@sun-asterisk/sunlint 1.0.5

package/config/typescript/security-rules/s050-session-token-weak-hash.js

@@ -0,0 +1,94 @@
+/**
+ * ESLint Rule: S050 - Session Token Weak Entropy or Algorithm
+ * Rule ID: custom/s050
+ * Description: Ensure session tokens use secure algorithms and have at least 64-bit entropy.
+ */
+
+"use strict";
+
+const WEAK_HASH_ALGOS = new Set(["md5", "sha1"]);
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Avoid using weak hash algorithms or low entropy sources for session tokens. Use crypto.randomBytes(16), HMAC, or SHA-256.",
+      recommended: false,
+    },
+    messages: {
+      weakHash:
+        "Avoid using weak hash algorithm '{{algo}}' for session tokens. Use SHA-256, HMAC, or AES instead.",
+      lowEntropy:
+        "Session token should be generated with at least 64-bit entropy. Avoid using '{{func}}'.",
+      smallRandomBytes:
+        "Session token generated with crypto.randomBytes({{bytes}}) has insufficient entropy. Use at least 8 bytes (64-bit).",
+    },
+    schema: [],
+  },
+
+  create(context) {
+    return {
+      CallExpression(node) {
+        const callee = node.callee;
+
+        // Case 1: crypto.createHash("md5") or ("sha1")
+        if (
+          callee.type === "MemberExpression" &&
+          callee.object.name === "crypto" &&
+          callee.property.name === "createHash"
+        ) {
+          const [arg] = node.arguments;
+          if (
+            arg &&
+            arg.type === "Literal" &&
+            typeof arg.value === "string"
+          ) {
+            const algo = arg.value.toLowerCase();
+            if (WEAK_HASH_ALGOS.has(algo)) {
+              context.report({
+                node: arg,
+                messageId: "weakHash",
+                data: { algo },
+              });
+            }
+          }
+        }
+
+        // Case 2: crypto.randomBytes(n), n < 8
+        if (
+          callee.type === "MemberExpression" &&
+          callee.object.name === "crypto" &&
+          callee.property.name === "randomBytes"
+        ) {
+          const [arg] = node.arguments;
+          if (
+            arg &&
+            arg.type === "Literal" &&
+            typeof arg.value === "number" &&
+            arg.value < 8
+          ) {
+            context.report({
+              node: arg,
+              messageId: "smallRandomBytes",
+              data: { bytes: arg.value },
+            });
+          }
+        }
+
+        // Case 3: Math.random() or Date.now() used
+        if (
+          callee.type === "MemberExpression" &&
+          ((callee.object.name === "Math" && callee.property.name === "random") ||
+            (callee.object.name === "Date" && callee.property.name === "now"))
+        ) {
+          context.report({
+            node: callee,
+            messageId: "lowEntropy",
+            data: { func: `${callee.object.name}.${callee.property.name}` },
+          });
+        }
+      },
+    };
+  },
+};

package/config/typescript/security-rules/s052-secure-random-authentication-code.js

@@ -0,0 +1,66 @@
+/**
+ * ESLint Rule: S052 - Verify that the initial authentication code is generated by a secure random number generator, containing at least 20 bits of entropy (typically a six-digit random number is sufficient).
+ * Rule ID: custom/s052
+ * Description: Ensure that the initial authentication code is generated using a secure random number generator with at least 20 bits of entropy.
+ */
+
+"use strict";
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description: "Ensure secure random number generation with sufficient entropy",
+      category: "Security",
+      recommended: true,
+    },
+    messages: {
+      insecureRandom: "Insecure random number generator detected.",
+      insufficientEntropy: "Insufficient entropy detected in crypto.randomInt. Ensure at least 20 bits of entropy.",
+    },
+  },
+
+  create(context) {
+    return {
+      CallExpression(node) {
+        // Check for insufficient entropy in crypto.randomInt
+        if (
+          node.callee.type === "MemberExpression" &&
+          node.callee.object.type === "Identifier" &&
+          node.callee.object.name === "crypto" &&
+          node.callee.property.type === "Identifier" &&
+          node.callee.property.name === "randomInt"
+        ) {
+          const args = node.arguments;
+          if (args.length === 2 && args[0].type === "Literal" && args[1].type === "Literal") {
+            const min = args[0].value;
+            const max = args[1].value;
+            const range = max - min;
+
+            // Check if the range provides at least 20 bits of entropy
+            if (range < Math.pow(2, 20)) {
+              context.report({
+                node,
+                messageId: "insufficientEntropy",
+              });
+            }
+          }
+        }
+
+        // Check for calls to Math.random()
+        if (
+          node.callee.type === "MemberExpression" &&
+          node.callee.object.type === "Identifier" &&
+          node.callee.object.name === "Math" &&
+          node.callee.property.type === "Identifier" &&
+          node.callee.property.name === "random"
+        ) {
+          context.report({
+            node,
+            messageId: "insecureRandom",
+          });
+        }
+      },
+    };
+  },
+};

