@sun-asterisk/sunlint 1.2.1 → 1.3.0

package/rules/common/C041_no_sensitive_hardcode/ast-analyzer.js

@@ -0,0 +1,296 @@
+const fs = require('fs');
+const path = require('path');
+
+class C041ASTAnalyzer {
+  constructor() {
+    this.ruleId = 'C041';
+    this.ruleName = 'No Hardcoded Sensitive Information (AST-Enhanced)';
+    this.description = 'AST-based detection of hardcoded sensitive information - superior to regex approach';
+  }
+
+  async analyze(files, language, options = {}) {
+    const violations = [];
+    
+    for (const filePath of files) {
+      if (options.verbose) {
+        console.log(`🎯 Running C041 AST analysis on ${path.basename(filePath)}`);
+      }
+      
+      try {
+        const content = fs.readFileSync(filePath, 'utf8');
+        const fileViolations = await this.analyzeFile(filePath, content, language, options);
+        violations.push(...fileViolations);
+      } catch (error) {
+        console.warn(`⚠️ Failed to analyze ${filePath}: ${error.message}`);
+      }
+    }
+    
+    return violations;
+  }
+
+  async analyzeFile(filePath, content, language, config) {
+    switch (language) {
+      case 'typescript':
+      case 'javascript':
+        return this.analyzeJSTS(filePath, content, config);
+      default:
+        return [];
+    }
+  }
+
+  async analyzeJSTS(filePath, content, config) {
+    const violations = [];
+    
+    try {
+      // Try AST analysis first (like ESLint approach)
+      const astViolations = await this.analyzeWithAST(filePath, content, config);
+      if (astViolations.length > 0) {
+        violations.push(...astViolations);
+      }
+    } catch (astError) {
+      if (config.verbose) {
+        console.log(`⚠️ AST analysis failed for ${path.basename(filePath)}, falling back to regex`);
+      }
+      
+      // Fallback to regex-based analysis
+      const regexViolations = await this.analyzeWithRegex(filePath, content, config);
+      violations.push(...regexViolations);
+    }
+    
+    return violations;
+  }
+
+  async analyzeWithAST(filePath, content, config) {
+    const violations = [];
+    
+    // Import AST modules dynamically
+    let astModules;
+    try {
+      astModules = require('../../../core/ast-modules');
+    } catch (error) {
+      throw new Error('AST modules not available');
+    }
+
+    // Try to parse with AST
+    let ast;
+    try {
+      // Use the registry's parseCode method
+      ast = await astModules.parseCode(content, 'javascript', filePath);
+      if (!ast) {
+        throw new Error('AST parsing returned null');
+      }
+    } catch (parseError) {
+      throw new Error(`Parse error: ${parseError.message}`);
+    }
+
+    // Traverse AST to find sensitive information - mimicking ESLint's approach
+    const rootNode = ast.program || ast; // Handle both Babel and ESLint formats
+    this.traverseAST(rootNode, (node) => {
+      if (this.isLiteralNode(node)) {
+        const violation = this.checkLiteralForSensitiveInfo(node, filePath, content);
+        if (violation) {
+          violations.push(violation);
+        }
+      }
+      
+      if (this.isTemplateLiteralNode(node)) {
+        const violation = this.checkTemplateLiteralForSensitiveInfo(node, filePath, content);
+        if (violation) {
+          violations.push(violation);
+        }
+      }
+    });
+
+    return violations;
+  }
+
+  traverseAST(node, callback) {
+    if (!node || typeof node !== 'object') return;
+    
+    callback(node);
+    
+    for (const key in node) {
+      if (key === 'parent' || key === 'leadingComments' || key === 'trailingComments') continue;
+      
+      const child = node[key];
+      if (Array.isArray(child)) {
+        child.forEach(item => this.traverseAST(item, callback));
+      } else if (child && typeof child === 'object') {
+        this.traverseAST(child, callback);
+      }
+    }
+  }
+
+  isLiteralNode(node) {
+    // Support both ESLint format (Literal) and Babel format (StringLiteral)
+    return node && (node.type === 'Literal' || node.type === 'StringLiteral') && typeof node.value === 'string';
