@sun-asterisk/sunlint 1.2.2 → 1.3.1

package/rules/security/S027_no_hardcoded_secrets/categories.json

@@ -0,0 +1,153 @@
+{
+  "S027": {
+    "categories": [
+      {
+        "name": "AWS Credentials",
+        "severity": "critical",
+        "description": "AWS access keys, secret keys, and session tokens",
+        "patterns": [
+          "AKIA[0-9A-Z]{16}",
+          "(aws[-_]?)?(secret[-_]?access[-_]?key|access[-_]?key[-_]?id|awssecretaccesskey|awsaccesskeyid)\\s*[=:]\\s*[\"']?[A-Za-z0-9\\/+=]{20,40}[\"']?",
+          "(aws[-_]?)?session[-_]?token\\s*[=:]\\s*[\"']?[A-Za-z0-9\\/+=]{100,}[\"']?"
+        ],
+        "exclude_patterns": [
+          "(test|mock|fake|example|demo)[-_]?aws",
+          "AWS_REGION|AWS_DEFAULT_REGION"
+        ]
+      },
+      {
+        "name": "JWT & Authentication Tokens",
+        "severity": "critical", 
+        "description": "JWT tokens and authentication credentials",
+        "patterns": [
+          "eyJ[A-Za-z0-9\\-_=]+\\.[A-Za-z0-9\\-_=]+\\.?[A-Za-z0-9\\-_.+/=]*",
+          "(jwt|bearer|auth|authtoken|jwttoken)[-_]?(token|secret)?\\s*[=:]\\s*[\"']?[a-zA-Z0-9\\-_=]{20,}[\"']?",
+          "authorization\\s*[=:]\\s*[\"']?(bearer|basic)\\s+[a-zA-Z0-9\\-_=]{10,}[\"']?"
+        ]
+      },
+      {
+        "name": "API Keys & Secrets",
+        "severity": "high",
+        "description": "Generic API keys and secret tokens",
+        "patterns": [
+          "(api[-_]?key|apikey|secret[-_]?key|secretkey|access[-_]?token|accesstoken)\\s*[=:]\\s*[\"']?[a-zA-Z0-9\\-_=]{16,}[\"']?",
+          "(client[-_]?secret|clientsecret|app[-_]?secret|appsecret)\\s*[=:]\\s*[\"']?[a-zA-Z0-9\\-_=]{20,}[\"']?",
+          "(private[-_]?key|privatekey|encryption[-_]?key|encryptionkey)\\s*[=:]\\s*[\"']?[a-zA-Z0-9\\-_=]{20,}[\"']?",
+          "(password|secret)\\s*[=:]\\s*[\"'][a-zA-Z0-9\\-_=]{6,}[\"']"
+        ],
+        "exclude_patterns": [
+          "(display|row|sort|primary|foreign)[-_]?key",
+          "key(value|path|name|code|id|index)",
+          "^key$",
+          "(test|mock|demo|example).*password",
+          "password.*(test|mock|demo|example|123|dummy)",
+          "wrongpassword|correctpassword|testpassword"
+        ]
+      },
+      {
+        "name": "Database Credentials", 
+        "severity": "high",
+        "description": "Database connection strings and passwords",
+        "patterns": [
+          "(mongodb|mysql|postgres|redis):\\/\\/[^\\/\\s'\"]+:[^\\/\\s'\"]+@[^\\/\\s'\"]+",
+          "(db|database|dbpassword|databasepassword)[-_]?(password|pass|pwd|secret)?\\s*[=:]\\s*[\"']?[a-zA-Z0-9\\-_=]{6,}[\"']?",
+          "connection[-_]?string\\s*[=:]\\s*[\"']?[^\"'\\s]{20,}[\"']?"
