@sun-asterisk/sunlint 1.3.26 → 1.3.27

package/config/rules/enhanced-rules-registry.json

@@ -496,16 +496,62 @@
       "tags": ["security", "idor", "access-control"]
     },
     "S003": {
-      "name": "No Unvalidated Redirect",
-      "description": "Prevent unvalidated redirects and forwards",
+      "name": "Open Redirect Protection",
+      "description": "URL redirects must validate against an allow list to prevent open redirect vulnerabilities",
       "category": "security",
       "severity": "error",
       "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s003",
+      "analyzer": "./rules/security/S003_open_redirect_protection/analyzer.js",
+      "config": "./rules/security/S003_open_redirect_protection/config.json",
+      "version": "1.0.0",
+      "status": "stable",
+      "tags": ["security", "owasp", "injection", "open-redirect", "phishing", "url-validation"],
+      "strategy": {
+        "preferred": "heuristic",
+        "fallbacks": ["heuristic"],
+        "accuracy": {
+          "heuristic": 95
+        }
+      },
+      "engineMappings": {
+        "heuristic": ["rules/security/S003_open_redirect_protection/analyzer.js"]
+      },
+      "metadata": {
+        "owaspCategory": "A03:2021 - Injection",
+        "cweId": "CWE-601",
+        "frameworks": ["Express", "NestJS", "Next.js", "Nuxt.js", "Spring Boot"],
+        "detectionPatterns": 28,
+        "testCases": 118
+      }
+    },
+    "S004": {
+      "name": "Sensitive Data Logging Protection",
+      "description": "Prevent logging of sensitive information like passwords, tokens, and payment data without proper redaction",
+      "category": "security",
+      "severity": "warning",
+      "languages": ["typescript", "javascript"],
+      "analyzer": "./rules/security/S004_sensitive_data_logging/analyzer.js",
+      "config": "./rules/security/S004_sensitive_data_logging/config.json",
       "version": "1.0.0",
       "status": "stable",
-      "tags": ["security", "redirect", "validation"]
+      "tags": ["security", "owasp", "logging", "sensitive-data", "pii", "credentials", "data-exposure"],
+      "strategy": {
+        "preferred": "heuristic",
+        "fallbacks": ["heuristic"],
+        "accuracy": {
+          "heuristic": 90
+        }
+      },
+      "engineMappings": {
+        "heuristic": ["rules/security/S004_sensitive_data_logging/analyzer.js"]
+      },
+      "metadata": {
+        "owaspCategory": "A09:2021 - Security Logging and Monitoring Failures",
+        "cweId": "CWE-532",
+        "frameworks": ["Express", "NestJS", "Next.js", "Nuxt.js", "Spring Boot", "Winston", "Pino", "Bunyan"],
+        "detectionPatterns": 90,
+        "testCases": 45
+      }
     },
     "S005": {
       "name": "No Origin Header Authentication",
@@ -636,16 +682,34 @@
       "tags": ["security", "uuid", "random"]
     },
     "S012": {
-      "name": "No Hardcoded Secrets",
-      "description": "Prevent hardcoded secrets in source code",
+      "name": "Hardcoded Secrets Protection",
+      "description": "Detects hardcoded secrets, API keys, passwords, tokens, and credentials in source code to prevent accidental exposure through version control",
       "category": "security",
       "severity": "error",
       "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s012",
+      "analyzer": "./rules/security/S012_hardcoded_secrets/analyzer.js",
+      "config": "./rules/security/S012_hardcoded_secrets/config.json",
       "version": "1.0.0",
       "status": "stable",
-      "tags": ["security", "secrets", "hardcoded"]
+      "tags": ["security", "owasp", "secrets", "credentials", "cryptographic-failures", "hardcoded-secrets", "api-keys", "passwords", "tokens"],
+      "strategy": {
+        "preferred": "heuristic",
+        "fallbacks": ["heuristic"],
+        "accuracy": {
+          "heuristic": 92
+        }
+      },
+      "engineMappings": {
+        "heuristic": ["rules/security/S012_hardcoded_secrets/analyzer.js"]
+      },
+      "metadata": {
+        "owaspCategory": "A02:2021 - Cryptographic Failures",
+        "cweId": "CWE-798",
+        "frameworks": ["Node.js", "Express", "NestJS", "Next.js", "React", "Vue", "Angular"],
+        "secretTypes": ["API Keys", "Passwords", "Access Tokens", "Private Keys", "JWT Secrets", "Database Credentials", "OAuth Secrets", "AWS Keys", "GitHub Tokens", "Slack Tokens"],
+        "detectionPatterns": 50,
+        "testCases": 30
+      }
     },
     "S013": {
       "name": "Verify TLS Connection",
@@ -736,16 +800,34 @@
       "tags": ["security", "validation", "input"]
     },
     "S019": {
-      "name": "No Raw User Input in Email",
-      "description": "Prevent raw user input in email content",
+      "name": "SMTP Injection Protection",
+      "description": "Detects potential SMTP/IMAP injection vulnerabilities by identifying unsanitized user input in email fields and direct SMTP protocol manipulation",
       "category": "security",
       "severity": "error",
       "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s019",
+      "analyzer": "./rules/security/S019_smtp_injection_protection/analyzer.js",
+      "config": "./rules/security/S019_smtp_injection_protection/config.json",
       "version": "1.0.0",
       "status": "stable",
-      "tags": ["security", "email", "injection"]
+      "tags": ["security", "owasp", "injection", "smtp", "email", "crlf"],
+      "strategy": {
+        "preferred": "heuristic",
+        "fallbacks": ["heuristic"],
+        "accuracy": {
+          "heuristic": 90
+        }
+      },
+      "engineMappings": {
+        "heuristic": ["rules/security/S019_smtp_injection_protection/analyzer.js"]
+      },
+      "metadata": {
+        "owaspCategory": "A03:2021 - Injection",
+        "cweId": "CWE-93, CWE-144",
+        "frameworks": ["Node.js", "Express", "NestJS", "Next.js"],
+        "emailLibraries": ["nodemailer", "sendgrid", "mailgun", "aws-ses", "postmark"],
+        "detectionTypes": ["Unsanitized email fields", "SMTP command injection", "CRLF injection"],
+        "testCases": 40
+      }
     },
     "S020": {
       "name": "Avoid using eval() or executing dynamic code",
@@ -1156,7 +1238,8 @@
       "category": "security",
       "severity": "error",
       "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
+      "analyzer": "./rules/security/S042_require_re_authentication_for_long_lived/analyzer.js",
+      "config": "./rules/security/S042_require_re_authentication_for_long_lived/config.json",
       "eslintRule": "custom/typescript_s042",
       "version": "1.0.0",
       "status": "stable",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sun-asterisk/sunlint",
-  "version": "1.3.26",
+  "version": "1.3.27",
   "description": "☀️ SunLint - Multi-language static analysis tool for code quality and security | Sun* Engineering Standards",
   "main": "cli.js",
   "bin": {

