npm - @sun-asterisk/sunlint - Versions diffs - 1.3.0 → 1.3.2 - Mend

@sun-asterisk/sunlint 1.3.0 → 1.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (124) hide show

package/rules/security/S007_no_plaintext_otp/semantic-config.json ADDED Viewed

@@ -0,0 +1,195 @@
+{
+  "ruleId": "S007",
+  "name": "No Plaintext OTP (Semantic Analysis)",
+  "category": "security",
+  "severity": "error",
+  "type": "semantic",
+  "description": "Detects plaintext OTP storage and transmission using semantic analysis with Symbol Table",
+  "analysis": {
+    "engine": "semantic",
+    "strategy": "symbol-table",
+    "crossFileAnalysis": true,
+    "requiresTypeChecker": false,
+    "cacheResults": true,
+    "timeout": 30000,
+    "maxFiles": 1000
+  },
+  "scope": {
+    "fileTypes": [".ts", ".tsx", ".js", ".jsx"],
+    "excludePatterns": [
+      "**/test/**",
+      "**/tests/**",
+      "**/__tests__/**",
+      "**/*.test.*",
+      "**/*.spec.*",
+      "**/node_modules/**",
+      "**/build/**",
+      "**/dist/**"
+    ]
+  },
+  "semanticPatterns": {
+    "otpVariables": {
+      "patterns": [
+        "^(otp|totp|hotp)$",
+        "^(one_?time|onetime)_?(password|pass|code)$",
+        "^(auth|verification|sms|temp|security|access|login)_?code$",
+        "^(two_?factor|2fa|mfa)_?(token|code)$",
+        "^pin_?code$"
+      ],
+      "caseInsensitive": true
+    },
+    "otpFunctions": {
+      "patterns": [
+        "^(generate|create|store|save|send|validate|verify)_?otp$",
+        "^otp_?(generate|create|store|save|send|validate|verify)$",
+        "^(generate|create|store|save|send|validate|verify)_?(auth|verification|sms|temp|security|access|login)_?code$",
+        "^send_?(sms|email|auth)_?code$"
+      ],
+      "methodNames": [
+        "sendOtp", "storeOtp", "saveOtp", "generateOtp", "verifyOtp",
+        "sendSmsCode", "sendAuthCode", "storeAuthCode", "saveAuthCode"
+      ]
+    },
+    "dangerousOperations": {
+      "storage": [
+        "save", "store", "insert", "update", "create", "persist",
+        "collection.insertOne", "collection.updateOne", "db.save",
+        "redis.set", "redis.hset", "cache.put", "cache.set"
+      ],
+      "transmission": [
+        "send", "emit", "post", "put", "response.json", "res.send",
+        "email.send", "sms.send", "notify", "broadcast"
+      ],
+      "browserStorage": [
+        "localStorage.setItem", "sessionStorage.setItem",
+        "localStorage.set", "sessionStorage.set"
+      ],
+      "logging": [
+        "console.log", "console.debug", "console.info",
+        "logger.info", "logger.debug", "log.info"
+      ]
+    },
+    "safeOperations": [
+      "bcrypt.hash", "crypto.createHash", "crypto.createHmac",
+      "hash", "encrypt", "cipher", "secure", "pbkdf2",
+      "scrypt", "argon2", "aes.encrypt", "rsa.encrypt"
+    ]
+  },
+  "violations": {
+    "types": {
+      "semantic_otp_variable_usage": {
+        "severity": "error",
+        "message": "OTP variable used in {context} without encryption",
+        "suggestion": "Encrypt or hash OTP values before {context}"
+      },
+      "semantic_otp_function_call": {
+        "severity": "warning",
+        "message": "Function may handle OTP in plaintext",
+        "suggestion": "Ensure OTP values are encrypted before processing"
+      },
+      "semantic_plaintext_otp_argument": {
+        "severity": "error",
+        "message": "Potential plaintext OTP passed to {operation}",
+        "suggestion": "Encrypt or hash OTP values before storage/transmission"
+      },
+      "semantic_method_chain_otp": {
+        "severity": "error",
+        "message": "Method chain exposes OTP in plaintext",
+        "suggestion": "Use secure methods for OTP handling in method chains"
+      },
+      "semantic_data_flow_violation": {
+        "severity": "error",
