@sun-asterisk/sunlint 1.3.27 → 1.3.29

package/rules/security/S017_use_parameterized_queries/symbol-based-analyzer.js

@@ -84,6 +84,76 @@ class S017SymbolBasedAnalyzer {
       "values",
     ];
 
+    // HTTP client libraries (NOT SQL - should be excluded)
+    this.httpClientLibraries = [
+      "axios",
+      "fetch",
+      "node-fetch",
+      "superagent",
+      "got",
+      "request",
+      "http",
+      "https",
+      "undici",
+      "@angular/common/http",
+    ];
+
+    // HTTP client variable/object names (case-insensitive patterns)
+    this.httpClientPatterns = [
+      /^axios/i,
+      /^fetch/i,
+      /^http/i,
+      /^https/i,
+      /client$/i,
+      /api$/i,
+      /request$/i,
+    ];
+
+    // Styled-components and CSS-in-JS libraries
+    this.styledLibraries = [
+      "styled-components",
+      "@emotion/styled",
+      "emotion",
+      "@mui/system",
+      "goober",
+    ];
+
+    // TypeORM migration file patterns
+    this.migrationFilePatterns = [
+      /\/migrations?\//,
+      /\\migrations?\\/,
+      /-\d{13,}\.ts$/,  // TypeORM migration timestamp pattern
+      /\.migration\.ts$/,
+    ];
+
+    // Swagger/API documentation file patterns
+    this.swaggerFilePatterns = [
+      /\.swagger\.ts$/,
+      /\/swagger\//,
+      /\\swagger\\/,
+    ];
+
+    // Validation message patterns (common in DTOs and Swagger docs)
+    this.validationMessagePatterns = [
+      /must be one of the following values:/i,
+      /should be one of:/i,
+      /isEnum:/i,
+      /constraints:/i,
+      /validation error/i,
+    ];
+
+    // DOM manipulation methods that use HTML templates (NOT SQL)
+    this.domManipulationMethods = [
+      "insertAdjacentHTML",
+      "innerHTML",
+      "outerHTML",
+      "insertAdjacentElement",
+      "insertAdjacentText",
+      "setHTML",
+      "write",
+      "writeln",
+    ];
+
     if (this.debug) {
       console.log(
         `🔧 [S017-Symbol] Constructor - databaseLibraries:`,
@@ -123,6 +193,22 @@ class S017SymbolBasedAnalyzer {
     const violations = [];
     const violationMap = new Map(); // Track unique violations
 
+    // IMPROVEMENT 1: Skip test files
+    if (this.isTestFile(filePath)) {
+      if (this.debug) {
+        console.log(`⏭️ [S017-Symbol] Skipping test file: ${filePath}`);
+      }
+      return violations;
+    }
+
+    // PHASE 3C IMPROVEMENT: Skip migration files
+    if (this.isMigrationFile(filePath)) {
+      if (this.debug) {
+        console.log(`⏭️ [S017-Symbol] Skipping migration file: ${filePath}`);
+      }
+      return violations;
+    }
+
     try {
       const project = new Project({
         useInMemoryFileSystem: true,
@@ -195,12 +281,17 @@ class S017SymbolBasedAnalyzer {
 
   /**
    * Add violations to map, avoiding duplicates
+   * PHASE 3B: Improved deduplication - use line:column only (ignore message)
    */
   addUniqueViolations(newViolations, violationMap) {
     newViolations.forEach((v) => {
-      const key = `${v.line}:${v.column}:${v.message}`;
+      // Use line:column as key to deduplicate same location violations
+      // Ignore message since different analyzers may report same location with different messages
+      const key = `${v.line}:${v.column}`;
       if (!violationMap.has(key)) {
         violationMap.set(key, v);
+      } else if (this.debug) {
+        console.log(`⏭️ [S017-Symbol] Skipping duplicate violation at ${key}`);
       }
     });
   }
@@ -269,6 +360,24 @@ class S017SymbolBasedAnalyzer {
         const methodName = this.getMethodName(callExpr);
 
         if (this.sqlMethods.includes(methodName)) {
+          // Skip HTTP client calls (e.g., axios.get(), fetch())
+          if (this.isHttpClientCall(callExpr)) {
+            return; // Skip this call
+          }
+
+          // Skip config getter calls (e.g., appConfig.get(...))
+          const expression = callExpr.getExpression();
+          if (expression.getKind() === SyntaxKind.PropertyAccessExpression) {
+            const propAccess = expression;
+            const object = propAccess.getExpression().getText();
+            if (methodName === 'get' && /config/i.test(object)) {
+              if (this.debug) {
+                console.log(`⚙️  [S017-Symbol] Skipping config getter in analyzeMethodCallsWithContext: ${object}.${methodName}()`);
+              }
+              return; // Skip config getter
+            }
+          }
+
           const args = callExpr.getArguments();
 
           if (args.length > 0) {
@@ -309,6 +418,11 @@ class S017SymbolBasedAnalyzer {
   analyzeSqlVariableAssignments(sourceFile, filePath) {
     const violations = [];
 
