npm - @sun-asterisk/sunlint - Versions diffs - 1.3.16 → 1.3.17 - Mend

@sun-asterisk/sunlint 1.3.16 → 1.3.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (50) hide show

package/rules/security/S010_no_insecure_encryption/analyzer.js CHANGED Viewed

@@ -1,492 +1,557 @@
 /**
- * Heuristic analyzer for S010 - Must use cryptographically secure random number generators (CSPRNG)
- * Purpose: Detect usage of insecure random number generators for security purposes
- * Based on OWASP A02:2021 - Cryptographic Failures
+ * S010 Analyzer using ts-morph for accurate AST-based analysis
+ * Detects insecure random usage in REAL security contexts only
+ *
+ * TRUE SECURITY CONTEXTS:
+ * - OTP generation
+ * - Token generation (session, reset, verify, magic link)
+ * - Password/API key generation
+ * - Security code generation
+ *
+ * NON-SECURITY (should NOT flag):
+ * - Filenames with timestamps
+ * - Log IDs
+ * - Request IDs (tracing)
+ * - Expiration time calculations
  */
+const { Project, SyntaxKind } = require('ts-morph');
+const fs = require('fs');
+const path = require('path');
 class S010Analyzer {
   constructor() {
     this.ruleId = 'S010';
-    this.ruleName = 'Must use cryptographically secure random number generators (CSPRNG)';
-    this.description = 'Detect usage of insecure random number generators for security purposes';
-    // Insecure random functions that should not be used for security
-    this.insecureRandomFunctions = [
-      // JavaScript/Node.js insecure random functions
-      'Math.random',
-      'Math.floor(Math.random',
-      'Math.ceil(Math.random',
-      'Math.round(Math.random',
-      // Common insecure patterns
-      'new Date().getTime()',
-      'Date.now()',
-      'performance.now()',
-      'process.hrtime()',
-      // Insecure libraries
-      'random-js',
-      'mersenne-twister',
-      'seedrandom',
-      // Browser APIs (when used for security)
-      'window.crypto.getRandomValues', // Actually secure, but context matters
-    ];
-    // Secure random functions (CSPRNG)
-    this.secureRandomFunctions = [
-      'crypto.randomBytes',
-      'crypto.randomUUID',
-      'crypto.randomInt',
-      'crypto.webcrypto.getRandomValues',
-      'window.crypto.getRandomValues',
-      'require("crypto").randomBytes',
-      'import("crypto").randomBytes',
-      'webcrypto.getRandomValues',
-      'sodium.randombytes_buf',
-      'forge.random.getBytesSync',
-      'nanoid',
-      'uuid.v4',
-      'uuidv4',
-    ];
-    // Security-related contexts where secure random is required
-    this.securityContextKeywords = [
-      // Authentication
-      'password', 'token', 'jwt', 'session', 'auth', 'login', 'signin',
-      'activation', 'verification', 'reset', 'recovery', 'otp', 'totp',
+    this.MIN_ENTROPY_BITS = 128;
+    this.MIN_ENTROPY_BYTES = 16;
+    // TRUE security keywords - only these contexts should trigger
+    this.securityKeywords = [
+      // Authentication & Authorization
+      'otp', 'totp', 'hotp',
+      'token', 'accesstoken', 'refreshtoken', 'authtoken',
+      'session', 'sessionid', 'sessid',
-      // Cryptography
-      'encrypt', 'decrypt', 'cipher', 'hash', 'salt', 'key', 'secret',
-      'nonce', 'iv', 'seed', 'entropy', 'random', 'secure',
+      // Password & Keys
+      'password', 'passwd', 'pwd',
+      'apikey', 'secretkey', 'privatekey',
+      'secret', // Generic secret
+      'salt', 'pepper',
-      // Security tokens
-      'csrf', 'xsrf', 'api_key', 'access_token', 'refresh_token',
-      'bearer', 'authorization', 'signature', 'certificate',
+      // Verification & Reset
+      'verify', 'verification', 'verifycode',
+      'reset', 'resettoken', 'passwordreset',
+      'confirm', 'confirmation', 'confirmcode',
+      'magiclink',
-      // Identifiers
-      'id', 'uuid', 'guid', 'code', 'pin', 'challenge',
+      // Security codes
+      'securitycode', 'authcode', 'verificationcode',
+      'pincode', 'pin',
-      // File/data security
-      'upload', 'filename', 'path', 'temp', 'cache'
+      // Encryption
+      'encrypt', 'cipher', 'iv', 'nonce',
+      'hmac', 'signature',
     ];
-    // Patterns that indicate insecure random usage
-    this.insecurePatterns = [
-      // Math.random() variations
-      /Math\.random\(\)/g,
-      /Math\.floor\s*\(\s*Math\.random\s*\(\s*\)\s*\*\s*\d+\s*\)/g,
-      /Math\.ceil\s*\(\s*Math\.random\s*\(\s*\)\s*\*\s*\d+\s*\)/g,