+        "message": "OTP flows to unsafe operation without encryption",
+        "suggestion": "Ensure OTP is encrypted before reaching this operation"
+      },
+      "semantic_cross_file_otp_violation": {
+        "severity": "warning",
+        "message": "Imported OTP symbol used unsafely",
+        "suggestion": "Ensure consistent OTP security across file boundaries"
+      }
+    },
+    "severityMapping": {
+      "storage": "error",
+      "transmission": "error",
+      "browser_storage": "warning",
+      "logging": "warning",
+      "unknown_dangerous": "info"
+    }
+  },
+  "dataFlow": {
+    "enabled": true,
+    "maxDistance": 20,
+    "trackAcrossFiles": true,
+    "trackThroughCallbacks": true,
+    "trackAsyncFlows": true
+  },
+  "performance": {
+    "symbolTableCaching": true,
+    "maxAnalysisDepth": 10,
+    "maxCrossFileReferences": 100,
+    "timeoutPerFile": 5000
+  },
+  "reporting": {
+    "includeSymbolContext": true,
+    "includeCrossFileReferences": true,
+    "includeDataFlowPath": true,
+    "includeCodeSnippets": true,
+    "confidenceThreshold": 0.7
+  },
+  "examples": {
+    "violations": [
+      {
+        "description": "Direct OTP storage",
+        "code": "const otp = generateOtp(); await user.save({ otp });",
+        "reason": "OTP variable flows directly to storage operation"
+      },
+      {
+        "description": "OTP in response",
+        "code": "return response.json({ authCode, success: true });",
+        "reason": "OTP variable included in API response"
+      },
+      {
+        "description": "Method chain violation",
+        "code": "this.otpCode.save();",
+        "reason": "OTP flows through method chain to unsafe operation"
+      }
+    ],
+    "safePatterns": [
+      {
+        "description": "Encrypted storage",
+        "code": "const hashedOtp = await bcrypt.hash(otp, 10); await user.save({ hashedOtp });",
+        "reason": "OTP is hashed before storage"
+      },
+      {
+        "description": "Secure transmission",
+        "code": "const encrypted = encrypt(otp, key); await send(encrypted);",
+        "reason": "OTP is encrypted before transmission"
+      }
+    ]
+  },
+  "metadata": {
+    "version": "1.0.0",
+    "lastUpdated": "2024-01-20",
+    "author": "SunLint Security Team",
+    "references": [
+      "OWASP A02:2021 - Cryptographic Failures",
+      "NIST SP 800-63B - Authentication Guidelines",
+      "RFC 6238 - TOTP: Time-Based One-Time Password Algorithm"
+    ],
+    "tags": ["security", "authentication", "otp", "encryption", "semantic"]
+  }
+}

package/rules/security/S007_no_plaintext_otp/semantic-wrapper.js ADDED Viewed

@@ -0,0 +1,280 @@
+/**
+ * S007 Semantic Wrapper
+ * Integrates S007SemanticAnalyzer with HeuristicEngine
+ * Provides compatibility layer between semantic analysis and existing framework
+ */
+const S007SemanticAnalyzer = require('./semantic-analyzer');
+const SemanticRuleBase = require('../../../core/semantic-rule-base');
+class S007SemanticWrapper extends SemanticRuleBase {
+  constructor(options = {}) {
+    super('S007', {
+      category: 'security',
+      severity: 'error',
+      description: 'Detects plaintext OTP storage and transmission using semantic analysis',
+      crossFileAnalysis: true,
+      requiresTypeChecker: false,
+      cacheResults: true,
+      ...options
+    });
+    this.semanticAnalyzer = new S007SemanticAnalyzer('S007');
+    this.verbose = options.verbose || false;
+  }
+  /**
+   * Initialize with semantic engine
+   */
+  async initialize(semanticEngine) {
+    await super.initialize(semanticEngine);
+    // Initialize the semantic analyzer
+    await this.semanticAnalyzer.initialize(semanticEngine);
+    if (this.verbose) {
+      console.log(`🧠 S007SemanticWrapper initialized with semantic engine`);
+    }
+  }
+  /**