+    // Skip files in /queries/ or /query/ folders - these are SQL query definition files
+    if (filePath.includes('/queries/') || filePath.includes('/query/') || filePath.includes('\\queries\\') || filePath.includes('\\query\\')) {
+      return violations;
+    }
+
     sourceFile.forEachDescendant((node) => {
       if (node.getKind() === SyntaxKind.VariableDeclaration) {
         const varDecl = node;
@@ -318,6 +432,56 @@ class S017SymbolBasedAnalyzer {
           const vulnerability = this.checkForSqlConstruction(initializer);
 
           if (vulnerability) {
+            // Check if this is safe SQL fragment composition
+            if (initializer.getKind() === SyntaxKind.TemplateExpression) {
+              // PHASE 3A: Apply isParameterizedQuery check
+              if (this.isParameterizedQuery(initializer)) {
+                if (this.debug) {
+                  console.log(`✅ [S017-Symbol] Parameterized query in variable at line ${varDecl.getStartLineNumber()}`);
+                }
+                return; // Skip - safe parameterized query
+              }
+
+              // PHASE 3C: Check if this is a query fragment variable
+              if (this.isQueryFragmentVariable(varDecl)) {
+                if (this.debug) {
+                  console.log(`✅ [S017-Symbol] Query fragment variable at line ${varDecl.getStartLineNumber()}`);
+                }
+                return; // Skip - safe query fragment
+              }
+
+              if (this.hasOnlySafeSqlFragments(initializer)) {
+                if (this.debug) {
+                  console.log(`✅ [S017-Symbol] Safe SQL fragment in variable at line ${varDecl.getStartLineNumber()}`);
+                }
+                return; // Skip - safe SQL fragment composition
+              }
+
+              // Check if this is a URL construction (not SQL)
+              if (this.isUrlConstruction(initializer)) {
+                if (this.debug) {
+                  console.log(`✅ [S017-Symbol] URL construction in variable at line ${varDecl.getStartLineNumber()}`);
+                }
+                return; // Skip - URL construction
+              }
+
+              // Check if this is a logger call
+              if (this.isLoggerCall(initializer)) {
+                if (this.debug) {
+                  console.log(`✅ [S017-Symbol] Logger call in variable at line ${varDecl.getStartLineNumber()}`);
+                }
+                return; // Skip - logger call
+              }
+
+              // Check if this is a config getter
+              if (this.isConfigGetterCall(initializer)) {
+                if (this.debug) {
+                  console.log(`✅ [S017-Symbol] Config getter in variable at line ${varDecl.getStartLineNumber()}`);
+                }
+                return; // Skip - config getter
+              }
+            }
+
             violations.push({
               ruleId: this.ruleId,
               severity: "error",
@@ -410,8 +574,24 @@ class S017SymbolBasedAnalyzer {
   analyzeSqlArgument(argNode, methodName) {
     const kind = argNode.getKind();
 
+    // PHASE 3C: Skip NoSQL queries (different security concern)
+    if (this.isNoSqlQuery(argNode)) {
+      if (this.debug) {
+        console.log(`✅ [S017-Symbol] NoSQL query detected in ${methodName}()`);
+      }
+      return null; // Skip - NoSQL query, not SQL injection
+    }
+
     // Template expression with interpolation
     if (kind === SyntaxKind.TemplateExpression) {
+      // PHASE 3A: Apply isParameterizedQuery check
+      if (this.isParameterizedQuery(argNode)) {
+        if (this.debug) {
+          console.log(`✅ [S017-Symbol] Parameterized query in ${methodName}() call`);
+        }
+        return null; // Skip - safe parameterized query
+      }
+
       const templateSpans = argNode.getTemplateSpans();
       if (templateSpans.length > 0) {
         return {
@@ -681,22 +861,603 @@ class S017SymbolBasedAnalyzer {
     return text.length > 100 ? text.substring(0, 100) + "..." : text;
   }
 
