@sun-asterisk/sunlint 1.3.26 → 1.3.28

package/rules/security/S013_tls_enforcement/symbol-based-analyzer.js

@@ -29,11 +29,38 @@ class S013SymbolBasedAnalyzer {
     try {
       const { SyntaxKind } = require("ts-morph");
 
+      // Skip test files - they use http:// for mocking
+      if (
+        filePath.includes('.test.') ||
+        filePath.includes('.spec.') ||
+        filePath.includes('__tests__/') ||
+        filePath.includes('__mocks__/')
+      ) {
+        return violations; // Skip test files
+      }
+
       // Check for imports/requires of 'http' module
       const importDecls = sourceFile.getImportDeclarations();
       for (const imp of importDecls) {
         const moduleName = imp.getModuleSpecifierValue();
         if (moduleName === "http") {
+          // Check if it's only used for typing (e.g., http.IncomingMessage)
+          const namedImports = imp.getNamedImports();
+          const namespaceImport = imp.getNamespaceImport();
+
+          // Skip if it's a namespace import used only for types
+          if (namespaceImport) {
+            const importName = namespaceImport.getText();
+            const sourceText = sourceFile.getFullText();
+            // Check if only used for typing (e.g., import * as http for http.IncomingMessage type)
+            const usagePattern = new RegExp(`${importName}\\.(?:IncomingMessage|ServerResponse|Server)`, 'g');
+            const actualUsagePattern = new RegExp(`${importName}\\.(?:createServer|get|request)\\s*\\(`, 'g');
+
+            if (usagePattern.test(sourceText) && !actualUsagePattern.test(sourceText)) {
+              continue; // Only used for typing, not actual HTTP calls
+            }
+          }
+
           const startLine = imp.getStartLineNumber();
           violations.push({
             ruleId: this.ruleId,
@@ -148,6 +175,30 @@ class S013SymbolBasedAnalyzer {
             if (kind === SyntaxKind.StringLiteral) {
               const lit = a.getLiteralValue();
               if (/^http:\/\//i.test(lit)) {
+                // Skip if it's a string check in utility functions (e.g., startsWith('http://'))
+                if (lit === 'http://' || lit === 'https://') {
+                  const callText = call.getParent().getText();
+                  // Check if it's used in string manipulation (startsWith, replace, includes, etc.)
+                  if (
+                    /\.(?:startsWith|replace|includes|indexOf|match|test)\s*\(/.test(callText) ||
+                    /case\s+.*startsWith/.test(callText)
+                  ) {
+                    continue; // Skip utility functions that convert http -> https
+                  }
+                }
+
+                // Skip localhost URLs used as base URL for parsing (e.g., new URL(path, 'http://localhost'))
+                if (lit === 'http://localhost' && args.length >= 2) {
+                  // This is likely used as base URL for URL constructor
+                  continue;
+                }
+
+                // Skip Swagger .addServer() with localhost in development
+                const callExprText = expr.getText();
+                if (/\.addServer/.test(callExprText) && /localhost/.test(lit)) {
+                  continue; // Swagger config for local development
+                }
+
                 const msgPrefix = isNewExpression
                   ? "Constructor"
                   : "Insecure client call";
@@ -176,6 +227,16 @@ class S013SymbolBasedAnalyzer {
             ) {
               const text = a.getText();
               if (/http:\/\//i.test(text)) {
+                // Skip Firebase Emulator configuration (local development only)
+                const callExprText = expr.getText();
+                if (
+                  /connect.*Emulator/i.test(callExprText) ||
+                  (text.includes('localhost') || text.includes('EMULATOR_HOST') || text.includes('127.0.0.1'))
+                ) {
+                  // Firebase/local emulator config - safe for development
+                  continue;
+                }
+
                 violations.push({
                   ruleId: this.ruleId,
                   message: `Insecure URL in template literal detected - use 'https://'`,
@@ -220,6 +281,11 @@ class S013SymbolBasedAnalyzer {
                   column: 1,
                 });
               } else if (/^http:\/\//i.test(lit)) {
+                // Skip localhost URLs used as base URL for URL constructor (e.g., new URL(path, 'http://localhost'))
+                if (lit === 'http://localhost' && args.length >= 2) {
+                  continue; // Used as base URL for parsing
+                }
+
                 violations.push({
                   ruleId: this.ruleId,
                   message: `Constructor with insecure URL '${lit}' detected - use 'https://'`,
@@ -266,6 +332,27 @@ class S013SymbolBasedAnalyzer {
             if (kind === SyntaxKind.StringLiteral) {
               const value = initializer.getLiteralValue();
               if (/^http:\/\//i.test(value)) {
+                // Skip API documentation examples
+                if (value === 'http://example.com' || value === 'http://localhost') {
+                  // Check if this is inside @ApiProperty decorator
+                  const propertyName = prop.getName && prop.getName();
+                  const parent = prop.getParent();
+                  const grandParent = parent && parent.getParent();
+
+                  // Check for @ApiProperty({ example: 'http://...' })
+                  if (grandParent) {
+                    const decorators = grandParent.getDecorators && grandParent.getDecorators();
+                    if (decorators && decorators.some(d => d.getText().includes('ApiProperty'))) {
+                      continue; // Skip API documentation examples
+                    }
+                  }
+
+                  // Also check if property name is 'example'
+                  if (propertyName === 'example') {
+                    continue; // Skip example values
+                  }
+                }
+
                 violations.push({
                   ruleId: this.ruleId,
                   message: `Object property contains insecure URL '${value}' - use 'https://'`,

