@sun-asterisk/sunlint 1.3.16 → 1.3.17

package/rules/common/C041_no_sensitive_hardcode/analyzer.js

@@ -1,292 +1,182 @@
-const fs = require('fs');
-const path = require('path');
+/**
+ * C041 Main Analyzer - Do not hardcode or push sensitive information
+ * Primary: Protect sensitive application data, avoid security risks, and comply with security standards. Exposing sensitive information can lead to serious security and privacy issues.
+ * Fallback: Regex-based for all other cases
+ * Purpose: Detect hardcoded sensitive information in source code
+ * Command: node cli.js --rules=C041 --input=examples/rule-test-fixtures/rules/C041_no_sensitive_hardcode  --engine=heuristic --verbose
+ */
+
+const C041SymbolBasedAnalyzer = require('./symbol-based-analyzer');
 
 class C041Analyzer {
-  constructor() {
+  constructor(options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [C041] Constructor called with options:`, !!options);
+      console.log(`🔧 [C041] Options type:`, typeof options, Object.keys(options || {}));
+    }
+
     this.ruleId = 'C041';
-    this.ruleName = 'No Hardcoded Sensitive Information';
-    this.description = 'Không hardcode hoặc push thông tin nhạy cảm vào repo';
-  }
+    this.ruleName = 'Do not hardcode or push sensitive information';
+    this.description = 'Protect sensitive application data, avoid security risks, and comply with security standards. Exposing sensitive information can lead to serious security and privacy issues.';
+    this.semanticEngine = options.semanticEngine || null;
+    this.verbose = options.verbose || false;
+
+    // Configuration
+    this.config = {
+      useSymbolBased: true,      // Primary approach
+      fallbackToRegex: false,     // Only when symbol fails completely
+      symbolBasedOnly: false     // Can be set to true for pure mode
+    };
 
-  async analyze(files, language, options = {}) {
-    const violations = [];
-    
-    for (const filePath of files) {
-      if (options.verbose) {
-        console.log(`🔍 Running C041 analysis on ${path.basename(filePath)}`);
-      }
-      
-      try {
-        const content = fs.readFileSync(filePath, 'utf8');
-        const fileViolations = await this.analyzeFile(filePath, content, language, options);
-        violations.push(...fileViolations);
-      } catch (error) {
-        console.warn(`⚠️ Failed to analyze ${filePath}: ${error.message}`);
+    // Initialize both analyzers
+    try {
+      this.symbolAnalyzer = new C041SymbolBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG) {
+        console.log(`🔧 [C041] Symbol analyzer created successfully`);
       }
+    } catch (error) {
+      console.error(`🔧 [C041] Error creating symbol analyzer:`, error);
     }
-    
-    return violations;
   }
 
-  async analyzeFile(filePath, content, language, config) {
-    switch (language) {
-      case 'typescript':
-      case 'javascript':
-        return this.analyzeTypeScript(filePath, content, config);
-      default:
-        return [];
+  /**
+   * Initialize with semantic engine
+   */
+  async initialize(semanticEngine = null) {
+    if (semanticEngine) {
+      this.semanticEngine = semanticEngine;
+    }
+    this.verbose = semanticEngine?.verbose || false;
+
+    // Initialize both analyzers
+    await this.symbolAnalyzer.initialize(semanticEngine);
+
+    // Ensure verbose flag is propagated
+    this.symbolAnalyzer.verbose = this.verbose;
+
+    if (this.verbose) {
+      console.log(`🔧 [C041 Hybrid] Analyzer initialized - verbose: ${this.verbose}`);
     }
   }
 
-  async analyzeTypeScript(filePath, content, config) {
+  async analyze(files, language, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [C041] analyze() method called with ${files.length} files, language: ${language}`);
+    }
+
     const violations = [];
-    const lines = content.split('\n');
 
-    lines.forEach((line, index) => {
-      const lineNumber = index + 1;
-      const trimmedLine = line.trim();
+    for (const filePath of files) {
+      try {
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [C041] Processing file: ${filePath}`);
+        }
+
+        const fileViolations = await this.analyzeFile(filePath, options);
+        violations.push(...fileViolations);
 
-      // Skip comments and imports
-      if (this.isCommentOrImport(trimmedLine)) {
-        return;
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [C041] File ${filePath}: Found ${fileViolations.length} violations`);
+        }
+      } catch (error) {
+        console.warn(`❌ [C041] Analysis failed for ${filePath}:`, error.message);
       }
+    }
 
