npm - @sun-asterisk/sunlint - Versions diffs - 1.3.0 → 1.3.2 - Mend

@sun-asterisk/sunlint 1.3.0 → 1.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (124) hide show

package/rules/security/S027_no_hardcoded_secrets/analyzer.js CHANGED Viewed

@@ -1,436 +1,250 @@
-/**
- * Heuristic analyzer for: S027 – No Hardcoded Secrets
- * Purpose: Prevent hardcoded passwords, API keys, secrets while avoiding false positives
- * Based on user feedback: avoid flagging state variables, route names, input types
- */
+const fs = require('fs');
+const path = require('path');
-class S027Analyzer {
+class S027CategorizedAnalyzer {
   constructor() {
     this.ruleId = 'S027';
-    this.ruleName = 'No Hardcoded Secrets';
-    this.description = 'Không để lộ thông tin bảo mật trong mã nguồn và Git';
+    this.ruleName = 'No Hardcoded Secrets (Categorized)';
+    this.description = 'Phát hiện thông tin bảo mật theo categories với độ ưu tiên khác nhau';
-    // Enhanced keywords that indicate sensitive information
-    this.sensitiveKeywords = [
-      'password', 'pass', 'pwd', 'secret', 'key', 'token',
-      'apikey', 'auth', 'credential', 'seed', 'salt',
-      // Enhanced patterns from roadmap
-      'access_token', 'refresh_token', 'id_token', 'bearer',
-      'client_secret', 'client_id', 'private_key', 'public_key',
-      'encryption_key', 'signing_key', 'session_key',
-      'database_password', 'db_password', 'db_pass',
-      'aws_secret', 'aws_key', 'github_token', 'slack_token',
-      'stripe_key', 'paypal_secret', 'oauth_secret'
-    ];
-    // Patterns that should NOT be flagged (based on user feedback)
-    this.allowedPatterns = [
-      // State variables and flags
-      /^(is|has|enable|show|display|visible|field|strength|valid)/i,
-      /^_(is|has|enable|show|display)/i,
-      // Route/path patterns
-      /\/(setup|forgot|reset|change|update)-?password/i,
-      /password\//i,
-      // Input type configurations
-      /type\s*[=:]\s*['"`]password['"`]/i,
-      /inputtype\s*[=:]\s*['"`]password['"`]/i,
-      // Function names and method calls
-      /^(validate|check|verify|calculate|generate|get|fetch|create)/i,
-      // Component/config properties
-      /^(token|auth|key)type$/i,
-      /enabled?$/i,
-    ];
-    // Patterns that indicate environment variables or dynamic values
-    this.dynamicPatterns = [
-      /process\.env\./i,
-      /getenv\s*\(/i,
-      /config\.get\s*\(/i,
-      /\(\)/i,  // Function calls
-      /await\s+/i,
-      /\.then\s*\(/i,
-    ];
+    // Load categories config
+    this.config = this.loadConfig();
+    this.categories = this.config.categories;
+    this.globalExcludePatterns = this.config.global_exclude_patterns.map(p => new RegExp(p, 'i'));
+    this.minLength = this.config.min_length || 8;
+    this.maxLength = this.config.max_length || 1000;
-    // Enhanced secret patterns based on roadmap
-    this.secretPatterns = [
-      // API Keys - Enhanced patterns
-      /(?:api[_-]?key|apikey)['":\s=]+['"]+([a-zA-Z0-9]{20,})['"]+/i,
-      /['"]+[A-Za-z0-9+\/]{40,}={0,2}['"]+/, // Base64 encoded
-      // JWT Tokens
-      /eyJ[A-Za-z0-9\-_=]+\.[A-Za-z0-9\-_=]+\.?[A-Za-z0-9\-_.+/=]*/,
-      // AWS Credentials
-      /AKIA[0-9A-Z]{16}/,
-      /['"]+[A-Za-z0-9\/+=]{40}['"]+/, // AWS Secret Key
-      // Database URLs with credentials
-      /(mongodb|mysql|postgres|redis):\/\/[^\/\s'"]+:[^\/\s'"]+@[^\/\s'"]+/,
-      // Private Keys
-      /-----BEGIN [A-Z ]+PRIVATE KEY-----/,
-      // GitHub Tokens
-      /gh[pousr]_[A-Za-z0-9_]{36}/,
-      // Slack Tokens
-      /xox[baprs]-[A-Za-z0-9-]+/,
-      // Bearer tokens
-      /^bearer\s+[a-zA-Z0-9+/=]{10,}$/i,
-      // Long alphanumeric strings that look like tokens/keys
-      /^[a-zA-Z0-9+/=]{20,}$/,
-      // API key prefixes
-      /^(sk|pk|api|key|token)[-_][a-zA-Z0-9]{10,}$/i,
-      // Common weak passwords (more flexible)
-      /^(admin|password|123|root|test|user|pass|secret|key|token)\d*$/i,
-      // Mixed alphanumeric secrets (6+ chars with both letters and numbers)
-      /^[a-zA-Z0-9]*[a-zA-Z][a-zA-Z0-9]*[0-9][a-zA-Z0-9]*$|^[a-zA-Z0-9]*[0-9][a-zA-Z0-9]*[a-zA-Z][a-zA-Z0-9]*$/,
-      // Secret-like strings with hyphens/underscores
-      /^[a-zA-Z0-9]+-[a-zA-Z0-9]+-[a-zA-Z0-9]+$/,
-      /^[a-zA-Z0-9]+_[a-zA-Z0-9]+_[a-zA-Z0-9]+$/,
-      // Generic password patterns
-      /^.{8,}[a-zA-Z0-9@#$%^&*()!]+$/,  // Complex passwords 8+ chars
-      // Tokens with specific formats
-      /^[a-f0-9]{32,}$/i,  // Hex tokens