package/config/typescript/security-rules/s054-verification-default-account.js

@@ -0,0 +1,109 @@
+/**
+ * ESLint Rule: S054 - Verify shared or default accounts are not present (e.g. "root", "admin", or "sa").
+ * Rule ID: custom/s054
+ * Description: Ensure that shared or default accounts like "root", "admin", or "sa" are not used in the codebase.
+ */
+
+"use strict";
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description: "Disallow use of default accounts without value check",
+      category: "Best Practices",
+      recommended: false,
+    },
+    messages: {
+      missingValidation: "Default account used without validation.",
+    },
+    schema: [],
+  },
+
+  create(context) {
+    const defaultAccounts = ["root", "admin", "sa"];
+    const sourceCode = context.getSourceCode();
+
+    function isAccountRelatedFunction(node) {
+      const name =
+        (node.type === "FunctionDeclaration" && node.id?.name) ||
+        (node.type === "MethodDefinition" && node.key?.name) ||
+        "";
+      return /account|user|login|access/i.test(name);
+    }
+
+    // Check if validation exists in code like: if (x === "admin")
+    function hasValidation(node) {
+      let validated = false;
+
+      context.getSourceCode().getTokens(node).forEach((token, idx, tokens) => {
+        const prev = tokens[idx - 1]?.value || "";
+        const next = tokens[idx + 1]?.value || "";
+
+        if (
+          token.type === "String" &&
+          defaultAccounts.includes(token.value.replace(/['"]/g, "")) &&
+          (prev === "===" || prev === "!==" || next === "===" || next === "!==")
+        ) {
+          validated = true;
+        }
+      });
+
+      return validated;
+    }
+
+    // Check if any default account string is used (directly or via const)
+    function hasDefaultAccountUsage(node) {
+      const tokens = context.getSourceCode().getTokens(node);
+      return tokens.some((token) => {
+        return (
+          token.type === "String" &&
+          defaultAccounts.includes(token.value.replace(/['"]/g, ""))
+        );
+      });
+    }
+
+    function hasDefaultConstantUsage(node) {
+      const scope = sourceCode.scopeManager.acquire(node);
+      if (!scope) return false;
+
+      const defaultVars = scope.variables.filter((v) => {
+        const def = v.defs[0];
+        return (
+          def &&
+          def.node.init &&
+          typeof def.node.init.value === "string" &&
+          defaultAccounts.includes(def.node.init.value)
+        );
+      });
+
+      const fnText = sourceCode.getText(node);
+      return defaultVars.some((v) => fnText.includes(v.name));
+    }
+
+    function checkFunction(node) {
+      const usesDefaultAccount =
+        hasDefaultAccountUsage(node) || hasDefaultConstantUsage(node);
+
+      if (usesDefaultAccount && !hasValidation(node)) {
+        context.report({
+          node,
+          messageId: "missingValidation",
+        });
+      }
+    }
+
+    return {
+      FunctionDeclaration(node) {
+        if (isAccountRelatedFunction(node)) {
+          checkFunction(node);
+        }
+      },
+      MethodDefinition(node) {
+        if (isAccountRelatedFunction(node)) {
+          checkFunction(node);
+        }
+      },
+    };
+  },
+};

package/config/typescript/security-rules/s057-utc-logging.js

@@ -0,0 +1,54 @@
+/**
+ * Custom ESLint rule: S057 – Enforce UTC usage in time formatting/logging
+ * Rule ID: custom/s057
+ */
+
+"use strict";
+
+module.exports = {
+  meta: {
+    type: "suggestion",
+    docs: {
+      description:
+        "Avoid using local time formatting in logs; prefer UTC for consistency",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      avoidLocalTime:
+        "Avoid using '{{method}}' for local time formatting. Prefer UTC methods like toISOString() or moment.utc().",
+    },
+  },
+
+  create(context) {
+    const forbiddenMethods = [
+      "toLocaleString",
+      "toLocaleDateString",
+      "toLocaleTimeString",
+      "format", // e.g., moment().format(...) → not utc by default
+    ];
+
+    return {
+      CallExpression(node) {
+        const callee = node.callee;
+
+        // Match: date.toLocaleString(), moment().format()
+        if (callee.type === "MemberExpression") {
+          const method = callee.property.name;
+
+          if (forbiddenMethods.includes(method)) {
+            const objectText = context.getSourceCode().getText(callee.object);
+            // Optional enhancement: only warn for Date or moment() objects
+            if (/Date|moment/.test(objectText)) {
+              context.report({
+                node,
+                messageId: "avoidLocalTime",
+                data: { method },
+              });
+            }
+          }
+        }
+      },
+    };
+  },
+};

