@sun-asterisk/sunlint 1.3.0 → 1.3.1

package/rules/security/S027_no_hardcoded_secrets/categories.json

@@ -0,0 +1,153 @@
+{
+  "S027": {
+    "categories": [
+      {
+        "name": "AWS Credentials",
+        "severity": "critical",
+        "description": "AWS access keys, secret keys, and session tokens",
+        "patterns": [
+          "AKIA[0-9A-Z]{16}",
+          "(aws[-_]?)?(secret[-_]?access[-_]?key|access[-_]?key[-_]?id|awssecretaccesskey|awsaccesskeyid)\\s*[=:]\\s*[\"']?[A-Za-z0-9\\/+=]{20,40}[\"']?",
+          "(aws[-_]?)?session[-_]?token\\s*[=:]\\s*[\"']?[A-Za-z0-9\\/+=]{100,}[\"']?"
+        ],
+        "exclude_patterns": [
+          "(test|mock|fake|example|demo)[-_]?aws",
+          "AWS_REGION|AWS_DEFAULT_REGION"
+        ]
+      },
+      {
+        "name": "JWT & Authentication Tokens",
+        "severity": "critical", 
+        "description": "JWT tokens and authentication credentials",
+        "patterns": [
+          "eyJ[A-Za-z0-9\\-_=]+\\.[A-Za-z0-9\\-_=]+\\.?[A-Za-z0-9\\-_.+/=]*",
+          "(jwt|bearer|auth|authtoken|jwttoken)[-_]?(token|secret)?\\s*[=:]\\s*[\"']?[a-zA-Z0-9\\-_=]{20,}[\"']?",
+          "authorization\\s*[=:]\\s*[\"']?(bearer|basic)\\s+[a-zA-Z0-9\\-_=]{10,}[\"']?"
+        ]
+      },
+      {
+        "name": "API Keys & Secrets",
+        "severity": "high",
+        "description": "Generic API keys and secret tokens",
+        "patterns": [
+          "(api[-_]?key|apikey|secret[-_]?key|secretkey|access[-_]?token|accesstoken)\\s*[=:]\\s*[\"']?[a-zA-Z0-9\\-_=]{16,}[\"']?",
+          "(client[-_]?secret|clientsecret|app[-_]?secret|appsecret)\\s*[=:]\\s*[\"']?[a-zA-Z0-9\\-_=]{20,}[\"']?",
+          "(private[-_]?key|privatekey|encryption[-_]?key|encryptionkey)\\s*[=:]\\s*[\"']?[a-zA-Z0-9\\-_=]{20,}[\"']?",
+          "(password|secret)\\s*[=:]\\s*[\"'][a-zA-Z0-9\\-_=]{6,}[\"']"
+        ],
+        "exclude_patterns": [
+          "(display|row|sort|primary|foreign)[-_]?key",
+          "key(value|path|name|code|id|index)",
+          "^key$",
+          "(test|mock|demo|example).*password",
+          "password.*(test|mock|demo|example|123|dummy)",
+          "wrongpassword|correctpassword|testpassword"
+        ]
+      },
+      {
+        "name": "Database Credentials", 
+        "severity": "high",
+        "description": "Database connection strings and passwords",
+        "patterns": [
+          "(mongodb|mysql|postgres|redis):\\/\\/[^\\/\\s'\"]+:[^\\/\\s'\"]+@[^\\/\\s'\"]+",
+          "(db|database|dbpassword|databasepassword)[-_]?(password|pass|pwd|secret)?\\s*[=:]\\s*[\"']?[a-zA-Z0-9\\-_=]{6,}[\"']?",
+          "connection[-_]?string\\s*[=:]\\s*[\"']?[^\"'\\s]{20,}[\"']?"
+        ]
+      },
+      {
+        "name": "Third-party Service Keys",
+        "severity": "high", 
+        "description": "GitHub, Slack, Stripe and other service tokens",
+        "patterns": [
+          "gh[pousr]_[A-Za-z0-9_]{36}",
+          "xox[baprs]-[A-Za-z0-9-]+",
+          "sk_live_[A-Za-z0-9]{24,}",