+  /**
+   * Check if interpolated expression is a safe constant/fragment
+   */
+  isSafeSqlFragmentInterpolation(expression) {
+    const text = expression.getText();
+
+    // Check if it's an uppercase constant (e.g., SELECT_QUERY, BASE_SQL)
+    if (/^[A-Z_][A-Z0-9_]*$/.test(text)) {
+      return true;
+    }
+
+    // Check if it's a camelCase constant starting with lowercase (e.g., selectQuery, baseQuery)
+    if (/^[a-z][a-zA-Z0-9]*Query$|^[a-z][a-zA-Z0-9]*Sql$|^[a-z][a-zA-Z0-9]*Select$|^[a-z][a-zA-Z0-9]*CTE$/.test(text)) {
+      return true;
+    }
+
+    // Check if it's accessing a property that looks like a SQL fragment
+    if (text.includes('.') && (text.toLowerCase().includes('query') || text.toLowerCase().includes('sql') || text.toLowerCase().includes('select'))) {
+      return true;
+    }
+
+    // Check if it's a conditional expression with SQL fragment variables
+    // Pattern: condition ? sqlFragmentVar : '' or condition ? '' : sqlFragmentVar
+    if (expression.getKind() === SyntaxKind.ConditionalExpression) {
+      const condExpr = expression;
+      const whenTrue = condExpr.getWhenTrue();
+      const whenFalse = condExpr.getWhenFalse();
+
+      const trueText = whenTrue.getText();
+      const falseText = whenFalse.getText();
+
+      // Check if either branch is empty string and the other is a SQL fragment variable
+      if ((trueText === "''" || trueText === '""' || trueText === '``') && this.isSqlFragmentVariable(falseText)) {
+        return true;
+      }
+      if ((falseText === "''" || falseText === '""' || falseText === '``') && this.isSqlFragmentVariable(trueText)) {
+        return true;
+      }
+
+      // Check if both branches are SQL fragment variables
+      if (this.isSqlFragmentVariable(trueText) && this.isSqlFragmentVariable(falseText)) {
+        return true;
+      }
+    }
+
+    return false;
+  }
+
+  /**
+   * Check if a variable name looks like a SQL fragment variable
+   */
+  isSqlFragmentVariable(text) {
+    // Pattern: xxxQuery, xxxSql, xxxSelect, xxxWhere, xxxJoin, xxxCondition, etc.
+    return /^[a-z][a-zA-Z0-9]*(Query|Sql|Select|Where|Join|Condition|Fragment|Clause)$/i.test(text) ||
+           /^[A-Z_][A-Z0-9_]*(QUERY|SQL|SELECT|WHERE|JOIN|CONDITION|FRAGMENT|CLAUSE)$/.test(text);
+  }
+
+  /**
+   * Check if a template literal is wrapping a QueryBuilder result
+   * Pattern: const [query, params] = qb.getQueryAndParameters(); `...${query}...`
+   */
+  isQueryBuilderWrapping(template, sourceFile) {
+    const spans = template.getTemplateSpans();
+
+    for (const span of spans) {
+      const expression = span.getExpression();
+      const exprText = expression.getText();
+
+      // Check if interpolated variable is 'query' or 'sql' (common names for QueryBuilder results)
+      if (exprText === 'query' || exprText === 'sql' || exprText === 'sqlQuery') {
+        // Search in broader scope - check multiple levels up for getQueryAndParameters()
+        let scope = template.getParent();
+        let foundPattern = false;
+        let maxDepth = 10; // Limit depth to avoid infinite loops
+
+        while (scope && maxDepth > 0) {
+          const scopeText = scope.getText();
+
+          // Check if this scope contains getQueryAndParameters() call
+          // and destructuring assignment to the variable name
+          const hasQueryBuilderPattern =
+            scopeText.includes('getQueryAndParameters()') &&
+            (scopeText.includes(`[${exprText},`) || scopeText.includes(`[ ${exprText},`) ||
+             scopeText.includes(`[${exprText} ,`) || scopeText.includes(`[${exprText}]`) ||
+             scopeText.includes(`const ${exprText} =`) || scopeText.includes(`let ${exprText} =`));
+
+          if (hasQueryBuilderPattern) {
+            if (this.debug) {
+              console.log(`✅ [S017-Symbol] Detected QueryBuilder wrapping pattern with variable: ${exprText}`);
+            }
+            foundPattern = true;
+            break;
+          }
+
+          scope = scope.getParent();
+          maxDepth--;
+        }
+
+        if (foundPattern) {
+          return true;
+        }
+      }
+    }
+
+    return false;
+  }
+
+  /**
+   * Check if all interpolations in template are safe SQL fragments
+   */
+  hasOnlySafeSqlFragments(template) {
+    const spans = template.getTemplateSpans();
+
+    for (const span of spans) {
+      const expression = span.getExpression();
+      if (!this.isSafeSqlFragmentInterpolation(expression)) {
+        return false;
+      }
+    }
+
+    return true;
+  }
+
+  /**
+   * Check if file is a TypeORM migration file
+   */
+  isMigrationFile(filePath) {
+    return this.migrationFilePatterns.some(pattern => pattern.test(filePath));
+  }
+
+  /**
+   * Check if file is a Swagger/API documentation file
+   */
+  isSwaggerFile(filePath) {
+    return this.swaggerFilePatterns.some(pattern => pattern.test(filePath));
+  }
+
+  /**
+   * Check if template literal contains validation message pattern
+   */
+  isValidationMessage(template) {
+    const text = template.getText();
+    return this.validationMessagePatterns.some(pattern => pattern.test(text));
+  }
+
+  /**
+   * Check if template literal is used in logger/console call
+   */
+  isLoggerCall(template) {
+    let parent = template.getParent();
+
+    // Walk up to find if we're in a logger/console call
+    while (parent) {
+      if (parent.getKind() === SyntaxKind.CallExpression) {
+        const callExpr = parent;
+        const expression = callExpr.getExpression();
+        const callText = expression.getText();
+
+        // Check for logger methods