-      // Find potential hardcoded sensitive values
-      const sensitiveMatches = this.findSensitiveHardcode(trimmedLine, line);
-      
-      sensitiveMatches.forEach(match => {
-        violations.push({
-          ruleId: this.ruleId,
-          file: filePath,
-          line: lineNumber,
-          column: match.column,
-          message: match.message,
-          severity: 'error',
-          code: trimmedLine,
-          type: match.type,
-          confidence: match.confidence,
-          suggestion: match.suggestion
-        });
-      });
-    });
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [C041] Total violations found: ${violations.length}`);
+    }
 
     return violations;
   }
 
-  isCommentOrImport(line) {
-    const trimmed = line.trim();
-    return trimmed.startsWith('//') || 
-           trimmed.startsWith('/*') || 
-           trimmed.startsWith('*') ||
-           trimmed.startsWith('import ') ||
-           trimmed.startsWith('export ');
-  }
-
-  findSensitiveHardcode(line, originalLine) {
-    const matches = [];
-    
-    // Skip template literals with variables - they are dynamic, not hardcoded
-    if (line.includes('${') || line.includes('`')) {
-      return matches;
-    }
-    
-    // Skip if line is clearly configuration, type definition, or UI-related
-    if (this.isConfigOrUIContext(line)) {
-      return matches;
+  async analyzeFile(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [C041] analyzeFile() called for: ${filePath}`);
     }
-    
-    // Look for suspicious patterns with better context awareness
-    const patterns = [
-      {
-        name: 'suspicious_password_variable',
-        regex: /(const|let|var)\s+\w*[Pp]ass[Ww]ord\w*\s*=\s*['"`]([^'"`]{4,})['"`]/g,
-        severity: 'error',
-        message: 'Potential hardcoded password in variable assignment',
-        suggestion: 'Move sensitive values to environment variables or secure config files'
-      },
-      {
-        name: 'suspicious_secret_variable',
-        regex: /(const|let|var)\s+\w*[Ss]ecret\w*\s*=\s*['"`]([^'"`]{6,})['"`]/g,
-        severity: 'error',
-        message: 'Potential hardcoded secret in variable assignment',
-        suggestion: 'Use environment variables for secrets'
-      },
-      {
-        name: 'suspicious_short_password',
-        regex: /(const|let|var)\s+(?!use)\w*([Pp]ass|[Dd]b[Pp]ass|[Aa]dmin)(?!word[A-Z])\w*\s*=\s*['"`]([^'"`]{4,})['"`]/g,
-        severity: 'error',
-        message: 'Potential hardcoded password or admin credential',
-        suggestion: 'Use environment variables for credentials'
-      },
-      {
-        name: 'api_key',
-        regex: /(const|let|var)\s+\w*[Aa]pi[Kk]ey\w*\s*=\s*['"`]([^'"`]{10,})['"`]/g,
-        severity: 'error',
-        message: 'Potential hardcoded API key detected',
-        suggestion: 'Use environment variables for API keys'
-      },
-      {
-        name: 'auth_token',
-        regex: /(const|let|var)\s+\w*[Tt]oken\w*\s*=\s*['"`]([^'"`]{16,})['"`]/g,
-        severity: 'error', 
-        message: 'Potential hardcoded authentication token detected',
-        suggestion: 'Store tokens in secure storage, not in source code'
-      },
-      {
-        name: 'database_url',
-        regex: /['"`](mongodb|mysql|postgres|redis):\/\/[^'"`]+['"`]/gi,
-        severity: 'error',
-        message: 'Hardcoded database connection string detected',
-        suggestion: 'Use environment variables for database connections'
-      },
-      {
-        name: 'suspicious_url',
-        regex: /['"`]https?:\/\/(?!localhost|127\.0\.0\.1|example\.com|test\.com|www\.w3\.org|www\.google\.com|googleapis\.com)[^'"`]{20,}['"`]/gi,
-        severity: 'warning',
-        message: 'Hardcoded external URL detected (consider configuration)',
-        suggestion: 'Consider moving URLs to configuration files'
-      }
-    ];
 