+  }
+
+  isTemplateLiteralNode(node) {
+    return node && node.type === 'TemplateLiteral' && 
+           node.quasis && node.quasis.length === 1 && // No variable interpolation
+           node.expressions && node.expressions.length === 0;
+  }
+
+  checkLiteralForSensitiveInfo(node, filePath, content) {
+    const value = node.value;
+    if (!value || value.length < 4) return null;
+    
+    const lines = content.split('\n');
+    const lineNumber = node.loc.start.line;
+    const lineText = lines[lineNumber - 1] || '';
+    
+    // Skip if it's in UI/component context - same as ESLint
+    if (this.isFalsePositive(value, lineText)) {
+      return null;
+    }
+    
+    // Check against sensitive patterns - enhanced version of ESLint patterns
+    const sensitivePattern = this.detectSensitivePattern(value, lineText);
+    if (sensitivePattern) {
+      return {
+        ruleId: this.ruleId,
+        file: filePath,
+        line: lineNumber,
+        column: node.loc.start.column + 1,
+        message: sensitivePattern.message,
+        severity: 'warning', // Match ESLint severity
+        code: lineText.trim(),
+        type: sensitivePattern.type,
+        confidence: sensitivePattern.confidence,
+        suggestion: sensitivePattern.suggestion
+      };
+    }
+    
+    return null;
+  }
+
+  checkTemplateLiteralForSensitiveInfo(node, filePath, content) {
+    if (!node.quasis || node.quasis.length !== 1) return null;
+    
+    const value = node.quasis[0].value.raw;
+    if (!value || value.length < 4) return null;
+    
+    // Create a mock literal node for consistent processing
+    const mockNode = {
+      ...node,
+      value: value,
+      loc: node.loc
+    };
+    
+    return this.checkLiteralForSensitiveInfo(mockNode, filePath, content);
+  }
+
+  detectSensitivePattern(value, lineText) {
+    const lowerValue = value.toLowerCase();
+    const lowerLine = lineText.toLowerCase();
+    
+    // Enhanced patterns based on ESLint rule but with better detection
+    const sensitivePatterns = [
+      {
+        type: 'password',
+        condition: () => /password/i.test(lineText) && value.length >= 4,
+        message: 'Potential hardcoded sensitive information detected. Move sensitive values to environment variables or secure config files.',
+        confidence: 0.8,
+        suggestion: 'Move sensitive values to environment variables or secure config files'
+      },
+      {
+        type: 'secret',
+        condition: () => /secret/i.test(lineText) && value.length >= 6,
+        message: 'Potential hardcoded sensitive information detected. Move sensitive values to environment variables or secure config files.',
+        confidence: 0.8,
+        suggestion: 'Use environment variables for secrets'
+      },
+      {
+        type: 'api_key',
+        condition: () => /api[_-]?key/i.test(lineText) && value.length >= 10,
+        message: 'Potential hardcoded sensitive information detected. Move sensitive values to environment variables or secure config files.',
+        confidence: 0.9,
+        suggestion: 'Use environment variables for API keys'
+      },
+      {
+        type: 'auth_token',
+        condition: () => /auth[_-]?token/i.test(lineText) && value.length >= 16,
+        message: 'Potential hardcoded sensitive information detected. Move sensitive values to environment variables or secure config files.',
+        confidence: 0.9,
+        suggestion: 'Store tokens in secure storage'
+      },
+      {
+        type: 'access_token',
+        condition: () => /access[_-]?token/i.test(lineText) && value.length >= 16,
+        message: 'Potential hardcoded sensitive information detected. Move sensitive values to environment variables or secure config files.',
+        confidence: 0.9,
+        suggestion: 'Store tokens in secure storage'
+      },
+      {
+        type: 'database_url',
+        condition: () => /(mongodb|mysql|postgres|redis):\/\//i.test(value) && value.length >= 10,