-      /Math\.round\s*\(\s*Math\.random\s*\(\s*\)\s*\*\s*\d+\s*\)/g,
-      // Date-based random (only when used for randomness, not timestamps)
-      /new\s+Date\(\)\.getTime\(\)/g,
-      /Date\.now\(\)/g,
-      /performance\.now\(\)/g,
-      // String-based insecure random
-      /Math\.random\(\)\.toString\(\d*\)\.substring\(\d+\)/g,
-      /Math\.random\(\)\.toString\(\d*\)\.slice\(\d+\)/g,
-      // Simple increment patterns (only in security contexts)
-      /\+\+\s*\w+|--\s*\w+|\w+\s*\+\+|\w+\s*--/g,
+    // EXCLUDE - these are NOT security contexts
+    this.nonSecurityKeywords = [
+      'filename', 'file', 'path', 'filepath',
+      'log', 'logging', 'trace', 'debug',
+      'request', 'requestid', 'traceid', 'correlationid',
+      'uuid', 'guid', // UUIDs are OK if properly generated
+      'timestamp', 'time', 'date',
+      'expire', 'expiration', 'ttl', 'timeout',
+      'zip', 'archive', 'backup',
+      'customer', 'user', 'temp', 'tmp',
     ];
-    // Patterns that should be excluded (safe contexts)
-    this.safePatterns = [
-      // Comments and documentation
-      /\/\/|\/\*|\*\/|@param|@return|@example/,
-      // Type definitions and interfaces
-      /interface|type|enum|class.*\{/i,
-      // Import/export statements
-      /import|export|require|module\.exports/i,
-      // Test files and demo code
-      /test|spec|demo|example|mock|fixture/i,
-      // Non-security contexts
-      /animation|ui|display|visual|game|chart|graph|color|theme/i,
-      // Configuration and constants
-      /const\s+\w+\s*=|enum\s+\w+|type\s+\w+/i,
-      // Safe usage patterns - UI/Animation/Game contexts
-      /Math\.random\(\).*(?:animation|ui|display|game|demo|test|chart|color|hue)/i,
-      /(?:animation|ui|display|game|demo|test|chart|color|hue).*Math\.random\(\)/i,
-      // Safe class/function contexts
-      /class\s+(?:UI|Game|Chart|Mock|Demo|Animation)/i,
-      /function\s+(?:get|generate|create).*(?:Color|Animation|Chart|Game|Mock|Demo)/i,
-      // Safe variable names
-      /(?:const|let|var)\s+(?:color|hue|delay|position|chart|game|mock|demo|animation)/i,
+    // Security function names - if variable is inside these functions, it's security context
+    this.securityFunctionNames = [
+      'generateotp', 'createotp', 'sendotp',
+      'generatetoken', 'createtoken', 'issuetoken',
+      'generatesession', 'createsession',
+      'generateapikey', 'createapikey',
+      'generatepassword', 'resetpassword', 'changepassword',
+      'generateverificationcode', 'createverificationcode',
+      'generatemagiclink', 'createmagiclink',
+      'generateresettoken', 'createresettoken',
+      'generatesecret', 'createsecret',
+      'encrypt', 'hash', 'sign',
     ];
-    // Function patterns that indicate security context
-    this.securityFunctionPatterns = [
-      /generate.*(?:token|key|id|code|password|salt|nonce|iv)/i,
-      /create.*(?:token|key|id|code|password|salt|nonce|iv)/i,
-      /make.*(?:token|key|id|code|password|salt|nonce|iv)/i,
-      /random.*(?:token|key|id|code|password|salt|nonce|iv)/i,
-      /(?:token|key|id|code|password|salt|nonce|iv).*generator/i,
-    ];
+    // Insecure patterns
+    this.insecurePatterns = {
+      mathRandom: ['Math.random'],
+      dateNow: ['Date.now', 'getTime'],
+      pythonRandom: ['random.random', 'random.randint', 'random.choice'],
+      javaRandom: ['new Random', 'Random.next'],
+      phpRandom: ['rand', 'mt_rand', 'uniqid'],
+    };
   }
   async analyze(files, language, options = {}) {
     const violations = [];
     for (const filePath of files) {
-      // Skip test files, build directories, and node_modules
-      if (this.shouldSkipFile(filePath)) {
-        continue;
-      }
       try {
-        const content = require('fs').readFileSync(filePath, 'utf8');
-        const fileViolations = this.analyzeFile(content, filePath, options);
+        const fileViolations = await this.analyzeFile(filePath);
         violations.push(...fileViolations);
       } catch (error) {
         if (options.verbose) {
-          console.warn(`⚠️ Failed to analyze ${filePath}: ${error.message}`);
+          console.error(`Error analyzing ${filePath}:`, error.message);
         }
       }
     }
     return violations;
   }
-  shouldSkipFile(filePath) {
-    const skipPatterns = [
-      'test/', 'tests/', '__tests__/', '.test.', '.spec.',
-      'node_modules/', 'build/', 'dist/', '.next/', 'coverage/',
-      'vendor/', 'mocks/', '.mock.'