-    // Additional context-aware checks
-    patterns.forEach(pattern => {
-      let match;
-      while ((match = pattern.regex.exec(line)) !== null) {
-        // Skip false positives
-        if (this.isFalsePositive(line, match[0], pattern.name)) {
-          continue;
+    // 1. Try Symbol-based analysis first (primary)
+    if (this.config.useSymbolBased &&
+        this.semanticEngine?.project &&
+        this.semanticEngine?.initialized) {
+      try {
+        if (process.env.SUNLINT_DEBUG) {
+          console.log(`🔧 [C041] Trying symbol-based analysis...`);
         }
-
-        matches.push({
-          type: pattern.name,
-          column: match.index + 1,
-          message: pattern.message,
-          confidence: this.calculateConfidence(line, match[0], pattern.name),
-          suggestion: pattern.suggestion
-        });
+        const sourceFile = this.semanticEngine.project.getSourceFile(filePath);
+        if (sourceFile) {
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(`🔧 [C041] Source file found, analyzing with symbol-based...`);
+          }
+          const violations = await this.symbolAnalyzer.analyzeFileWithSymbols(filePath, { ...options, verbose: options.verbose });
+
+          // Mark violations with analysis strategy
+          violations.forEach(v => v.analysisStrategy = 'symbol-based');
+
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(`✅ [C041] Symbol-based analysis: ${violations.length} violations`);
+          }
+          return violations; // Return even if 0 violations - symbol analysis completed successfully
+        } else {
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(`⚠️ [C041] Source file not found in project`);
+          }
+        }
+      } catch (error) {
+        console.warn(`⚠️ [C041] Symbol analysis failed: ${error.message}`);
+        // Continue to fallback
       }
-    });
-
-    return matches;
-  }
+    } else {
+      if (process.env.SUNLINT_DEBUG) {
+        console.log(`🔄 [C041] Symbol analysis conditions check:`);
+        console.log(`  - useSymbolBased: ${this.config.useSymbolBased}`);
+        console.log(`  - semanticEngine: ${!!this.semanticEngine}`);
+        console.log(`  - semanticEngine.project: ${!!this.semanticEngine?.project}`);
+        console.log(`  - semanticEngine.initialized: ${this.semanticEngine?.initialized}`);
+        console.log(`🔄 [C041] Symbol analysis unavailable, using regex fallback`);
+      }
+    }
 
-  isConfigOrUIContext(line) {
-    const lowerLine = line.toLowerCase();
-    
-    // UI/Component contexts - likely false positives
-    const uiContexts = [
-      'inputtype', 'type:', 'type =', 'type:', 'inputtype=',
-      'routes =', 'route:', 'path:', 'routes:', 
-      'import {', 'export {', 'from ', 'import ',
-      'interface', 'type ', 'enum ',
-      'props:', 'defaultprops',
-      'schema', 'validator',
-      'hook', 'use', 'const use', 'import.*use',
-      // React/UI specific
-      'textinput', 'input ', 'field ', 'form',
-      'component', 'page', 'screen', 'modal',
-      // Route/navigation specific  
-      'navigation', 'route', 'path', 'url:', 'route:',
-      'setuppassword', 'resetpassword', 'forgotpassword',
-      'changepassword', 'confirmpassword'
-    ];
-    
-    return uiContexts.some(context => lowerLine.includes(context));
+    if (options?.verbose) {
+      console.log(`🔧 [C041] No analysis methods succeeded, returning empty`);
+    }
+    return [];
   }
 
-  isFalsePositive(line, matchedText, patternName) {
-    const lowerLine = line.toLowerCase();
-    const lowerMatch = matchedText.toLowerCase();
+  async analyzeFileBasic(filePath, options = {}) {
+    console.log(`🔧 [C041] analyzeFileBasic() called for: ${filePath}`);
+    console.log(`🔧 [C041] semanticEngine exists: ${!!this.semanticEngine}`);
+    console.log(`🔧 [C041] symbolAnalyzer exists: ${!!this.symbolAnalyzer}`);
 
-    // Global false positive indicators
-    const globalFalsePositives = [
-      'test', 'mock', 'example', 'demo', 'sample', 'placeholder', 'dummy', 'fake',
-      'xmlns', 'namespace', 'schema', 'w3.org', 'google.com', 'googleapis.com',
-      'error', 'message', 'missing', 'invalid', 'failed'
-    ];
+    try {
+      // Try symbol-based analysis first
+      if (this.semanticEngine?.isSymbolEngineReady?.() &&
+          this.semanticEngine.project) {
 
