npm - @sun-asterisk/sunlint - Versions diffs - 1.3.16 → 1.3.17 - Mend

@sun-asterisk/sunlint 1.3.16 → 1.3.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (50) hide show

package/rules/security/S014_tls_version_enforcement/README.md ADDED Viewed

@@ -0,0 +1,354 @@
+# S014 - Enforce TLS 1.2 or 1.3 Only
+## 📋 Overview
+**Rule ID:** S014
+**Category:** Security
+**Severity:** Error
+**Enabled:** Yes
+Ensures that only secure TLS versions (1.2 or 1.3) are used in HTTPS server configurations and client connections. Detects usage of insecure SSL/TLS versions (SSLv2, SSLv3, TLS 1.0, TLS 1.1) which have known vulnerabilities.
+---
+## 🎯 Detection Scope
+### Insecure TLS/SSL Versions ❌
+| Version     | Status      | Reason                                          |
+| ----------- | ----------- | ----------------------------------------------- |
+| **SSLv2**   | ❌ Insecure | Deprecated (RFC 6176), multiple vulnerabilities |
+| **SSLv3**   | ❌ Insecure | POODLE attack (CVE-2014-3566)                   |
+| **TLS 1.0** | ❌ Insecure | BEAST attack, deprecated by PCI DSS             |
+| **TLS 1.1** | ❌ Insecure | Weak ciphers, deprecated by major browsers      |
+### Secure TLS Versions ✅
+| Version     | Status    | Recommendation              |
+| ----------- | --------- | --------------------------- |
+| **TLS 1.2** | ✅ Secure | Minimum recommended version |
+| **TLS 1.3** | ✅ Secure | Latest, most secure version |
+---
+## 🔍 What This Rule Detects
+### 1. HTTPS Server Configuration
+```typescript
+// ❌ BAD: Using TLS 1.0
+https.createServer(
+  {
+    minVersion: "TLSv1", // Insecure!
+    cert: cert,
+    key: key,
+  },
+  app
+);
+// ✅ GOOD: Using TLS 1.2+
+https.createServer(
+  {
+    minVersion: "TLSv1.2", // Secure
+    cert: cert,
+    key: key,
+  },
+  app
+);
+```
+### 2. Secure Protocol Settings
+```typescript
+// ❌ BAD: Using SSLv3
+const options = {
+  secureProtocol: "SSLv3_method", // Insecure!
+};
+// ✅ GOOD: Using TLS 1.2
+const options = {
+  secureProtocol: "TLSv1_2_method", // Secure
+};
+```
+### 3. Client Configuration
+```typescript
+// ❌ BAD: axios with TLS 1.0
+const agent = new https.Agent({
+  minVersion: "TLSv1", // Insecure!
+});
+// ✅ GOOD: axios with TLS 1.2+
+const agent = new https.Agent({
+  minVersion: "TLSv1.2", // Secure
+});
+```
+### 4. Framework-Specific Configuration
+#### Express.js
+```typescript
+// ❌ BAD
+const server = https.createServer(
+  {
+    secureProtocol: "TLSv1_method", // Insecure!
+  },
+  app
+);
+// ✅ GOOD
+const server = https.createServer(
+  {
+    minVersion: "TLSv1.2", // Secure
+  },
+  app
+);
+```
+#### Next.js (next.config.js)
+```javascript
+// ❌ BAD
+module.exports = {
+  server: {
+    https: {
+      minVersion: "TLSv1.0", // Insecure!
+    },
+  },
+};
+// ✅ GOOD
+module.exports = {
+  server: {
+    https: {
+      minVersion: "TLSv1.2", // Secure
+    },
+  },
+};
+```
+#### NestJS
+```typescript
+// ❌ BAD
+const httpsOptions = {
+  secureProtocol: "SSLv3_method", // Insecure!
+};
+// ✅ GOOD
+const httpsOptions = {
+  minVersion: "TLSv1.2", // Secure
+};
+```
+---
+## 🚨 Security Impact
+### Critical Vulnerabilities
+| Attack         | Affected Versions | CVE           |
+| -------------- | ----------------- | ------------- |
+| **POODLE**     | SSLv3             | CVE-2014-3566 |
+| **BEAST**      | TLS 1.0           | CVE-2011-3389 |
