@sun-asterisk/sunlint 1.3.17 → 1.3.19

package/config/rules/enhanced-rules-registry.json

@@ -870,6 +870,23 @@
       "status": "stable",
       "tags": ["security", "secrets", "hardcoded"]
     },
+    "S028": {
+      "name": "Limit upload file size and number of files per user",
+      "description": "File uploads must enforce size limits and file quantity limits to prevent resource exhaustion and DoS attacks. Both file size and number of files should be limited at the server-side.",
+      "category": "security",
+      "severity": "error",
+      "languages": ["typescript", "javascript", "java"],
+      "analyzer": "./rules/security/S028_file_upload_size_limits/analyzer.js",
+      "version": "1.0.0",
+      "status": "stable",
+      "tags": [
+        "security",
+        "file-upload",
+        "dos-prevention",
+        "resource-limits",
+        "owasp"
+      ]
+    },
     "S029": {
       "name": "Require CSRF Protection",
       "description": "Require CSRF protection for state-changing operations",
@@ -1079,16 +1096,27 @@
       }
     },
     "S041": {
-      "name": "Require Session Invalidate on Logout",
-      "description": "Require session invalidation on logout",
+      "name": "Session Tokens must be invalidated after logout or expiration",
+      "description": "Session tokens must be properly invalidated after logout or expiration to prevent session hijacking and unauthorized access. This includes clearing session data, invalidating JWT tokens, and ensuring proper session cleanup.",
       "category": "security",
       "severity": "error",
       "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s041",
+      "analyzer": "./rules/security/S041_session_token_invalidation/analyzer.js",
+      "config": "./rules/security/S041_session_token_invalidation/config.json",
       "version": "1.0.0",
       "status": "stable",
-      "tags": ["security", "session", "logout"]
+      "tags": ["security", "session", "token", "logout", "invalidation", "owasp"],
+      "strategy": {
+        "preferred": "ast",
+        "fallbacks": ["ast", "regex"],
+        "accuracy": {
+          "ast": 95,
+          "regex": 85
+        }
+      },
+      "engineMappings": {
+        "heuristic": ["rules/security/S041_session_token_invalidation/analyzer.js"]
+      }
     },
     "S042": {
       "name": "Require Periodic Reauthentication",
@@ -1115,28 +1143,49 @@
       "tags": ["security", "session", "password"]
     },
     "S044": {
-      "name": "Require Full Session for Sensitive Operations",
-      "description": "Require full session validation for sensitive operations",
+      "name": "Re-authentication Required for Sensitive Operations",
+      "description": "Require re-authentication before performing sensitive operations such as password changes, email changes, profile updates, and other critical account modifications. This prevents unauthorized access to sensitive account functions even if a session is compromised.",
       "category": "security",
       "severity": "error",
       "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s044",
+      "analyzer": "./rules/security/S044_re_authentication_required/analyzer.js",
+      "config": "./rules/security/S044_re_authentication_required/config.json",
       "version": "1.0.0",
       "status": "stable",
-      "tags": ["security", "session", "validation"]
+      "tags": ["security", "authentication", "re-authentication", "sensitive-operations", "owasp"],
+      "strategy": {
+        "preferred": "ast",
+        "fallbacks": ["ast", "regex"],
+        "accuracy": {
+          "ast": 95,
+          "regex": 85
+        }
+      },
+      "engineMappings": {
+        "heuristic": ["rules/security/S044_re_authentication_required/analyzer.js"]
+      }
     },
     "S045": {
-      "name": "Anti Automation Controls",
-      "description": "Implement anti-automation controls",
+      "name": "Brute-force Protection",
+      "description": "Implement protection against brute-force attacks on authentication endpoints. This rule detects missing rate limiting, account lockout mechanisms, and other brute-force protection measures in authentication flows.",
       "category": "security",
-      "severity": "warning",
+      "severity": "error",
       "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s045",
+      "analyzer": "./rules/security/S045_brute_force_protection/analyzer.js",
+      "config": "./rules/security/S045_brute_force_protection/config.json",
       "version": "1.0.0",
       "status": "stable",
-      "tags": ["security", "automation", "protection"]
+      "tags": ["security", "authentication", "brute-force", "rate-limiting", "owasp"],
+      "strategy": {
+        "preferred": "heuristic",
+        "fallbacks": ["heuristic"],
+        "accuracy": {
+          "heuristic": 95
+        }
+      },
+      "engineMappings": {
+        "heuristic": "rules/security/S045_brute_force_protection/analyzer.js"
+      }
     },
     "S046": {
       "name": "Secure Notification on Auth Change",
@@ -1239,8 +1288,16 @@
       "name": "One Behavior per Test (AAA Pattern)",
       "description": "Enforce single behavior testing - each test should verify exactly one action/behavior with clear Arrange-Act-Assert structure",
       "category": "common",
-      "severity": "warning", 
-      "languages": ["typescript", "javascript", "java", "csharp", "swift", "kotlin", "python"],
+      "severity": "warning",
+      "languages": [
+        "typescript",
+        "javascript",
+        "java",
+        "csharp",
+        "swift",
+        "kotlin",
+        "python"
+      ],
       "analyzer": "./rules/common/C065_one_behavior_per_test/analyzer.js",
       "config": "./rules/common/C065_one_behavior_per_test/config.json",
       "version": "1.0.0",
@@ -1451,6 +1508,8 @@
       "category": "general",
       "severity": "warning",
       "languages": ["typescript", "javascript"],
+      "analyzer": "./rules/common/C017_constructor_logic/analyzer.js",
+      "config": "./rules/common/C017_constructor_logic/config.json",
       "version": "1.0.0",
       "status": "migrated",
       "tags": ["migrated"],