-    // Check if the line contains any global false positive indicators
-    const hasGlobalFalsePositive = globalFalsePositives.some(pattern => 
-      lowerLine.includes(pattern) || lowerMatch.includes(pattern)
-    );
-
-    if (hasGlobalFalsePositive) {
-      return true;
-    }
-
-    // Common false positive patterns
-    const falsePositivePatterns = {
-      'suspicious_password_variable': [
-        'inputtype', 'type:', 'type =', 'activation', 'forgot_password', 'reset_password',
-        'setup_password', 'route', 'path', 'hook', 'use', 'change', 'confirm',
-        'validation', 'component', 'page', 'screen', 'textinput', 'input',
-        'trigger', 'useeffect', 'password.*trigger', 'renewpassword'
-      ],
-      'suspicious_short_password': [
-        'inputtype', 'type:', 'type =', 'activation', 'forgot_password', 'reset_password',
-        'setup_password', 'route', 'path', 'hook', 'use', 'change', 'confirm',
-        'validation', 'component', 'page', 'screen', 'textinput'
-      ],
-      'suspicious_secret_variable': [
-        'component', 'props', 'state', 'hook', 'use'
-      ],
-      'suspicious_url': [
-        'localhost', '127.0.0.1', 'example.com', 'test.com', 'placeholder',
-        'mock', 'w3.org', 'google.com', 'recaptcha', 'googleapis.com'
-      ],
-      'api_key': [
-        'test-', 'mock-', 'example-', 'demo-', 'missing', 'error', 'message'
-      ]
-    };
-
-    const patterns = falsePositivePatterns[patternName] || [];
-    
-    // Check if line contains any pattern-specific false positive indicators
-    const hasPatternFalsePositive = patterns.some(pattern => 
-      lowerLine.includes(pattern) || lowerMatch.includes(pattern)
-    );
+        if (this.verbose) {
+          console.log(`🔍 [C041] Using symbol-based analysis for ${filePath}`);
+        }
 
-    // Special handling for password-related patterns
-    if (patternName === 'hardcoded_password') {
-      // Allow if it's clearly UI/component related
-      if (lowerLine.includes('input') || 
-          lowerLine.includes('field') || 
-          lowerLine.includes('form') ||
-          lowerLine.includes('component') ||
-          lowerLine.includes('type') ||
-          lowerLine.includes('route') ||
-          lowerLine.includes('path') ||
-          lowerMatch.includes('activation') ||
-          lowerMatch.includes('forgot_password') ||
-          lowerMatch.includes('reset_password') ||
-          lowerMatch.includes('setup_password')) {
-        return true;
+        const violations = await this.symbolAnalyzer.analyzeFileBasic(filePath, options);
+        return violations;
+      }
+    } catch (error) {
+      if (this.verbose) {
+        console.warn(`⚠️ [C041] Symbol analysis failed: ${error.message}`);
       }
     }
-
-    return hasPatternFalsePositive;
   }
 
-  calculateConfidence(line, match, patternName) {
-    let confidence = 0.8; // Base confidence
-    
-    // Reduce confidence for potential false positives
-    const lowerLine = line.toLowerCase();
-    
-    if (lowerLine.includes('test') || lowerLine.includes('mock') || lowerLine.includes('example')) {
-      confidence -= 0.3;
-    }
-
-    if (lowerLine.includes('const') || lowerLine.includes('let') || lowerLine.includes('var')) {
-      confidence += 0.1; // Variable assignments more likely to be hardcode
-    }
-
-    if (lowerLine.includes('type') || lowerLine.includes('component') || lowerLine.includes('props')) {
-      confidence -= 0.2; // UI-related less likely to be sensitive
-    }
+  /**
+   * Methods for compatibility with different engine invocation patterns
+   */
+  async analyzeFileWithSymbols(filePath, options = {}) {
+    return this.analyzeFile(filePath, options);
+  }
 
-    return Math.max(0.3, Math.min(1.0, confidence));
+  async analyzeWithSemantics(filePath, options = {}) {
+    return this.analyzeFile(filePath, options);
   }
 }
 
-module.exports = new C041Analyzer();
+module.exports = C041Analyzer;

package/rules/common/C041_no_sensitive_hardcode/config.json

@@ -0,0 +1,50 @@
+{
+  "id": "C041",
+  "name": "C041_do_not_hardcode_or_push_sensitive_information",
+  "category": "architecture",
+  "description": "C041 - Do not hardcode or push sensitive information (token, API key, secret, URL) into the repo",
+  "severity": "warning",
+  "enabled": true,
+  "semantic": {
+    "enabled": true,
+    "priority": "high",
+    "fallback": "heuristic"
+  },
+  "patterns": {
+    "include": [
+      "**/*.js",
+      "**/*.ts",
+      "**/*.jsx",
+      "**/*.tsx"
+    ],
+    "exclude": [
+      "**/*.test.*",
+      "**/*.spec.*",
+      "**/*.mock.*",
+      "**/test/**",
+      "**/tests/**",
+      "**/spec/**"
+    ]
+  },
+  "options": {
+    "strictMode": false,
+    "allowedDbMethods": [],
+    "repositoryPatterns": [
+      "*Repository*",
+      "*Repo*",
+      "*DAO*",
+      "*Store*"
+    ],
+    "servicePatterns": [
+      "*Service*",
+      "*UseCase*",
+      "*Handler*",
+      "*Manager*"
+    ],
+    "complexityThreshold": {
+      "methodLength": 200,
+      "cyclomaticComplexity": 5,
+      "nestedDepth": 3
+    }
+  }
+}