+          "(github|slack|stripe|paypal)[-_]?(token|key|secret)[\\s:=]+[\"']?[a-zA-Z0-9\\-_=]{16,}[\"']?"
+        ]
+      },
+      {
+        "name": "Suspicious Variable Names",
+        "severity": "medium",
+        "description": "Variables with sensitive naming patterns",
+        "patterns": [
+          "(client|app|service)[-_]?(id|key|token|secret)[\"']?\\s*[:=]\\s*[\"'][A-Za-z0-9\\-_=]{12,}[\"']?",
+          "(oauth|openid)[-_]?(client[-_]?id|secret)[\\s:=]+[\"']?[a-zA-Z0-9\\-_=]{10,}[\"']?"
+        ],
+        "exclude_patterns": [
+          "(send|verify|update|register|reset).*password",
+          "password.*(reset|verify|update|first|time)"
+        ]
+      },
+      {
+        "name": "Base64 Encoded Secrets",
+        "severity": "medium",
+        "description": "Potentially encoded sensitive data",
+        "patterns": [
+          "(?:^|[\\s=:'\"])([A-Za-z0-9+\\/]{64,}={0,2})(?:[\\s'\";}]|$)"
+        ],
+        "exclude_patterns": [
+          "^[a-zA-Z0-9+\\/]*$",
+          "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
+          "(test|demo|example|sample|mock)",
+          "^\\/[a-zA-Z0-9\\/\\-_]+$",
+          "^[a-zA-Z0-9\\/\\-_\\.]+$",
+          "[a-zA-Z]+[a-zA-Z\\/\\-_]{20,}",
+          "[a-zA-Z]+Slice\\/",
+          "[a-zA-Z]+Company\\/",
+          "[a-zA-Z]+Management\\/",
+          "[a-zA-Z]+Component",
+          "[a-zA-Z]+Setting",
+          "[a-zA-Z]+Match",
+          "Selector$",
+          "Controller$",
+          "Service$",
+          "Api$",
+          "slice\\/",
+          "Component\\/",
+          "management\\/",
+          "company\\/",
+          "import.*from",
+          "require\\("
+        ]
+      },
+      {
+        "name": "Environment Variables",
+        "severity": "low",
+        "description": "Public environment variables that might leak info",
+        "patterns": [
+          "NEXT_PUBLIC_[A-Z0-9_]+[\\s:=]+[\"'][^\"']+[\"']",
+          "react_app_[A-Z0-9_]+[\\s:=]+[\"'][^\"']+[\"']"
+        ],
+        "exclude_patterns": [
+          "NODE_ENV|ENV|ENVIRONMENT|MODE|DEBUG"
+        ]
+      },
+      {
+        "name": "File Path Leaks",
+        "severity": "low", 
+        "description": "Sensitive file patterns",
+        "patterns": [
+          "^\\s*['\"]?\\.env(\\.[a-zA-Z0-9_]+)?['\"]?\\s*$",
+          "^\\s*['\"]?(secrets?|credentials?|private[-_]?keys?)\\.(json|ya?ml|ts|js)['\"]?\\s*$",
+          "^\\s*['\"]?(id_rsa|id_dsa|\\.pem|\\.p12|\\.pfx)['\"]?\\s*$"
+        ],
+        "exclude_patterns": [
+          "process\\.env\\.",
+          "import.*from",
+          "require\\(",
+          "NODE_ENV|ENVIRONMENT|MODE|DEBUG"
+        ]
+      }
+    ],
+    "global_exclude_patterns": [
+      "(test|mock|fake|dummy|placeholder)\\.(js|ts|jsx|tsx)$",
+      "\\.(test|spec|mock)\\.",
+      "__tests__|\\/tests?\\/|\\/spec\\/",
+      "process\\.env\\.",
+      "import.*from.*['\"]",
+      "require\\(['\"]"
+    ],
+    "min_length": 8,
+    "max_length": 1000
+  }
+}