package/core/analysis-orchestrator.js

@@ -547,9 +547,17 @@ class AnalysisOrchestrator {
     for (const engineResult of engineResults) {
       uniqueEngines.add(engineResult.engine);
       
-      // Add engine-specific results
-      if (engineResult.results) {
-        mergedResults.results.push(...engineResult.results);
+      // Add engine-specific results with validation
+      if (engineResult.results && Array.isArray(engineResult.results)) {
+        // Filter out invalid entries (non-objects or config objects)
+        const validResults = engineResult.results.filter(result => {
+          if (!result || typeof result !== 'object') return false;
+          // Skip objects that look like metadata/config
+          if (result.semanticEngine || result.project || result._context) return false;
+          // Must have either file/filePath or be a valid result object
+          return result.file || result.filePath || result.violations || result.messages;
+        });
+        mergedResults.results.push(...validResults);
       }
       
       // Track engine statistics

package/core/cli-program.js

@@ -36,7 +36,8 @@ function createCliProgram() {
     .option('-o, --output <file>', 'Output file path')
     .option('--output-summary <file>', 'Output summary report file path (JSON format for CI/CD)')
     .option('--upload-report [url]', 'Upload summary report to API endpoint after analysis (default: Sun* Coding Standards API)')
-    .option('--config <file>', 'Configuration file path (default: auto-discover)');
+    .option('--config <file>', 'Configuration file path (default: auto-discover)')
+    .option('--github-annotate', 'Annotate GitHub PR with results (requires --output and --format=json)');
 
   // File targeting options
   program

package/core/github-annotate-service.js

@@ -0,0 +1,89 @@
+/**
+ * GitHub Annotate Service
+ * Đọc file JSON kết quả và comment annotation lên GitHub PR tương ứng
+ * Usage: githubAnnotateService.annotate({ jsonFile, githubToken, repo, prNumber })
+ */
+
+const fs = require('fs');
+let Octokit;
+
+/**
+ * Annotate GitHub PR with SunLint results
+ * @param {Object} options
+ * @param {string} options.jsonFile - Path to JSON result file
+ * @param {string} options.githubToken - GitHub token (with repo:write)
+ * @param {string} options.repo - GitHub repo in format owner/repo
+ * @param {number} options.prNumber - Pull request number
+ */
+async function annotate({ jsonFile, githubToken, repo, prNumber }) {
+  if (!fs.existsSync(jsonFile)) {
+    throw new Error(`Result file not found: ${jsonFile}`);
+  }
+  const raw = JSON.parse(fs.readFileSync(jsonFile, 'utf8'));
+  let violations = [];
+  if (Array.isArray(raw)) {
+  const cwd = process.env.GITHUB_WORKSPACE || process.cwd();
+    for (const fileObj of raw) {
+      if (fileObj && fileObj.filePath && Array.isArray(fileObj.messages)) {
+        let relPath = fileObj.filePath;
+        if (relPath.startsWith(cwd)) {
+          relPath = relPath.slice(cwd.length);
+          if (relPath.startsWith('/') || relPath.startsWith('\\')) relPath = relPath.slice(1);
+        }
+        for (const msg of fileObj.messages) {
+          violations.push({
+            file: relPath,
+            line: msg.line,
+            rule: msg.ruleId,
+            severity: msg.severity === 2 ? 'error' : 'warning',
+            message: msg.message
+          });
+        }
+      }
+    }
+  } else {
+    violations = raw.violations || [];
+  }
+console.log(violations);
+  const token = githubToken || process.env.GITHUB_TOKEN;
+  if (!token) throw new Error('Missing GitHub token');
+  const [owner, repoName] = repo.split('/');
+  if (!Octokit) {
+    // Dynamic import để hỗ trợ ESM
+    Octokit = (await import('@octokit/rest')).Octokit;
+  }
+  const octokit = new Octokit({ auth: token });
+
+  const { data: prData } = await octokit.pulls.get({ owner, repo: repoName, pull_number: prNumber });
+  const head_sha = prData.head.sha;
+
+  const filesRes = await octokit.pulls.listFiles({ owner, repo: repoName, pull_number: prNumber });
+  const prFiles = filesRes.data.map(f => f.filename);
+
+  const reviewComments = violations
+    .filter(v => prFiles.includes(v.file))
+    .map(v => ({
+      path: v.file,
+      line: v.line,
+      side: 'RIGHT',
+      body: `[${v.rule}] ${v.message}`
+    }));
+
+  if (reviewComments.length === 0) return { message: 'No matching PR file violations to comment.' };
+
+  // Nếu có error thì yêu cầu thay đổi, không thì chỉ comment
+  const hasError = violations.some(v => v.severity === 'error');
+  const eventType = hasError ? 'REQUEST_CHANGES' : 'COMMENT';
+
+  const reviewRes = await octokit.pulls.createReview({
+    owner,
+    repo: repoName,
+    pull_number: prNumber,
+    commit_id: head_sha,
+    event: eventType,
+    comments: reviewComments
+  });
+  return reviewRes.data;
+}
+
+module.exports = { annotate };