-      /^[A-Z0-9]{16,}$/,   // Uppercase alphanumeric
-    ];
+    // Compile patterns for performance
+    this.compilePatterns();
   }
+  loadConfig() {
+    const configPath = path.join(__dirname, 'categories.json');
+    try {
+      const config = JSON.parse(fs.readFileSync(configPath, 'utf8'));
+      return config.S027;
+    } catch (error) {
+      console.error('Failed to load S027 categories config:', error.message);
+      return { categories: [], global_exclude_patterns: [] };
+    }
+  }
+  compilePatterns() {
+    this.categories.forEach(category => {
+      category.compiledPatterns = category.patterns.map(p => ({
+        regex: new RegExp(p, 'gm'),
+        original: p
+      }));
+      if (category.exclude_patterns) {
+        category.compiledExcludePatterns = category.exclude_patterns.map(p => new RegExp(p, 'i'));
+      }
+    });
+  }
   async analyze(files, language, options = {}) {
     const violations = [];
+    this.currentFilePath = '';
     for (const filePath of files) {
-      // Skip build directories, test files, and node_modules to reduce false positives
-      if (filePath.includes('build/') || filePath.includes('dist/') ||
-          filePath.includes('node_modules/') || filePath.includes('.next/') ||
-          filePath.includes('vendor/') || filePath.includes('coverage/') ||
-          filePath.includes('.test.') || filePath.includes('.spec.') ||
-          filePath.includes('test/') || filePath.includes('tests/') ||
-          filePath.includes('__tests__/') || filePath.includes('.mock.') ||
-          filePath.includes('mocks/') || filePath.includes('fixtures/')) {
+      // Skip build/dist/node_modules
+      if (this.shouldSkipFile(filePath)) {
         continue;
       }
+      this.currentFilePath = filePath;
       try {
-        const content = require('fs').readFileSync(filePath, 'utf8');
+        const content = fs.readFileSync(filePath, 'utf8');
         const fileViolations = this.analyzeFile(content, filePath);
         violations.push(...fileViolations);
       } catch (error) {
-        console.warn(`⚠️ Failed to analyze ${filePath}: ${error.message}`);
+        if (options.verbose) {
+          console.error(`Error analyzing ${filePath}:`, error.message);
+        }
       }
     }
     return violations;
   }
-  analyzeFile(content, filePath) {
-    const violations = [];
-    const lines = content.split('\n');
-    // Find variable declarations and assignments with sensitive names
-    const assignments = this.findSensitiveAssignments(lines);
-    // Find hardcoded secrets in string literals (new enhancement)
-    const stringSecrets = this.findSecretsInStrings(lines);
-    assignments.forEach(assignment => {
-      if (this.isHardcodedSecret(assignment)) {
-        violations.push({
-          file: filePath,
-          line: assignment.line,
-          column: assignment.column,
-          message: `Avoid hardcoding sensitive information such as '${assignment.variableName}'. Use secure storage instead.`,
-          severity: 'warning',
-          ruleId: this.ruleId,
-          type: 'hardcoded_secret',
-          variableName: assignment.variableName,
-          value: assignment.value
-        });
-      }
-    });
-    stringSecrets.forEach(secret => {
-      violations.push({
-        file: filePath,
-        line: secret.line,
-        column: secret.column,
-        message: `Potential hardcoded secret detected: '${secret.pattern}'. Use secure storage instead.`,
-        severity: 'warning',
-        ruleId: this.ruleId,
-        type: 'hardcoded_string_secret',
-        pattern: secret.pattern,
-        value: secret.value
-      });
-    });
+  shouldSkipFile(filePath) {
+    const skipPatterns = [
+      'build/', 'dist/', 'node_modules/', '.git/',
+      'coverage/', '.next/', '.cache/', 'tmp/',
+      '.lock', '.log', '.min.js', '.bundle.js'
+    ];
-    return violations;
+    return skipPatterns.some(pattern => filePath.includes(pattern));
   }
-  findSensitiveAssignments(lines) {
-    const assignments = [];
-    const processedLines = new Set(); // Avoid duplicates
+  analyzeFile(content, filePath) {
+    const violations = [];
+    // Handle different line endings (Windows \r\n, Unix \n, Mac \r)
+    const lines = content.split(/\r?\n/);
+    // Check if this is a test file for context
+    const isTestFile = this.isTestFile(filePath);
     lines.forEach((line, index) => {
+      const lineNumber = index + 1;
       const trimmedLine = line.trim();