package/config/typescript/security-rules/s058-no-ssrf.js

@@ -0,0 +1,73 @@
+/**
+ * Custom ESLint rule: S058 – Detect possible SSRF via unvalidated user-controlled URLs
+ * Rule ID: custom/s058
+ */
+
+"use strict";
+
+module.exports = {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Detect SSRF vulnerabilities via unvalidated user-controlled URLs",
+      recommended: true,
+    },
+    schema: [],
+    messages: {
+      ssrfRisk:
+        "Possible SSRF: URL '{{url}}' comes from untrusted source. Validate or sanitize input.",
+    },
+  },
+
+  create(context) {
+    const riskySources = [
+      "req.body",
+      "req.query",
+      "req.params",
+      "input",
+      "form",
+    ];
+    const riskyFunctions = [
+      "fetch",
+      "axios.get",
+      "axios.post",
+      "axios.request",
+      "http.request",
+      "https.request",
+    ];
+
+    function isUserInput(nodeText) {
+      return riskySources.some((src) => nodeText.includes(src));
+    }
+
+    function isHttpFunction(callee) {
+      if (callee.type === "Identifier")
+        return riskyFunctions.includes(callee.name);
+      if (callee.type === "MemberExpression") {
+        const fullName = `${callee.object.name}.${callee.property.name}`;
+        return riskyFunctions.includes(fullName);
+      }
+      return false;
+    }
+
+    return {
+      CallExpression(node) {
+        const callee = node.callee;
+        if (!isHttpFunction(callee)) return;
+
+        const firstArg = node.arguments[0];
+        if (!firstArg) return;
+
+        const argText = context.getSourceCode().getText(firstArg);
+        if (isUserInput(argText)) {
+          context.report({
+            node: firstArg,
+            messageId: "ssrfRisk",
+            data: { url: argText },
+          });
+        }
+      },
+    };
+  },
+};

package/config/typescript/test-s005-working.ts

@@ -0,0 +1,22 @@
+function doAdminTask() {}
+function doAction() {}
+function isAuthenticated(req: any): boolean {
+  return true;
+}
+
+function doPost(request: any, response: any) { // ❌
+  const origin = request.getHeader("Origin");
+
+  if (origin === "https://admin.example.com") {
+    doAdminTask();
+  }
+}
+
+function doPost_safe(request: any, response: any) { // ✅
+  const origin = request.getHeader("Origin");
+  console.log("Origin:", origin);
+
+  if (isAuthenticated(request)) {
+    doAction();
+  }
+}

package/config/typescript/tsconfig.json

@@ -0,0 +1,29 @@
+{
+  "compilerOptions": {
+    "target": "ES2020",
+    "module": "commonjs",
+    "lib": ["ES2020"],
+    "allowJs": true,
+    "outDir": "./dist",
+    "rootDir": "./",
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "declaration": true,
+    "declarationMap": true,
+    "sourceMap": true,
+    "resolveJsonModule": true,
+    "moduleResolution": "node"
+  },
+  "include": [
+    "**/*.ts",
+    "**/*.tsx",
+    "**/*.js",
+    "**/*.jsx"
+  ],
+  "exclude": [
+    "node_modules",
+    "dist"
+  ]
+}