+| **CRIME**      | TLS 1.0/1.1       | CVE-2012-4929 |
+| **BREACH**     | TLS 1.0/1.1       | CVE-2013-3587 |
+| **Heartbleed** | TLS 1.0/1.1       | CVE-2014-0160 |
+### Compliance Requirements
+- ✅ **PCI DSS 3.2+:** Requires TLS 1.2+ (TLS 1.0/1.1 banned)
+- ✅ **NIST SP 800-52:** Recommends TLS 1.2+ only
+- ✅ **HIPAA:** Requires strong encryption (TLS 1.2+)
+- ✅ **GDPR:** Requires appropriate security measures
+---
+## 📝 Examples
+### Server Configuration
+#### ❌ Violations
+```typescript
+// Violation 1: SSLv3
+const server = https.createServer(
+  {
+    secureProtocol: "SSLv3_method",
+  },
+  app
+);
+// Violation 2: TLS 1.0
+const options = {
+  minVersion: "TLSv1",
+};
+// Violation 3: TLS 1.1
+https.createServer(
+  {
+    maxVersion: "TLSv1.1",
+  },
+  app
+);
+// Violation 4: String version
+const config = {
+  protocol: "TLSv1.0",
+};
+```
+#### ✅ Compliant Code
+```typescript
+// Good: TLS 1.2
+const server = https.createServer(
+  {
+    minVersion: "TLSv1.2",
+    maxVersion: "TLSv1.3",
+  },
+  app
+);
+// Good: TLS 1.3
+const options = {
+  secureProtocol: "TLSv1_3_method",
+};
+// Good: Modern defaults
+https.createServer(
+  {
+    minVersion: "TLSv1.2",
+  },
+  app
+);
+```
+### Client Configuration
+#### ❌ Violations
+```typescript
+// Violation: axios with TLS 1.0
+const httpsAgent = new https.Agent({
+  minVersion: "TLSv1",
+});
+axios.get("https://api.example.com", {
+  httpsAgent,
+});
+// Violation: fetch with insecure agent
+const agent = new https.Agent({
+  secureProtocol: "TLSv1_method",
+});
+```
+#### ✅ Compliant Code
+```typescript
+// Good: axios with TLS 1.2+
+const httpsAgent = new https.Agent({
+  minVersion: "TLSv1.2",
+});
+axios.get("https://api.example.com", {
+  httpsAgent,
+});
+// Good: Modern TLS
+const agent = new https.Agent({
+  minVersion: "TLSv1.2",
+  maxVersion: "TLSv1.3",
+});
+```
+---
+## 🔧 How to Fix
+### 1. Update Server Configuration
+```typescript
+// Before
+const server = https.createServer(
+  {
+    minVersion: "TLSv1", // ❌
+  },
+  app
+);
+// After
+const server = https.createServer(
+  {
+    minVersion: "TLSv1.2", // ✅
+  },
+  app
+);
+```
+### 2. Update Client Agents
+```typescript
+// Before
+const agent = new https.Agent({
+  secureProtocol: "TLSv1_method", // ❌
+});
+// After
+const agent = new https.Agent({
+  minVersion: "TLSv1.2", // ✅
+});
+```
+### 3. Framework Configuration
+```typescript
+// Before
+const httpsOptions = {
+  secureProtocol: "SSLv3_method", // ❌
+};
+// After
+const httpsOptions = {
+  minVersion: "TLSv1.2", // ✅
+  maxVersion: "TLSv1.3",
+};
+```
+---
+## ⚙️ Configuration
+### Pattern Detection
+- `minVersion: 'TLSv1'` - Detects minimum version settings
+- `maxVersion: 'TLSv1.1'` - Detects maximum version restrictions
+- `secureProtocol: 'SSLv3_method'` - Detects protocol methods
+- `protocol: 'TLSv1.0'` - Detects string protocols
+### Supported Frameworks
+- Express.js
+- Next.js
+- NestJS
+- Nuxt.js
+- Fastify
+- Koa
+---
+## 📚 References
+- [RFC 8996 - Deprecating TLS 1.0 and 1.1](https://datatracker.ietf.org/doc/html/rfc8996)
+- [PCI DSS Requirements](https://www.pcisecuritystandards.org/)
+- [NIST SP 800-52 Rev. 2](https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/final)
+- [OWASP Transport Layer Protection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html)
+---
+**Created:** October 10, 2025
+**Version:** 1.0.0
+**Status:** Active

