@sun-asterisk/sunlint 1.3.18 → 1.3.20
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/config/rules/enhanced-rules-registry.json +77 -18
- package/core/cli-program.js +9 -1
- package/core/github-annotate-service.js +986 -0
- package/core/output-service.js +294 -6
- package/core/summary-report-service.js +30 -30
- package/docs/GITHUB_ACTIONS_INTEGRATION.md +421 -0
- package/package.json +2 -1
- package/rules/common/C014_dependency_injection/symbol-based-analyzer.js +392 -280
- package/rules/common/C017_constructor_logic/analyzer.js +137 -503
- package/rules/common/C017_constructor_logic/config.json +50 -0
- package/rules/common/C017_constructor_logic/symbol-based-analyzer.js +463 -0
- package/rules/security/S006_no_plaintext_recovery_codes/symbol-based-analyzer.js +463 -21
- package/rules/security/S011_secure_guid_generation/README.md +255 -0
- package/rules/security/S011_secure_guid_generation/analyzer.js +135 -0
- package/rules/security/S011_secure_guid_generation/config.json +56 -0
- package/rules/security/S011_secure_guid_generation/symbol-based-analyzer.js +609 -0
- package/rules/security/S028_file_upload_size_limits/README.md +537 -0
- package/rules/security/S028_file_upload_size_limits/analyzer.js +202 -0
- package/rules/security/S028_file_upload_size_limits/config.json +186 -0
- package/rules/security/S028_file_upload_size_limits/symbol-based-analyzer.js +530 -0
- package/rules/security/S041_session_token_invalidation/README.md +303 -0
- package/rules/security/S041_session_token_invalidation/analyzer.js +242 -0
- package/rules/security/S041_session_token_invalidation/config.json +175 -0
- package/rules/security/S041_session_token_invalidation/regex-based-analyzer.js +411 -0
- package/rules/security/S041_session_token_invalidation/symbol-based-analyzer.js +674 -0
- package/rules/security/S044_re_authentication_required/README.md +136 -0
- package/rules/security/S044_re_authentication_required/analyzer.js +242 -0
- package/rules/security/S044_re_authentication_required/config.json +161 -0
- package/rules/security/S044_re_authentication_required/regex-based-analyzer.js +329 -0
- package/rules/security/S044_re_authentication_required/symbol-based-analyzer.js +537 -0
- package/rules/security/S045_brute_force_protection/README.md +345 -0
- package/rules/security/S045_brute_force_protection/analyzer.js +336 -0
- package/rules/security/S045_brute_force_protection/config.json +139 -0
- package/rules/security/S045_brute_force_protection/symbol-based-analyzer.js +646 -0
- package/rules/common/C017_constructor_logic/semantic-analyzer.js +0 -340
|
@@ -870,6 +870,23 @@
|
|
|
870
870
|
"status": "stable",
|
|
871
871
|
"tags": ["security", "secrets", "hardcoded"]
|
|
872
872
|
},
|
|
873
|
+
"S028": {
|
|
874
|
+
"name": "Limit upload file size and number of files per user",
|
|
875
|
+
"description": "File uploads must enforce size limits and file quantity limits to prevent resource exhaustion and DoS attacks. Both file size and number of files should be limited at the server-side.",
|
|
876
|
+
"category": "security",
|
|
877
|
+
"severity": "error",
|
|
878
|
+
"languages": ["typescript", "javascript", "java"],
|
|
879
|
+
"analyzer": "./rules/security/S028_file_upload_size_limits/analyzer.js",
|
|
880
|
+
"version": "1.0.0",
|
|
881
|
+
"status": "stable",
|
|
882
|
+
"tags": [
|
|
883
|
+
"security",
|
|
884
|
+
"file-upload",
|
|
885
|
+
"dos-prevention",
|
|
886
|
+
"resource-limits",
|
|
887
|
+
"owasp"
|
|
888
|
+
]
|
|
889
|
+
},
|
|
873
890
|
"S029": {
|
|
874
891
|
"name": "Require CSRF Protection",
|
|
875
892
|
"description": "Require CSRF protection for state-changing operations",
|
|