+        const loggerPatterns = [
+          /logger\.(log|error|warn|info|debug)/i,
+          /console\.(log|error|warn|info|debug)/i,
+          /log(Debug|Info|Warn|Error)/i,
+          /this\.logger\./i,
+        ];
+
+        if (loggerPatterns.some(pattern => pattern.test(callText))) {
+          if (this.debug) {
+            console.log(`📝 [S017-Symbol] Detected logger call: ${callText}()`);
+          }
+          return true;
+        }
+      }
+      parent = parent.getParent();
+    }
+
+    return false;
+  }
+
+  /**
+   * Check if template literal is used in config getter call
+   * e.g., appConfig.get(`service.vms.${site}`)
+   */
+  isConfigGetterCall(template) {
+    let parent = template.getParent();
+
+    // Walk up to find if we're in a config getter call
+    while (parent) {
+      if (parent.getKind() === SyntaxKind.CallExpression) {
+        const callExpr = parent;
+        const expression = callExpr.getExpression();
+
+        // Check if it's a PropertyAccessExpression (e.g., appConfig.get)
+        if (expression.getKind() === SyntaxKind.PropertyAccessExpression) {
+          const propAccess = expression;
+          const method = propAccess.getName();
+          const object = propAccess.getExpression().getText();
+
+          // Check for config getters: appConfig.get, config.get, etc.
+          if (method === 'get' && /config/i.test(object)) {
+            if (this.debug) {
+              console.log(`⚙️  [S017-Symbol] Detected config getter: ${object}.${method}()`);
+            }
+            return true;
+          }
+        }
+      }
+      parent = parent.getParent();
+    }
+
+    return false;
+  }
+
+  /**
+   * Check if template literal is likely a URL construction
+   */
+  isUrlConstruction(template) {
+    const text = template.getText();
+
+    // Strong URL indicators
+    const strongUrlPatterns = [
+      /https?:\/\//i,                           // Contains http:// or https://
+      /\/(api|endpoint|service)\/[\w-]+/i,     // Contains /api/, /endpoint/, /service/
+      /\?[\w]+=[^&\s]+&[\w]+=/,                // Multiple query parameters (e.g., ?where=...&limit=...)
+    ];
+
+    // If has strong URL pattern, it's definitely a URL
+    if (strongUrlPatterns.some(pattern => pattern.test(text))) {
+      if (this.debug) {
+        console.log(`🔗 [S017-Symbol] Detected URL construction (strong pattern)`);
+      }
+      return true;
+    }
+
+    // Check for URL variable patterns in interpolation
+    // e.g., ${database_base_url}, ${api_url}, ${baseUrl}
+    const urlVariablePatterns = [
+      /\$\{[^}]*(_url|_base_url|baseUrl|apiUrl|Base[Uu]rl|API[Uu]rl)[^}]*\}/,
+      /\$\{[^}]*database[^}]*url[^}]*\}/i,
+      /\$\{[^}]*service[^}]*url[^}]*\}/i,
+    ];
+
+    if (urlVariablePatterns.some(pattern => pattern.test(text))) {
+      if (this.debug) {
+        console.log(`🔗 [S017-Symbol] Detected URL construction (URL variable pattern)`);
+      }
+      return true;
+    }
+
+    // Weaker indicators - need more checks
+    const weakUrlPatterns = [
+      /\/[\w-]+\/[\w-]+\//,     // Contains path segments
+      /\?[\w]+=/,                // Contains query parameter
+    ];
+
+    if (weakUrlPatterns.some(pattern => pattern.test(text))) {
+      // Additional check: Make sure it's not actually SQL
+      // URL constructions usually don't have SELECT, INSERT, UPDATE, DELETE (but may have WHERE in query string)
+      const hasSqlDML = /\b(SELECT|INSERT|UPDATE|DELETE|ALTER|CREATE|DROP)\b/i.test(text);
+
+      if (!hasSqlDML) {
+        if (this.debug) {
+          console.log(`🔗 [S017-Symbol] Detected URL construction (weak pattern + no DML)`);
+        }
+        return true;
+      }
+    }
+
+    return false;
+  }
+
+  /**
+   * Check if a call expression is an HTTP client call
+   */
+  isHttpClientCall(callExpr) {
+    const expression = callExpr.getExpression();
+
+    // HTTP methods
+    const httpMethods = ['get', 'post', 'put', 'patch', 'delete', 'head', 'options', 'request'];
+
+    // Check for property access like axios.get(), fetch(), apiClient.post(), this.get()
+    if (expression.getKind() === SyntaxKind.PropertyAccessExpression) {
+      const propAccess = expression;
+      const method = propAccess.getName();
+
+      // Check if method is an HTTP method
+      if (!httpMethods.includes(method)) {
+        return false;
+      }
+
+      // Get the full object path (handles nested like apiClient.xxx.get)
+      let fullObject = propAccess.getExpression().getText();
+
+      // Check for config getters (appConfig.get, config.get, etc.) - NOT HTTP clients
+      if (/config/i.test(fullObject) && method === 'get') {
+        if (this.debug) {
+          console.log(`⚙️  [S017-Symbol] Skipping config getter: ${fullObject}.${method}()`);
+        }
+        return false;
+      }
+
+      // Check if the root object (first part) matches HTTP client patterns
+      // For "apiClient.maintenanceCustomerManagement.get()", check "apiClient"
+      const rootObject = fullObject.split('.')[0];
+      const isHttpObject = this.httpClientPatterns.some(pattern => pattern.test(rootObject));
+
+      if (isHttpObject) {
+        if (this.debug) {
+          console.log(`🌐 [S017-Symbol] Detected HTTP client call: ${fullObject}.${method}()`);
+        }
+        return true;
+      }
+
+      // For nested access, also check if any part contains API/client keywords
+      if (fullObject.includes('.')) {
+        const hasApiKeyword = /api|client|http|request|service/i.test(fullObject);
+        if (hasApiKeyword) {
+          if (this.debug) {