package/rules/security/S014_tls_version_enforcement/analyzer.js ADDED Viewed

@@ -0,0 +1,118 @@
+/**
+ * S014 - Enforce TLS 1.2 or 1.3 Only
+ *
+ * Main analyzer using symbol-based analysis to detect insecure TLS/SSL version usage.
+ */
+// Command: node cli.js --rule=S014 --input=examples/rule-test-fixtures/rules/S014_tls_version_enforcement --engine=heuristic
+const S014SymbolBasedAnalyzer = require("./symbol-based-analyzer");
+class S014Analyzer {
+  constructor(options = {}) {
+    this.ruleId = "S014";
+    this.semanticEngine = options.semanticEngine || null;
+    this.verbose = options.verbose || false;
+    try {
+      this.symbolAnalyzer = new S014SymbolBasedAnalyzer(this.semanticEngine);
+    } catch (e) {
+      console.warn(`⚠ [S014] Failed to create symbol analyzer: ${e.message}`);
+    }
+  }
+  async initialize(semanticEngine) {
+    this.semanticEngine = semanticEngine;
+    if (this.symbolAnalyzer && this.symbolAnalyzer.initialize) {
+      await this.symbolAnalyzer.initialize(semanticEngine);
+    }
+  }
+  analyzeSingle(filePath, options = {}) {
+    return this.analyze([filePath], "typescript", options);
+  }
+  async analyze(files, language, options = {}) {
+    const violations = [];
+    for (const filePath of files) {
+      try {
+        const vs = await this.analyzeFile(filePath, options);
+        violations.push(...vs);
+      } catch (e) {
+        console.warn(`⚠ [S014] Error analyzing ${filePath}: ${e.message}`);
+      }
+    }
+    return violations;
+  }
+  async analyzeFile(filePath, options = {}) {
+    const violationMap = new Map();
+    if (!this.symbolAnalyzer) {
+      return [];
+    }
+    try {
+      let sourceFile = null;
+      if (this.semanticEngine?.project) {
+        sourceFile = this.semanticEngine.project.getSourceFile(filePath);
+      }
+      if (!sourceFile) {
+        // Create temporary ts-morph source file
+        const fs = require("fs");
+        const path = require("path");
+        const { Project } = require("ts-morph");
+        if (!fs.existsSync(filePath)) {
+          throw new Error(`File not found: ${filePath}`);
+        }
+        const content = fs.readFileSync(filePath, "utf8");
+        const tmp = new Project({
+          useInMemoryFileSystem: true,
+          compilerOptions: { allowJs: true },
+        });
+        sourceFile = tmp.createSourceFile(path.basename(filePath), content);
+      }
+      if (sourceFile) {
+        const symbolViolations = await this.symbolAnalyzer.analyze(
+          sourceFile,
+          filePath
+        );
+        symbolViolations.forEach((v) => {
+          // Use only line number as key to deduplicate multiple detections on same line
+          const key = `${v.line}`;
+          if (!violationMap.has(key)) {
+            violationMap.set(key, v);
+          } else {
+            // Keep the more specific message if available
+            const existing = violationMap.get(key);
+            if (v.message.length > existing.message.length) {
+              violationMap.set(key, v);
+            }
+          }
+        });
+      }
+    } catch (err) {
+      if (this.verbose) {
+        console.warn(
+          `⚠ [S014] Symbol analysis failed for ${filePath}:`,
+          err.message
+        );
+      }
+    }
+    return Array.from(violationMap.values()).map((v) => ({
+      ...v,
+      filePath,
+      file: filePath,
+    }));
+  }
+  async cleanup() {
+    if (this.symbolAnalyzer) {
+      await this.symbolAnalyzer.cleanup?.();
+    }
+  }
+}
+module.exports = S014Analyzer;

