npm - @sun-asterisk/sunlint - Versions diffs - 1.3.18 → 1.3.19 - Mend

@sun-asterisk/sunlint 1.3.18 → 1.3.19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (34) hide show

package/config/rules/enhanced-rules-registry.json CHANGED Viewed

@@ -870,6 +870,23 @@
       "status": "stable",
       "tags": ["security", "secrets", "hardcoded"]
     },
+    "S028": {
+      "name": "Limit upload file size and number of files per user",
+      "description": "File uploads must enforce size limits and file quantity limits to prevent resource exhaustion and DoS attacks. Both file size and number of files should be limited at the server-side.",
+      "category": "security",
+      "severity": "error",
+      "languages": ["typescript", "javascript", "java"],
+      "analyzer": "./rules/security/S028_file_upload_size_limits/analyzer.js",
+      "version": "1.0.0",
+      "status": "stable",
+      "tags": [
+        "security",
+        "file-upload",
+        "dos-prevention",
+        "resource-limits",
+        "owasp"
+      ]
+    },
     "S029": {
       "name": "Require CSRF Protection",
       "description": "Require CSRF protection for state-changing operations",
@@ -1079,16 +1096,27 @@
       }
     },
     "S041": {
-      "name": "Require Session Invalidate on Logout",
-      "description": "Require session invalidation on logout",
+      "name": "Session Tokens must be invalidated after logout or expiration",
+      "description": "Session tokens must be properly invalidated after logout or expiration to prevent session hijacking and unauthorized access. This includes clearing session data, invalidating JWT tokens, and ensuring proper session cleanup.",
       "category": "security",
       "severity": "error",
       "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s041",
+      "analyzer": "./rules/security/S041_session_token_invalidation/analyzer.js",
+      "config": "./rules/security/S041_session_token_invalidation/config.json",
       "version": "1.0.0",
       "status": "stable",
-      "tags": ["security", "session", "logout"]
+      "tags": ["security", "session", "token", "logout", "invalidation", "owasp"],
+      "strategy": {
+        "preferred": "ast",
+        "fallbacks": ["ast", "regex"],
+        "accuracy": {
+          "ast": 95,
+          "regex": 85
+        }
+      },
+      "engineMappings": {
+        "heuristic": ["rules/security/S041_session_token_invalidation/analyzer.js"]
+      }
     },
     "S042": {
       "name": "Require Periodic Reauthentication",
@@ -1115,28 +1143,49 @@
       "tags": ["security", "session", "password"]
     },
     "S044": {
-      "name": "Require Full Session for Sensitive Operations",
-      "description": "Require full session validation for sensitive operations",
+      "name": "Re-authentication Required for Sensitive Operations",
+      "description": "Require re-authentication before performing sensitive operations such as password changes, email changes, profile updates, and other critical account modifications. This prevents unauthorized access to sensitive account functions even if a session is compromised.",
       "category": "security",
       "severity": "error",
       "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s044",
+      "analyzer": "./rules/security/S044_re_authentication_required/analyzer.js",
+      "config": "./rules/security/S044_re_authentication_required/config.json",
       "version": "1.0.0",
       "status": "stable",
-      "tags": ["security", "session", "validation"]
+      "tags": ["security", "authentication", "re-authentication", "sensitive-operations", "owasp"],
+      "strategy": {
+        "preferred": "ast",
+        "fallbacks": ["ast", "regex"],
+        "accuracy": {
+          "ast": 95,
+          "regex": 85
+        }
+      },
+      "engineMappings": {
+        "heuristic": ["rules/security/S044_re_authentication_required/analyzer.js"]
+      }
     },
     "S045": {
-      "name": "Anti Automation Controls",
-      "description": "Implement anti-automation controls",
+      "name": "Brute-force Protection",
+      "description": "Implement protection against brute-force attacks on authentication endpoints. This rule detects missing rate limiting, account lockout mechanisms, and other brute-force protection measures in authentication flows.",
       "category": "security",
-      "severity": "warning",
+      "severity": "error",
       "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s045",
+      "analyzer": "./rules/security/S045_brute_force_protection/analyzer.js",
+      "config": "./rules/security/S045_brute_force_protection/config.json",
       "version": "1.0.0",
       "status": "stable",
-      "tags": ["security", "automation", "protection"]
+      "tags": ["security", "authentication", "brute-force", "rate-limiting", "owasp"],
+      "strategy": {
+        "preferred": "heuristic",
+        "fallbacks": ["heuristic"],
+        "accuracy": {
+          "heuristic": 95
+        }
+      },
+      "engineMappings": {
+        "heuristic": "rules/security/S045_brute_force_protection/analyzer.js"
+      }
     },
     "S046": {
       "name": "Secure Notification on Auth Change",
@@ -1239,8 +1288,16 @@
       "name": "One Behavior per Test (AAA Pattern)",
       "description": "Enforce single behavior testing - each test should verify exactly one action/behavior with clear Arrange-Act-Assert structure",
       "category": "common",
-      "severity": "warning",
-      "languages": ["typescript", "javascript", "java", "csharp", "swift", "kotlin", "python"],
+      "severity": "warning",
+      "languages": [
+        "typescript",
+        "javascript",
+        "java",
+        "csharp",
+        "swift",
+        "kotlin",
+        "python"
+      ],
       "analyzer": "./rules/common/C065_one_behavior_per_test/analyzer.js",
       "config": "./rules/common/C065_one_behavior_per_test/config.json",
       "version": "1.0.0",
@@ -1451,6 +1508,8 @@
       "category": "general",
       "severity": "warning",
       "languages": ["typescript", "javascript"],
+      "analyzer": "./rules/common/C017_constructor_logic/analyzer.js",
+      "config": "./rules/common/C017_constructor_logic/config.json",
       "version": "1.0.0",
       "status": "migrated",
       "tags": ["migrated"],