-      const lineKey = `${index}:${trimmedLine}`;
-      // Skip comments, imports, and already processed lines
-      if (this.isCommentOrImport(trimmedLine) || processedLines.has(lineKey)) {
+      // Skip comments and imports
+      if (this.isCommentOrImport(trimmedLine)) {
         return;
       }
-      // Look for variable declarations: const/let/var name = "value"
-      const declMatch = trimmedLine.match(/(?:const|let|var)\s+([a-zA-Z_$][a-zA-Z0-9_$]*)\s*=\s*(['"`][^'"`]*['"`]|[^;,\n]+)/);
-      if (declMatch) {
-        const [, variableName, valueExpr] = declMatch;
-        if (this.hasSensitiveKeyword(variableName)) {
-          assignments.push({
-            line: index + 1,
-            column: line.indexOf(variableName) + 1,
-            variableName,
-            valueExpr: valueExpr.trim(),
-            value: this.extractStringValue(valueExpr),
-            type: 'declaration',
-            originalLine: line
-          });
-          processedLines.add(lineKey);
-        }
-      }
-      // Look for assignments: name = "value" (but not in declarations)
-      else {
-        const assignMatch = trimmedLine.match(/([a-zA-Z_$][a-zA-Z0-9_$]*)\s*=\s*(['"`][^'"`]*['"`]|[^;,\n]+)/);
-        if (assignMatch && !trimmedLine.match(/(?:const|let|var)\s/)) {
-          const [, variableName, valueExpr] = assignMatch;
-          if (this.hasSensitiveKeyword(variableName)) {
-            assignments.push({
-              line: index + 1,
-              column: line.indexOf(variableName) + 1,
-              variableName,
-              valueExpr: valueExpr.trim(),
-              value: this.extractStringValue(valueExpr),
-              type: 'assignment',
-              originalLine: line
-            });
-            processedLines.add(lineKey);
-          }
-        }
-      }
-    });
-    return assignments;
-  }
-  findSecretsInStrings(lines) {
-    const secrets = [];
-    lines.forEach((line, index) => {
-      const trimmedLine = line.trim();
-      // Skip comments, imports, and test files
-      if (this.isCommentOrImport(trimmedLine) || this.isTestFile(line)) {
+      // Check global exclude patterns first
+      if (this.matchesGlobalExcludes(line)) {
         return;
       }
-      // Extract all string literals from the line
-      const stringLiterals = this.extractStringLiterals(line);
-      stringLiterals.forEach(literal => {
-        // Check if string looks like a secret pattern
-        const secretPattern = this.detectSecretPattern(literal.value);
-        if (secretPattern) {
-          secrets.push({
-            line: index + 1,
-            column: literal.column,
-            pattern: secretPattern,
-            value: literal.value,
-            originalLine: line
-          });
-        }
+      // Check each category
+      this.categories.forEach(category => {
+        const categoryViolations = this.checkCategory(
+          category, line, lineNumber, filePath, isTestFile
+        );
+        violations.push(...categoryViolations);
       });
     });
-    return secrets;
+    return violations;
   }
-  extractStringLiterals(line) {
-    const literals = [];
-    const stringRegex = /(['"`])([^'"`]*)\1/g;
-    let match;
-    while ((match = stringRegex.exec(line)) !== null) {
-      const value = match[2];
-      if (value.length >= 6) { // Only check strings with reasonable length
-        literals.push({
-          value: value,
-          column: match.index + 1
-        });
-      }
-    }
+  isTestFile(filePath) {
+    const testPatterns = [
+      /\.(test|spec)\./i,
+      /__tests__/i,
+      /\/tests?\//i,
+      /\/spec\//i,
+      /setupTests/i,
+      /testSetup/i,
+      /test[-_]/i,  // Matches test- or test_
+      /^.*\/test[^\/]*\.js$/i  // Matches files starting with test
+    ];
-    return literals;
+    return testPatterns.some(pattern => pattern.test(filePath));
   }
-  detectSecretPattern(value) {
-    // Enhanced secret detection patterns
-    const advancedPatterns = [
-      { name: 'JWT Token', pattern: /^eyJ[A-Za-z0-9\-_=]+\.[A-Za-z0-9\-_=]+\.?[A-Za-z0-9\-_.+/=]*$/ },
-      { name: 'AWS Access Key', pattern: /^AKIA[0-9A-Z]{16}$/ },
-      { name: 'GitHub Token', pattern: /^gh[pousr]_[A-Za-z0-9_]{36}$/ },
-      { name: 'Slack Token', pattern: /^xox[baprs]-[A-Za-z0-9-]+$/ },
-      { name: 'Base64 Encoded', pattern: /^[A-Za-z0-9+\/]{40,}={0,2}$/ },
-      { name: 'Private Key', pattern: /-----BEGIN [A-Z ]+PRIVATE KEY-----/ },