package/core/output-service.js

@@ -28,12 +28,13 @@ class OutputService {
     try {
       const packageJsonPath = path.join(__dirname, '..', 'package.json');
       const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'));
-      return packageJson.version || '1.3.16';
+      return packageJson.version || '1.3.18';
     } catch (error) {
-      return '1.3.16'; // Fallback version
+      return '1.3.18'; // Fallback version
     }
   }
 
+
   async outputResults(results, options, metadata = {}) {
     // Generate report based on format
     const report = this.generateReport(results, metadata, options);
@@ -49,6 +50,30 @@ class OutputService {
       const content = typeof outputData === 'string' ? outputData : JSON.stringify(outputData, null, 2);
       fs.writeFileSync(options.output, content);
       console.log(chalk.green(`📄 Report saved to: ${options.output}`));
+
+      // Annotate GitHub nếu đủ điều kiện
+      if (options.githubAnnotate && options.format === 'json') {
+        try {
+          const annotate = require('./github-annotate-service').annotate;
+          // Lấy các biến môi trường cần thiết cho annotate
+          const repo = process.env.GITHUB_REPOSITORY || options.githubRepo;
+          const prNumber = process.env.GITHUB_PR_NUMBER ? parseInt(process.env.GITHUB_PR_NUMBER) : options.githubPrNumber;
+          const githubToken = process.env.GITHUB_TOKEN || options.githubToken;
+          if (repo && prNumber && githubToken) {
+            await annotate({
+              jsonFile: options.output,
+              githubToken,
+              repo,
+              prNumber
+            });
+            console.log(chalk.green('✅ Annotated GitHub PR with SunLint results.'));
+          } else {
+            console.log(chalk.yellow('⚠️  Missing GITHUB_REPOSITORY, GITHUB_PR_NUMBER, or GITHUB_TOKEN for GitHub annotation.'));
+          }
+        } catch (err) {
+          console.log(chalk.red('❌ Failed to annotate GitHub PR:'), err.message);
+        }
+      }
     }
 
     // Summary report output (new feature for CI/CD)
@@ -140,6 +165,17 @@ class OutputService {
     const allViolations = [];
     let totalFiles = results.filesAnalyzed || results.summary?.totalFiles || results.totalFiles || results.fileCount || 0;
 
