npm - @sun-asterisk/sunlint - Versions diffs - 1.0.6 → 1.1.3 - Mend

@sun-asterisk/sunlint 1.0.6 → 1.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (314) hide show

package/rules/{C029_catch_block_logging → common/C029_catch_block_logging}/analyzer.js RENAMED Viewed

@@ -1,6 +1,7 @@
 const fs = require('fs');
 const path = require('path');
-const AIAnalyzer = require('../../core/ai-analyzer');
+const { PatternMatcher } = require('../../utils/pattern-matchers');
+const { RuleHelper } = require('../../utils/rule-helpers');
 class C029Analyzer {
   constructor() {
@@ -10,31 +11,27 @@ class C029Analyzer {
     this.aiAnalyzer = null;
   }
-  async analyze(files, language, config) {
+  async analyze(files, language, options = {}) {
     const violations = [];
-    // Initialize AI analyzer if enabled
-    if (config.ai && config.ai.enabled) {
-      this.aiAnalyzer = new AIAnalyzer(config.ai);
-      console.log('🤖 AI analysis enabled for C029');
-    }
     for (const filePath of files) {
+      if (options.verbose) {
+        console.log(`🔍 Running pattern analysis on ${path.basename(filePath)}`);
+      }
       try {
-        const fileContent = fs.readFileSync(filePath, 'utf8');
-        const fileViolations = await this.analyzeFile(filePath, fileContent, language, config);
+        const content = fs.readFileSync(filePath, 'utf8');
+        const fileViolations = await this.analyzeFile(filePath, content, language, options);
         violations.push(...fileViolations);
       } catch (error) {
-        console.error(`Error analyzing file ${filePath}:`, error.message);
+        console.warn(`⚠️ Failed to analyze ${filePath}: ${error.message}`);
       }
     }
     return violations;
   }
   async analyzeFile(filePath, content, language, config) {
-    // Fallback to pattern-based analysis
-    console.log(`🔍 Running pattern analysis on ${path.basename(filePath)}`);
     switch (language) {
       case 'typescript':
       case 'javascript':
@@ -259,6 +256,43 @@ class C029Analyzer {
       return true;
     }
+    // Check for test assertions - valid form of error handling
+    const testPatterns = [
+      'expect(',
+      'assert(',
+      'tobeinstanceof',
+      'toequal(',
+      'tohavebeencalled',
+      'toBe(',
+      'toHaveBeenCalledWith'
+    ];
+    const hasTestAssertions = testPatterns.some(pattern =>
+      content.includes(pattern.toLowerCase()) || originalContent.toLowerCase().includes(pattern.toLowerCase())
+    );
+    if (hasTestAssertions) {
+      return true;
+    }
+    // Check for Redux/async thunk error handling
+    const reduxErrorHandlers = [
+      'handleaxioserror',
+      'rejectwithvalue',
+      'dispatch(',
+      'seterror(',
+      'return value',
+      'return rejectwithvalue'
+    ];
+    const hasReduxHandling = reduxErrorHandlers.some(pattern =>
+      content.includes(pattern.toLowerCase()) || originalContent.toLowerCase().includes(pattern.toLowerCase())
+    );
+    if (hasReduxHandling) {
+      return true;
+    }
     // Check for logging patterns (expanded from original)
     const loggingPatterns = [
       'console.error',

package/rules/common/C041_no_sensitive_hardcode/analyzer.js ADDED Viewed

@@ -0,0 +1,292 @@
+const fs = require('fs');
+const path = require('path');
+class C041Analyzer {
+  constructor() {
+    this.ruleId = 'C041';
+    this.ruleName = 'No Hardcoded Sensitive Information';
+    this.description = 'Không hardcode hoặc push thông tin nhạy cảm vào repo';
+  }
+  async analyze(files, language, options = {}) {
+    const violations = [];
+    for (const filePath of files) {
+      if (options.verbose) {
+        console.log(`🔍 Running C041 analysis on ${path.basename(filePath)}`);
+      }
+      try {
+        const content = fs.readFileSync(filePath, 'utf8');