-      // Removed 'fixtures/' to allow testing
-    ];
-    return skipPatterns.some(pattern => filePath.includes(pattern));
-  }
-  analyzeFile(content, filePath, options = {}) {
+  async analyzeFile(filePath) {
     const violations = [];
-    const lines = content.split('\n');
+    const ext = path.extname(filePath);
-    lines.forEach((line, index) => {
-      const lineNumber = index + 1;
-      const trimmedLine = line.trim();
-      // Skip comments, imports, and empty lines
-      if (this.shouldSkipLine(trimmedLine)) {
-        return;
-      }
-      // Check for insecure random usage in security context
-      const violation = this.checkForInsecureRandom(line, lineNumber, filePath, content);
-      if (violation) {
-        violations.push(violation);
-      }
+    // Only analyze JS/TS files with ts-morph
+    if (!['.js', '.jsx', '.ts', '.tsx'].includes(ext)) {
+      return violations;
+    }
+    const project = new Project();
+    const sourceFile = project.addSourceFileAtPath(filePath);
+    // Build function definition map for tracing
+    this.functionMap = this.buildFunctionMap(sourceFile);
+    // Find ALL variable declarations (including nested ones inside functions)
+    const allVarDecls = sourceFile.getDescendantsOfKind(SyntaxKind.VariableDeclaration);
+    allVarDecls.forEach(varDecl => {
+      const violation = this.checkVariableDeclaration(varDecl, filePath, sourceFile);
+      if (violation) violations.push(violation);
+    });
+    // Find all call expressions (function calls)
+    sourceFile.getDescendantsOfKind(SyntaxKind.CallExpression).forEach(call => {
+      const violation = this.checkCallExpression(call, filePath);
+      if (violation) violations.push(violation);
     });
     return violations;
   }
-  shouldSkipLine(line) {
-    // Skip comments, imports, and other non-code lines
-    return (
-      line.length === 0 ||
-      line.startsWith('//') ||
-      line.startsWith('/*') ||
-      line.startsWith('*') ||
-      line.startsWith('import ') ||
-      line.startsWith('export ') ||
-      line.startsWith('require(') ||
-      line.includes('module.exports')
-    );
-  }
-  checkForInsecureRandom(line, lineNumber, filePath, fullContent) {
-    const lowerLine = line.toLowerCase();
+  /**
+   * Build a map of function definitions to trace helper functions
+   * Includes imported functions from other files
+   */
+  buildFunctionMap(sourceFile) {
+    const functionMap = new Map();
+    // Get all function declarations in current file
+    sourceFile.getFunctions().forEach(func => {
+      const name = func.getName();
+      if (name) {
+        functionMap.set(name.toLowerCase(), func);
+      }
+    });
-    // First check if line contains safe patterns (early exit)
-    if (this.containsSafePattern(line)) {
-      return null;
-    }
+    // Get arrow functions assigned to variables
+    sourceFile.getVariableDeclarations().forEach(varDecl => {
+      const initializer = varDecl.getInitializer();
+      if (initializer &&
+          (initializer.getKind() === SyntaxKind.ArrowFunction ||
+           initializer.getKind() === SyntaxKind.FunctionExpression)) {
+        const name = varDecl.getName();
+        if (name) {
+          functionMap.set(name.toLowerCase(), initializer);
+        }
+      }
+    });
-    // Check for insecure random patterns
-    for (const pattern of this.insecurePatterns) {
-      const matches = [...line.matchAll(pattern)];
+    // Resolve imported functions from other files
+    this.resolveImportedFunctions(sourceFile, functionMap);
+    return functionMap;
+  }
+  /**
+   * Resolve imported functions from require() or import statements
+   */
+  resolveImportedFunctions(sourceFile, functionMap) {
+    const filePath = sourceFile.getFilePath();
+    const fileDir = path.dirname(filePath);
+    // Find all require/import statements
+    sourceFile.getDescendantsOfKind(SyntaxKind.CallExpression).forEach(callExpr => {
+      const expr = callExpr.getExpression();
-      for (const match of matches) {
-        // Special handling for Date.now() - check if it's legitimate timestamp usage
-        if (match[0].includes('Date.now()') && this.isLegitimateTimestampUsage(line)) {
-          continue; // Skip this match
-        }
-        // Check if this usage is in a security context
-        if (this.isInSecurityContext(line, fullContent, lineNumber)) {
-          const column = match.index + 1;
+      // Check if it's require('...')