+        ]
+      },
+      {
+        "name": "Third-party Service Keys",
+        "severity": "high", 
+        "description": "GitHub, Slack, Stripe and other service tokens",
+        "patterns": [
+          "gh[pousr]_[A-Za-z0-9_]{36}",
+          "xox[baprs]-[A-Za-z0-9-]+",
+          "sk_live_[A-Za-z0-9]{24,}",
+          "(github|slack|stripe|paypal)[-_]?(token|key|secret)[\\s:=]+[\"']?[a-zA-Z0-9\\-_=]{16,}[\"']?"
+        ]
+      },
+      {
+        "name": "Suspicious Variable Names",
+        "severity": "medium",
+        "description": "Variables with sensitive naming patterns",
+        "patterns": [
+          "(client|app|service)[-_]?(id|key|token|secret)[\"']?\\s*[:=]\\s*[\"'][A-Za-z0-9\\-_=]{12,}[\"']?",
+          "(oauth|openid)[-_]?(client[-_]?id|secret)[\\s:=]+[\"']?[a-zA-Z0-9\\-_=]{10,}[\"']?"
+        ],
+        "exclude_patterns": [
+          "(send|verify|update|register|reset).*password",
+          "password.*(reset|verify|update|first|time)"
+        ]
+      },
+      {
+        "name": "Base64 Encoded Secrets",
+        "severity": "medium",
+        "description": "Potentially encoded sensitive data",
+        "patterns": [
+          "(?:^|[\\s=:'\"])([A-Za-z0-9+\\/]{64,}={0,2})(?:[\\s'\";}]|$)"
+        ],
+        "exclude_patterns": [
+          "^[a-zA-Z0-9+\\/]*$",
+          "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
+          "(test|demo|example|sample|mock)",
+          "^\\/[a-zA-Z0-9\\/\\-_]+$",
+          "^[a-zA-Z0-9\\/\\-_\\.]+$",
+          "[a-zA-Z]+[a-zA-Z\\/\\-_]{20,}",
+          "[a-zA-Z]+Slice\\/",
+          "[a-zA-Z]+Company\\/",
+          "[a-zA-Z]+Management\\/",
+          "[a-zA-Z]+Component",
+          "[a-zA-Z]+Setting",
+          "[a-zA-Z]+Match",
+          "Selector$",
+          "Controller$",
+          "Service$",
+          "Api$",
+          "slice\\/",
+          "Component\\/",
+          "management\\/",
+          "company\\/",
+          "import.*from",
+          "require\\("
+        ]
+      },
+      {
+        "name": "Environment Variables",
+        "severity": "low",
+        "description": "Public environment variables that might leak info",
+        "patterns": [
+          "NEXT_PUBLIC_[A-Z0-9_]+[\\s:=]+[\"'][^\"']+[\"']",
+          "react_app_[A-Z0-9_]+[\\s:=]+[\"'][^\"']+[\"']"
+        ],
+        "exclude_patterns": [
+          "NODE_ENV|ENV|ENVIRONMENT|MODE|DEBUG"
+        ]
+      },
+      {
+        "name": "File Path Leaks",
+        "severity": "low", 
+        "description": "Sensitive file patterns",
+        "patterns": [
+          "^\\s*['\"]?\\.env(\\.[a-zA-Z0-9_]+)?['\"]?\\s*$",
+          "^\\s*['\"]?(secrets?|credentials?|private[-_]?keys?)\\.(json|ya?ml|ts|js)['\"]?\\s*$",
+          "^\\s*['\"]?(id_rsa|id_dsa|\\.pem|\\.p12|\\.pfx)['\"]?\\s*$"
+        ],
+        "exclude_patterns": [
+          "process\\.env\\.",
+          "import.*from",
+          "require\\(",
+          "NODE_ENV|ENVIRONMENT|MODE|DEBUG"
+        ]
+      }
+    ],
+    "global_exclude_patterns": [
+      "(test|mock|fake|dummy|placeholder)\\.(js|ts|jsx|tsx)$",
+      "\\.(test|spec|mock)\\.",
+      "__tests__|\\/tests?\\/|\\/spec\\/",
+      "process\\.env\\.",
+      "import.*from.*['\"]",
+      "require\\(['\"]"
+    ],
+    "min_length": 8,
+    "max_length": 1000
+  }
+}

package/rules/security/S027_no_hardcoded_secrets/categorized-analyzer.js

@@ -0,0 +1,250 @@
+const fs = require('fs');
+const path = require('path');
+
+class S027CategorizedAnalyzer {
+  constructor() {
+    this.ruleId = 'S027';
+    this.ruleName = 'No Hardcoded Secrets (Categorized)';