@@ -1079,16 +1096,27 @@
|
|
|
1079
1096
|
}
|
|
1080
1097
|
},
|
|
1081
1098
|
"S041": {
|
|
1082
|
-
"name": "
|
|
1083
|
-
"description": "
|
|
1099
|
+
"name": "Session Tokens must be invalidated after logout or expiration",
|
|
1100
|
+
"description": "Session tokens must be properly invalidated after logout or expiration to prevent session hijacking and unauthorized access. This includes clearing session data, invalidating JWT tokens, and ensuring proper session cleanup.",
|
|
1084
1101
|
"category": "security",
|
|
1085
1102
|
"severity": "error",
|
|
1086
1103
|
"languages": ["typescript", "javascript"],
|
|
1087
|
-
"analyzer": "
|
|
1088
|
-
"
|
|
1104
|
+
"analyzer": "./rules/security/S041_session_token_invalidation/analyzer.js",
|
|
1105
|
+
"config": "./rules/security/S041_session_token_invalidation/config.json",
|
|
1089
1106
|
"version": "1.0.0",
|
|
1090
1107
|
"status": "stable",
|
|
1091
|
-
"tags": ["security", "session", "logout"]
|
|
1108
|
+
"tags": ["security", "session", "token", "logout", "invalidation", "owasp"],
|
|
1109
|
+
"strategy": {
|
|
1110
|
+
"preferred": "ast",
|
|
1111
|
+
"fallbacks": ["ast", "regex"],
|
|
1112
|
+
"accuracy": {
|
|
1113
|
+
"ast": 95,
|
|
1114
|
+
"regex": 85
|
|
1115
|
+
}
|
|
1116
|
+
},
|
|
1117
|
+
"engineMappings": {
|
|
1118
|
+
"heuristic": ["rules/security/S041_session_token_invalidation/analyzer.js"]
|
|
1119
|
+
}
|
|
1092
1120
|
},
|
|
1093
1121
|
"S042": {
|
|
1094
1122
|
"name": "Require Periodic Reauthentication",
|
|
@@ -1115,28 +1143,49 @@
|
|
|
1115
1143
|
"tags": ["security", "session", "password"]
|
|
1116
1144
|
},
|
|
1117
1145
|
"S044": {
|
|
1118
|
-
"name": "
|
|
1119
|
-
"description": "Require
|
|
1146
|
+
"name": "Re-authentication Required for Sensitive Operations",
|
|
1147
|
+
"description": "Require re-authentication before performing sensitive operations such as password changes, email changes, profile updates, and other critical account modifications. This prevents unauthorized access to sensitive account functions even if a session is compromised.",
|
|
1120
1148
|
"category": "security",
|
|
1121
1149
|
"severity": "error",
|
|
1122
1150
|
"languages": ["typescript", "javascript"],
|
|
1123
|
-
"analyzer": "
|
|
1124
|
-
"
|
|
1151
|
+
"analyzer": "./rules/security/S044_re_authentication_required/analyzer.js",
|
|
1152
|
+
"config": "./rules/security/S044_re_authentication_required/config.json",
|
|
1125
1153
|
"version": "1.0.0",
|
|
1126
1154
|
"status": "stable",
|
|
1127
|
-
"tags": ["security", "
|
|
1155
|
+
"tags": ["security", "authentication", "re-authentication", "sensitive-operations", "owasp"],
|
|
1156
|
+
"strategy": {
|
|
1157
|
+
"preferred": "ast",
|
|
1158
|
+
"fallbacks": ["ast", "regex"],
|
|
1159
|
+
"accuracy": {
|
|
1160
|
+
"ast": 95,
|
|
1161
|
+
"regex": 85
|
|
1162
|
+
}
|
|
1163
|
+
},
|
|
1164
|
+
"engineMappings": {
|
|
1165
|
+
"heuristic": ["rules/security/S044_re_authentication_required/analyzer.js"]
|
|
1166
|
+
}
|
|
1128
1167
|
},
|
|
1129
1168
|
"S045": {
|
|
1130
|
-
"name": "
|
|
1131
|
-
"description": "Implement
|
|
1169
|
+
"name": "Brute-force Protection",
|
|
1170
|
+
"description": "Implement protection against brute-force attacks on authentication endpoints. This rule detects missing rate limiting, account lockout mechanisms, and other brute-force protection measures in authentication flows.",
|
|
1132
1171
|
"category": "security",
|
|
1133
|
-
"severity": "
|
|
1172
|
+
"severity": "error",
|
|
1134
1173
|
"languages": ["typescript", "javascript"],
|
|
1135
|
-
"analyzer": "
|
|
1136
|
-
"
|
|
1174
|
+
"analyzer": "./rules/security/S045_brute_force_protection/analyzer.js",
