DeepScan Frequently Asked Questions

Find answers to commonly asked questions about DeepScan.

General information

I want to know the technical specification for the JavaScript analyzer

DeepScan tries to find more useful issues that linter tools can't by its JavaScript analyzer.

The analyzer follows an execution and data flow of JavaScript program without running it and detects the problems defined by the rule set.

• Technical specification
• Rule set

What's the difference with ESLint or JSLint?

Major design goals of DeepScan are lowering noises and making issue handling more actionable.

So, we try to suppress possible noises like: 1) false alarm, 2) issues too trivial, 3) prohibiting features like '==' completely.

In three ways, DeepScan is different with linters line ESLint, JSHint, and JSLint:

• Beyond Conventions: Focus on finding runtime errors and quality issues rather than coding conventions.
• Semantic Analysis: Follow the execution and data flow of program in greater depth. This enables finding issues that syntax-based linters can't.
• Adaptable & Actionable: By classifying issues by 3-level impacts and filtering noisy issues aggressively, you can focus on major issues first and gradually. Also detailed guides are provided to let you simply know where the problem is.

As of JSLint, it sets quite high restrictions, so DeepScan does not detect all the issues that JSLint might report, but carefully select some of them. For example, instead of preventing '==', DeepScan detectsBAD_TYPE_COERCION alarm only for buggy code like:

if ("abc".startsWith("a") == "true") { }

You can see morehere.

I want to know security information to ensure my code is controlled properly

You can see documentation for the securityhere. It describes physical security about our service and how we handle the user code.

To date, we have understood your concern and been trying to improve our architecture.

For example, we had showed a file content inFiles view by fetching a stored file in our server. But we changed to show a file content by fetching directly from GitHub from the1.8.0 release, and finally removed a dependency for stored user code in the1.9.0 release.

Can I use DeepScan with a React Native application?

DeepScan would almost possibly support a React Native because it was fully engineered to support React and JSX.

For example, it can just analyzethe official F8 app of 2017 powered by React Native.

Please note that DeepScan does not have some specific rules about React Native now while it supports many ofReact-specific rules.

How are grades calculated?

Our grades imply a status quo of your project relative to other open source projects. We calculate the issue density (the number of issues per thousand lines of code) of the project and correlate it with ones of 150 GitHub open source projects.

You can seehere how each grade is calculated.

How do I reanalyze my project?

While we do not provide a direct way to reanalyze the project, you can reanalyze it when you has changed its settings.

Navigate to the project settings and change theRules orExclusion settings. When you apply the changes and are prompted to reanalyze, clickReanalyze button. Your project will be analyzed with the changed settings and you are navigated to the dashboard.

Git

I want to use DeepScan with a Git server behind a firewall

While DeepScan.io supports only the public and/or private repositories in the GitHub (github.com), our enterprise planDeepScan Enterprise helps you use DeepScan in your environment.

• SonarQube plugin: Enables you to inspect JavaScript and TypeScript using DeepScan in your SonarQube platform
• Editor plugins: Enables you to run DeepScan on the fly in your VS Code and IntelliJ
• CLI tool: Enables you to run DeepScan in your command-line environment

Does DeepScan support Bitbucket or GitLab?

Although DeepScan currently supports only GitHub, we have a roadmap for other Git servers such as Bitbucket and GitLab. For now, you can try ourenterprise packages that work independently of a Git server.

How to check my organization access on GitHub?

When you analyze organization repositories or invite organization members, you need to grant DeepScan third-party access to your organizations. Please checkConnection with DeepScan on GitHub.

Once granted, you can do the following:

• See and analyze your organization repositories
• Invite your organization members to join your team

Rules

Does DeepScan support CWE?

DeepScan supports Common Weakness Enumeration (CWE) rules.

You can seehere the full listings of the rules related with CWE. Also you can immediately see a CWE example inDemo.

What is "No value is returned from function" for await operator?

OurMISSING_RETUEN_VALUE complains below code whensetFetched() does not return.

public async fetchData() {    const fetched = await this.fetchFrom();    await this.setFetched(fetched); // No value is returned from function 'setFetched'.}

It seems thatthis.setFetched is not an async function that returns a Promise. If so, it is executed synchronously and the above is equivalent as:

this.setFetched(fetched);await undefined;

Note thatawait undefined stops the execution of the current function, but the execution might resume immediately becauseundefined value is converted to a resolved Promise.

For more rationale about the alarm, the TypeScript Issue"Should awaiting a non-Promise value be an error?" might be helpful.

Did you use this pattern due to some timing issue likesetTimeout(fn, 0)? Then you can kindly ignore our alarm byinline comment:

await this.setFetched(fetched) // deepscan-disable-line

Plans and billing

How many seats and projects can I own and/or manage for DeepScan plans?

Limits for DeepScan plans are listed below. We think these limits can accommodate those with your interests.

• Free plan: 100 seats / 1,000 public projects / 0 private projects
• Trial plan: 100 seats / 1,000 public projects / 5 private projects
• Paid plans: Unlimited paid seats / 1,000 public projects / Private projectsdepending on the plan you choose

If you want more private projects, you need to create a new team and upgrade its plan. Feel free tocontact us if you have any questions related to this.

For more information about plans, seehere.

How to connect teams with the purchased GitHub Marketplace plan

When you purchase a plan from the GitHub Marketplace with your GitHub account, you are requested to select a team to connect with the purchased plan. This is because our subscription is per team so we guide you to select a team of the GitHub Marketplace plan.

Or you canconnect your DeepScan team with the GitHub Marketplace plan which has no connected team at any time:

1. Go to theAccount Settings page
2. From theGitHub Accounts, you can see your GitHub accounts and its connected team
3. ClickSelect Team button in the account you want to connect

Note: Even if you do not connect a team with the plan, you will bepaid from GitHub when the 14-day trial ends.

• The billing is calculated from the day when the trial ends to your next GitHub billing date
• To stop using DeepScan purchased from the GitHub Marketplace, you shouldcancel the subscription directly in GitHub before the trial ends

Payment with the 14-day trial

DeepScan provides the 14-day free trial of our paid service. The payment information with it is the following:

• Trial from our site:No payment. After 14 days the trial willautomatically expire and the private projects will be inactive.
• Purchase from the GitHub Marketplace: You get a 14-day free trial andthe paid subscription will start at the end of the trial. So if you want to use the trial only, you should cancel the subscription from GitHub before the end of the 14-day trial. For more information, see "About billing for GitHub Marketplace."