+    this.description = 'Phát hiện thông tin bảo mật theo categories với độ ưu tiên khác nhau';
+    
+    // Load categories config
+    this.config = this.loadConfig();
+    this.categories = this.config.categories;
+    this.globalExcludePatterns = this.config.global_exclude_patterns.map(p => new RegExp(p, 'i'));
+    this.minLength = this.config.min_length || 8;
+    this.maxLength = this.config.max_length || 1000;
+    
+    // Compile patterns for performance
+    this.compilePatterns();
+  }
+  
+  loadConfig() {
+    const configPath = path.join(__dirname, 'categories.json');
+    try {
+      const config = JSON.parse(fs.readFileSync(configPath, 'utf8'));
+      return config.S027;
+    } catch (error) {
+      console.error('Failed to load S027 categories config:', error.message);
+      return { categories: [], global_exclude_patterns: [] };
+    }
+  }
+  
+  compilePatterns() {
+    this.categories.forEach(category => {
+      category.compiledPatterns = category.patterns.map(p => ({
+        regex: new RegExp(p, 'gm'),
+        original: p
+      }));
+      
+      if (category.exclude_patterns) {
+        category.compiledExcludePatterns = category.exclude_patterns.map(p => new RegExp(p, 'i'));
+      }
+    });
+  }
+  
+  async analyze(files, language, options = {}) {
+    const violations = [];
+    this.currentFilePath = '';
+    
+    for (const filePath of files) {
+      // Skip build/dist/node_modules
+      if (this.shouldSkipFile(filePath)) {
+        continue;
+      }
+      
+      this.currentFilePath = filePath;
+      
+      try {
+        const content = fs.readFileSync(filePath, 'utf8');
+        const fileViolations = this.analyzeFile(content, filePath);
+        violations.push(...fileViolations);
+      } catch (error) {
+        if (options.verbose) {
+          console.error(`Error analyzing ${filePath}:`, error.message);
+        }
+      }
+    }
+    
+    return violations;
+  }
+  
+  shouldSkipFile(filePath) {
+    const skipPatterns = [
+      'build/', 'dist/', 'node_modules/', '.git/',
+      'coverage/', '.next/', '.cache/', 'tmp/',
+      '.lock', '.log', '.min.js', '.bundle.js'
+    ];
+    
+    return skipPatterns.some(pattern => filePath.includes(pattern));
+  }
+  
+  analyzeFile(content, filePath) {
+    const violations = [];
+    // Handle different line endings (Windows \r\n, Unix \n, Mac \r)
+    const lines = content.split(/\r?\n/);
+    
+    // Check if this is a test file for context
+    const isTestFile = this.isTestFile(filePath);
+    
+    lines.forEach((line, index) => {
+      const lineNumber = index + 1;
+      const trimmedLine = line.trim();
+      
+      // Skip comments and imports
+      if (this.isCommentOrImport(trimmedLine)) {
+        return;
+      }
+      
+      // Check global exclude patterns first
+      if (this.matchesGlobalExcludes(line)) {
+        return;
+      }
+      
+      // Check each category
+      this.categories.forEach(category => {
+        const categoryViolations = this.checkCategory(
+          category, line, lineNumber, filePath, isTestFile
+        );
+        violations.push(...categoryViolations);
+      });
+    });
+    
+    return violations;
+  }
+  
+  isTestFile(filePath) {
+    const testPatterns = [
+      /\.(test|spec)\./i,
+      /__tests__/i,
+      /\/tests?\//i,
+      /\/spec\//i,
+      /setupTests/i,
+      /testSetup/i,
+      /test[-_]/i,  // Matches test- or test_
+      /^.*\/test[^\/]*\.js$/i  // Matches files starting with test
+    ];
+    
+    return testPatterns.some(pattern => pattern.test(filePath));
+  }
+  
+  isCommentOrImport(line) {
+    return line.startsWith('//') || line.startsWith('/*') || 
