
SONARHTML-262 Add Electron webview security rules #677

Draft
erwan-leforestier-sonarsource wants to merge 2 commits into master from SONARHTML-262-263-electron-webview

Conversation

@erwan-leforestier-sonarsource (Contributor)

Summary

Add the new Electron <webview> security rules for disablewebsecurity and sandboxing in HTML, bundling SONARHTML-262 with SONARHTML-263.

Changes

  • add S7074 and S7071 HTML checks for insecure Electron <webview> attributes
  • highlight the triggering attributes precisely and cover the value-sensitive sandboxing cases
  • generate the new S7071 and S7074 rule resources and activate both in Sonar way

Functional Validation

Attached: SONARHTML-262-fv.zip

Unzip and run:
./run.sh

Expected output is in expected-output.txt. The README shows the
before/after comparison so you can reproduce the difference directly.

⚠️⚠️ This is not ready for review ⚠️⚠️
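An added illustration, not code from this PR or from sonar-html, of the two checks the description lists: a small Python scanner over constructed HTML that flags a `<webview>` carrying the boolean `disablewebsecurity` attribute on presence alone, and treats sandboxing as value-sensitive, assuming here that the opt-out is a `webpreferences` attribute containing `sandbox=no` (or `sandbox=0`):

```python
from html.parser import HTMLParser

# Constructed sample (not from the PR): one safe <webview> and two insecure ones.
SAMPLE_HTML = """
<webview src="https://example.com/app"></webview>
<webview src="https://example.com/legacy" disablewebsecurity></webview>
<webview src="https://example.com/plugin"
         webpreferences="contextIsolation=yes, sandbox=no"></webview>
"""

def parse_webpreferences(value):
    """Parse Electron's comma-separated 'name' / 'name=value' list into a dict.
    A bare name means true; 'no' and '0' switch a preference off (assumed from
    Electron's features-string convention)."""
    prefs = {}
    for item in value.split(","):
        name, _, val = item.strip().partition("=")
        if name:
            prefs[name.strip().lower()] = val.strip().lower() or "yes"
    return prefs

class WebviewChecker(HTMLParser):
    """Collects (line, attribute, message) findings for insecure <webview> tags."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "webview":
            return
        line, _ = self.getpos()  # line of this tag's opening '<'
        for name, value in attrs:  # HTMLParser lowercases attribute names
            if name == "disablewebsecurity":
                # Boolean attribute: presence alone disables the same-origin policy,
                # whatever value (if any) it carries.
                self.findings.append((line, name, "same-origin policy disabled"))
            elif name == "webpreferences" and value:
                # Value-sensitive: only an explicit sandbox opt-out is a finding.
                if parse_webpreferences(value).get("sandbox") in ("no", "0"):
                    self.findings.append((line, name, "renderer sandbox disabled"))

def check_webviews(html):
    checker = WebviewChecker()
    checker.feed(html)
    checker.close()
    return checker.findings

if __name__ == "__main__":
    for line, attr, message in check_webviews(SAMPLE_HTML):
        print(f"line {line}: <webview {attr}>: {message}")
```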

@sonarqubecloud

sonarqubecloud Bot commented May 29, 2026

Agentic Analysis: Early Results

Agentic Analysis and Context Augmentation are available on your project. Here are some issues that could have been prevented. Follow the links to learn how to put them into action.

1 issue(s) found across 1 file(s):

Rule: java:S2325
File: sonar-html-plugin/src/main/java/org/sonar/plugins/html/checks/security/AbstractWebviewCheck.java
Line: 34
Message: Make "isWebview" a "static" method.

Analyzed by SonarQube Agentic Analysis in 3.6 s

@hashicorp-vault-sonar-prod

hashicorp-vault-sonar-prod Bot commented May 29, 2026

SONARHTML-262

@erwan-leforestier-sonarsource (Contributor, Author)

Functional Validation artifact: SONARHTML-262-fv.zip

@github-actions (Contributor)

github-actions Bot commented May 29, 2026

Ruling Report

No changes to ruling expected issues in this PR

@sonarqube-next

Quality Gate failed

Failed conditions
1 New issue

See analysis details on SonarQube


@gitar-bot

gitar-bot Bot commented May 29, 2026

Code Review ✅ Approved 1 resolved / 1 findings

Implements new Electron webview security rules S7074 and S7071 to detect insecure attributes and sandboxing configurations. The unused CheckForNull import was removed, and no further issues were found.

✅ 1 resolved
Quality: Unused import CheckForNull in WebviewDisableWebSecurityCheck

📄 sonar-html-plugin/src/main/java/org/sonar/plugins/html/checks/security/WebviewDisableWebSecurityCheck.java:19
The javax.annotation.CheckForNull import on line 19 is not used anywhere in WebviewDisableWebSecurityCheck.java. It is only used in AbstractWebviewCheck.java. This will likely trigger a compiler warning or static analysis finding.