+        const fileViolations = await this.analyzeFile(filePath, content, language, options);
+        violations.push(...fileViolations);
+      } catch (error) {
+        console.warn(`⚠️ Failed to analyze ${filePath}: ${error.message}`);
+      }
+    }
+    return violations;
+  }
+  async analyzeFile(filePath, content, language, config) {
+    switch (language) {
+      case 'typescript':
+      case 'javascript':
+        return this.analyzeTypeScript(filePath, content, config);
+      default:
+        return [];
+    }
+  }
+  async analyzeTypeScript(filePath, content, config) {
+    const violations = [];
+    const lines = content.split('\n');
+    lines.forEach((line, index) => {
+      const lineNumber = index + 1;
+      const trimmedLine = line.trim();
+      // Skip comments and imports
+      if (this.isCommentOrImport(trimmedLine)) {
+        return;
+      }
+      // Find potential hardcoded sensitive values
+      const sensitiveMatches = this.findSensitiveHardcode(trimmedLine, line);
+      sensitiveMatches.forEach(match => {
+        violations.push({
+          ruleId: this.ruleId,
+          file: filePath,
+          line: lineNumber,
+          column: match.column,
+          message: match.message,
+          severity: 'error',
+          code: trimmedLine,
+          type: match.type,
+          confidence: match.confidence,
+          suggestion: match.suggestion
+        });
+      });
+    });
+    return violations;
+  }
+  isCommentOrImport(line) {
+    const trimmed = line.trim();
+    return trimmed.startsWith('//') ||
+           trimmed.startsWith('/*') ||
+           trimmed.startsWith('*') ||
+           trimmed.startsWith('import ') ||
+           trimmed.startsWith('export ');
+  }
+  findSensitiveHardcode(line, originalLine) {
+    const matches = [];
+    // Skip template literals with variables - they are dynamic, not hardcoded
+    if (line.includes('${') || line.includes('`')) {
+      return matches;
+    }
+    // Skip if line is clearly configuration, type definition, or UI-related
+    if (this.isConfigOrUIContext(line)) {
+      return matches;
+    }
+    // Look for suspicious patterns with better context awareness
+    const patterns = [
+      {
+        name: 'suspicious_password_variable',
+        regex: /(const|let|var)\s+\w*[Pp]ass[Ww]ord\w*\s*=\s*['"`]([^'"`]{4,})['"`]/g,
+        severity: 'error',
+        message: 'Potential hardcoded password in variable assignment',
+        suggestion: 'Move sensitive values to environment variables or secure config files'
+      },
+      {
+        name: 'suspicious_secret_variable',
+        regex: /(const|let|var)\s+\w*[Ss]ecret\w*\s*=\s*['"`]([^'"`]{6,})['"`]/g,
+        severity: 'error',
+        message: 'Potential hardcoded secret in variable assignment',
+        suggestion: 'Use environment variables for secrets'
+      },
+      {
+        name: 'suspicious_short_password',
+        regex: /(const|let|var)\s+(?!use)\w*([Pp]ass|[Dd]b[Pp]ass|[Aa]dmin)(?!word[A-Z])\w*\s*=\s*['"`]([^'"`]{4,})['"`]/g,
+        severity: 'error',
+        message: 'Potential hardcoded password or admin credential',
+        suggestion: 'Use environment variables for credentials'
+      },
+      {
+        name: 'api_key',
+        regex: /(const|let|var)\s+\w*[Aa]pi[Kk]ey\w*\s*=\s*['"`]([^'"`]{10,})['"`]/g,
+        severity: 'error',
+        message: 'Potential hardcoded API key detected',
+        suggestion: 'Use environment variables for API keys'
+      },
+      {
+        name: 'auth_token',
+        regex: /(const|let|var)\s+\w*[Tt]oken\w*\s*=\s*['"`]([^'"`]{16,})['"`]/g,
+        severity: 'error',
+        message: 'Potential hardcoded authentication token detected',
+        suggestion: 'Store tokens in secure storage, not in source code'
+      },
+      {
+        name: 'database_url',