+           line.startsWith('import') || line.startsWith('export') ||
+           line.startsWith('*') || line.startsWith('<');
+  }
+  
+  matchesGlobalExcludes(line) {
+    return this.globalExcludePatterns.some(pattern => pattern.test(line));
+  }
+  
+  checkCategory(category, line, lineNumber, filePath, isTestFile) {
+    const violations = [];
+    
+    category.compiledPatterns.forEach(({ regex, original }) => {
+      let match;
+      
+      // Reset regex lastIndex for global patterns
+      regex.lastIndex = 0;
+      
+      while ((match = regex.exec(line)) !== null) {
+        const matchedText = match[0];
+        const column = match.index + 1;
+        
+        // Check length constraints
+        if (matchedText.length < this.minLength || matchedText.length > this.maxLength) {
+          continue;
+        }
+        
+        // Check category-specific excludes
+        if (category.compiledExcludePatterns && 
+            category.compiledExcludePatterns.some(pattern => pattern.test(matchedText))) {
+          continue;
+        }
+        
+        // Be more lenient in test files for lower severity categories
+        // But still report critical/high severity issues even in test files
+        if (isTestFile && category.severity === 'low') {
+          continue;
+        }
+        
+        violations.push({
+          file: filePath,
+          line: lineNumber,
+          column: column,
+          message: `[${category.name}] Potential ${category.severity} security risk: '${matchedText}'. ${category.description}`,
+          severity: this.mapSeverity(category.severity),
+          ruleId: this.ruleId,
+          category: category.name,
+          categoryDescription: category.description,
+          matchedPattern: original,
+          matchedText: matchedText
+        });
+      }
+    });
+    
+    return violations;
+  }
+  
+  mapSeverity(categorySeverity) {
+    const severityMap = {
+      'critical': 'error',
+      'high': 'warning', 
+      'medium': 'warning',
+      'low': 'info'
+    };
+    
+    return severityMap[categorySeverity] || 'warning';
+  }
+  
+  // Method for getting category statistics
+  getCategoryStats(violations) {
+    const stats = {};
+    
+    violations.forEach(violation => {
+      const category = violation.category;
+      if (!stats[category]) {
+        stats[category] = {
+          count: 0,
+          severity: violation.severity,
+          files: new Set()
+        };
+      }
+      stats[category].count++;
+      stats[category].files.add(violation.file);
+    });
+    
+    // Convert Set to array for JSON serialization
+    Object.keys(stats).forEach(category => {
+      stats[category].files = Array.from(stats[category].files);
+      stats[category].fileCount = stats[category].files.length;
+    });
+    
+    return stats;
+  }
+  
+  // Method for filtering by category
+  filterByCategory(violations, categoryNames) {
+    if (!categoryNames || categoryNames.length === 0) {
+      return violations;
+    }
+    
+    return violations.filter(violation => 
+      categoryNames.includes(violation.category)
+    );
+  }
+  
+  // Method for filtering by severity
+  filterBySeverity(violations, minSeverity = 'info') {
+    const severityOrder = ['info', 'warning', 'error'];
+    const minIndex = severityOrder.indexOf(minSeverity);
+    
+    if (minIndex === -1) return violations;
+    
+    return violations.filter(violation => {
+      const violationIndex = severityOrder.indexOf(violation.severity);
+      return violationIndex >= minIndex;
+    });
+  }
+}
+
+module.exports = S027CategorizedAnalyzer;