+            console.log(`🌐 [S017-Symbol] Detected nested HTTP client call: ${fullObject}.${method}()`);
+          }
+          return true;
+        }
+      }
+
+      // Check for this.get/post/etc() in API class contexts
+      if (rootObject === 'this') {
+        // Look for class that extends BaseApi, ApiClient, HttpClient, etc.
+        const classDecl = callExpr.getFirstAncestorByKind(SyntaxKind.ClassDeclaration);
+        if (classDecl) {
+          const extendsClause = classDecl.getExtends();
+          if (extendsClause) {
+            const baseClassName = extendsClause.getExpression().getText();
+            // Check if base class name suggests HTTP/API client
+            if (/Api|Client|Service|Http|Request/i.test(baseClassName)) {
+              if (this.debug) {
+                console.log(`🌐 [S017-Symbol] Detected HTTP client call in API class: this.${method}()`);
+              }
+              return true;
+            }
+          }
+        }
+      }
+    }
+
+    // Check for standalone fetch()
+    if (expression.getKind() === SyntaxKind.Identifier) {
+      const identifier = expression.getText();
+      if (['fetch', 'request'].includes(identifier)) {
+        if (this.debug) {
+          console.log(`🌐 [S017-Symbol] Detected HTTP client call: ${identifier}()`);
+        }
+        return true;
+      }
+    }
+
+    return false;
+  }
+
+  /**
+   * Check if a template literal is used in styled-components
+   */
+  isStyledComponentsCall(node) {
+    // Check if node is inside a tagged template with 'styled' or 'css'
+    let parent = node.getParent();
+
+    while (parent) {
+      if (parent.getKind() === SyntaxKind.TaggedTemplateExpression) {
+        const tag = parent.getTag().getText();
+        // Check for styled.div`...`, css`...`, styled(Component)`...`
+        if (tag.startsWith('styled') || tag === 'css' || tag.includes('styled.')) {
+          if (this.debug) {
+            console.log(`💅 [S017-Symbol] Detected styled-components usage`);
+          }
+          return true;
+        }
+      }
+      parent = parent.getParent();
+    }
+
+    return false;
+  }
+
+  /**
+   * Check if template literal is used in JSX/HTML attribute
+   */
+  isJsxAttribute(node) {
+    let parent = node.getParent();
+
+    // Walk up the tree to find JSX context
+    while (parent) {
+      const kind = parent.getKind();
+
+      // Check if we're inside a JSX attribute
+      if (kind === SyntaxKind.JsxAttribute || kind === SyntaxKind.JsxExpression) {
+        if (this.debug) {
+          console.log(`⚛️  [S017-Symbol] Detected JSX attribute context`);
+        }
+        return true;
+      }
+
+      // Check if we're inside JSX element
+      if (kind === SyntaxKind.JsxElement || kind === SyntaxKind.JsxSelfClosingElement || kind === SyntaxKind.JsxFragment) {
+        if (this.debug) {
+          console.log(`⚛️  [S017-Symbol] Detected JSX element context`);
+        }
+        return true;
+      }
+
+      parent = parent.getParent();
+    }
+
+    return false;
+  }
+
+  /**
+   * Check if template literal is used in DOM manipulation methods
+   * Examples: element.insertAdjacentHTML('afterbegin', `<tr>...</tr>`)
+   */
+  isDomManipulation(node) {
+    let parent = node.getParent();
+
+    // Walk up to find if we're inside a call expression
+    while (parent) {
+      const kind = parent.getKind();
+
+      // Check if parent is a call expression
+      if (kind === SyntaxKind.CallExpression) {
+        const callExpr = parent;
+        const expression = callExpr.getExpression();
+
+        // Check if it's a property access (e.g., element.insertAdjacentHTML)
+        if (expression.getKind() === SyntaxKind.PropertyAccessExpression) {
+          const propertyAccess = expression;
+          const propertyName = propertyAccess.getName();
+
+          // Check if the method name is a DOM manipulation method
+          if (this.domManipulationMethods.includes(propertyName)) {
+            if (this.debug) {
+              console.log(`🌐 [S017-Symbol] Detected DOM manipulation method: ${propertyName}`);
+            }
+            return true;
+          }
+        }
+      }
+
+      parent = parent.getParent();
+    }
+
+    return false;
+  }
+
+  /**
+   * Check if template literal contains only schema/DDL operations with constants
+   * (TypeORM migrations often use template literals for ALTER TABLE with computed column sizes)
+   */
+  isSchemaDDLWithConstants(template) {
+    const text = template.getText();
+    const upperText = text.toUpperCase();
+
+    // DDL keywords
+    const ddlKeywords = ['ALTER TABLE', 'CREATE TABLE', 'CREATE INDEX', 'DROP TABLE', 'ADD COLUMN', 'ALTER COLUMN', 'DROP COLUMN'];
+    const hasDDL = ddlKeywords.some(keyword => upperText.includes(keyword));
+
+    if (!hasDDL) {
+      return false;
+    }
+
+    // Check if interpolations are simple function calls or constants (not user data)
+    const spans = template.getTemplateSpans();
+    for (const span of spans) {
+      const expr = span.getExpression();
+      const exprText = expr.getText();
+
+      // Allow function calls like encryptedLength(128)
+      if (expr.getKind() === SyntaxKind.CallExpression) {
+        continue;
+      }
+
+      // Allow simple constants
+      if (/^[A-Z_][A-Z0-9_]*$/.test(exprText)) {
+        continue;
+      }
+
+      // Otherwise, it might be risky
+      return false;
+    }
+
+    return true;
+  }
+
   /**
    * Analyze universal SQL patterns regardless of imports
    */
   analyzeUniversalSqlPatterns(sourceFile, filePath) {
     const violations = [];
 