+        regex: /['"`](mongodb|mysql|postgres|redis):\/\/[^'"`]+['"`]/gi,
+        severity: 'error',
+        message: 'Hardcoded database connection string detected',
+        suggestion: 'Use environment variables for database connections'
+      },
+      {
+        name: 'suspicious_url',
+        regex: /['"`]https?:\/\/(?!localhost|127\.0\.0\.1|example\.com|test\.com|www\.w3\.org|www\.google\.com|googleapis\.com)[^'"`]{20,}['"`]/gi,
+        severity: 'warning',
+        message: 'Hardcoded external URL detected (consider configuration)',
+        suggestion: 'Consider moving URLs to configuration files'
+      }
+    ];
+    // Additional context-aware checks
+    patterns.forEach(pattern => {
+      let match;
+      while ((match = pattern.regex.exec(line)) !== null) {
+        // Skip false positives
+        if (this.isFalsePositive(line, match[0], pattern.name)) {
+          continue;
+        }
+        matches.push({
+          type: pattern.name,
+          column: match.index + 1,
+          message: pattern.message,
+          confidence: this.calculateConfidence(line, match[0], pattern.name),
+          suggestion: pattern.suggestion
+        });
+      }
+    });
+    return matches;
+  }
+  isConfigOrUIContext(line) {
+    const lowerLine = line.toLowerCase();
+    // UI/Component contexts - likely false positives
+    const uiContexts = [
+      'inputtype', 'type:', 'type =', 'type:', 'inputtype=',
+      'routes =', 'route:', 'path:', 'routes:',
+      'import {', 'export {', 'from ', 'import ',
+      'interface', 'type ', 'enum ',
+      'props:', 'defaultprops',
+      'schema', 'validator',
+      'hook', 'use', 'const use', 'import.*use',
+      // React/UI specific
+      'textinput', 'input ', 'field ', 'form',
+      'component', 'page', 'screen', 'modal',
+      // Route/navigation specific
+      'navigation', 'route', 'path', 'url:', 'route:',
+      'setuppassword', 'resetpassword', 'forgotpassword',
+      'changepassword', 'confirmpassword'
+    ];
+    return uiContexts.some(context => lowerLine.includes(context));
+  }
+  isFalsePositive(line, matchedText, patternName) {
+    const lowerLine = line.toLowerCase();
+    const lowerMatch = matchedText.toLowerCase();
+    // Global false positive indicators
+    const globalFalsePositives = [
+      'test', 'mock', 'example', 'demo', 'sample', 'placeholder', 'dummy', 'fake',
+      'xmlns', 'namespace', 'schema', 'w3.org', 'google.com', 'googleapis.com',
+      'error', 'message', 'missing', 'invalid', 'failed'
+    ];
+    // Check if the line contains any global false positive indicators
+    const hasGlobalFalsePositive = globalFalsePositives.some(pattern =>
+      lowerLine.includes(pattern) || lowerMatch.includes(pattern)
+    );
+    if (hasGlobalFalsePositive) {
+      return true;
+    }
+    // Common false positive patterns
+    const falsePositivePatterns = {
+      'suspicious_password_variable': [
+        'inputtype', 'type:', 'type =', 'activation', 'forgot_password', 'reset_password',
+        'setup_password', 'route', 'path', 'hook', 'use', 'change', 'confirm',
+        'validation', 'component', 'page', 'screen', 'textinput', 'input',
+        'trigger', 'useeffect', 'password.*trigger', 'renewpassword'
+      ],
+      'suspicious_short_password': [
+        'inputtype', 'type:', 'type =', 'activation', 'forgot_password', 'reset_password',
+        'setup_password', 'route', 'path', 'hook', 'use', 'change', 'confirm',
+        'validation', 'component', 'page', 'screen', 'textinput'
+      ],
+      'suspicious_secret_variable': [
+        'component', 'props', 'state', 'hook', 'use'
+      ],
+      'suspicious_url': [
+        'localhost', '127.0.0.1', 'example.com', 'test.com', 'placeholder',
+        'mock', 'w3.org', 'google.com', 'recaptcha', 'googleapis.com'
+      ],