+      if (expr.getText() === 'require') {
+        const args = callExpr.getArguments();
+        if (args.length > 0) {
+          const importPath = args[0].getText().replace(/['"]/g, '');
-          return {
-            ruleId: this.ruleId,
-            severity: 'error',
-            message: 'Must use cryptographically secure random number generators (CSPRNG) for security purposes. Math.random() and similar functions are not secure.',
-            line: lineNumber,
-            column: column,
-            filePath: filePath,
-            type: 'insecure_random_usage',
-            details: this.getSecureAlternatives(match[0]),
-            insecureFunction: match[0]
-          };
+          // Only resolve relative imports
+          if (importPath.startsWith('./') || importPath.startsWith('../')) {
+            try {
+              const resolvedPath = this.resolveImportPath(importPath, fileDir);
+              if (fs.existsSync(resolvedPath)) {
+                const importedFunctions = this.extractFunctionsFromFile(resolvedPath);
+                // Get imported names
+                const parent = callExpr.getParent();
+                if (parent.getKind() === SyntaxKind.VariableDeclaration) {
+                  const varName = parent.getFirstChildByKind(SyntaxKind.Identifier)?.getText();
+                  if (varName && importedFunctions.has(varName.toLowerCase())) {
+                    functionMap.set(varName.toLowerCase(), importedFunctions.get(varName.toLowerCase()));
+                  }
+                  // Handle destructuring: const { randomString } = require(...)
+                  const bindingPattern = parent.getFirstChildByKind(SyntaxKind.ObjectBindingPattern);
+                  if (bindingPattern) {
+                    bindingPattern.getElements().forEach(element => {
+                      const name = element.getName();
+                      if (name && importedFunctions.has(name.toLowerCase())) {
+                        functionMap.set(name.toLowerCase(), importedFunctions.get(name.toLowerCase()));
+                      }
+                    });
+                  }
+                }
+              }
+            } catch (error) {
+              // Silently skip import resolution errors
+            }
+          }
         }
       }
+    });
+  }
+  /**
+   * Resolve import path to absolute file path
+   */
+  resolveImportPath(importPath, baseDir) {
+    let resolved = path.resolve(baseDir, importPath);
+    // Try with .js extension
+    if (!fs.existsSync(resolved)) {
+      resolved = resolved + '.js';
     }
-    // Check for insecure function calls
-    const insecureFunctionViolation = this.checkInsecureFunctionCall(line, lineNumber, filePath, fullContent);
-    if (insecureFunctionViolation) {
-      return insecureFunctionViolation;
+    // Try with .ts extension
+    if (!fs.existsSync(resolved)) {
+      resolved = resolved.replace(/\.js$/, '.ts');
     }
-    return null;
-  }
-  containsSafePattern(line) {
-    return this.safePatterns.some(pattern => pattern.test(line));
+    return resolved;
   }
-  isInSecurityContext(line, fullContent, lineNumber) {
-    const lowerLine = line.toLowerCase();
-    const lowerContent = fullContent.toLowerCase();
-    // First check if this is explicitly a non-security context
-    if (this.isNonSecurityContext(line, fullContent, lineNumber)) {
-      return false;
-    }
-    // Check if line contains security keywords
-    const hasSecurityKeyword = this.securityContextKeywords.some(keyword =>
-      lowerLine.includes(keyword)
-    );
-    if (hasSecurityKeyword) {
-      return true;
+  /**
+   * Extract function definitions from an external file
+   */
+  extractFunctionsFromFile(filePath) {
+    const functionMap = new Map();
+    try {
+      const project = new Project();
+      const sourceFile = project.addSourceFileAtPath(filePath);
+      // Get exported functions
+      sourceFile.getFunctions().forEach(func => {
+        const name = func.getName();
+        if (name) {
+          functionMap.set(name.toLowerCase(), func);
+        }
+      });
+      // Get exported arrow functions
+      sourceFile.getVariableDeclarations().forEach(varDecl => {
+        const initializer = varDecl.getInitializer();
+        if (initializer &&
+            (initializer.getKind() === SyntaxKind.ArrowFunction ||
+             initializer.getKind() === SyntaxKind.FunctionExpression)) {