+    // Skip files in /queries/ or /query/ folders - these are SQL query definition files
+    if (filePath.includes('/queries/') || filePath.includes('/query/') || filePath.includes('\\queries\\') || filePath.includes('\\query\\')) {
+      if (this.debug) {
+        console.log(`⏭️  [S017-Symbol] Skipping query definition file: ${filePath}`);
+      }
+      return violations;
+    }
+
+    // Skip Swagger/API documentation files (validation messages, not SQL)
+    if (this.isSwaggerFile(filePath)) {
+      if (this.debug) {
+        console.log(`⏭️  [S017-Symbol] Skipping Swagger documentation file: ${filePath}`);
+      }
+      return violations;
+    }
+
     sourceFile.forEachDescendant((node) => {
       // Check template literals with SQL keywords
       if (node.getKind() === SyntaxKind.TemplateExpression) {
         const template = node;
         const text = template.getText();
 
+        // Skip styled-components and CSS-in-JS
+        if (this.isStyledComponentsCall(template)) {
+          return; // Skip - this is styled-components
+        }
+
+        // Skip JSX/HTML attributes (e.g., key={`select-${id}`}, data-testid={`...`})
+        if (this.isJsxAttribute(template)) {
+          return; // Skip - this is JSX attribute
+        }
+
+        // Skip DOM manipulation methods (e.g., element.insertAdjacentHTML(`<tr>...</tr>`))
+        if (this.isDomManipulation(template)) {
+          return; // Skip - this is DOM manipulation with HTML
+        }
+
+        // Skip validation messages (e.g., "must be one of the following values: ...")
+        if (this.isValidationMessage(template)) {
+          return; // Skip - this is validation message
+        }
+
+        // Skip logger/console calls (e.g., logger.error(`Error: ${message}`))
+        if (this.isLoggerCall(template)) {
+          return; // Skip - this is logger call
+        }
+
+        // Skip config getter calls (e.g., appConfig.get(`service.vms.${site}`))
+        if (this.isConfigGetterCall(template)) {
+          return; // Skip - this is config getter
+        }
+
+        // Skip URL construction (e.g., `${baseUrl}/api/${id}?where=${filter}`)
+        if (this.isUrlConstruction(template)) {
+          return; // Skip - this is URL construction
+        }
+
+        // IMPROVEMENT 2: Check if this is a parameterized query with safe conditional fragments
+        if (this.isParameterizedQuery(template)) {
+          if (this.debug) {
+            console.log(`✅ [S017-Symbol] Parameterized query with safe fragments at line ${template.getStartLineNumber()}`);
+          }
+          return; // Skip - this is a safe parameterized query
+        }
+
+        // PHASE 3C: Check if inside static array iteration
+        if (this.isStaticArrayIteration(template)) {
+          if (this.debug) {
+            console.log(`✅ [S017-Symbol] Static array iteration at line ${template.getStartLineNumber()}`);
+          }
+          return; // Skip - safe static array iteration
+        }
+
         // Check if template contains SQL keywords and has interpolation
         const containsSql = this.containsSqlKeywords(text);
 