+    // Helper function to validate violation object
+    const isValidViolation = (violation) => {
+      if (!violation || typeof violation !== 'object') return false;
+      // Skip config/metadata objects (have nested objects like semanticEngine, project, etc.)
+      if (violation.semanticEngine || violation.project || violation._context) return false;
+      // Must have ruleId as string
+      const ruleId = violation.ruleId || violation.rule;
+      if (!ruleId || typeof ruleId !== 'string') return false;
+      return true;
+    };
+
     // Collect all violations - handle both file-based and rule-based results
     if (results.results) {
       results.results.forEach(result => {
@@ -147,16 +183,20 @@ class OutputService {
           // Handle rule-based format (MultiRuleRunner)
           if (result.ruleId) {
             result.violations.forEach(violation => {
-              allViolations.push(violation); // violation already has file path
+              if (isValidViolation(violation)) {
+                allViolations.push(violation); // violation already has file path
+              }
             });
           } 
           // Handle file-based format (legacy)
           else {
             result.violations.forEach(violation => {
-              allViolations.push({
-                ...violation,
-                file: result.filePath || result.file // Use filePath first, then file
-              });
+              if (isValidViolation(violation)) {
+                allViolations.push({
+                  ...violation,
+                  file: result.filePath || result.file // Use filePath first, then file
+                });
+              }
             });
           }
         }
@@ -164,7 +204,7 @@ class OutputService {
         // Handle ESLint format (messages array)
         if (result.messages) {
           result.messages.forEach(message => {
-            allViolations.push({
+            const violation = {
               file: result.filePath || message.file,
               ruleId: message.ruleId,
               severity: message.severity === 2 ? 'error' : 'warning',
@@ -172,7 +212,10 @@ class OutputService {
               line: message.line,
               column: message.column,
               source: message.source || 'eslint'
-            });
+            };
+            if (isValidViolation(violation)) {
+              allViolations.push(violation);
+            }
           });
         }
       });

package/core/summary-report-service.js

@@ -13,7 +13,7 @@ class SummaryReportService {
     // Load version from package.json
     this.version = this._loadVersion();
   }
-  
+
   /**
    * Load version from package.json
    * @returns {string} Package version
@@ -23,9 +23,9 @@ class SummaryReportService {
     try {
       const packageJsonPath = path.join(__dirname, '..', 'package.json');
       const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'));
-      return packageJson.version || '1.3.16';
+      return packageJson.version || '1.3.19';
     } catch (error) {
-      return '1.3.16'; // Fallback version
+      return '1.3.19'; // Fallback version
     }
   }
 
@@ -154,51 +154,69 @@ class SummaryReportService {
     const gitInfo = this.getGitInfo(options.cwd);
 
     // Override with environment variables if available (from CI/CD)
-    const repository_url = process.env.GITHUB_REPOSITORY 
+    const repository_url = process.env.GITHUB_REPOSITORY
       ? `https://github.com/${process.env.GITHUB_REPOSITORY}`
       : gitInfo.repository_url;
-    
-    const repository_name = process.env.GITHUB_REPOSITORY 
+
+    const repository_name = process.env.GITHUB_REPOSITORY
       ? process.env.GITHUB_REPOSITORY.split('/')[1]
       : (gitInfo.repository_name || null);
-    
+
     const branch = process.env.GITHUB_REF_NAME || gitInfo.branch;
     const commit_hash = process.env.GITHUB_SHA || gitInfo.commit_hash;
-    
+
     // Get commit details from GitHub context or git
-    const commit_message = process.env.GITHUB_EVENT_HEAD_COMMIT_MESSAGE 
-      || (process.env.GITHUB_EVENT_PATH 
+    const commit_message = process.env.GITHUB_EVENT_HEAD_COMMIT_MESSAGE
+      || (process.env.GITHUB_EVENT_PATH
         ? this._getGitHubEventData('head_commit.message')
         : null)
       || gitInfo.commit_message;
-    
+
     const author_email = process.env.GITHUB_EVENT_HEAD_COMMIT_AUTHOR_EMAIL
-      || (process.env.GITHUB_EVENT_PATH 
+      || (process.env.GITHUB_EVENT_PATH
         ? this._getGitHubEventData('head_commit.author.email')
         : null)
       || gitInfo.author_email;
-    
+
     const author_name = process.env.GITHUB_EVENT_HEAD_COMMIT_AUTHOR_NAME
-      || (process.env.GITHUB_EVENT_PATH 
+      || (process.env.GITHUB_EVENT_PATH
         ? this._getGitHubEventData('head_commit.author.name')
         : null)
       || gitInfo.author_name;
-    
+
     // Get PR number from GitHub event or git
     let pr_number = null;
     if (process.env.GITHUB_EVENT_PATH) {
-      pr_number = this._getGitHubEventData('pull_request.number') 
+      pr_number = this._getGitHubEventData('pull_request.number')
         || this._getGitHubEventData('number');
     }
     pr_number = pr_number || gitInfo.pr_number;
-    
+
     // Get project path (for mono-repo support)
     const project_path = gitInfo.project_path;
 