package/rules/common/C029_catch_block_logging/analyzer.js

@@ -215,14 +215,18 @@ class C029Analyzer {
     } else {
       // No logging found - check if there's valid error handling
       const hasErrorHandling = this.hasValidErrorHandling(block, exceptionVar);
-      
-      if (!hasErrorHandling && !this.isTestFile(filePath)) {
+
+      // Skip if underscore variable (intentional ignore) AND has error handling
+      const isIntentionallyIgnored = exceptionVar && exceptionVar.startsWith('_');
+      const shouldSkip = (isIntentionallyIgnored && hasErrorHandling) || this.isTestFile(filePath);
+
+      if (!hasErrorHandling && !shouldSkip) {
         violations.push(this.createViolation(
           filePath,
           startLine,
           startColumn,
           'no_logging',
-          exceptionVar 
+          exceptionVar
             ? `Catch block does not log exception '${exceptionVar}'`
             : 'Catch block does not log exception',
           'Add console.error() or logger.error() with error details',
@@ -232,7 +236,10 @@ class C029Analyzer {
     }
 
     // STAGE 4: Check for unused exception variable
-    if (exceptionVar && !this.isExceptionUsed(block, exceptionVar) && !this.hasExplicitIgnoreComment(catchClause)) {
+    // Skip if variable name starts with underscore (conventional way to indicate intentional ignore)
+    const isIntentionallyIgnored = exceptionVar && exceptionVar.startsWith('_');
+
+    if (exceptionVar && !isIntentionallyIgnored && !this.isExceptionUsed(block, exceptionVar) && !this.hasExplicitIgnoreComment(catchClause)) {
       violations.push(this.createViolation(
         filePath,
         startLine,
@@ -277,7 +284,8 @@ class C029Analyzer {
       usesExceptionVar: false,
       logLevels: [],
       hasStackTrace: false,
-      hasContextData: false
+      hasContextData: false,
+      loggingExpressions: [] // Track actual expressions used
     };
 
     // Find all call expressions
@@ -333,6 +341,9 @@ class C029Analyzer {
           arguments: argsText,
           line: call.getStartLineNumber()
         });
+
+        // Track expression for better error messages
+        loggingInfo.loggingExpressions.push(expressionText);
       }
     }
 
@@ -367,21 +378,32 @@ class C029Analyzer {
     const issues = [];
 
     // Issue 1: Using inappropriate log level (log/info/debug instead of error/warn)
-    const hasInappropriateLevel = loggingInfo.logLevels.some(level =>
-      this.config.inappropriateLevels.includes(level)
-    );
+    // BUT only for console.xxx, not for logger.xxx (custom loggers may have different semantics)
+    const hasInappropriateConsoleLevel = loggingInfo.calls.some(call => {
+      const isConsole = call.expression.startsWith('console.');
+      const isInappropriateLevel = this.config.inappropriateLevels.includes(call.level);
+      return isConsole && isInappropriateLevel;
+    });
+
+    if (hasInappropriateConsoleLevel && !this.isTestFile(filePath)) {
+      // Get only console calls with inappropriate levels
+      const consoleLevels = loggingInfo.calls
+        .filter(c => c.expression.startsWith('console.') && this.config.inappropriateLevels.includes(c.level))
+        .map(c => c.level);
 
