SAST Support for React framework (JavaScript)
Problem to solve
Support React (JavaScript framework) as part of JavaScript SAST.
Intended users
Security Analyst, DevOps Engineer
Further details
This request came in via customer ticket (internal): https://gitlab.zendesk.com/agent/tickets/118486
Proposal
Initial Thoughts
Our documentation states that we support JavaScript through the use of ESLint Security Plugin.
However, it doesn't look like their ESLint setup includes any JSX rules, which would be needed for React.
Most likely it will need a similar setup to the ESLint React plugin.
Plan from Grooming
Add eslint-plugin-react to our ESLint analyzer and restrict it to the following rules:
- react/no-unescaped-entities
- react/no-unsafe
- react/jsx-no-target-blank
- react/no-danger-with-children
- react/no-danger
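An ESLint configuration that applies the plan above (added example, not the GitLab analyzer's own configuration): it loads eslint-plugin-react, enables JSX parsing, and turns on only the five rules listed, leaving the rest of the plugin off so the analyzer reports security findings rather than style issues. It assumes the legacy `.eslintrc.js` format and that `eslint` and `eslint-plugin-react` are installed in the project.

```javascript
// .eslintrc.js (added example, not the GitLab analyzer's own configuration)
// Assumes eslint and eslint-plugin-react are installed in the project.
'use strict';

// The five rules from the grooming plan, each set to "error" so a finding
// fails the lint run the way a SAST finding should.
const reactSecurityRules = {
  // Flags dangerouslySetInnerHTML, React's escape hatch for rendering raw
  // HTML and the usual path to DOM XSS in React code.
  'react/no-danger': 'error',
  // Flags an element given both dangerouslySetInnerHTML and children; React
  // throws at runtime and the intended markup is ambiguous.
  'react/no-danger-with-children': 'error',
  // Flags <a target="_blank"> without rel="noreferrer" (reverse tabnabbing:
  // the opened page could otherwise navigate the opener via window.opener).
  'react/jsx-no-target-blank': 'error',
  // Flags the deprecated UNSAFE_componentWillMount,
  // UNSAFE_componentWillReceiveProps and UNSAFE_componentWillUpdate methods.
  'react/no-unsafe': 'error',
  // Flags literal >, ", ' and } in JSX text, which usually signal a
  // malformed element rather than intended output.
  'react/no-unescaped-entities': 'error',
};

module.exports = {
  root: true,
  parserOptions: {
    ecmaVersion: 2020,
    sourceType: 'module',
    // JSX must be enabled or the React rules never see the elements.
    ecmaFeatures: { jsx: true },
  },
  plugins: ['react'],
  settings: {
    // Let the plugin pick up the React version from package.json.
    react: { version: 'detect' },
  },
  // Deliberately no "extends: plugin:react/recommended": only the rules in
  // reactSecurityRules are turned on, so the run stays restricted to the
  // security-relevant checks and does not flag formatting or style.
  rules: reactSecurityRules,
};
```

With this file at the project root, `npx eslint --ext .js,.jsx src/` lints both plain JavaScript and JSX sources, and each of the five rules surfaces as an error in the output; any other eslint-plugin-react rule stays silent because it was never enabled.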
Documentation
Update the SAST documentation page to describe this as a scanner and use case we now support, and to indicate how to enable and use the scanner.
What does success look like, and how can we measure that?
SAST works for React-based projects.
What is the type of buyer?
Existing Gold/Ultimate tier
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.