package/rules/security/S014_tls_version_enforcement/config.json ADDED Viewed

@@ -0,0 +1,56 @@
+{
+  "id": "S014",
+  "name": "Enforce TLS 1.2 or 1.3 only",
+  "category": "security",
+  "description": "S014 - Ensure only TLS 1.2 or TLS 1.3 protocols are used. Detects usage of insecure TLS/SSL versions (SSL v2/v3, TLS 1.0, TLS 1.1) in HTTPS server configurations, client requests, and framework settings.",
+  "severity": "error",
+  "enabled": true,
+  "semantic": {
+    "enabled": true,
+    "priority": "high",
+    "fallback": "heuristic"
+  },
+  "patterns": {
+    "include": ["**/*.js", "**/*.ts", "**/*.jsx", "**/*.tsx"],
+    "exclude": [
+      "**/*.test.js",
+      "**/*.test.ts",
+      "**/*.spec.js",
+      "**/*.spec.ts",
+      "**/node_modules/**",
+      "**/dist/**",
+      "**/build/**"
+    ]
+  },
+  "analysis": {
+    "approach": "symbol-based-primary",
+    "fallback": "regex-based",
+    "depth": 1,
+    "timeout": 4000
+  },
+  "validation": {
+    "insecureVersions": [
+      "SSLv2",
+      "SSLv3",
+      "TLSv1",
+      "TLSv1.0",
+      "TLSv1_method",
+      "TLSv1.1",
+      "TLSv1_1_method"
+    ],
+    "secureVersions": [
+      "TLSv1.2",
+      "TLSv1_2_method",
+      "TLSv1.3",
+      "TLSv1_3_method"
+    ],
+    "configKeys": [
+      "minVersion",
+      "maxVersion",
+      "secureProtocol",
+      "secureOptions",
+      "protocol"
+    ],
+    "frameworks": ["express", "nextjs", "nuxtjs", "nestjs", "fastify", "koa"]
+  }
+}

package/rules/security/S014_tls_version_enforcement/symbol-based-analyzer.js ADDED Viewed