+   * Analyze single file using semantic analysis
+   */
+  async analyzeFile(filePath, options = {}) {
+    if (this.verbose) {
+      console.log(`🧠 S007: Analyzing ${filePath} with semantic analysis`);
+    }
+    try {
+      // Delegate to semantic analyzer
+      await this.semanticAnalyzer.analyzeFile(filePath, options);
+      // Get violations from semantic analyzer
+      const semanticViolations = this.semanticAnalyzer.getViolations();
+      // Add violations to our collection
+      for (const violation of semanticViolations) {
+        this.addViolation(violation);
+      }
+      // Clear violations from semantic analyzer for next file
+      this.semanticAnalyzer.clearViolations();
+      if (this.verbose && semanticViolations.length > 0) {
+        console.log(`🧠 S007: Found ${semanticViolations.length} semantic violations in ${filePath}`);
+      }
+    } catch (error) {
+      console.error(`❌ S007: Semantic analysis failed for ${filePath}:`, error.message);
+      // Fallback to regex analysis if semantic fails
+      if (options.fallbackToRegex !== false) {
+        await this.fallbackToRegexAnalysis(filePath, options);
+      }
+    }
+  }
+  /**
+   * Fallback to regex analysis if semantic analysis fails
+   */
+  async fallbackToRegexAnalysis(filePath, options) {
+    try {
+      if (this.verbose) {
+        console.log(`⚠️ S007: Falling back to regex analysis for ${filePath}`);
+      }
+      // Use the existing regex analyzer as fallback
+      const RegexAnalyzer = require('./analyzer');
+      const regexAnalyzer = new RegexAnalyzer();
+      const regexViolations = await regexAnalyzer.analyze([filePath], 'typescript', options);
+      // Add regex violations with lower confidence
+      for (const violation of regexViolations) {
+        this.addViolation({
+          ...violation,
+          analysisMethod: 'regex_fallback',
+          confidence: 0.7, // Lower confidence for fallback
+          source: 'regex_analyzer'
+        });
+      }
+      if (this.verbose && regexViolations.length > 0) {
+        console.log(`🔧 S007: Found ${regexViolations.length} regex violations (fallback) in ${filePath}`);
+      }
+    } catch (fallbackError) {
+      console.error(`❌ S007: Fallback analysis also failed for ${filePath}:`, fallbackError.message);
+    }
+  }
+  /**
+   * Get supported file types
+   */
+  isValidFileType(filePath) {
+    const supportedExtensions = ['.ts', '.tsx', '.js', '.jsx'];
+    const path = require('path');
+    const ext = path.extname(filePath);
+    return supportedExtensions.includes(ext);
+  }
+  /**
+   * Enhanced violation adding with semantic context
+   */
+  addViolation(violation) {
+    const enhancedViolation = {
+      ...violation,
+      // Add semantic metadata
+      analysisEngine: 'semantic',
+      analysisMethod: violation.analysisMethod || 'semantic',
+      confidence: violation.confidence || 0.9,
+      timestamp: Date.now(),
+      // Ensure required fields
+      ruleId: this.ruleId,
+      category: this.config.category,
+      severity: violation.severity || this.config.severity,
+      // Add semantic-specific fields
+      semanticContext: violation.symbolContext || {},
+      crossFileReferences: violation.crossFileReferences || [],
+      dataFlowAnalysis: violation.dataFlowAnalysis || null,
+      // Enhanced suggestions for semantic violations
+      suggestion: this.enhanceSemanticSuggestion(violation),
+      // Code context
+      codeSnippet: violation.codeSnippet || null,
+      // Metadata
+      metadata: {
+        engineVersion: '3.0',
+        analysisType: 'semantic',
+        symbolTableUsed: true,
+        crossFileAnalysis: this.config.crossFileAnalysis,
+        ...violation.metadata
+      }
+    };
+    super.addViolation(enhancedViolation);
+  }
+  /**
+   * Enhance suggestions with semantic context