     // Count violations by rule
     const violationsByRule = {};
     violations.forEach(violation => {
-      const ruleId = violation.ruleId || 'unknown';
+      // Validate that this is actually a violation object (not metadata/config)
+      // A valid violation should have ruleId/rule as string and message
+      if (!violation || typeof violation !== 'object') {
+        return; // Skip non-objects
+      }
+
+      // Skip objects that look like metadata/config (have nested objects like semanticEngine, project, etc.)
+      if (violation.semanticEngine || violation.project || violation.options) {
+        return; // Skip config objects
+      }
+
+      // Get ruleId from various possible fields
+      const ruleId = violation.ruleId || violation.rule || 'unknown';
+
+      // Ensure ruleId is a string (not an object)
+      if (typeof ruleId !== 'string') {
+        return; // Skip invalid ruleId
+      }
+
       if (!violationsByRule[ruleId]) {
         violationsByRule[ruleId] = {
           rule_code: ruleId,
@@ -235,7 +253,7 @@ class SummaryReportService {
       sunlint_version: options.version || this.version,
       analysis_duration_ms: options.duration || 0,
       violations: violationsSummary,
-      
+
       // Additional metadata for backwards compatibility
       metadata: {
         generated_at: new Date().toISOString(),
@@ -265,11 +283,11 @@ class SummaryReportService {
       if (!eventPath || !fs.existsSync(eventPath)) {
         return null;
       }
-      
+
       const eventData = JSON.parse(fs.readFileSync(eventPath, 'utf8'));
       const keys = path.split('.');
       let value = eventData;
-      
+
       for (const key of keys) {
         if (value && typeof value === 'object' && key in value) {
           value = value[key];
@@ -277,7 +295,7 @@ class SummaryReportService {
           return null;
         }
       }
-      
+
       return value;
     } catch (error) {
       return null;
@@ -293,7 +311,7 @@ class SummaryReportService {
    */
   saveSummaryReport(violations, scoringSummary, outputPath, options = {}) {
     const summaryReport = this.generateSummaryReport(violations, scoringSummary, options);
-    
+
     // Ensure directory exists
     const dir = path.dirname(outputPath);
     if (!fs.existsSync(dir)) {
@@ -302,7 +320,7 @@ class SummaryReportService {
 
     // Write to file with pretty formatting
     fs.writeFileSync(outputPath, JSON.stringify(summaryReport, null, 2), 'utf8');
-    
+
     return summaryReport;
   }
 
@@ -322,7 +340,7 @@ class SummaryReportService {
     const warningCount = summaryReport.warning_count || 0;
     const violationsByRule = summaryReport.violations || [];
     const violationsPerKLOC = summaryReport.quality?.metrics?.violationsPerKLOC || 0;
-    
+
     let output = '\n📊 Quality Summary Report\n';
     output += '━'.repeat(50) + '\n';
     output += `📈 Quality Score: ${score} (Grade: ${grade})\n`;
@@ -330,14 +348,14 @@ class SummaryReportService {
     output += `📏 Lines of Code: ${linesOfCode.toLocaleString()}\n`;
     output += `⚠️  Total Violations: ${totalViolations} (${errorCount} errors, ${warningCount} warnings)\n`;
     output += `📊 Violations per KLOC: ${violationsPerKLOC}\n`;
-    
+
     if (violationsByRule.length > 0) {
       output += '\n🔍 Top Violations by Rule:\n';
       violationsByRule.slice(0, 10).forEach((item, index) => {
         output += `  ${index + 1}. ${item.rule_code}: ${item.count} violations (${item.severity})\n`;
       });
     }
-    
+
     return output;
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sun-asterisk/sunlint",
-  "version": "1.3.17",
+  "version": "1.3.19",
   "description": "☀️ SunLint - Multi-language static analysis tool for code quality and security | Sun* Engineering Standards",
   "main": "cli.js",
   "bin": {
@@ -91,6 +91,7 @@
   },
   "dependencies": {
     "@babel/parser": "^7.25.8",
+    "@octokit/rest": "^22.0.0",
     "@typescript-eslint/eslint-plugin": "^8.38.0",
     "@typescript-eslint/parser": "^8.38.0",
     "chalk": "^4.1.2",
@@ -138,4 +139,4 @@
     "url": "https://github.com/sun-asterisk/engineer-excellence/issues"
   },
   "homepage": "https://github.com/sun-asterisk/engineer-excellence/tree/main/coding-quality/extensions/sunlint#readme"
-}
+}