package/core/cli-program.js CHANGED Viewed

@@ -36,7 +36,8 @@ function createCliProgram() {
     .option('-o, --output <file>', 'Output file path')
     .option('--output-summary <file>', 'Output summary report file path (JSON format for CI/CD)')
     .option('--upload-report [url]', 'Upload summary report to API endpoint after analysis (default: Sun* Coding Standards API)')
-    .option('--config <file>', 'Configuration file path (default: auto-discover)');
+    .option('--config <file>', 'Configuration file path (default: auto-discover)')
+    .option('--github-annotate', 'Annotate GitHub PR with results (requires --output and --format=json)');
   // File targeting options
   program

package/core/github-annotate-service.js ADDED Viewed

@@ -0,0 +1,89 @@
+/**
+ * GitHub Annotate Service
+ * Đọc file JSON kết quả và comment annotation lên GitHub PR tương ứng
+ * Usage: githubAnnotateService.annotate({ jsonFile, githubToken, repo, prNumber })
+ */
+const fs = require('fs');
+let Octokit;
+/**
+ * Annotate GitHub PR with SunLint results
+ * @param {Object} options
+ * @param {string} options.jsonFile - Path to JSON result file
+ * @param {string} options.githubToken - GitHub token (with repo:write)
+ * @param {string} options.repo - GitHub repo in format owner/repo
+ * @param {number} options.prNumber - Pull request number
+ */
+async function annotate({ jsonFile, githubToken, repo, prNumber }) {
+  if (!fs.existsSync(jsonFile)) {
+    throw new Error(`Result file not found: ${jsonFile}`);
+  }
+  const raw = JSON.parse(fs.readFileSync(jsonFile, 'utf8'));
+  let violations = [];
+  if (Array.isArray(raw)) {
+  const cwd = process.env.GITHUB_WORKSPACE || process.cwd();
+    for (const fileObj of raw) {
+      if (fileObj && fileObj.filePath && Array.isArray(fileObj.messages)) {
+        let relPath = fileObj.filePath;
+        if (relPath.startsWith(cwd)) {
+          relPath = relPath.slice(cwd.length);
+          if (relPath.startsWith('/') || relPath.startsWith('\\')) relPath = relPath.slice(1);
+        }
+        for (const msg of fileObj.messages) {
+          violations.push({
+            file: relPath,
+            line: msg.line,
+            rule: msg.ruleId,
+            severity: msg.severity === 2 ? 'error' : 'warning',
+            message: msg.message
+          });
+        }
+      }
+    }
+  } else {
+    violations = raw.violations || [];
+  }
+console.log(violations);
+  const token = githubToken || process.env.GITHUB_TOKEN;
+  if (!token) throw new Error('Missing GitHub token');
+  const [owner, repoName] = repo.split('/');
+  if (!Octokit) {
+    // Dynamic import để hỗ trợ ESM
+    Octokit = (await import('@octokit/rest')).Octokit;
+  }
+  const octokit = new Octokit({ auth: token });
+  const { data: prData } = await octokit.pulls.get({ owner, repo: repoName, pull_number: prNumber });
+  const head_sha = prData.head.sha;
+  const filesRes = await octokit.pulls.listFiles({ owner, repo: repoName, pull_number: prNumber });
+  const prFiles = filesRes.data.map(f => f.filename);
+  const reviewComments = violations
+    .filter(v => prFiles.includes(v.file))
+    .map(v => ({
+      path: v.file,
+      line: v.line,
+      side: 'RIGHT',
+      body: `[${v.rule}] ${v.message}`
+    }));
+  if (reviewComments.length === 0) return { message: 'No matching PR file violations to comment.' };
+  // Nếu có error thì yêu cầu thay đổi, không thì chỉ comment
+  const hasError = violations.some(v => v.severity === 'error');
+  const eventType = hasError ? 'REQUEST_CHANGES' : 'COMMENT';
+  const reviewRes = await octokit.pulls.createReview({
+    owner,
+    repo: repoName,
+    pull_number: prNumber,
+    commit_id: head_sha,
+    event: eventType,
+    comments: reviewComments
+  });
+  return reviewRes.data;
+}
+module.exports = { annotate };