package/core/ai-analyzer.js

@@ -0,0 +1,169 @@
+const fs = require('fs');
+const path = require('path');
+
+class AIAnalyzer {
+  constructor(config = {}) {
+    this.config = config;
+    this.apiKey = process.env.OPENAI_API_KEY || config.apiKey;
+    this.model = config.model || 'gpt-4o-mini';
+    this.provider = config.provider || 'openai';
+  }
+
+  async analyzeWithAI(filePath, content, ruleConfig) {
+    if (!this.apiKey) {
+      console.warn('⚠️  AI API key not found, falling back to pattern analysis');
+      return null;
+    }
+
+    try {
+      const prompt = this.buildPrompt(content, ruleConfig);
+      const response = await this.callAI(prompt);
+      return this.parseAIResponse(response, filePath);
+    } catch (error) {
+      console.error('AI Analysis failed:', error.message);
+      return null;
+    }
+  }
+
+  buildPrompt(content, ruleConfig) {
+    return `You are a code quality expert analyzing code ONLY for logging best practices.
+
+RULE: ${ruleConfig.ruleId} - ${ruleConfig.name}
+DESCRIPTION: ${ruleConfig.description}
+
+IMPORTANT: You are ONLY checking for LOG LEVEL VIOLATIONS. Do NOT analyze function naming, variable naming, or other code quality issues.
+
+ANALYZE THIS CODE FOR LOG LEVEL VIOLATIONS ONLY:
+\`\`\`
+${content}
+\`\`\`
+
+SPECIFIC CRITERIA FOR LOG LEVELS ONLY:
+1. Don't use console.error() or logger.error() for non-critical issues (should use console.warn() or console.log())
+2. Avoid generic error messages without context
+3. Error logs should be reserved for actual errors/exceptions that need immediate attention
+4. Info/debug logs should use appropriate levels
+5. Validation errors should typically use warn level, not error level
+
+FOCUS ONLY ON:
+- console.error() usage
+- logger.error() usage
+- this.logger.error() usage
+- Other error-level logging calls
+
+DO NOT CHECK:
+- Function names
+- Variable names  
+- Code structure
+- Other code quality issues
+
+RESPOND WITH JSON FORMAT:
+{
+  "violations": [
+    {
+      "line": <line_number>,
+      "column": <column_number>, 
+      "message": "<specific_logging_violation_description>",
+      "severity": "warning|error|info",
+      "code": "<code_snippet>",
+      "suggestion": "<how_to_fix_logging>"
+    }
+  ],
+  "summary": "<overall_logging_assessment>"
+}
+
+Be precise about line numbers and provide actionable suggestions for LOG LEVEL issues only.`;
+  }
+
+  async callAI(prompt) {
+    if (this.provider === 'openai') {
+      return await this.callOpenAI(prompt);
+    } else if (this.provider === 'copilot') {
+      return await this.callCopilot(prompt);
+    }
+    throw new Error(`Unsupported AI provider: ${this.provider}`);
+  }
+
+  async callOpenAI(prompt) {
+    const fetch = (await import('node-fetch')).default;
+    
+    const response = await fetch('https://api.openai.com/v1/chat/completions', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'Authorization': `Bearer ${this.apiKey}`
+      },
+      body: JSON.stringify({
+        model: this.model,
+        messages: [
+          {
+            role: 'system',
+            content: 'You are an expert code analyzer specializing in logging best practices. Provide precise, actionable feedback.'
+          },
+          {
+            role: 'user', 
+            content: prompt
+          }
+        ],
+        temperature: 0.1,
+        max_tokens: 2000
+      })
+    });
+
+    if (!response.ok) {
+      throw new Error(`OpenAI API error: ${response.status} ${response.statusText}`);
+    }
+
+    const data = await response.json();
+    return data.choices[0].message.content;
+  }
+
+  async callCopilot(prompt) {
+    // TODO: Implement GitHub Copilot API integration
+    // This would require GitHub Copilot API access
+    throw new Error('GitHub Copilot API integration not yet implemented');
+  }
+
+  parseAIResponse(aiResponse, filePath) {
+    try {
+      // Extract JSON from AI response
+      const jsonMatch = aiResponse.match(/\{[\s\S]*\}/);
+      if (!jsonMatch) {
+        throw new Error('No JSON found in AI response');
+      }
+
+      const parsed = JSON.parse(jsonMatch[0]);
+      
+      return parsed.violations.map(violation => ({
+        line: violation.line,
+        column: violation.column || 1,
+        message: violation.message,
+        severity: violation.severity || 'warning',
+        ruleId: 'C019',
+        code: violation.code,
+        suggestion: violation.suggestion,
+        file: filePath,
+        source: 'ai'
+      }));
+    } catch (error) {
+      console.error('Failed to parse AI response:', error.message);
+      return [];
+    }
+  }
+
+  async testConnection() {
+    if (!this.apiKey) {
+      return { success: false, error: 'API key not configured' };
+    }
+
+    try {
+      const testPrompt = 'Respond with: {"status": "ok"}';
+      await this.callAI(testPrompt);
+      return { success: true, provider: this.provider, model: this.model };
+    } catch (error) {
+      return { success: false, error: error.message };
+    }
+  }
+}
+
+module.exports = AIAnalyzer;