package/scripts/category-manager.js

@@ -0,0 +1,150 @@
+#!/usr/bin/env node
+
+/**
+ * SunLint Category Management CLI
+ * Utility for managing categories and principles
+ * 
+ * Usage:
+ *   node scripts/category-manager.js list
+ *   node scripts/category-manager.js add <category> <principle> <description>
+ *   node scripts/category-manager.js validate
+ *   node scripts/category-manager.js stats
+ */
+
+const path = require('path');
+const {
+  getValidCategories,
+  getCategoryPrinciples,
+  getCategoryDescription,
+  getCategoryStats,
+  isValidCategory,
+  addCategoryMapping
+} = require('../core/constants/categories');
+
+const command = process.argv[2];
+
+switch (command) {
+  case 'list':
+    listCategories();
+    break;
+    
+  case 'validate':
+    validateCategories();
+    break;
+    
+  case 'stats':
+    showStats();
+    break;
+    
+  case 'add':
+    addCategory(process.argv[3], process.argv[4], process.argv[5]);
+    break;
+    
+  case 'check':
+    checkCategory(process.argv[3]);
+    break;
+    
+  default:
+    showHelp();
+}
+
+function listCategories() {
+  console.log('📋 SunLint Categories & Principles\n');
+  
+  const categories = getValidCategories();
+  categories.forEach(category => {
+    const principles = getCategoryPrinciples(category);
+    const description = getCategoryDescription(category);
+    
+    console.log(`🏷️  ${category.toUpperCase()}`);
+    console.log(`   Principles: ${principles.join(', ')}`);
+    console.log(`   Description: ${description}`);
+    console.log('');
+  });
+}
+
+function validateCategories() {
+  console.log('🔍 Validating Category System\n');
+  
+  const stats = getCategoryStats();
+  console.log(`✅ Total Categories: ${stats.totalCategories}`);
+  console.log(`✅ Total Principles: ${stats.totalPrinciples}`);
+  
+  // Check for missing principles
+  const allPrinciples = Object.values(SUNLINT_PRINCIPLES);
+  const mappedPrinciples = Object.values(CATEGORY_PRINCIPLE_MAP).flat();
+  
+  const missingPrinciples = allPrinciples.filter(p => !mappedPrinciples.includes(p));
+  
+  if (missingPrinciples.length > 0) {
+    console.log(`⚠️  Unmapped Principles: ${missingPrinciples.join(', ')}`);
+  } else {
+    console.log('✅ All principles mapped to categories');
+  }
+  
+  console.log('\n📊 Category Mapping:');
+  Object.entries(CATEGORY_PRINCIPLE_MAP).forEach(([category, principles]) => {
+    console.log(`   ${category} -> ${principles.join(', ')}`);
+  });
+}
+
+function showStats() {
+  const stats = getCategoryStats();
+  console.log('📊 Category Statistics\n');
+  console.log(JSON.stringify(stats, null, 2));
+}
+
+function addCategory(category, principle, description) {
+  if (!category || !principle || !description) {
+    console.error('❌ Usage: add <category> <principle> <description>');
+    return;
+  }
+  
+  console.log(`🔄 Adding category: ${category}`);
+  console.log(`   Principle: ${principle}`);
+  console.log(`   Description: ${description}`);
+  console.log('\n⚠️  This would require updating category-constants.js manually');
+  console.log('   Add the following to CATEGORY_PRINCIPLE_MAP:');
+  console.log(`   '${category.toLowerCase()}': ['${principle.toUpperCase()}'],`);
+}
+
+function checkCategory(category) {
+  if (!category) {
+    console.error('❌ Usage: check <category>');
+    return;
+  }
+  
+  console.log(`🔍 Checking category: ${category}\n`);
+  
+  const isValid = isValidCategory(category);
+  console.log(`Valid: ${isValid ? '✅' : '❌'}`);
+  
+  if (isValid) {
+    const principles = getCategoryPrinciples(category);
+    const description = getCategoryDescription(category);
+    