+      'api_key': [
+        'test-', 'mock-', 'example-', 'demo-', 'missing', 'error', 'message'
+      ]
+    };
+    const patterns = falsePositivePatterns[patternName] || [];
+    // Check if line contains any pattern-specific false positive indicators
+    const hasPatternFalsePositive = patterns.some(pattern =>
+      lowerLine.includes(pattern) || lowerMatch.includes(pattern)
+    );
+    // Special handling for password-related patterns
+    if (patternName === 'hardcoded_password') {
+      // Allow if it's clearly UI/component related
+      if (lowerLine.includes('input') ||
+          lowerLine.includes('field') ||
+          lowerLine.includes('form') ||
+          lowerLine.includes('component') ||
+          lowerLine.includes('type') ||
+          lowerLine.includes('route') ||
+          lowerLine.includes('path') ||
+          lowerMatch.includes('activation') ||
+          lowerMatch.includes('forgot_password') ||
+          lowerMatch.includes('reset_password') ||
+          lowerMatch.includes('setup_password')) {
+        return true;
+      }
+    }
+    return hasPatternFalsePositive;
+  }
+  calculateConfidence(line, match, patternName) {
+    let confidence = 0.8; // Base confidence
+    // Reduce confidence for potential false positives
+    const lowerLine = line.toLowerCase();
+    if (lowerLine.includes('test') || lowerLine.includes('mock') || lowerLine.includes('example')) {
+      confidence -= 0.3;
+    }
+    if (lowerLine.includes('const') || lowerLine.includes('let') || lowerLine.includes('var')) {
+      confidence += 0.1; // Variable assignments more likely to be hardcode
+    }
+    if (lowerLine.includes('type') || lowerLine.includes('component') || lowerLine.includes('props')) {
+      confidence -= 0.2; // UI-related less likely to be sensitive
+    }
+    return Math.max(0.3, Math.min(1.0, confidence));
+  }
+}
+module.exports = new C041Analyzer();

package/rules/common/C042_boolean_name_prefix/analyzer.js ADDED Viewed

@@ -0,0 +1,300 @@
+/**
+ * Heuristic analyzer for: C042 – Boolean variable names should start with proper prefixes
+ * Purpose: Detect boolean variables that don't follow naming conventions
+ */
+class C042Analyzer {
+  constructor() {
+    this.ruleId = 'C042';
+    this.ruleName = 'Boolean Variable Naming';
+    this.description = 'Boolean variable names should start with is, has, should, can, will, must, may, or check';
+    // User requested to add "check" prefix
+    this.booleanPrefixes = [
+      'is', 'has', 'should', 'can', 'will', 'must', 'may', 'check',
+      'are', 'were', 'was', 'could', 'might', 'shall', 'need', 'want'
+    ];
+    // Common non-boolean patterns to ignore (user feedback)
+    this.ignoredPatterns = [
+      // Fallback/default patterns: var = value || fallback
+      /\w+\s*=\s*\w+\s*\|\|\s*[^|]/,
+      // Assignment patterns that are clearly not boolean
+      /\w+\s*=\s*['"`][^'"`]*['"`]/, // String assignments
+      /\w+\s*=\s*\d+/, // Number assignments
+      /\w+\s*=\s*\{/, // Object assignments
+      /\w+\s*=\s*\[/, // Array assignments
+    ];
+    // Variables that commonly aren't boolean but might look like it
+    this.commonNonBooleans = [
+      'value', 'result', 'data', 'config', 'name', 'id', 'key',
+      'path', 'url', 'src', 'href', 'text', 'message', 'error',
+      'response', 'request', 'params', 'options', 'settings'
+    ];
+  }
+  async analyze(files, language, options = {}) {
+    const violations = [];
+    for (const filePath of files) {
+      if (options.verbose) {
+        console.log(`🔍 Running C042 analysis on ${require('path').basename(filePath)}`);
+      }
+      try {
+        const content = require('fs').readFileSync(filePath, 'utf8');
+        const fileViolations = this.analyzeFile(content, filePath);
+        violations.push(...fileViolations);
