@sun-asterisk/sunlint 1.2.2 → 1.3.1

package/rules/security/S007_no_plaintext_otp/semantic-config.json

@@ -0,0 +1,195 @@
+{
+  "ruleId": "S007",
+  "name": "No Plaintext OTP (Semantic Analysis)",
+  "category": "security",
+  "severity": "error",
+  "type": "semantic",
+  "description": "Detects plaintext OTP storage and transmission using semantic analysis with Symbol Table",
+  
+  "analysis": {
+    "engine": "semantic",
+    "strategy": "symbol-table",
+    "crossFileAnalysis": true,
+    "requiresTypeChecker": false,
+    "cacheResults": true,
+    "timeout": 30000,
+    "maxFiles": 1000
+  },
+  
+  "scope": {
+    "fileTypes": [".ts", ".tsx", ".js", ".jsx"],
+    "excludePatterns": [
+      "**/test/**",
+      "**/tests/**", 
+      "**/__tests__/**",
+      "**/*.test.*",
+      "**/*.spec.*",
+      "**/node_modules/**",
+      "**/build/**",
+      "**/dist/**"
+    ]
+  },
+  
+  "semanticPatterns": {
+    "otpVariables": {
+      "patterns": [
+        "^(otp|totp|hotp)$",
+        "^(one_?time|onetime)_?(password|pass|code)$",
+        "^(auth|verification|sms|temp|security|access|login)_?code$",
+        "^(two_?factor|2fa|mfa)_?(token|code)$",
+        "^pin_?code$"
+      ],
+      "caseInsensitive": true
+    },
+    
+    "otpFunctions": {
+      "patterns": [
+        "^(generate|create|store|save|send|validate|verify)_?otp$",
+        "^otp_?(generate|create|store|save|send|validate|verify)$",
+        "^(generate|create|store|save|send|validate|verify)_?(auth|verification|sms|temp|security|access|login)_?code$",
+        "^send_?(sms|email|auth)_?code$"
+      ],
+      "methodNames": [
+        "sendOtp", "storeOtp", "saveOtp", "generateOtp", "verifyOtp",
+        "sendSmsCode", "sendAuthCode", "storeAuthCode", "saveAuthCode"
+      ]
+    },
+    
+    "dangerousOperations": {
+      "storage": [
+        "save", "store", "insert", "update", "create", "persist",
+        "collection.insertOne", "collection.updateOne", "db.save",
+        "redis.set", "redis.hset", "cache.put", "cache.set"
+      ],
+      "transmission": [
+        "send", "emit", "post", "put", "response.json", "res.send",
+        "email.send", "sms.send", "notify", "broadcast"
+      ],
+      "browserStorage": [
+        "localStorage.setItem", "sessionStorage.setItem",
+        "localStorage.set", "sessionStorage.set"
+      ],
+      "logging": [
+        "console.log", "console.debug", "console.info",
+        "logger.info", "logger.debug", "log.info"
+      ]
+    },
+    
+    "safeOperations": [
+      "bcrypt.hash", "crypto.createHash", "crypto.createHmac",
+      "hash", "encrypt", "cipher", "secure", "pbkdf2",
+      "scrypt", "argon2", "aes.encrypt", "rsa.encrypt"
+    ]
+  },
+  
+  "violations": {
+    "types": {
+      "semantic_otp_variable_usage": {
+        "severity": "error",
+        "message": "OTP variable used in {context} without encryption",
+        "suggestion": "Encrypt or hash OTP values before {context}"
+      },
+      "semantic_otp_function_call": {
+        "severity": "warning", 
+        "message": "Function may handle OTP in plaintext",
+        "suggestion": "Ensure OTP values are encrypted before processing"
+      },
+      "semantic_plaintext_otp_argument": {
+        "severity": "error",
+        "message": "Potential plaintext OTP passed to {operation}",
+        "suggestion": "Encrypt or hash OTP values before storage/transmission"
+      },
+      "semantic_method_chain_otp": {
+        "severity": "error",
+        "message": "Method chain exposes OTP in plaintext",
+        "suggestion": "Use secure methods for OTP handling in method chains"
+      },
+      "semantic_data_flow_violation": {
+        "severity": "error",
+        "message": "OTP flows to unsafe operation without encryption",