-    if (hasInappropriateLevel && !this.isTestFile(filePath)) {
       issues.push({
         type: 'inappropriate_log_level',
-        message: `Catch block uses console.${loggingInfo.logLevels.join('/')} instead of console.error or console.warn`,
+        message: `Catch block uses console.${[...new Set(consoleLevels)].join('/')} instead of console.error or console.warn`,
         suggestion: 'Use console.error() or console.warn() for error logging in catch blocks',
         confidence: 0.75
       });
     }
 
     // Issue 2: Exception variable not included in logging
-    if (exceptionVar && !loggingInfo.usesExceptionVar) {
+    // Skip if variable is underscore (intentional ignore - developer explicitly doesn't want error details)
+    const isIntentionallyIgnored = exceptionVar && exceptionVar.startsWith('_');
+
+    if (exceptionVar && !isIntentionallyIgnored && !loggingInfo.usesExceptionVar) {
       issues.push({
         type: 'exception_not_logged',
         message: `Exception variable '${exceptionVar}' is not included in logging`,
@@ -462,7 +484,20 @@ class C029Analyzer {
       /utils?\.log/i,
       /helpers?\.log/i,
       /ErrorUtils/,
-      /ErrorService/
+      /ErrorService/,
+      // UI Feedback patterns (toast, notification, alert, etc.)
+      /toast\.(error|failed|show|warning)\s*\(/,
+      /notification\.(error|show|warning)\s*\(/,
+      /message\.(error|show|warning)\s*\(/,
+      /alert\s*\(/,
+      /showError\s*\(/,
+      /showMessage\s*\(/,
+      // Fallback/recovery actions
+      /window\.open\s*\(/,
+      /window\.location/,
+      /navigate\s*\(/,
+      /redirect\s*\(/,
+      /router\.(push|replace)\s*\(/
     ];
 
     if (errorHandlerPatterns.some(pattern => pattern.test(text))) {

package/rules/common/C033_separate_service_repository/symbol-based-analyzer.js

@@ -768,32 +768,52 @@ class C033SymbolBasedAnalyzer {
   analyzeControllerFile(sourceFile, filePath) {
     const violations = [];
     const classes = sourceFile.getClasses();
-    
+
     for (const cls of classes) {
       const className = cls.getName() || 'UnnamedClass';
       const methods = cls.getMethods();
-      
+
       for (const method of methods) {
         const methodBody = method.getBodyText() || '';
-        
+
         // Controllers should not directly access database
         for (const operation of this.databaseOperations) {
-          const pattern = new RegExp(`\\b${operation}\\s*\\(`, 'i');
-          if (pattern.test(methodBody)) {
-            violations.push({
-              ruleId: this.ruleId,
-              severity: 'warning',
-              message: `Controller class '${className}' should not directly access database with '${operation}'. Use Service layer instead.`,
-              file: filePath,
-              line: method.getStartLineNumber(),
-              column: 1
-            });
-            break;
+          const operationPattern = new RegExp(`\\b${operation}\\s*\\(`, 'gi');
+          const matches = methodBody.matchAll(operationPattern);
+
+          for (const match of matches) {
+            const matchIndex = match.index;
+            const contextStart = Math.max(0, matchIndex - 50);
+            const context = methodBody.substring(contextStart, matchIndex);
+
+            // Check if this is a call through service (ALLOWED)
+            // Matches: this.xxxService.method(), this.xxxUseCase.method(), this.xxxHandler.method()
+            const serviceCallPattern = /this\.([\w]+Service|[\w]+UseCase|[\w]+Handler)\s*\.\s*$/i;
+            if (serviceCallPattern.test(context)) {
+              continue; // Skip - this is allowed
+            }
+
+            // Check if this is direct database call (VIOLATION)
+            // Matches: this.repository, this.userRepository, this.entityManager, this.xxxClient, etc.
+            const directDbCallPattern = /this\.([\w]*Repository|[\w]*Repo|dataSource|connection|entityManager|manager|database|db|[\w]*Client|prisma)\./i;
+            const globalDbCallPattern = /(getRepository|getConnection|getManager|createQueryBuilder)\s*\([^)]*\)\s*\.?[\w.]*$/i;
+
+            if (directDbCallPattern.test(context) || globalDbCallPattern.test(context)) {
+              violations.push({
+                ruleId: this.ruleId,
+                severity: 'warning',
+                message: `Controller class '${className}' should not directly access database with '${operation}'. Use Service layer instead.`,
+                file: filePath,
+                line: method.getStartLineNumber(),
+                column: 1
+              });
+              break;
+            }
           }
         }
       }
     }
-    
+
     return violations;
   }
 }