package/rules/security/S027_no_hardcoded_secrets/categorized-analyzer.js

@@ -0,0 +1,250 @@
+const fs = require('fs');
+const path = require('path');
+
+class S027CategorizedAnalyzer {
+  constructor() {
+    this.ruleId = 'S027';
+    this.ruleName = 'No Hardcoded Secrets (Categorized)';
+    this.description = 'Phát hiện thông tin bảo mật theo categories với độ ưu tiên khác nhau';
+    
+    // Load categories config
+    this.config = this.loadConfig();
+    this.categories = this.config.categories;
+    this.globalExcludePatterns = this.config.global_exclude_patterns.map(p => new RegExp(p, 'i'));
+    this.minLength = this.config.min_length || 8;
+    this.maxLength = this.config.max_length || 1000;
+    
+    // Compile patterns for performance
+    this.compilePatterns();
+  }
+  
+  loadConfig() {
+    const configPath = path.join(__dirname, 'categories.json');
+    try {
+      const config = JSON.parse(fs.readFileSync(configPath, 'utf8'));
+      return config.S027;
+    } catch (error) {
+      console.error('Failed to load S027 categories config:', error.message);
+      return { categories: [], global_exclude_patterns: [] };
+    }
+  }
+  
+  compilePatterns() {
+    this.categories.forEach(category => {
+      category.compiledPatterns = category.patterns.map(p => ({
+        regex: new RegExp(p, 'gm'),
+        original: p
+      }));
+      
+      if (category.exclude_patterns) {
+        category.compiledExcludePatterns = category.exclude_patterns.map(p => new RegExp(p, 'i'));
+      }
+    });
+  }
+  
+  async analyze(files, language, options = {}) {
+    const violations = [];
+    this.currentFilePath = '';
+    
+    for (const filePath of files) {
+      // Skip build/dist/node_modules
+      if (this.shouldSkipFile(filePath)) {
+        continue;
+      }
+      
+      this.currentFilePath = filePath;
+      
+      try {
+        const content = fs.readFileSync(filePath, 'utf8');
+        const fileViolations = this.analyzeFile(content, filePath);
+        violations.push(...fileViolations);
+      } catch (error) {
+        if (options.verbose) {
+          console.error(`Error analyzing ${filePath}:`, error.message);
+        }
+      }
+    }
+    
+    return violations;
+  }
+  
+  shouldSkipFile(filePath) {
+    const skipPatterns = [
+      'build/', 'dist/', 'node_modules/', '.git/',
+      'coverage/', '.next/', '.cache/', 'tmp/',
+      '.lock', '.log', '.min.js', '.bundle.js'
+    ];
+    
+    return skipPatterns.some(pattern => filePath.includes(pattern));
+  }
+  
+  analyzeFile(content, filePath) {
+    const violations = [];
+    // Handle different line endings (Windows \r\n, Unix \n, Mac \r)
+    const lines = content.split(/\r?\n/);
+    
+    // Check if this is a test file for context
+    const isTestFile = this.isTestFile(filePath);
+    
+    lines.forEach((line, index) => {
+      const lineNumber = index + 1;
+      const trimmedLine = line.trim();
+      
+      // Skip comments and imports
+      if (this.isCommentOrImport(trimmedLine)) {
+        return;
+      }
+      
+      // Check global exclude patterns first
+      if (this.matchesGlobalExcludes(line)) {
+        return;
+      }
+      
+      // Check each category
+      this.categories.forEach(category => {
+        const categoryViolations = this.checkCategory(
+          category, line, lineNumber, filePath, isTestFile
+        );
+        violations.push(...categoryViolations);
+      });
+    });
+    
+    return violations;
+  }
+  
+  isTestFile(filePath) {
+    const testPatterns = [
+      /\.(test|spec)\./i,
+      /__tests__/i,
+      /\/tests?\//i,
+      /\/spec\//i,
+      /setupTests/i,
+      /testSetup/i,
+      /test[-_]/i,  // Matches test- or test_
+      /^.*\/test[^\/]*\.js$/i  // Matches files starting with test
+    ];
+    
+    return testPatterns.some(pattern => pattern.test(filePath));
+  }
+  
+  isCommentOrImport(line) {
+    return line.startsWith('//') || line.startsWith('/*') || 