+      } catch (error) {
+        console.warn(`⚠️ Failed to analyze ${filePath}: ${error.message}`);
+      }
+    }
+    return violations;
+  }
+  analyzeFile(content, filePath) {
+    const violations = [];
+    const lines = content.split('\n');
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i].trim();
+      // Skip empty lines, comments, imports, and type declarations
+      if (!line || line.startsWith('//') || line.startsWith('/*') ||
+          line.startsWith('import') || line.startsWith('export') ||
+          line.startsWith('declare') || line.startsWith('*')) {
+        continue;
+      }
+      const lineViolations = this.analyzeDeclaration(line, i + 1);
+      lineViolations.forEach(violation => {
+        violations.push({
+          ...violation,
+          file: filePath
+        });
+      });
+    }
+    return violations;
+  }
+  analyzeDeclaration(line, lineNumber) {
+    const violations = [];
+    // Match variable declarations with boolean values
+    const booleanAssignments = this.findBooleanAssignments(line);
+    for (const assignment of booleanAssignments) {
+      const { varName, isBooleanValue, hasPrefix, actualValue } = assignment;
+      // Case 1: Variable is assigned a boolean value but doesn't have proper prefix
+      if (isBooleanValue && !hasPrefix) {
+        // Skip if this matches user feedback patterns (false positives)
+        if (this.shouldSkipBooleanVariableCheck(varName, line, actualValue)) {
+          continue;
+        }
+        violations.push({
+          line: lineNumber,
+          column: line.indexOf(varName) + 1,
+          message: `Boolean variable '${varName}' should start with a descriptive prefix like 'is', 'has', 'should', 'can', or 'check'. Consider: ${this.generateSuggestions(varName).join(', ')}.`,
+          severity: 'warning',
+          ruleId: this.ruleId
+        });
+      }
+      // Case 2: Variable has boolean prefix but is assigned a non-boolean value
+      else if (hasPrefix && !isBooleanValue && actualValue && this.isDefinitelyNotBoolean(actualValue)) {
+        // Only skip very basic cases for prefix misuse
+        if (varName.length <= 2) {
+          continue;
+        }
+        const prefix = this.extractPrefix(varName);
+        violations.push({
+          line: lineNumber,
+          column: line.indexOf(varName) + 1,
+          message: `Variable '${varName}' uses boolean prefix '${prefix}' but is assigned a non-boolean value. Consider renaming or changing the value.`,
+          severity: 'warning',
+          ruleId: this.ruleId
+        });
+      }
+    }
+    return violations;
+  }
+  findBooleanAssignments(line) {
+    const assignments = [];
+    // Match declaration patterns only (avoid duplicates)
+    const patterns = [
+      // let/const/var varName = value
+      /(?:let|const|var)\s+(\w+)\s*(?::\s*\w+\s*)?=\s*(.+?)(?:;|$)/g,
+    ];
+    for (const pattern of patterns) {
+      let match;
+      const seenVariables = new Set(); // Avoid duplicates
+      while ((match = pattern.exec(line)) !== null) {
+        const varName = match[1];
+        const value = match[2].trim();
+        // Skip if already processed
+        if (seenVariables.has(varName)) {
+          continue;
+        }
+        seenVariables.add(varName);
+        // Skip destructuring and complex patterns
+        if (varName.includes('[') || varName.includes('{') || value.includes('{') || value.includes('[')) {
+          continue;
+        }
+        const isBooleanValue = this.isBooleanValue(value);
+        const hasPrefix = this.hasBooleanPrefix(varName);
+        assignments.push({
+          varName,
+          isBooleanValue,
+          hasPrefix,
+          actualValue: value
+        });
+      }
+    }
+    return assignments;
+  }
+  isBooleanValue(value) {