+        message: 'Potential hardcoded sensitive information detected. Move sensitive values to environment variables or secure config files.',
+        confidence: 0.95,
+        suggestion: 'Use environment variables for database connections'
+      }
+    ];
+    
+    for (const pattern of sensitivePatterns) {
+      if (pattern.condition()) {
+        return pattern;
+      }
+    }
+    
+    return null;
+  }
+
+  isFalsePositive(value, sourceCode) {
+    const lowerValue = value.toLowerCase();
+    const lowerLine = sourceCode.toLowerCase();
+    
+    // Global false positive indicators - same as ESLint
+    const globalFalsePositives = [
+      'test', 'mock', 'example', 'demo', 'sample', 'placeholder', 'dummy', 'fake',
+      'xmlns', 'namespace', 'schema', 'w3.org', 'google.com', 'googleapis.com',
+      'error', 'message', 'missing', 'invalid', 'failed', 'localhost', '127.0.0.1'
+    ];
+    
+    // Check global false positives
+    if (globalFalsePositives.some(pattern => lowerValue.includes(pattern))) {
+      return true;
+    }
+    
+    // Check if line context suggests UI/component usage - same as ESLint
+    if (this.isConfigOrUIContext(lowerLine)) {
+      return true;
+    }
+    
+    return false;
+  }
+
+  isConfigOrUIContext(line) {
+    // Same logic as ESLint rule
+    const uiContexts = [
+      'inputtype', 'type:', 'type =', 'inputtype=',
+      'routes =', 'route:', 'path:', 'routes:', 
+      'import {', 'export {', 'from ', 'import ',
+      'interface', 'type ', 'enum ',
+      'props:', 'defaultprops',
+      'schema', 'validator',
+      'hook', 'use', 'const use', 'import.*use',
+      // React/UI specific
+      'textinput', 'input ', 'field ', 'form',
+      'component', 'page', 'screen', 'modal',
+      // Route/navigation specific  
+      'navigation', 'route', 'path', 'url:', 'route:',
+      'setuppassword', 'resetpassword', 'forgotpassword',
+      'changepassword', 'confirmpassword'
+    ];
+    
+    return uiContexts.some(context => line.includes(context));
+  }
+
+  async analyzeWithRegex(filePath, content, config) {
+    // Fallback to original regex approach if AST fails
+    const originalAnalyzer = require('./analyzer.js');
+    return originalAnalyzer.analyzeTypeScript(filePath, content, config);
+  }
+}
+
+module.exports = new C041ASTAnalyzer();

package/rules/common/C042_boolean_name_prefix/analyzer.js

@@ -0,0 +1,300 @@
+/**
+ * Heuristic analyzer for: C042 – Boolean variable names should start with proper prefixes
+ * Purpose: Detect boolean variables that don't follow naming conventions
+ */
+
+class C042Analyzer {
+  constructor() {
+    this.ruleId = 'C042';
+    this.ruleName = 'Boolean Variable Naming';
+    this.description = 'Boolean variable names should start with is, has, should, can, will, must, may, or check';
+    
+    // User requested to add "check" prefix
+    this.booleanPrefixes = [
+      'is', 'has', 'should', 'can', 'will', 'must', 'may', 'check',
+      'are', 'were', 'was', 'could', 'might', 'shall', 'need', 'want'
+    ];
+    
+    // Common non-boolean patterns to ignore (user feedback)
+    this.ignoredPatterns = [
+      // Fallback/default patterns: var = value || fallback
+      /\w+\s*=\s*\w+\s*\|\|\s*[^|]/,
+      // Assignment patterns that are clearly not boolean
+      /\w+\s*=\s*['"`][^'"`]*['"`]/, // String assignments
+      /\w+\s*=\s*\d+/, // Number assignments
+      /\w+\s*=\s*\{/, // Object assignments
+      /\w+\s*=\s*\[/, // Array assignments
+    ];
+    
+    // Variables that commonly aren't boolean but might look like it
+    this.commonNonBooleans = [
+      'value', 'result', 'data', 'config', 'name', 'id', 'key',
+      'path', 'url', 'src', 'href', 'text', 'message', 'error',
+      'response', 'request', 'params', 'options', 'settings'
+    ];
+  }
+
+  async analyze(files, language, options = {}) {
+    const violations = [];
+    
+    for (const filePath of files) {
+      if (options.verbose) {
+        console.log(`🔍 Running C042 analysis on ${require('path').basename(filePath)}`);
+      }
+      
+      try {