         if (containsSql && template.getTemplateSpans().length > 0) {
+          // Check if all interpolations are safe SQL fragments/constants
+          if (this.hasOnlySafeSqlFragments(template)) {
+            if (this.debug) {
+              console.log(`✅ [S017-Symbol] Safe SQL fragment composition at line ${template.getStartLineNumber()}`);
+            }
+            return; // Skip - this is safe SQL fragment composition
+          }
+
+          // Check if this is QueryBuilder result wrapping
+          if (this.isQueryBuilderWrapping(template, sourceFile)) {
+            if (this.debug) {
+              console.log(`✅ [S017-Symbol] QueryBuilder wrapping at line ${template.getStartLineNumber()}`);
+            }
+            return; // Skip - QueryBuilder result wrapping
+          }
+
+          // Check if this is a schema DDL operation in a migration file with only constants
+          if (this.isMigrationFile(filePath) && this.isSchemaDDLWithConstants(template)) {
+            if (this.debug) {
+              console.log(`✅ [S017-Symbol] Safe DDL operation in migration at line ${template.getStartLineNumber()}`);
+            }
+            return; // Skip - safe DDL with constants in migration
+          }
+
           violations.push({
             ruleId: this.ruleId,
             severity: "error",
@@ -731,6 +1492,14 @@ class S017SymbolBasedAnalyzer {
           const hasSqlKeyword = this.containsSqlKeywords(fullText);
 