+        "suggestion": "Ensure OTP is encrypted before reaching this operation"
+      },
+      "semantic_cross_file_otp_violation": {
+        "severity": "warning",
+        "message": "Imported OTP symbol used unsafely",
+        "suggestion": "Ensure consistent OTP security across file boundaries"
+      }
+    },
+    
+    "severityMapping": {
+      "storage": "error",
+      "transmission": "error",
+      "browser_storage": "warning", 
+      "logging": "warning",
+      "unknown_dangerous": "info"
+    }
+  },
+  
+  "dataFlow": {
+    "enabled": true,
+    "maxDistance": 20,
+    "trackAcrossFiles": true,
+    "trackThroughCallbacks": true,
+    "trackAsyncFlows": true
+  },
+  
+  "performance": {
+    "symbolTableCaching": true,
+    "maxAnalysisDepth": 10,
+    "maxCrossFileReferences": 100,
+    "timeoutPerFile": 5000
+  },
+  
+  "reporting": {
+    "includeSymbolContext": true,
+    "includeCrossFileReferences": true,
+    "includeDataFlowPath": true,
+    "includeCodeSnippets": true,
+    "confidenceThreshold": 0.7
+  },
+  
+  "examples": {
+    "violations": [
+      {
+        "description": "Direct OTP storage",
+        "code": "const otp = generateOtp(); await user.save({ otp });",
+        "reason": "OTP variable flows directly to storage operation"
+      },
+      {
+        "description": "OTP in response",
+        "code": "return response.json({ authCode, success: true });",
+        "reason": "OTP variable included in API response"
+      },
+      {
+        "description": "Method chain violation",
+        "code": "this.otpCode.save();",
+        "reason": "OTP flows through method chain to unsafe operation"
+      }
+    ],
+    
+    "safePatterns": [
+      {
+        "description": "Encrypted storage",
+        "code": "const hashedOtp = await bcrypt.hash(otp, 10); await user.save({ hashedOtp });",
+        "reason": "OTP is hashed before storage"
+      },
+      {
+        "description": "Secure transmission",
+        "code": "const encrypted = encrypt(otp, key); await send(encrypted);",
+        "reason": "OTP is encrypted before transmission"
+      }
+    ]
+  },
+  
+  "metadata": {
+    "version": "1.0.0",
+    "lastUpdated": "2024-01-20",
+    "author": "SunLint Security Team",
+    "references": [
+      "OWASP A02:2021 - Cryptographic Failures",
+      "NIST SP 800-63B - Authentication Guidelines", 
+      "RFC 6238 - TOTP: Time-Based One-Time Password Algorithm"
+    ],
+    "tags": ["security", "authentication", "otp", "encryption", "semantic"]
+  }
+}

package/rules/security/S007_no_plaintext_otp/semantic-wrapper.js

@@ -0,0 +1,280 @@
+/**
+ * S007 Semantic Wrapper
+ * Integrates S007SemanticAnalyzer with HeuristicEngine
+ * Provides compatibility layer between semantic analysis and existing framework
+ */
+
+const S007SemanticAnalyzer = require('./semantic-analyzer');
+const SemanticRuleBase = require('../../../core/semantic-rule-base');
+
+class S007SemanticWrapper extends SemanticRuleBase {
+  constructor(options = {}) {
+    super('S007', {
+      category: 'security',
+      severity: 'error',
+      description: 'Detects plaintext OTP storage and transmission using semantic analysis',
+      crossFileAnalysis: true,
+      requiresTypeChecker: false,
+      cacheResults: true,
+      ...options
+    });
+    
+    this.semanticAnalyzer = new S007SemanticAnalyzer('S007');
+    this.verbose = options.verbose || false;
+  }
+
+  /**
+   * Initialize with semantic engine
+   */
+  async initialize(semanticEngine) {
+    await super.initialize(semanticEngine);
+    
+    // Initialize the semantic analyzer
+    await this.semanticAnalyzer.initialize(semanticEngine);
+    
+    if (this.verbose) {
+      console.log(`🧠 S007SemanticWrapper initialized with semantic engine`);
+    }
+  }
+