+    console.log(`Principles: ${principles.join(', ')}`);
+    console.log(`Description: ${description}`);
+  } else {
+    console.log(`Valid categories: ${getValidCategories().join(', ')}`);
+  }
+}
+
+function showHelp() {
+  console.log(`
+🛠️  SunLint Category Manager
+
+Commands:
+  list      Show all categories and their principles
+  validate  Validate the category system consistency
+  stats     Show category statistics
+  check     Check if a specific category is valid
+  add       Add a new category (manual step required)
+
+Examples:
+  node scripts/category-manager.js list
+  node scripts/category-manager.js check security
+  node scripts/category-manager.js validate
+  node scripts/category-manager.js add accessibility ACCESSIBILITY "Accessibility guidelines"
+`);
+}

package/scripts/generate-rules-registry.js

@@ -0,0 +1,88 @@
+#!/usr/bin/env node
+
+const fs = require('fs');
+const path = require('path');
+const { SimpleRuleParser } = require('../rules/parser/rule-parser-simple');
+
+/**
+ * Generate rules registry from origin-rules
+ * This script creates config/rules/rules-registry-generated.json
+ * from all *-en.md files in origin-rules/ directory
+ */
+
+console.log('📋 Generating rules registry from origin-rules...');
+
+try {
+  const parser = new SimpleRuleParser();
+  const originRulesDir = path.join(__dirname, '..', 'origin-rules');
+  const targetPath = path.join(__dirname, '..', 'config', 'rules', 'rules-registry-generated.json');
+  
+  console.log(`Source: ${originRulesDir}`);
+  console.log(`Target: ${targetPath}`);
+  
+  // Parse all rules from origin-rules
+  const allRules = parser.parseAllRules(originRulesDir);
+  
+  if (allRules.length === 0) {
+    console.error('❌ No rules found in origin-rules directory');
+    process.exit(1);
+  }
+  
+  // Convert to registry format
+  const registry = {
+    rules: {}
+  };
+  
+  allRules.forEach(rule => {
+    if (rule.id) {
+      registry.rules[rule.id] = {
+        name: rule.title || `${rule.id} Rule`,
+        description: rule.description || 'No description available',
+        category: rule.category || 'quality',
+        severity: rule.severity || 'major',
+        languages: rule.language ? [rule.language] : ['All languages'],
+        version: rule.version || '1.0.0',
+        status: rule.status || 'draft',
+        tags: [rule.category || 'quality', 'readability', 'code-quality'],
+        tools: rule.tools || [],
+        framework: rule.framework || 'All',
+        principles: rule.principles || []
+      };
+    }
+  });
+  
+  // Ensure target directory exists
+  const targetDir = path.dirname(targetPath);
+  if (!fs.existsSync(targetDir)) {
+    fs.mkdirSync(targetDir, { recursive: true });
+  }
+  
+  // Write registry file
+  fs.writeFileSync(targetPath, JSON.stringify(registry, null, 2), 'utf8');
+  
+  const rulesCount = Object.keys(registry.rules).length;
+  const fileSize = (fs.statSync(targetPath).size / 1024).toFixed(1);
+  
+  console.log(`✅ Generated registry with ${rulesCount} rules`);
+  console.log(`📁 File: ${targetPath} (${fileSize} KB)`);
+  console.log('');
+  console.log('📊 Rules by category:');
+  
+  // Stats by category
+  const categories = {};
+  Object.values(registry.rules).forEach(rule => {
+    const cat = rule.category || 'unknown';
+    categories[cat] = (categories[cat] || 0) + 1;
+  });
+  
+  Object.entries(categories)
+    .sort(([,a], [,b]) => b - a)
+    .forEach(([category, count]) => {
+      console.log(`   ${category}: ${count} rules`);
+    });
+    
+} catch (error) {
+  console.error('❌ Error generating registry:', error.message);
+  console.error(error.stack);
+  process.exit(1);
+}