+           line.startsWith('import') || line.startsWith('export') ||
+           line.startsWith('*') || line.startsWith('<');
+  }
+  
+  matchesGlobalExcludes(line) {
+    return this.globalExcludePatterns.some(pattern => pattern.test(line));
+  }
+  
+  checkCategory(category, line, lineNumber, filePath, isTestFile) {
+    const violations = [];
+    
+    category.compiledPatterns.forEach(({ regex, original }) => {
+      let match;
+      
+      // Reset regex lastIndex for global patterns
+      regex.lastIndex = 0;
+      
+      while ((match = regex.exec(line)) !== null) {
+        const matchedText = match[0];
+        const column = match.index + 1;
+        
+        // Check length constraints
+        if (matchedText.length < this.minLength || matchedText.length > this.maxLength) {
+          continue;
+        }
+        
+        // Check category-specific excludes
+        if (category.compiledExcludePatterns && 
+            category.compiledExcludePatterns.some(pattern => pattern.test(matchedText))) {
+          continue;
+        }
+        
+        // Be more lenient in test files for lower severity categories
+        // But still report critical/high severity issues even in test files
+        if (isTestFile && category.severity === 'low') {
+          continue;
+        }
+        
+        violations.push({
+          file: filePath,
+          line: lineNumber,
+          column: column,
+          message: `[${category.name}] Potential ${category.severity} security risk: '${matchedText}'. ${category.description}`,
+          severity: this.mapSeverity(category.severity),
+          ruleId: this.ruleId,
+          category: category.name,
+          categoryDescription: category.description,
+          matchedPattern: original,
+          matchedText: matchedText
+        });
+      }
+    });
+    
+    return violations;
+  }
+  
+  mapSeverity(categorySeverity) {
+    const severityMap = {
+      'critical': 'error',
+      'high': 'warning', 
+      'medium': 'warning',
+      'low': 'info'
+    };
+    
+    return severityMap[categorySeverity] || 'warning';
+  }
+  
+  // Method for getting category statistics
+  getCategoryStats(violations) {
+    const stats = {};
+    
+    violations.forEach(violation => {
+      const category = violation.category;
+      if (!stats[category]) {
+        stats[category] = {
+          count: 0,
+          severity: violation.severity,
+          files: new Set()
+        };
+      }
+      stats[category].count++;
+      stats[category].files.add(violation.file);
+    });
+    
+    // Convert Set to array for JSON serialization
+    Object.keys(stats).forEach(category => {
+      stats[category].files = Array.from(stats[category].files);
+      stats[category].fileCount = stats[category].files.length;
+    });
+    
+    return stats;
+  }
+  
+  // Method for filtering by category
+  filterByCategory(violations, categoryNames) {
+    if (!categoryNames || categoryNames.length === 0) {
+      return violations;
+    }
+    
+    return violations.filter(violation => 
+      categoryNames.includes(violation.category)
+    );
+  }
+  
+  // Method for filtering by severity
+  filterBySeverity(violations, minSeverity = 'info') {
+    const severityOrder = ['info', 'warning', 'error'];
+    const minIndex = severityOrder.indexOf(minSeverity);
+    
+    if (minIndex === -1) return violations;
+    
+    return violations.filter(violation => {
+      const violationIndex = severityOrder.indexOf(violation.severity);
+      return violationIndex >= minIndex;
+    });
+  }
+}
+
+module.exports = S027CategorizedAnalyzer;

package/scripts/prepare-release.sh

@@ -135,7 +135,7 @@ sunlint --rule=C006 --input=src --format=summary
 
 # TypeScript Analysis
 --typescript               # Enable TypeScript analysis
---typescript-engine <type> # Engine: eslint, sunlint, hybrid
+--typescript-engine <type> # Engine: eslint, heuristic, hybrid
 
 # Output Control
 --format <format>          # Output: eslint, json, summary, table