+        const content = require('fs').readFileSync(filePath, 'utf8');
+        const fileViolations = this.analyzeFile(content, filePath);
+        violations.push(...fileViolations);
+      } catch (error) {
+        console.warn(`⚠️ Failed to analyze ${filePath}: ${error.message}`);
+      }
+    }
+    
+    return violations;
+  }
+
+  analyzeFile(content, filePath) {
+    const violations = [];
+    const lines = content.split('\n');
+    
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i].trim();
+      
+      // Skip empty lines, comments, imports, and type declarations
+      if (!line || line.startsWith('//') || line.startsWith('/*') || 
+          line.startsWith('import') || line.startsWith('export') ||
+          line.startsWith('declare') || line.startsWith('*')) {
+        continue;
+      }
+      
+      const lineViolations = this.analyzeDeclaration(line, i + 1);
+      lineViolations.forEach(violation => {
+        violations.push({
+          ...violation,
+          file: filePath
+        });
+      });
+    }
+    
+    return violations;
+  }
+  
+  analyzeDeclaration(line, lineNumber) {
+    const violations = [];
+    
+    // Match variable declarations with boolean values
+    const booleanAssignments = this.findBooleanAssignments(line);
+    
+    for (const assignment of booleanAssignments) {
+      const { varName, isBooleanValue, hasPrefix, actualValue } = assignment;
+      
+      // Case 1: Variable is assigned a boolean value but doesn't have proper prefix
+      if (isBooleanValue && !hasPrefix) {
+        // Skip if this matches user feedback patterns (false positives)
+        if (this.shouldSkipBooleanVariableCheck(varName, line, actualValue)) {
+          continue;
+        }
+        
+        violations.push({
+          line: lineNumber,
+          column: line.indexOf(varName) + 1,
+          message: `Boolean variable '${varName}' should start with a descriptive prefix like 'is', 'has', 'should', 'can', or 'check'. Consider: ${this.generateSuggestions(varName).join(', ')}.`,
+          severity: 'warning',
+          ruleId: this.ruleId
+        });
+      }
+      
+      // Case 2: Variable has boolean prefix but is assigned a non-boolean value
+      else if (hasPrefix && !isBooleanValue && actualValue && this.isDefinitelyNotBoolean(actualValue)) {
+        // Only skip very basic cases for prefix misuse
+        if (varName.length <= 2) {
+          continue;
+        }
+        
+        const prefix = this.extractPrefix(varName);
+        violations.push({
+          line: lineNumber,
+          column: line.indexOf(varName) + 1,
+          message: `Variable '${varName}' uses boolean prefix '${prefix}' but is assigned a non-boolean value. Consider renaming or changing the value.`,
+          severity: 'warning',
+          ruleId: this.ruleId
+        });
+      }
+    }
+    
+    return violations;
+  }
+  
+  findBooleanAssignments(line) {
+    const assignments = [];
+    
+    // Match declaration patterns only (avoid duplicates)
+    const patterns = [
+      // let/const/var varName = value
+      /(?:let|const|var)\s+(\w+)\s*(?::\s*\w+\s*)?=\s*(.+?)(?:;|$)/g,
+    ];
+    
+    for (const pattern of patterns) {
+      let match;
+      const seenVariables = new Set(); // Avoid duplicates
+      
+      while ((match = pattern.exec(line)) !== null) {
+        const varName = match[1];
+        const value = match[2].trim();
+        
+        // Skip if already processed
+        if (seenVariables.has(varName)) {
+          continue;
+        }
+        seenVariables.add(varName);
+        
+        // Skip destructuring and complex patterns
+        if (varName.includes('[') || varName.includes('{') || value.includes('{') || value.includes('[')) {
+          continue;
+        }
+        
+        const isBooleanValue = this.isBooleanValue(value);
+        const hasPrefix = this.hasBooleanPrefix(varName);
+        
+        assignments.push({
+          varName,
+          isBooleanValue,
+          hasPrefix,
+          actualValue: value