+  /**
+   * Analyze single file using semantic analysis
+   */
+  async analyzeFile(filePath, options = {}) {
+    if (this.verbose) {
+      console.log(`🧠 S007: Analyzing ${filePath} with semantic analysis`);
+    }
+
+    try {
+      // Delegate to semantic analyzer
+      await this.semanticAnalyzer.analyzeFile(filePath, options);
+      
+      // Get violations from semantic analyzer
+      const semanticViolations = this.semanticAnalyzer.getViolations();
+      
+      // Add violations to our collection
+      for (const violation of semanticViolations) {
+        this.addViolation(violation);
+      }
+      
+      // Clear violations from semantic analyzer for next file
+      this.semanticAnalyzer.clearViolations();
+      
+      if (this.verbose && semanticViolations.length > 0) {
+        console.log(`🧠 S007: Found ${semanticViolations.length} semantic violations in ${filePath}`);
+      }
+      
+    } catch (error) {
+      console.error(`❌ S007: Semantic analysis failed for ${filePath}:`, error.message);
+      
+      // Fallback to regex analysis if semantic fails
+      if (options.fallbackToRegex !== false) {
+        await this.fallbackToRegexAnalysis(filePath, options);
+      }
+    }
+  }
+
+  /**
+   * Fallback to regex analysis if semantic analysis fails
+   */
+  async fallbackToRegexAnalysis(filePath, options) {
+    try {
+      if (this.verbose) {
+        console.log(`⚠️ S007: Falling back to regex analysis for ${filePath}`);
+      }
+      
+      // Use the existing regex analyzer as fallback
+      const RegexAnalyzer = require('./analyzer');
+      const regexAnalyzer = new RegexAnalyzer();
+      
+      const regexViolations = await regexAnalyzer.analyze([filePath], 'typescript', options);
+      
+      // Add regex violations with lower confidence
+      for (const violation of regexViolations) {
+        this.addViolation({
+          ...violation,
+          analysisMethod: 'regex_fallback',
+          confidence: 0.7, // Lower confidence for fallback
+          source: 'regex_analyzer'
+        });
+      }
+      
+      if (this.verbose && regexViolations.length > 0) {
+        console.log(`🔧 S007: Found ${regexViolations.length} regex violations (fallback) in ${filePath}`);
+      }
+      
+    } catch (fallbackError) {
+      console.error(`❌ S007: Fallback analysis also failed for ${filePath}:`, fallbackError.message);
+    }
+  }
+
+  /**
+   * Get supported file types
+   */
+  isValidFileType(filePath) {
+    const supportedExtensions = ['.ts', '.tsx', '.js', '.jsx'];
+    const path = require('path');
+    const ext = path.extname(filePath);
+    return supportedExtensions.includes(ext);
+  }
+
+  /**
+   * Enhanced violation adding with semantic context
+   */
+  addViolation(violation) {
+    const enhancedViolation = {
+      ...violation,
+      
+      // Add semantic metadata
+      analysisEngine: 'semantic',
+      analysisMethod: violation.analysisMethod || 'semantic',
+      confidence: violation.confidence || 0.9,
+      timestamp: Date.now(),
+      
+      // Ensure required fields
+      ruleId: this.ruleId,
+      category: this.config.category,
+      severity: violation.severity || this.config.severity,
+      
+      // Add semantic-specific fields
+      semanticContext: violation.symbolContext || {},
+      crossFileReferences: violation.crossFileReferences || [],
+      dataFlowAnalysis: violation.dataFlowAnalysis || null,
+      
+      // Enhanced suggestions for semantic violations
+      suggestion: this.enhanceSemanticSuggestion(violation),
+      
+      // Code context
+      codeSnippet: violation.codeSnippet || null,
+      
+      // Metadata
+      metadata: {
+        engineVersion: '3.0',
+        analysisType: 'semantic',
+        symbolTableUsed: true,