+   */
+  enhanceSemanticSuggestion(violation) {
+    const baseSuggestion = violation.suggestion || 'Ensure OTP security best practices';
+    // Add context-specific suggestions based on semantic analysis
+    const contextSuggestions = [];
+    if (violation.symbolContext) {
+      const context = violation.symbolContext;
+      if (context.operation) {
+        contextSuggestions.push(`Consider replacing '${context.operation}' with a secure alternative`);
+      }
+      if (context.dataFlow && context.dataFlow.length > 1) {
+        contextSuggestions.push('Review the data flow path to identify where encryption should be applied');
+      }
+      if (context.crossFileReferences && context.crossFileReferences.length > 0) {
+        contextSuggestions.push('Ensure security measures are consistent across all files using this OTP symbol');
+      }
+    }
+    // Combine base suggestion with context-specific suggestions
+    if (contextSuggestions.length > 0) {
+      return `${baseSuggestion}. Additional recommendations: ${contextSuggestions.join('; ')}.`;
+    }
+    return baseSuggestion;
+  }
+  /**
+   * Generate analysis report with semantic insights
+   */
+  generateReport() {
+    const baseReport = super.generateReport();
+    // Add semantic-specific statistics
+    const semanticStats = this.calculateSemanticStats();
+    return {
+      ...baseReport,
+      semanticAnalysis: {
+        enabled: true,
+        symbolTableUsed: true,
+        crossFileAnalysisPerformed: this.config.crossFileAnalysis,
+        dataFlowAnalysisPerformed: true,
+        statistics: semanticStats
+      }
+    };
+  }
+  /**
+   * Calculate semantic analysis statistics
+   */
+  calculateSemanticStats() {
+    const violations = this.getViolations();
+    const stats = {
+      totalViolations: violations.length,
+      violationsByType: {},
+      violationsByContext: {},
+      averageConfidence: 0,
+      crossFileViolations: 0,
+      dataFlowViolations: 0
+    };
+    // Analyze violation types and contexts
+    for (const violation of violations) {
+      // Count by type
+      const type = violation.type || 'unknown';
+      stats.violationsByType[type] = (stats.violationsByType[type] || 0) + 1;
+      // Count by context
+      if (violation.symbolContext && violation.symbolContext.usageContext) {
+        const context = violation.symbolContext.usageContext;
+        stats.violationsByContext[context] = (stats.violationsByContext[context] || 0) + 1;
+      }
+      // Count cross-file violations
+      if (violation.crossFileReferences && violation.crossFileReferences.length > 0) {
+        stats.crossFileViolations++;
+      }
+      // Count data flow violations
+      if (violation.dataFlowAnalysis) {
+        stats.dataFlowViolations++;
+      }
+    }
+    // Calculate average confidence
+    if (violations.length > 0) {
+      const totalConfidence = violations.reduce((sum, v) => sum + (v.confidence || 0.9), 0);
+      stats.averageConfidence = totalConfidence / violations.length;
+    }
+    return stats;
+  }
+  /**
+   * Cleanup semantic resources
+   */
+  async cleanup() {
+    if (this.semanticAnalyzer && typeof this.semanticAnalyzer.cleanup === 'function') {
+      await this.semanticAnalyzer.cleanup();
+    }
+    await super.cleanup();
+    if (this.verbose) {
+      console.log(`🧠 S007SemanticWrapper cleanup completed`);
+    }
+  }
+}
+module.exports = S007SemanticWrapper;

package/rules/security/S009_no_insecure_encryption/README.md ADDED Viewed

@@ -0,0 +1,158 @@
+# S009 - No Insecure Encryption Modes, Padding, or Cryptographic Algorithms
+## Overview
+This rule detects the usage of insecure cryptographic algorithms, cipher modes, and padding schemes that are vulnerable to various attacks and should not be used in production code.