|
|
1175
|
+
"config": "./rules/security/S045_brute_force_protection/config.json",
|
|
1137
1176
|
"version": "1.0.0",
|
|
1138
1177
|
"status": "stable",
|
|
1139
|
-
"tags": ["security", "
|
|
1178
|
+
"tags": ["security", "authentication", "brute-force", "rate-limiting", "owasp"],
|
|
1179
|
+
"strategy": {
|
|
1180
|
+
"preferred": "heuristic",
|
|
1181
|
+
"fallbacks": ["heuristic"],
|
|
1182
|
+
"accuracy": {
|
|
1183
|
+
"heuristic": 95
|
|
1184
|
+
}
|
|
1185
|
+
},
|
|
1186
|
+
"engineMappings": {
|
|
1187
|
+
"heuristic": "rules/security/S045_brute_force_protection/analyzer.js"
|
|
1188
|
+
}
|
|
1140
1189
|
},
|
|
1141
1190
|
"S046": {
|
|
1142
1191
|
"name": "Secure Notification on Auth Change",
|
|
@@ -1239,8 +1288,16 @@
|
|
|
1239
1288
|
"name": "One Behavior per Test (AAA Pattern)",
|
|
1240
1289
|
"description": "Enforce single behavior testing - each test should verify exactly one action/behavior with clear Arrange-Act-Assert structure",
|
|
1241
1290
|
"category": "common",
|
|
1242
|
-
"severity": "warning",
|
|
1243
|
-
"languages": [
|
|
1291
|
+
"severity": "warning",
|
|
1292
|
+
"languages": [
|
|
1293
|
+
"typescript",
|
|
1294
|
+
"javascript",
|
|
1295
|
+
"java",
|
|
1296
|
+
"csharp",
|
|
1297
|
+
"swift",
|
|
1298
|
+
"kotlin",
|
|
1299
|
+
"python"
|
|
1300
|
+
],
|
|
1244
1301
|
"analyzer": "./rules/common/C065_one_behavior_per_test/analyzer.js",
|
|
1245
1302
|
"config": "./rules/common/C065_one_behavior_per_test/config.json",
|
|
1246
1303
|
"version": "1.0.0",
|
|
@@ -1451,6 +1508,8 @@
|
|
|
1451
1508
|
"category": "general",
|
|
1452
1509
|
"severity": "warning",
|
|
1453
1510
|
"languages": ["typescript", "javascript"],
|
|
1511
|
+
"analyzer": "./rules/common/C017_constructor_logic/analyzer.js",
|
|
1512
|
+
"config": "./rules/common/C017_constructor_logic/config.json",
|
|
1454
1513
|
"version": "1.0.0",
|
|
1455
1514
|
"status": "migrated",
|
|
1456
1515
|
"tags": ["migrated"],
|
package/core/cli-program.js
CHANGED
|
@@ -36,7 +36,8 @@ function createCliProgram() {
|
|
|
36
36
|
.option('-o, --output <file>', 'Output file path')
|
|
37
37
|
.option('--output-summary <file>', 'Output summary report file path (JSON format for CI/CD)')
|
|
38
38
|
.option('--upload-report [url]', 'Upload summary report to API endpoint after analysis (default: Sun* Coding Standards API)')
|
|
39
|
-
.option('--config <file>', 'Configuration file path (default: auto-discover)')
|
|
39
|
+
.option('--config <file>', 'Configuration file path (default: auto-discover)')
|
|
40
|
+
.option('--github-annotate [mode]', 'Annotate GitHub PR: annotate (inline), summary (comment), all (both) - default: all');
|
|
40
41
|
|
|
41
42
|
// File targeting options
|
|
42
43
|
program
|
|
@@ -134,6 +135,13 @@ CI/CD Integration:
|
|
|
134
135
|
$ sunlint --all --output-summary=report.json --upload-report
|
|
135
136
|
$ sunlint --all --output-summary=report.json --upload-report=https://custom-api.com/reports
|
|
136
137
|
|
|
138
|
+
GitHub Actions Integration:
|
|
139
|
+
$ sunlint --all --input=src --github-annotate # Both inline + summary (default)
|
|
140
|
+
$ sunlint --all --input=src --github-annotate=annotate # Inline comments only
|
|
141
|
+
$ sunlint --all --input=src --github-annotate=summary # Summary comment only
|
|
142
|
+
$ sunlint --all --input=src --github-annotate=all # Both inline + summary
|
|
143
|
+
$ sunlint --all --changed-files --github-annotate # With changed files
|
|
144
|
+
|
|
137
145
|
ESLint Integration:
|
|
138
146
|
$ sunlint --typescript --eslint-integration --input=src
|
|
139
147
|
$ sunlint --all --eslint-integration --eslint-merge-rules --input=src
|