-      { name: 'Database URL', pattern: /(mongodb|mysql|postgres|redis):\/\/[^\/\s'"]+:[^\/\s'"]+@[^\/\s'"]+/ },
-      { name: 'Long Hex Token', pattern: /^[a-f0-9]{32,}$/i },
-      { name: 'API Key Format', pattern: /^(sk|pk|api|key|token)[-_][a-zA-Z0-9]{10,}$/i },
-      // Removed overly aggressive Complex Password pattern
-    ];
-    for (const {name, pattern} of advancedPatterns) {
-      if (pattern.test(value)) {
-        return name;
-      }
-    }
-    return null;
+  isCommentOrImport(line) {
+    return line.startsWith('//') || line.startsWith('/*') ||
+           line.startsWith('import') || line.startsWith('export') ||
+           line.startsWith('*') || line.startsWith('<');
   }
-  isTestFile(line) {
-    const testIndicators = ['.spec.', '.test.', '__tests__', 'describe(', 'it(', 'test(', 'expect(', 'jest.', 'mock'];
-    return testIndicators.some(indicator => line.includes(indicator));
+  matchesGlobalExcludes(line) {
+    return this.globalExcludePatterns.some(pattern => pattern.test(line));
   }
-  findSecretsInStrings(lines) {
-    const secrets = [];
+  checkCategory(category, line, lineNumber, filePath, isTestFile) {
+    const violations = [];
-    lines.forEach((line, index) => {
-      const trimmedLine = line.trim();
-      // Skip comments, imports, and test files
-      if (this.isCommentOrImport(trimmedLine) || this.isTestFile(trimmedLine)) {
-        return;
-      }
+    category.compiledPatterns.forEach(({ regex, original }) => {
+      let match;
-      // Extract all string literals from the line
-      const stringLiterals = this.extractStringLiterals(line);
+      // Reset regex lastIndex for global patterns
+      regex.lastIndex = 0;
-      stringLiterals.forEach(literal => {
-        // Check if string looks like a secret pattern
-        const secretPattern = this.detectSecretPattern(literal.value);
-        if (secretPattern) {
-          secrets.push({
-            line: index + 1,
-            column: literal.column,
-            pattern: secretPattern,
-            value: literal.value,
-            originalLine: line
-          });
+      while ((match = regex.exec(line)) !== null) {
+        const matchedText = match[0];
+        const column = match.index + 1;
+        // Check length constraints
+        if (matchedText.length < this.minLength || matchedText.length > this.maxLength) {
+          continue;
         }
-      });
+        // Check category-specific excludes
+        if (category.compiledExcludePatterns &&
+            category.compiledExcludePatterns.some(pattern => pattern.test(matchedText))) {
+          continue;
+        }
+        // Be more lenient in test files for lower severity categories
+        // But still report critical/high severity issues even in test files
+        if (isTestFile && category.severity === 'low') {
+          continue;
+        }
+        violations.push({
+          file: filePath,
+          line: lineNumber,
+          column: column,
+          message: `[${category.name}] Potential ${category.severity} security risk: '${matchedText}'. ${category.description}`,
+          severity: this.mapSeverity(category.severity),
+          ruleId: this.ruleId,
+          category: category.name,
+          categoryDescription: category.description,
+          matchedPattern: original,
+          matchedText: matchedText
+        });
+      }
     });
-    return secrets;
-  }
-  hasSensitiveKeyword(variableName) {
-    const lowerName = variableName.toLowerCase();
-    return this.sensitiveKeywords.some(keyword => lowerName.includes(keyword));
-  }
-  isCommentOrImport(line) {
-    return line.startsWith('//') || line.startsWith('/*') ||
-           line.startsWith('import') || line.startsWith('export') ||
-           line.startsWith('*') || line.startsWith('<');
+    return violations;
   }
-  extractStringValue(valueExpr) {
-    // Extract string literal value
-    const stringMatch = valueExpr.match(/^(['"`])([^'"`]*)\1$/);
-    if (stringMatch) {
-      return stringMatch[2];
-    }
-    return null;
+  mapSeverity(categorySeverity) {
+    const severityMap = {
+      'critical': 'error',
+      'high': 'warning',
+      'medium': 'warning',
+      'low': 'info'
+    };
+    return severityMap[categorySeverity] || 'warning';
   }
-  isHardcodedSecret(assignment) {
-    const { variableName, value, valueExpr, originalLine } = assignment;
-    // 1. Skip if it looks like an allowed pattern (state variables, routes, etc.)