+## Rule Details
+**Rule ID**: S009
+**Category**: Security
+**Severity**: Error
+**Engine**: Heuristic
+**OWASP**: A02:2021 - Cryptographic Failures
+**CWE**: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
+## Detected Vulnerabilities
+### Insecure Symmetric Encryption Algorithms
+- **DES** (Data Encryption Standard) - 56-bit key, easily broken
+- **3DES/TripleDES** - Deprecated, vulnerable to Sweet32 attack
+- **RC2** - Weak key schedule, vulnerable to related-key attacks
+- **RC4** - Stream cipher with biases, deprecated
+- **Blowfish** - Small block size, vulnerable to birthday attacks
+### Insecure Cipher Modes
+- **ECB** (Electronic Codebook) - Reveals patterns in plaintext
+- **No encryption mode specified** - May default to insecure modes
+### Insecure Hash Algorithms
+- **MD2, MD4, MD5** - Vulnerable to collision attacks
+- **SHA1** - Deprecated, collision attacks demonstrated
+- **RIPEMD-128/160** - Weaker alternatives to SHA family
+### Insecure Padding Schemes
+- **PKCS#1 v1.5** - Vulnerable to padding oracle attacks
+- **No padding** - Can lead to information leakage
+### Insecure Key Derivation Functions
+- **PBKDF1** - Limited output length, weak
+- **Simple hash-based KDFs** - Vulnerable to dictionary attacks
+## Examples
+### ❌ Violations
+```typescript
+// Node.js crypto module violations
+const cipher = crypto.createCipher('des', key);
+const hash = crypto.createHash('md5');
+const decipher = crypto.createDecipher('rc4', key);
+// CryptoJS violations
+const encrypted = CryptoJS.DES.encrypt(data, key);
+const hash = CryptoJS.MD5(data);
+const encrypted = CryptoJS.mode.ECB;
+// Java violations
+Cipher cipher = Cipher.getInstance("DES/ECB/PKCS5Padding");
+MessageDigest md = MessageDigest.getInstance("MD5");
+// .NET violations
+var des = new DESCryptoServiceProvider();
+var md5 = MD5.Create();
+// Configuration violations
+const config = {
+  algorithm: 'des',
+  hash: 'md5',
+  cipher: 'rc4'
+};
+```
+### ✅ Secure Alternatives
+```typescript
+// Secure Node.js crypto usage
+const cipher = crypto.createCipher('aes-256-gcm', key);
+const hash = crypto.createHash('sha256');
+const decipher = crypto.createDecipher('aes-256-cbc', key);
+// Secure CryptoJS usage
+const encrypted = CryptoJS.AES.encrypt(data, key);
+const hash = CryptoJS.SHA256(data);
+const encrypted = CryptoJS.mode.GCM;
+// Secure Java usage
+Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
+MessageDigest md = MessageDigest.getInstance("SHA-256");
+// Secure .NET usage
+var aes = new AesCryptoServiceProvider();
+var sha256 = SHA256.Create();
+// Secure configuration
+const config = {
+  algorithm: 'aes-256-gcm',
+  hash: 'sha256',
+  cipher: 'aes-256-cbc'
+};
+```
+## Supported Languages
+- **JavaScript/TypeScript** - Node.js crypto, CryptoJS
+- **Java** - javax.crypto, java.security
+- **C#/.NET** - System.Security.Cryptography
+- **Python** - cryptography, hashlib
+- **Go** - crypto packages
+- **Configuration files** - JSON, YAML, XML
+## Detection Patterns
+The rule uses heuristic analysis to detect:
+1. **Direct API calls** with insecure algorithms
+2. **Configuration settings** specifying weak crypto
+3. **String literals** containing algorithm names
+4. **Variable assignments** with insecure values
+5. **Method chaining** with crypto operations
+## False Positive Prevention
+The rule excludes:
+- **Comments and documentation**
+- **Import/export statements**
+- **Test files and mock data**
+- **Educational/example code**
+- **Variable names** (not actual usage)
+- **Safe algorithm mentions** in secure contexts
+## Remediation
+### For Symmetric Encryption
+- Use **AES-256** with secure modes (GCM, CBC)
+- Ensure proper **initialization vectors** (IVs)
+- Use **authenticated encryption** when possible
+### For Hashing
+- Use **SHA-256** or stronger (SHA-384, SHA-512)
+- For passwords, use **bcrypt**, **scrypt**, or **Argon2**
+- Avoid hashing for integrity without HMAC
+### For Asymmetric Encryption
+- Use **RSA-2048** or stronger, or **ECC P-256+**
+- Use **OAEP padding** for RSA encryption
+- Use **PSS padding** for RSA signatures
+### For Key Derivation
+- Use **PBKDF2** with high iteration counts (100,000+)
+- Consider **scrypt** or **Argon2** for better security
+- Use proper **salt** values
+## References
+- [OWASP Cryptographic Storage Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html)
+- [NIST Cryptographic Standards](https://csrc.nist.gov/projects/cryptographic-standards-and-guidelines)
+- [RFC 8018 - PKCS #5: Password-Based Cryptography Specification](https://tools.ietf.org/html/rfc8018)