE_SMELL",
   "status": "ready",
   "remediation": {
     "func": "Constant\/Issue",
     "constantCost": "5min"
   },
   "tags": [
-    "reactjs",
+    "react",
     "jsx",
     "performance"
   ],