package/rules/security/S017_use_parameterized_queries/analyzer.js

@@ -1,12 +1,10 @@
 /**
  * S017 Main Analyzer - Always use parameterized queries
- * Primary: Symbol-based analysis (when available)
- * Fallback: Regex-based for all other cases
+ * Uses symbol-based analysis only (regex-based removed)
  * Command: node cli.js --rule=S017 --input=examples/rule-test-fixtures/rules/S017_use_parameterized_queries --engine=heuristic
  */
 
 const S017SymbolBasedAnalyzer = require("./symbol-based-analyzer.js");
-const S017RegexBasedAnalyzer = require("./regex-based-analyzer.js");
 
 class S017Analyzer {
   constructor(options = {}) {
@@ -26,14 +24,7 @@ class S017Analyzer {
     this.semanticEngine = options.semanticEngine || null;
     this.verbose = options.verbose || false;
 
-    // Configuration
-    this.config = {
-      useSymbolBased: true, // Primary approach
-      fallbackToRegex: true, // Secondary approach
-      regexBasedOnly: false, // Can be set to true for pure mode
-    };
-
-    // Initialize analyzers
+    // Initialize symbol analyzer only
     try {
       this.symbolAnalyzer = new S017SymbolBasedAnalyzer(this.semanticEngine);
       if (process.env.SUNLINT_DEBUG) {
@@ -43,15 +34,6 @@ class S017Analyzer {
       console.error(`🔧 [S017] Error creating symbol analyzer:`, error);
     }
 
-    try {
-      this.regexAnalyzer = new S017RegexBasedAnalyzer(this.semanticEngine);
-      if (process.env.SUNLINT_DEBUG) {
-        console.log(`🔧 [S017] Regex analyzer created successfully`);
-      }
-    } catch (error) {
-      console.error(`🔧 [S017] Error creating regex analyzer:`, error);
-    }
-
     if (process.env.SUNLINT_DEBUG) {
       console.log(`🔧 [S017] Constructor completed`);
     }
@@ -66,25 +48,19 @@ class S017Analyzer {
     }
     this.verbose = semanticEngine?.verbose || false;
 
-    // Initialize both analyzers
+    // Initialize symbol analyzer
     if (this.symbolAnalyzer) {
       await this.symbolAnalyzer.initialize?.(semanticEngine);
     }
-    if (this.regexAnalyzer) {
-      await this.regexAnalyzer.initialize?.(semanticEngine);
-    }
 