@@ -0,0 +1,194 @@
+/**
+ * S014 Symbol-Based Analyzer - Enforce TLS 1.2 or 1.3 only
+ *
+ * Uses AST analysis via ts-morph to detect insecure TLS/SSL versions
+ * in server configurations, client agents, and framework settings.
+ */
+class S014SymbolBasedAnalyzer {
+  constructor(semanticEngine) {
+    this.ruleId = "S014";
+    this.semanticEngine = semanticEngine;
+    // Insecure TLS/SSL versions to detect
+    this.insecureVersions = [
+      /SSLv2/i,
+      /SSLv3/i,
+      /TLSv1(?!\.2|\.3|_2|_3)/i, // TLS 1.0 (but not 1.2 or 1.3)
+      /TLSv1\.0/i,
+      /TLSv1_method/i,
+      /TLSv1\.1/i,
+      /TLSv1_1_method/i,
+    ];
+    // Configuration keys that specify TLS version
+    this.versionKeys = [
+      "minVersion",
+      "maxVersion",
+      "secureProtocol",
+      "protocol",
+      "tlsVersion",
+      "sslVersion",
+    ];
+  }
+  async initialize() {}
+  analyze(sourceFile, filePath) {
+    const violations = [];
+    try {
+      const { SyntaxKind } = require("ts-morph");
+      // Check all object literal expressions for TLS version configs
+      const objLits = sourceFile.getDescendantsOfKind(
+        SyntaxKind.ObjectLiteralExpression
+      );
+      for (const obj of objLits) {
+        try {
+          const properties = obj.getProperties();
+          for (const prop of properties) {
+            if (prop.getKind() !== SyntaxKind.PropertyAssignment) continue;
+            const propAssignment = prop;
+            const propName = propAssignment.getName();
+            // Check if this is a TLS version configuration key
+            if (this.versionKeys.includes(propName)) {
+              const initializer = propAssignment.getInitializer();
+              if (!initializer) continue;
+              let value = "";
+              const kind = initializer.getKind();
+              if (kind === SyntaxKind.StringLiteral) {
+                value = initializer.getLiteralValue();
+              } else if (kind === SyntaxKind.NoSubstitutionTemplateLiteral) {
+                value = initializer.getLiteralText().slice(1, -1); // Remove backticks
+              } else if (kind === SyntaxKind.TemplateExpression) {
+                // Template literal with expressions: `TLSv${version}`
+                // We can't know the runtime value, but we can detect potential issues
+                const templateText = initializer.getText();
+                // Check if template contains TLS/SSL patterns that might result in insecure versions
+                if (/TLSv|SSLv/i.test(templateText)) {
+                  // This is potentially insecure - warn about dynamic TLS version
+                  violations.push({
+                    ruleId: this.ruleId,
+                    message: `Dynamic TLS/SSL version detected in '${propName}' - ensure it uses TLS 1.2 or 1.3 only`,
+                    severity: "error",
+                    line: propAssignment.getStartLineNumber(),
+                    column:
+                      propAssignment.getStartLinePos() -
+                      propAssignment.getStartLinePos(true) +
+                      1,
+                    filePath: filePath,
+                  });
+                  continue; // Skip further checking for this property
+                }
+                value = templateText;
+              } else if (kind === SyntaxKind.Identifier) {
+                // Handle variable reference
+                value = initializer.getText();
+              } else {
+                value = initializer.getText().replace(/['"]/g, "");
+              }
+              // Check if value contains insecure version
+              for (const insecurePattern of this.insecureVersions) {
+                if (insecurePattern.test(value)) {
+                  violations.push({
+                    ruleId: this.ruleId,
+                    message: `Insecure TLS/SSL version '${value}' detected in '${propName}' - use TLS 1.2 or 1.3 only`,
+                    severity: "error",
+                    line: propAssignment.getStartLineNumber(),
+                    column:
+                      propAssignment.getStartLinePos() -
+                      propAssignment.getStartLinePos(true) +
+                      1,
+                    filePath: filePath,
+                  });
+                  break;
+                }
+              }
+            }
+          }
+        } catch (e) {
+          // Skip problematic objects
+        }
+      }
+      // Check standalone variable declarations (only for simple string assignments)
+      // This catches cases like: const tlsVersion = "TLSv1"
+      const varDecls = sourceFile.getDescendantsOfKind(
+        SyntaxKind.VariableDeclaration
+      );
+      for (const varDecl of varDecls) {
+        try {
+          const init = varDecl.getInitializer();
+          if (!init) continue;
+          const kind = init.getKind();
+          // Only check simple string literals or template literals (not objects/calls)
+          // This prevents duplicate detection with ObjectLiteral properties
+          if (
+            kind !== SyntaxKind.StringLiteral &&
+            kind !== SyntaxKind.NoSubstitutionTemplateLiteral &&
+            kind !== SyntaxKind.TemplateExpression
+          ) {
+            continue; // Skip complex expressions
+          }
+          let value = "";
+          if (kind === SyntaxKind.StringLiteral) {
+            value = init.getLiteralValue();
+          } else if (kind === SyntaxKind.NoSubstitutionTemplateLiteral) {
+            value = init.getLiteralText().slice(1, -1);
+          } else if (kind === SyntaxKind.TemplateExpression) {
+            // For template expressions, get the static parts
+            value = init.getText();
+          } else {
+            value = init.getText().replace(/['"]/g, "");
+          }
+          // Check for insecure versions in variable values
+          for (const insecurePattern of this.insecureVersions) {
+            if (insecurePattern.test(value)) {
+              violations.push({
+                ruleId: this.ruleId,
+                message: `Insecure TLS/SSL version '${value}' assigned to variable - use TLS 1.2 or 1.3 only`,
+                severity: "error",
+                line: varDecl.getStartLineNumber(),
+                column:
+                  varDecl.getStartLinePos() - varDecl.getStartLinePos(true) + 1,
+                filePath: filePath,
+              });
+              break;
+            }
+          }
+        } catch (e) {
+          // Skip problematic variables
+        }
+      }
+      // Note: CallExpression checking is not needed because getDescendantsOfKind
+      // for ObjectLiteralExpression already captures all objects including those
+      // passed as arguments to function calls (e.g., https.createServer({...}))
+      // This prevents duplicate violations.
+    } catch (err) {
+      console.warn(
+        `⚠ [S014] Symbol analysis failed for ${filePath}:`,
+        err.message
+      );
+    }
+    return violations;
+  }
+  cleanup() {}
+}
+module.exports = S014SymbolBasedAnalyzer;