+          const name = varDecl.getName();
+          if (name) {
+            functionMap.set(name.toLowerCase(), initializer);
+          }
+        }
+      });
+    } catch (error) {
+      // Silently skip errors
     }
-    // Check function context (look at function name)
-    const functionContext = this.getFunctionContext(fullContent, lineNumber);
-    if (functionContext && this.isSecurityFunction(functionContext)) {
-      return true;
-    }
+    return functionMap;
+  }
+  /**
+   * Check if a function contains insecure random usage
+   */
+  functionContainsInsecureRandom(funcNode) {
+    if (!funcNode) return false;
+    const funcText = funcNode.getText();
+    return this.hasInsecureRandomUsage(funcText);
+  }
+  checkVariableDeclaration(varDecl, filePath, sourceFile) {
+    const varName = varDecl.getName().toLowerCase();
+    const initializer = varDecl.getInitializer();
-    // Check variable context
-    const variableContext = this.getVariableContext(line);
-    if (variableContext && this.isSecurityVariable(variableContext)) {
-      return true;
-    }
+    if (!initializer) return null;
-    // Check surrounding lines for context
-    const contextLines = this.getSurroundingLines(fullContent, lineNumber, 3);
-    const contextHasSecurityKeywords = this.securityContextKeywords.some(keyword =>
-      contextLines.some(contextLine => contextLine.toLowerCase().includes(keyword))
-    );
+    const lineNum = varDecl.getStartLineNumber();
-    return contextHasSecurityKeywords;
-  }
-  isNonSecurityContext(line, fullContent, lineNumber) {
-    const lowerLine = line.toLowerCase();
-    // Check for UI/Game/Animation contexts
-    const nonSecurityKeywords = [
-      'animation', 'ui', 'display', 'visual', 'game', 'chart', 'graph',
-      'color', 'theme', 'hue', 'rgb', 'hsl', 'position', 'coordinate',
-      'mock', 'demo', 'test', 'example', 'sample', 'fixture'
-    ];
+    // Check if variable name indicates security context
+    const isSecurityVar = this.isSecurityVariableName(varName);
+    const isNonSecurityVar = this.isNonSecurityVariableName(varName);
-    if (nonSecurityKeywords.some(keyword => lowerLine.includes(keyword))) {
-      return true;
+    // If explicitly non-security, skip
+    if (isNonSecurityVar) {
+      return null;
     }
-    // Check class context
-    const classContext = this.getClassContext(fullContent, lineNumber);
-    if (classContext) {
-      const lowerClassName = classContext.toLowerCase();
-      if (nonSecurityKeywords.some(keyword => lowerClassName.includes(keyword))) {
-        return true;
-      }
-    }
+    // Check if initializer uses insecure random directly
+    let hasInsecureRandom = this.hasInsecureRandomUsage(initializer.getText());
+    let traceInfo = null;
-    // Check function context
-    const functionContext = this.getFunctionContext(fullContent, lineNumber);
-    if (functionContext) {
-      const lowerFunctionName = functionContext.toLowerCase();
-      if (nonSecurityKeywords.some(keyword => lowerFunctionName.includes(keyword))) {
-        return true;
+    // If no direct insecure random but security context, trace function calls
+    if (!hasInsecureRandom && isSecurityVar && initializer.getKind() === SyntaxKind.CallExpression) {
+      const callExpr = initializer;
+      const functionName = callExpr.getExpression().getText();
+      // Check if this function contains insecure random
+      const funcDef = this.functionMap?.get(functionName.toLowerCase());
+      if (funcDef && this.functionContainsInsecureRandom(funcDef)) {
+        hasInsecureRandom = true;
+        traceInfo = {
+          helperFunction: functionName,
+          message: `calls helper function "${functionName}()" which uses insecure random`
+        };
       }
     }
-    return false;
-  }
-  getClassContext(content, lineNumber) {
-    const lines = content.split('\n');
-    // Look backwards for class declaration
-    for (let i = lineNumber - 1; i >= Math.max(0, lineNumber - 20); i--) {
-      const line = lines[i];
-      const classMatch = line.match(/class\s+(\w+)/);
-      if (classMatch) {
-        return classMatch[1];
-      }
-    }
+    if (!hasInsecureRandom) return null;
-    return null;
-  }
-  checkInsecureFunctionCall(line, lineNumber, filePath, fullContent) {
-    // Look for specific insecure function patterns
-    const mathRandomMatch = line.match(/(Math\.random\(\))/);