+        });
+      }
+    }
+    
+    return assignments;
+  }
+  
+  isBooleanValue(value) {
+    const trimmedValue = value.trim();
+    
+    // Direct boolean literals
+    if (trimmedValue === 'true' || trimmedValue === 'false') {
+      return true;
+    }
+    
+    // Boolean expressions that clearly result in boolean
+    const booleanExpressions = [
+      /\w+\s*[<>!=]=/, // Comparisons
+      /\w+\s*(&&|\|\|)/, // Logical operations (but not fallback patterns)
+      /^\!\w+/, // Negation
+      /instanceof\s+/, // instanceof
+      /\.test\(/, // regex.test()
+      /\.includes\(/, // array.includes()
+      /\.hasOwnProperty\(/, // hasOwnProperty
+      /\.some\(/, // array.some()
+      /\.every\(/, // array.every()
+      /typeof\s+.*\s*===/, // typeof checks
+      /Math\.random\(\)\s*[<>]/, // Math.random() comparisons
+      /\.length\s*[<>!=]=/, // Length comparisons
+    ];
+    
+    // Exclude fallback patterns (user feedback - these are NOT boolean)
+    if (trimmedValue.includes('||')) {
+      // Check if it's a boolean expression or just a fallback
+      // If the || is followed by a non-boolean value, it's likely a fallback
+      const parts = trimmedValue.split('||');
+      if (parts.length === 2) {
+        const fallback = parts[1].trim();
+        // If fallback is clearly not boolean, this is not a boolean assignment
+        if (this.isDefinitelyNotBoolean(fallback) || /^\d+$/.test(fallback) || /^['"`]/.test(fallback)) {
+          return false;
+        }
+      }
+    }
+    
+    return booleanExpressions.some(pattern => pattern.test(trimmedValue));
+  }
+  
+  hasBooleanPrefix(varName) {
+    const lowerName = varName.toLowerCase();
+    return this.booleanPrefixes.some(prefix => 
+      lowerName.startsWith(prefix.toLowerCase()) && 
+      lowerName.length > prefix.length
+    );
+  }
+  
+  extractPrefix(varName) {
+    const lowerName = varName.toLowerCase();
+    for (const prefix of this.booleanPrefixes) {
+      if (lowerName.startsWith(prefix.toLowerCase())) {
+        return prefix;
+      }
+    }
+    return '';
+  }
+  
+  shouldSkipBooleanVariableCheck(varName, line, value) {
+    // Skip very short names  
+    if (varName.length <= 2) {
+      return true;
+    }
+    
+    // Skip common non-boolean variable names
+    if (this.commonNonBooleans.includes(varName.toLowerCase())) {
+      return true;
+    }
+    
+    // Skip user feedback patterns (fallback/default patterns)
+    if (this.ignoredPatterns.some(pattern => pattern.test(line))) {
+      return true;
+    }
+    
+    // Skip function parameters and loop variables
+    if (line.includes('function') || line.includes('for') || line.includes('=>')) {
+      return true;
+    }
+    
+    return false;
+  }
+  
+  isDefinitelyNotBoolean(value) {
+    const trimmedValue = value.trim();
+    
+    // String literals (including single quotes)
+    if (trimmedValue.match(/^['"`][^'"`]*['"`]$/)) {
+      return true;
+    }
+    
+    // Number literals
+    if (trimmedValue.match(/^\d+(\.\d+)?$/)) {
+      return true;
+    }
+    
+    // Object/array literals
+    if (trimmedValue.startsWith('{') || trimmedValue.startsWith('[')) {
+      return true;
+    }
+    
+    // null, undefined
+    if (trimmedValue === 'null' || trimmedValue === 'undefined') {
+      return true;
+    }
+    
+    // Common non-boolean patterns
+    if (trimmedValue.includes('new ') || trimmedValue.includes('function')) {
+      return true;
+    }
+    
+    return false;
+  }
+  
+  generateSuggestions(varName) {
+    const suggestions = [];
+    const baseName = varName.replace(/^(is|has|should|can|will|must|may|check)/i, '');
+    const capitalizedBase = baseName.charAt(0).toUpperCase() + baseName.slice(1);
+    
+    // Generate a few reasonable suggestions
+    suggestions.push(`is${capitalizedBase}`);
+    suggestions.push(`has${capitalizedBase}`);
+    suggestions.push(`should${capitalizedBase}`);
+    
+    return suggestions.slice(0, 3); // Limit to 3 suggestions
+  }
+}
+
+module.exports = C042Analyzer;