package/core/output-service.js CHANGED Viewed

@@ -34,6 +34,7 @@ class OutputService {
     }
   }
   async outputResults(results, options, metadata = {}) {
     // Generate report based on format
     const report = this.generateReport(results, metadata, options);
@@ -49,6 +50,30 @@ class OutputService {
       const content = typeof outputData === 'string' ? outputData : JSON.stringify(outputData, null, 2);
       fs.writeFileSync(options.output, content);
       console.log(chalk.green(`📄 Report saved to: ${options.output}`));
+      // Annotate GitHub nếu đủ điều kiện
+      if (options.githubAnnotate && options.format === 'json') {
+        try {
+          const annotate = require('./github-annotate-service').annotate;
+          // Lấy các biến môi trường cần thiết cho annotate
+          const repo = process.env.GITHUB_REPOSITORY || options.githubRepo;
+          const prNumber = process.env.GITHUB_PR_NUMBER ? parseInt(process.env.GITHUB_PR_NUMBER) : options.githubPrNumber;
+          const githubToken = process.env.GITHUB_TOKEN || options.githubToken;
+          if (repo && prNumber && githubToken) {
+            await annotate({
+              jsonFile: options.output,
+              githubToken,
+              repo,
+              prNumber
+            });
+            console.log(chalk.green('✅ Annotated GitHub PR with SunLint results.'));
+          } else {
+            console.log(chalk.yellow('⚠️  Missing GITHUB_REPOSITORY, GITHUB_PR_NUMBER, or GITHUB_TOKEN for GitHub annotation.'));
+          }
+        } catch (err) {
+          console.log(chalk.red('❌ Failed to annotate GitHub PR:'), err.message);
+        }
+      }
     }
     // Summary report output (new feature for CI/CD)