-    if (mathRandomMatch && this.isInSecurityContext(line, fullContent, lineNumber)) {
+    // Check if inside security function context (even if variable name is generic)
+    const isInSecurityFunction = this.isInSecurityFunctionContext(varDecl);
+    if (hasInsecureRandom && (isSecurityVar || isInSecurityFunction)) {
+      let reason;
+      if (traceInfo) {
+        // Traced through helper function
+        reason = `Variable "${varDecl.getName()}" ${traceInfo.message}`;
+      } else if (isSecurityVar) {
+        reason = `Variable "${varDecl.getName()}" uses insecure random for security purpose.`;
+      } else {
+        reason = `Variable "${varDecl.getName()}" inside security function uses insecure random.`;
+      }
       return {
         ruleId: this.ruleId,
         severity: 'error',
-        message: 'Math.random() is not cryptographically secure. Use crypto.randomBytes() or crypto.randomInt() for security purposes.',
-        line: lineNumber,
-        column: mathRandomMatch.index + 1,
+        message: `${reason} Use crypto.randomBytes() or crypto.randomUUID().`,
+        line: varDecl.getStartLineNumber(),
+        column: varDecl.getStart(),
         filePath: filePath,
-        type: 'math_random_insecure',
-        details: 'Consider using: crypto.randomBytes(), crypto.randomInt(), crypto.randomUUID(), or nanoid() for secure random generation.',
-        insecureFunction: mathRandomMatch[1]
+        context: varName,
+        ...(traceInfo && { helperFunction: traceInfo.helperFunction })
       };
     }
-    // Check for Date-based random, but exclude legitimate timestamp usage
-    const dateRandomMatch = line.match(/(Date\.now\(\)|new\s+Date\(\)\.getTime\(\))/);
-    if (dateRandomMatch && this.isInSecurityContext(line, fullContent, lineNumber)) {
-      // Check if this is legitimate timestamp usage (JWT iat/exp, logging, etc.)
-      if (this.isLegitimateTimestampUsage(line)) {
-        return null;
+    return null;
+  }
+  checkCallExpression(call, filePath) {
+    const callText = call.getText();
+    // Check if it's Math.random() or Date.now()
+    if (!this.hasInsecureRandomUsage(callText)) {
+      return null;
+    }
+    // Get the context where this call is used
+    const parent = call.getParent();
+    const grandParent = parent?.getParent();
+    // Check property assignment: { token: Math.random() }
+    if (parent.getKind() === SyntaxKind.PropertyAssignment) {
+      const propName = parent.getChildAtIndex(0).getText().toLowerCase();
+      if (this.isSecurityVariableName(propName) && !this.isNonSecurityVariableName(propName)) {
+        return {
+          ruleId: this.ruleId,
+          severity: 'error',
+          message: `Property "${propName}" uses insecure random for security purpose.`,
+          line: call.getStartLineNumber(),
+          column: call.getStart(),
+          filePath: filePath,
+          context: propName,
+        };
       }
+    }
+    // Check variable declaration
+    if (grandParent?.getKind() === SyntaxKind.VariableDeclaration) {
+      const varName = grandParent.getChildAtIndex(0).getText().toLowerCase();
-      return {
-        ruleId: this.ruleId,
-        severity: 'warning',
-        message: 'Using timestamp for random generation is predictable and insecure.',
-        line: lineNumber,
-        column: dateRandomMatch.index + 1,
-        filePath: filePath,
-        type: 'timestamp_random_insecure',
-        details: 'Consider using crypto.randomBytes() or crypto.randomUUID() for secure random generation.',
-        insecureFunction: dateRandomMatch[1]
-      };
+      if (this.isSecurityVariableName(varName) && !this.isNonSecurityVariableName(varName)) {
+        return {
+          ruleId: this.ruleId,
+          severity: 'error',
+          message: `Variable "${varName}" uses insecure random for security purpose.`,
+          line: call.getStartLineNumber(),
+          column: call.getStart(),
+          filePath: filePath,
+          context: varName,
+        };
+      }
     }
     return null;
   }
-  isLegitimateTimestampUsage(line) {
-    // Check for legitimate timestamp usage patterns
-    const legitimatePatterns = [
-      // JWT timestamp fields - more flexible matching
-      /\b(?:iat|exp|nbf)\s*:\s*Math\.floor\s*\(\s*Date\.now\(\)\s*\/\s*1000\s*\)/,
-      /Math\.floor\s*\(\s*Date\.now\(\)\s*\/\s*1000\s*\).*(?:iat|exp|nbf)/i,
-      // JWT timestamp with arithmetic
-      /Math\.floor\s*\(\s*Date\.now\(\)\s*\/\s*1000\s*\)\s*[\+\-]\s*\d+/,