-    if (this.isAllowedPattern(variableName, originalLine)) {
-      return false;
-    }
-    // 2. Skip if value comes from environment or dynamic source
-    if (this.isDynamicValue(valueExpr)) {
-      return false;
-    }
+  // Method for getting category statistics
+  getCategoryStats(violations) {
+    const stats = {};
+    violations.forEach(violation => {
+      const category = violation.category;
+      if (!stats[category]) {
+        stats[category] = {
+          count: 0,
+          severity: violation.severity,
+          files: new Set()
+        };
+      }
+      stats[category].count++;
+      stats[category].files.add(violation.file);
+    });
-    // 3. Skip if no string value (e.g., boolean, function call)
-    if (!value) {
-      return false;
-    }
+    // Convert Set to array for JSON serialization
+    Object.keys(stats).forEach(category => {
+      stats[category].files = Array.from(stats[category].files);
+      stats[category].fileCount = stats[category].files.length;
+    });
-    // 4. Check if the value looks like a hardcoded secret
-    return this.looksLikeSecret(value);
+    return stats;
   }
-  isAllowedPattern(variableName, originalLine) {
-    const lowerName = variableName.toLowerCase();
-    const lowerLine = originalLine.toLowerCase();
-    // Check against allowed patterns
-    if (this.allowedPatterns.some(pattern => pattern.test(lowerName) || pattern.test(lowerLine))) {
-      return true;
-    }
-    // Remove comments before checking for paths to avoid false matches on "//"
-    const codeOnlyLine = lowerLine.replace(/\/\/.*$/, '').replace(/\/\*.*?\*\//g, '');
-    // Special case: route objects and paths (but not comments with //)
-    if (codeOnlyLine.includes('route') || codeOnlyLine.includes('path') ||
-        (codeOnlyLine.includes('/') && !lowerLine.includes('//'))) {
-      return true;
-    }
-    // Special case: React/component props
-    if (codeOnlyLine.includes('<') || codeOnlyLine.includes('inputtype') || codeOnlyLine.includes('type=')) {
-      return true;
+  // Method for filtering by category
+  filterByCategory(violations, categoryNames) {
+    if (!categoryNames || categoryNames.length === 0) {
+      return violations;
     }
-    return false;
-  }
-  isDynamicValue(valueExpr) {
-    return this.dynamicPatterns.some(pattern => pattern.test(valueExpr));
+    return violations.filter(violation =>
+      categoryNames.includes(violation.category)
+    );
   }
-  looksLikeSecret(value) {
-    // Skip very short values (likely not secrets)
-    if (value.length < 6) {
-      return false;
-    }
+  // Method for filtering by severity
+  filterBySeverity(violations, minSeverity = 'info') {
+    const severityOrder = ['info', 'warning', 'error'];
+    const minIndex = severityOrder.indexOf(minSeverity);
-    // Skip common non-secret values
-    const commonValues = ['password', 'bearer', 'basic', 'token', 'key', 'secret', 'admin', 'user'];
-    if (commonValues.includes(value.toLowerCase())) {
-      return false;
-    }
+    if (minIndex === -1) return violations;
-    // Check against secret patterns
-    return this.secretPatterns.some(pattern => pattern.test(value));
+    return violations.filter(violation => {
+      const violationIndex = severityOrder.indexOf(violation.severity);
+      return violationIndex >= minIndex;
+    });
   }
 }
-module.exports = S027Analyzer;
+module.exports = S027CategorizedAnalyzer;