+    const trimmedValue = value.trim();
+    // Direct boolean literals
+    if (trimmedValue === 'true' || trimmedValue === 'false') {
+      return true;
+    }
+    // Boolean expressions that clearly result in boolean
+    const booleanExpressions = [
+      /\w+\s*[<>!=]=/, // Comparisons
+      /\w+\s*(&&|\|\|)/, // Logical operations (but not fallback patterns)
+      /^\!\w+/, // Negation
+      /instanceof\s+/, // instanceof
+      /\.test\(/, // regex.test()
+      /\.includes\(/, // array.includes()
+      /\.hasOwnProperty\(/, // hasOwnProperty
+      /\.some\(/, // array.some()
+      /\.every\(/, // array.every()
+      /typeof\s+.*\s*===/, // typeof checks
+      /Math\.random\(\)\s*[<>]/, // Math.random() comparisons
+      /\.length\s*[<>!=]=/, // Length comparisons
+    ];
+    // Exclude fallback patterns (user feedback - these are NOT boolean)
+    if (trimmedValue.includes('||')) {
+      // Check if it's a boolean expression or just a fallback
+      // If the || is followed by a non-boolean value, it's likely a fallback
+      const parts = trimmedValue.split('||');
+      if (parts.length === 2) {
+        const fallback = parts[1].trim();
+        // If fallback is clearly not boolean, this is not a boolean assignment
+        if (this.isDefinitelyNotBoolean(fallback) || /^\d+$/.test(fallback) || /^['"`]/.test(fallback)) {
+          return false;
+        }
+      }
+    }
+    return booleanExpressions.some(pattern => pattern.test(trimmedValue));
+  }
+  hasBooleanPrefix(varName) {
+    const lowerName = varName.toLowerCase();
+    return this.booleanPrefixes.some(prefix =>
+      lowerName.startsWith(prefix.toLowerCase()) &&
+      lowerName.length > prefix.length
+    );
+  }
+  extractPrefix(varName) {
+    const lowerName = varName.toLowerCase();
+    for (const prefix of this.booleanPrefixes) {
+      if (lowerName.startsWith(prefix.toLowerCase())) {
+        return prefix;
+      }
+    }
+    return '';
+  }
+  shouldSkipBooleanVariableCheck(varName, line, value) {
+    // Skip very short names
+    if (varName.length <= 2) {
+      return true;
+    }
+    // Skip common non-boolean variable names
+    if (this.commonNonBooleans.includes(varName.toLowerCase())) {
+      return true;
+    }
+    // Skip user feedback patterns (fallback/default patterns)
+    if (this.ignoredPatterns.some(pattern => pattern.test(line))) {
+      return true;
+    }
+    // Skip function parameters and loop variables
+    if (line.includes('function') || line.includes('for') || line.includes('=>')) {
+      return true;
+    }
+    return false;
+  }
+  isDefinitelyNotBoolean(value) {
+    const trimmedValue = value.trim();
+    // String literals (including single quotes)
+    if (trimmedValue.match(/^['"`][^'"`]*['"`]$/)) {
+      return true;
+    }
+    // Number literals
+    if (trimmedValue.match(/^\d+(\.\d+)?$/)) {
+      return true;
+    }
+    // Object/array literals
+    if (trimmedValue.startsWith('{') || trimmedValue.startsWith('[')) {
+      return true;
+    }
+    // null, undefined
+    if (trimmedValue === 'null' || trimmedValue === 'undefined') {
+      return true;
+    }
+    // Common non-boolean patterns
+    if (trimmedValue.includes('new ') || trimmedValue.includes('function')) {
+      return true;
+    }
+    return false;
+  }
+  generateSuggestions(varName) {
+    const suggestions = [];
+    const baseName = varName.replace(/^(is|has|should|can|will|must|may|check)/i, '');
+    const capitalizedBase = baseName.charAt(0).toUpperCase() + baseName.slice(1);
+    // Generate a few reasonable suggestions
+    suggestions.push(`is${capitalizedBase}`);
+    suggestions.push(`has${capitalizedBase}`);
+    suggestions.push(`should${capitalizedBase}`);
+    return suggestions.slice(0, 3); // Limit to 3 suggestions
+  }
+}
+module.exports = C042Analyzer;