-      // Logging timestamps
-      /timestamp\s*:\s*Date\.now\(\)/i,
-      /createdAt\s*:\s*new\s+Date\(\)/i,
-      /updatedAt\s*:\s*new\s+Date\(\)/i,
-      // Expiration times
-      /expiresAt\s*:\s*new\s+Date\s*\(\s*Date\.now\(\)/i,
-      /expiry\s*:\s*Date\.now\(\)/i,
-      // Performance measurement
-      /performance\.now\(\)/,
+  isSecurityVariableName(name) {
+    const normalized = name.toLowerCase().replace(/[_\-]/g, '');
+    return this.securityKeywords.some(keyword =>
+      normalized.includes(keyword.toLowerCase())
+    );
+  }
+  isNonSecurityVariableName(name) {
+    const normalized = name.toLowerCase().replace(/[_\-]/g, '');
+    return this.nonSecurityKeywords.some(keyword =>
+      normalized.includes(keyword.toLowerCase())
+    );
+  }
+  isInSecurityFunctionContext(node) {
+    // Walk up the AST to find parent function
+    let current = node.getParent();
+    while (current) {
+      const kind = current.getKind();
-      // Date arithmetic (not for randomness)
-      /Date\.now\(\)\s*[\+\-]\s*\d+/,
-      /new\s+Date\s*\(\s*Date\.now\(\)\s*[\+\-]/,
+      // Check if it's a function declaration or arrow function
+      if (kind === SyntaxKind.FunctionDeclaration ||
+          kind === SyntaxKind.ArrowFunction ||
+          kind === SyntaxKind.FunctionExpression) {
+        // Get function name
+        let funcName = '';
+        if (kind === SyntaxKind.FunctionDeclaration) {
+          const nameNode = current.getNameNode();
+          funcName = nameNode ? nameNode.getText() : '';
+        } else {
+          // For arrow functions, check if assigned to a variable
+          const parent = current.getParent();
+          if (parent && parent.getKind() === SyntaxKind.VariableDeclaration) {
+            const nameNode = parent.getNameNode();
+            funcName = nameNode ? nameNode.getText() : '';
+          }
+        }
+        if (funcName) {
+          const normalizedFuncName = funcName.toLowerCase().replace(/[_\-]/g, '');
+          // Check if function name matches security patterns
+          const isSecurityFunc = this.securityFunctionNames.some(keyword =>
+            normalizedFuncName.includes(keyword)
+          );
+          if (isSecurityFunc) {
+            return true;
+          }
+        }
+      }
-      // JWT context - check for jwt, token, payload keywords nearby
-      /(?:jwt|token|payload).*Date\.now\(\)/i,
-      /Date\.now\(\).*(?:jwt|token|payload)/i,
-    ];
+      current = current.getParent();
+    }
-    return legitimatePatterns.some(pattern => pattern.test(line));
+    return false;
   }
-  getFunctionContext(content, lineNumber) {
-    const lines = content.split('\n');
-    // Look backwards for function declaration
-    for (let i = lineNumber - 1; i >= Math.max(0, lineNumber - 10); i--) {
-      const line = lines[i];
-      const functionMatch = line.match(/(?:function\s+(\w+)|(?:const|let|var)\s+(\w+)\s*=\s*(?:async\s+)?\w*\s*(?:function\s*)?|\s*(\w+)\s*[:=]\s*(?:async\s+)?(?:function|\w*\s*=>))/);
-      if (functionMatch) {
-        return functionMatch[1] || functionMatch[2] || functionMatch[3];
-      }
+  hasInsecureRandomUsage(text) {
+    // Check for Math.random()
+    if (/Math\.random\s*\(/.test(text)) {
+      return true;
     }
-    return null;
-  }
-  isSecurityFunction(functionName) {
-    if (!functionName) return false;
+    // Check for Date.now() or getTime() when used for randomness (not timestamp)
+    // Only flag if used with toString(36) or similar encoding
+    if (/Date\.now\s*\(\).*\.toString\s*\(/.test(text)) {
+      return true;
+    }
-    const lowerFunctionName = functionName.toLowerCase();
-    return this.securityFunctionPatterns.some(pattern => pattern.test(lowerFunctionName)) ||
-           this.securityContextKeywords.some(keyword => lowerFunctionName.includes(keyword));
-  }
-  getVariableContext(line) {
-    // Extract variable name from assignment
-    const assignmentMatch = line.match(/(?:const|let|var)\s+([a-zA-Z_$][a-zA-Z0-9_$]*)\s*=/);
-    if (assignmentMatch) {
-      return assignmentMatch[1];
+    if (/getTime\s*\(\).*\.toString\s*\(/.test(text)) {
+      return true;
     }
-    // Extract property assignment
-    const propertyMatch = line.match(/(\w+)\s*[:=]/);
-    if (propertyMatch) {
-      return propertyMatch[1];
+    // Check for timestamp-based patterns with encoding
+    // Pattern: btoa(+new Date), btoa(Date.now()), etc.