package/core/summary-report-service.js CHANGED Viewed

@@ -13,7 +13,7 @@ class SummaryReportService {
     // Load version from package.json
     this.version = this._loadVersion();
   }
   /**
    * Load version from package.json
    * @returns {string} Package version
@@ -23,9 +23,9 @@ class SummaryReportService {
     try {
       const packageJsonPath = path.join(__dirname, '..', 'package.json');
       const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'));
-      return packageJson.version || '1.3.18';
+      return packageJson.version || '1.3.19';
     } catch (error) {
-      return '1.3.18'; // Fallback version
+      return '1.3.19'; // Fallback version
     }
   }
@@ -154,44 +154,44 @@ class SummaryReportService {
     const gitInfo = this.getGitInfo(options.cwd);
     // Override with environment variables if available (from CI/CD)
-    const repository_url = process.env.GITHUB_REPOSITORY
+    const repository_url = process.env.GITHUB_REPOSITORY
       ? `https://github.com/${process.env.GITHUB_REPOSITORY}`
       : gitInfo.repository_url;
-    const repository_name = process.env.GITHUB_REPOSITORY
+    const repository_name = process.env.GITHUB_REPOSITORY
       ? process.env.GITHUB_REPOSITORY.split('/')[1]
       : (gitInfo.repository_name || null);
     const branch = process.env.GITHUB_REF_NAME || gitInfo.branch;
     const commit_hash = process.env.GITHUB_SHA || gitInfo.commit_hash;
     // Get commit details from GitHub context or git
-    const commit_message = process.env.GITHUB_EVENT_HEAD_COMMIT_MESSAGE
-      || (process.env.GITHUB_EVENT_PATH
+    const commit_message = process.env.GITHUB_EVENT_HEAD_COMMIT_MESSAGE
+      || (process.env.GITHUB_EVENT_PATH
         ? this._getGitHubEventData('head_commit.message')
         : null)
       || gitInfo.commit_message;
     const author_email = process.env.GITHUB_EVENT_HEAD_COMMIT_AUTHOR_EMAIL
-      || (process.env.GITHUB_EVENT_PATH
+      || (process.env.GITHUB_EVENT_PATH
         ? this._getGitHubEventData('head_commit.author.email')
         : null)
       || gitInfo.author_email;
     const author_name = process.env.GITHUB_EVENT_HEAD_COMMIT_AUTHOR_NAME
-      || (process.env.GITHUB_EVENT_PATH
+      || (process.env.GITHUB_EVENT_PATH
         ? this._getGitHubEventData('head_commit.author.name')
         : null)
       || gitInfo.author_name;
     // Get PR number from GitHub event or git
     let pr_number = null;
     if (process.env.GITHUB_EVENT_PATH) {
-      pr_number = this._getGitHubEventData('pull_request.number')
+      pr_number = this._getGitHubEventData('pull_request.number')
         || this._getGitHubEventData('number');
     }
     pr_number = pr_number || gitInfo.pr_number;
     // Get project path (for mono-repo support)
     const project_path = gitInfo.project_path;
@@ -203,20 +203,20 @@ class SummaryReportService {
       if (!violation || typeof violation !== 'object') {
         return; // Skip non-objects
       }
       // Skip objects that look like metadata/config (have nested objects like semanticEngine, project, etc.)
       if (violation.semanticEngine || violation.project || violation.options) {
         return; // Skip config objects
       }
       // Get ruleId from various possible fields
       const ruleId = violation.ruleId || violation.rule || 'unknown';
       // Ensure ruleId is a string (not an object)
       if (typeof ruleId !== 'string') {
         return; // Skip invalid ruleId
       }
       if (!violationsByRule[ruleId]) {
         violationsByRule[ruleId] = {
           rule_code: ruleId,
@@ -253,7 +253,7 @@ class SummaryReportService {
       sunlint_version: options.version || this.version,
       analysis_duration_ms: options.duration || 0,
       violations: violationsSummary,
       // Additional metadata for backwards compatibility
       metadata: {
         generated_at: new Date().toISOString(),
@@ -283,11 +283,11 @@ class SummaryReportService {
       if (!eventPath || !fs.existsSync(eventPath)) {
         return null;
       }
       const eventData = JSON.parse(fs.readFileSync(eventPath, 'utf8'));
       const keys = path.split('.');
       let value = eventData;
       for (const key of keys) {
         if (value && typeof value === 'object' && key in value) {
           value = value[key];
@@ -295,7 +295,7 @@ class SummaryReportService {
           return null;
         }
       }
       return value;
     } catch (error) {
       return null;
@@ -311,7 +311,7 @@ class SummaryReportService {
    */
   saveSummaryReport(violations, scoringSummary, outputPath, options = {}) {
     const summaryReport = this.generateSummaryReport(violations, scoringSummary, options);
     // Ensure directory exists
     const dir = path.dirname(outputPath);
     if (!fs.existsSync(dir)) {
@@ -320,7 +320,7 @@ class SummaryReportService {
     // Write to file with pretty formatting
     fs.writeFileSync(outputPath, JSON.stringify(summaryReport, null, 2), 'utf8');
     return summaryReport;
   }
@@ -340,7 +340,7 @@ class SummaryReportService {
     const warningCount = summaryReport.warning_count || 0;
     const violationsByRule = summaryReport.violations || [];
     const violationsPerKLOC = summaryReport.quality?.metrics?.violationsPerKLOC || 0;
     let output = '\n📊 Quality Summary Report\n';
     output += '━'.repeat(50) + '\n';
     output += `📈 Quality Score: ${score} (Grade: ${grade})\n`;
@@ -348,14 +348,14 @@ class SummaryReportService {
     output += `📏 Lines of Code: ${linesOfCode.toLocaleString()}\n`;
     output += `⚠️  Total Violations: ${totalViolations} (${errorCount} errors, ${warningCount} warnings)\n`;
     output += `📊 Violations per KLOC: ${violationsPerKLOC}\n`;
     if (violationsByRule.length > 0) {
       output += '\n🔍 Top Violations by Rule:\n';
       violationsByRule.slice(0, 10).forEach((item, index) => {
         output += `  ${index + 1}. ${item.rule_code}: ${item.count} violations (${item.severity})\n`;
       });
     }
     return output;
   }
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@sun-asterisk/sunlint",
-  "version": "1.3.18",
+  "version": "1.3.19",
   "description": "☀️ SunLint - Multi-language static analysis tool for code quality and security | Sun* Engineering Standards",
   "main": "cli.js",
   "bin": {
@@ -91,6 +91,7 @@
   },
   "dependencies": {
     "@babel/parser": "^7.25.8",
+    "@octokit/rest": "^22.0.0",
     "@typescript-eslint/eslint-plugin": "^8.38.0",
     "@typescript-eslint/parser": "^8.38.0",
     "chalk": "^4.1.2",
@@ -138,4 +139,4 @@
     "url": "https://github.com/sun-asterisk/engineer-excellence/issues"
   },
   "homepage": "https://github.com/sun-asterisk/engineer-excellence/tree/main/coding-quality/extensions/sunlint#readme"
-}
+}