     // Ensure verbose flag is propagated
-    if (this.regexAnalyzer) {
-      this.regexAnalyzer.verbose = this.verbose;
-    }
     if (this.symbolAnalyzer) {
       this.symbolAnalyzer.verbose = this.verbose;
     }
 
     if (this.verbose) {
       console.log(
-        `🔧 [S017 Hybrid] Analyzer initialized - verbose: ${this.verbose}`
+        `🔧 [S017] Analyzer initialized - verbose: ${this.verbose}`
       );
     }
   }
@@ -147,15 +123,11 @@ class S017Analyzer {
     // Create a Set to track unique violations and prevent duplicates
     const violationMap = new Map();
 
-    // 1. Try Symbol-based analysis first (primary)
-    if (
-      this.config.useSymbolBased &&
-      this.semanticEngine?.project &&
-      this.semanticEngine?.initialized
-    ) {
+    // Symbol-based analysis only
+    if (this.semanticEngine?.project && this.semanticEngine?.initialized) {
       try {
         if (process.env.SUNLINT_DEBUG) {
-          console.log(`🔧 [S017] Trying symbol-based analysis...`);
+          console.log(`🔧 [S017] Running symbol-based analysis...`);
         }
         const sourceFile = this.semanticEngine.project.getSourceFile(filePath);
         if (sourceFile) {
@@ -197,12 +169,10 @@ class S017Analyzer {
         }
       } catch (error) {
         console.warn(`⚠️ [S017] Symbol analysis failed: ${error.message}`);
-        // Continue to fallback
       }
     } else {
       if (process.env.SUNLINT_DEBUG) {
         console.log(`🔄 [S017] Symbol analysis conditions check:`);
-        console.log(`  - useSymbolBased: ${this.config.useSymbolBased}`);
         console.log(`  - semanticEngine: ${!!this.semanticEngine}`);
         console.log(
           `  - semanticEngine.project: ${!!this.semanticEngine?.project}`
@@ -210,51 +180,14 @@ class S017Analyzer {
         console.log(
           `  - semanticEngine.initialized: ${this.semanticEngine?.initialized}`
         );
-        console.log(
-          `🔄 [S017] Symbol analysis unavailable, using regex fallback`
-        );
+        console.log(`🔄 [S017] Symbol analysis unavailable`);
       }
     }
 
-    // 2. Fallback to regex-based analysis (only if symbol-based failed or unavailable)
-    if (this.config.fallbackToRegex) {
-      try {
-        if (process.env.SUNLINT_DEBUG) {
-          console.log(`🔧 [S017] Trying regex-based analysis...`);
-        }
-
-        // Read file content for regex analyzer
-        const fs = require("fs");
-        const fileContent = fs.readFileSync(filePath, "utf8");
-
-        const violations = await this.regexAnalyzer.analyzeFile(
-          filePath,
-          fileContent,
-          options
-        );
-
-        // Add violations to map to deduplicate
-        violations.forEach((v) => {
-          const key = `${v.line}:${v.column}:${v.message}`;
-          if (!violationMap.has(key)) {
-            v.analysisStrategy = "regex-fallback";
-            violationMap.set(key, v);
-          }
-        });
-
-        if (process.env.SUNLINT_DEBUG) {
-          console.log(
-            `🔄 [S017] Regex-based analysis: ${violations.length} violations`
-          );
-        }
-        return Array.from(violationMap.values()); // Return deduplicated violations
-      } catch (error) {
-        console.error(`⚠ [S017] Regex analysis failed: ${error.message}`);
-      }
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S017] Analysis completed: ${violationMap.size} violations`);
     }
-
-    console.log(`🔧 [S017] No analysis methods succeeded, returning empty`);
-    return [];
+    return Array.from(violationMap.values());
   }
 
   /**