+    if (/btoa\s*\(\s*\+\s*new\s+Date/.test(text)) {
+      return true;
     }
-    return null;
-  }
-  isSecurityVariable(variableName) {
-    if (!variableName) return false;
+    if (/btoa\s*\(\s*Date\.now/.test(text)) {
+      return true;
+    }
-    const lowerVariableName = variableName.toLowerCase();
-    return this.securityContextKeywords.some(keyword => lowerVariableName.includes(keyword));
-  }
-  getSurroundingLines(content, lineNumber, range) {
-    const lines = content.split('\n');
-    const start = Math.max(0, lineNumber - range - 1);
-    const end = Math.min(lines.length, lineNumber + range);
+    // Check for +new Date (unary plus operator on Date)
+    // This converts Date to timestamp, similar to Date.now()
+    if (/\+\s*new\s+Date.*\.(?:toString|slice|substr|substring)/.test(text)) {
+      return true;
+    }
-    return lines.slice(start, end);
+    // Check for new Date().getTime() with encoding
+    if (/new\s+Date\s*\(\s*\)\.getTime\s*\(\).*\.toString/.test(text)) {
+      return true;
+    }
+    // Check for Buffer.from() with timestamp or Math.random
+    // Pattern: Buffer.from(String(Date.now())).toString('base64')
+    if (/Buffer\.from\s*\(.*(?:Date\.now|getTime|\+\s*new\s+Date|Math\.random).*\)\.toString\s*\(/.test(text)) {
+      return true;
+    }
+    // Check for btoa() with Math.random
+    if (/btoa\s*\(.*Math\.random/.test(text)) {
+      return true;
+    }
+    // Check for performance.now() - High-resolution timestamp (also predictable)
+    if (/performance\.now\s*\(\)/.test(text)) {
+      return true;
+    }
+    // Check for process.pid (low entropy - predictable process ID)
+    if (/process\.pid\b/.test(text)) {
+      return true;
+    }
+    // Check for process.hrtime() - High-resolution time (timestamp-based)
+    if (/process\.hrtime(?:\.bigint)?\s*\(/.test(text)) {
+      return true;
+    }
+    return false;
   }
-  getSecureAlternatives(insecureFunction) {
+  getSecureAlternatives(language = 'javascript') {
     const alternatives = {
-      'Math.random()': 'crypto.randomBytes(), crypto.randomInt(), or crypto.randomUUID()',
-      'Date.now()': 'crypto.randomBytes() or crypto.randomUUID()',
-      'new Date().getTime()': 'crypto.randomBytes() or crypto.randomUUID()',
-      'performance.now()': 'crypto.randomBytes() or crypto.randomUUID()'
+      javascript: [
+        'crypto.randomBytes(16).toString("hex")',
+        'crypto.randomUUID()',
+        'crypto.randomInt(100000, 999999) // for OTP',
+      ],
+      python: [
+        'secrets.token_hex(16)',
+        'secrets.token_urlsafe(16)',
+        'secrets.randbelow(900000) + 100000 # for OTP',
+      ],
     };
-    return alternatives[insecureFunction] || 'Use crypto.randomBytes(), crypto.randomInt(), or crypto.randomUUID() for secure random generation.';
-  }
-  findPatternColumn(line, pattern) {
-    const match = pattern.exec(line);
-    return match ? match.index + 1 : 1;
+    return alternatives[language] || alternatives.javascript;
   }
 }