+        crossFileAnalysis: this.config.crossFileAnalysis,
+        ...violation.metadata
+      }
+    };
+    
+    super.addViolation(enhancedViolation);
+  }
+
+  /**
+   * Enhance suggestions with semantic context
+   */
+  enhanceSemanticSuggestion(violation) {
+    const baseSuggestion = violation.suggestion || 'Ensure OTP security best practices';
+    
+    // Add context-specific suggestions based on semantic analysis
+    const contextSuggestions = [];
+    
+    if (violation.symbolContext) {
+      const context = violation.symbolContext;
+      
+      if (context.operation) {
+        contextSuggestions.push(`Consider replacing '${context.operation}' with a secure alternative`);
+      }
+      
+      if (context.dataFlow && context.dataFlow.length > 1) {
+        contextSuggestions.push('Review the data flow path to identify where encryption should be applied');
+      }
+      
+      if (context.crossFileReferences && context.crossFileReferences.length > 0) {
+        contextSuggestions.push('Ensure security measures are consistent across all files using this OTP symbol');
+      }
+    }
+    
+    // Combine base suggestion with context-specific suggestions
+    if (contextSuggestions.length > 0) {
+      return `${baseSuggestion}. Additional recommendations: ${contextSuggestions.join('; ')}.`;
+    }
+    
+    return baseSuggestion;
+  }
+
+  /**
+   * Generate analysis report with semantic insights
+   */
+  generateReport() {
+    const baseReport = super.generateReport();
+    
+    // Add semantic-specific statistics
+    const semanticStats = this.calculateSemanticStats();
+    
+    return {
+      ...baseReport,
+      semanticAnalysis: {
+        enabled: true,
+        symbolTableUsed: true,
+        crossFileAnalysisPerformed: this.config.crossFileAnalysis,
+        dataFlowAnalysisPerformed: true,
+        statistics: semanticStats
+      }
+    };
+  }
+
+  /**
+   * Calculate semantic analysis statistics
+   */
+  calculateSemanticStats() {
+    const violations = this.getViolations();
+    
+    const stats = {
+      totalViolations: violations.length,
+      violationsByType: {},
+      violationsByContext: {},
+      averageConfidence: 0,
+      crossFileViolations: 0,
+      dataFlowViolations: 0
+    };
+    
+    // Analyze violation types and contexts
+    for (const violation of violations) {
+      // Count by type
+      const type = violation.type || 'unknown';
+      stats.violationsByType[type] = (stats.violationsByType[type] || 0) + 1;
+      
+      // Count by context
+      if (violation.symbolContext && violation.symbolContext.usageContext) {
+        const context = violation.symbolContext.usageContext;
+        stats.violationsByContext[context] = (stats.violationsByContext[context] || 0) + 1;
+      }
+      
+      // Count cross-file violations
+      if (violation.crossFileReferences && violation.crossFileReferences.length > 0) {
+        stats.crossFileViolations++;
+      }
+      
+      // Count data flow violations
+      if (violation.dataFlowAnalysis) {
+        stats.dataFlowViolations++;
+      }
+    }
+    
+    // Calculate average confidence
+    if (violations.length > 0) {
+      const totalConfidence = violations.reduce((sum, v) => sum + (v.confidence || 0.9), 0);
+      stats.averageConfidence = totalConfidence / violations.length;
+    }
+    
+    return stats;
+  }
+
+  /**
+   * Cleanup semantic resources
+   */
+  async cleanup() {
+    if (this.semanticAnalyzer && typeof this.semanticAnalyzer.cleanup === 'function') {
+      await this.semanticAnalyzer.cleanup();
+    }
+    
+    await super.cleanup();
+    
+    if (this.verbose) {
+      console.log(`🧠 S007SemanticWrapper cleanup completed`);
+    }
+  }
+}
+
+module.exports = S007SemanticWrapper;