           if (hasSqlKeyword) {
+            // IMPROVEMENT 3: Skip validation messages in binary expressions
+            if (this.isValidationMessage(binExpr)) {
+              if (this.debug) {
+                console.log(`✅ [S017-Symbol] Skipping validation message at line ${binExpr.getStartLineNumber()}`);
+              }
+              return; // Skip - this is validation message
+            }
+
             violations.push({
               ruleId: this.ruleId,
               severity: "error",
@@ -759,6 +1528,382 @@ class S017SymbolBasedAnalyzer {
     return violations;
   }
 
+  /**
+   * IMPROVEMENT 1: Check if file is a test file
+   */
+  isTestFile(filePath) {
+    return (
+      filePath.includes('.test.') ||
+      filePath.includes('.spec.') ||
+      filePath.includes('__tests__/') ||
+      filePath.includes('__mocks__/') ||
+      filePath.includes('/test/') ||
+      filePath.includes('/tests/')
+    );
+  }
+
+  /**
+   * PHASE 3C IMPROVEMENT 1: Check if file is a database migration file
+   * Migration files typically contain DDL statements that are safe
+   */
+  isMigrationFile(filePath) {
+    return (
+      filePath.includes('/migrations/') ||
+      filePath.includes('\\migrations\\') ||
+      /\d{13,}-[A-Z]/.test(filePath) // Timestamp pattern like 1721804767710-AddColumn
+    );
+  }
+
+  /**
+   * PHASE 3C IMPROVEMENT 2: Check if template literal is inside a static array iteration
+   * Example: ['col1', 'col2'].forEach(col => query(`DROP COLUMN ${col}`))
+   */
+  isStaticArrayIteration(node) {
+    let parent = node.getParent();
+    let depth = 0;
+    const maxDepth = 5;
+
+    while (parent && depth < maxDepth) {
+      const kind = parent.getKind();
+
+      // Check for forEach/map/filter calls
+      if (kind === SyntaxKind.CallExpression) {
+        const expr = parent.getExpression();
+        const text = expr?.getText() || '';
+
+        // Check if it's .forEach(), .map(), .filter() etc.
+        if (text.includes('.forEach') || text.includes('.map') || text.includes('.filter')) {
+          // Get the object being called on (the array)
+          const arrayExpr = expr.getExpression?.();
+
+          if (arrayExpr) {
+            const arrayKind = arrayExpr.getKind();
+
+            // Check if it's a static array literal: ['a', 'b', 'c']
+            if (arrayKind === SyntaxKind.ArrayLiteralExpression) {
+              if (this.debug) {
+                console.log(`✅ [S017-Symbol] Found static array iteration`);
+              }
+              return true;
+            }
+          }
+        }
+      }
+
+      parent = parent.getParent();
+      depth++;
+    }
+
+    return false;
+  }
+
+  /**
+   * PHASE 3C IMPROVEMENT 3: Check if variable is a query fragment
+   * Query fragments are intermediate variables that build parts of SQL queries
+   */
+  isQueryFragmentVariable(node) {
+    const varName = node.getName?.();
+    if (!varName) return false;
+
+    // Check if variable name suggests it's a query fragment
+    const fragmentPatterns = [
+      /query/i,
+      /clause/i,
+      /condition/i,
+      /join/i,
+      /where/i,
+      /select/i,
+      /from/i,
+      /sql/i
+    ];
+
+    const matchesPattern = fragmentPatterns.some(p => p.test(varName));
+
+    if (matchesPattern) {
+      // Check if the initializer is a parameterized query
+      const initializer = node.getInitializer();
+      if (initializer && initializer.getKind() === SyntaxKind.TemplateExpression) {
+        if (this.isParameterizedQuery(initializer)) {
+          if (this.debug) {
+            console.log(`✅ [S017-Symbol] Query fragment variable detected: ${varName}`);
+          }
+          return true;
+        }
+      }
+    }
+
+    return false;
+  }
+
+  /**
+   * PHASE 3C IMPROVEMENT 4: Check if this is a NoSQL query (CosmosDB, MongoDB, etc.)
+   * NoSQL injection is a different security concern than SQL injection
+   */
+  isNoSqlQuery(node) {
+    // Get the method name being called
+    const methodName = this.getMethodName(node);
+
+    const noSqlMethods = [
+      'findByRawQueryWithPagination',
+      'findByStateQueryType',
+      'findByStateQueryTypeWithPagination',
+      'executeCosmosQuery',
+      'queryDocuments',
+      'cosmosQuery',
+      'mongoFind',
+      'mongoAggregate',
+      'findOne',
+      'findMany',
+      'aggregate'
+    ];
+
+    const isNoSql = noSqlMethods.some(m => methodName.includes(m));
+
+    if (isNoSql && this.debug) {
+      console.log(`✅ [S017-Symbol] NoSQL query detected: ${methodName}`);
+    }
+
+    return isNoSql;
+  }
+
+  /**
+   * Helper: Get method name from a call expression
+   */
+  getMethodName(node) {
+    let current = node;
+    let depth = 0;
+    const maxDepth = 3;
+
+    while (current && depth < maxDepth) {
+      if (current.getKind() === SyntaxKind.CallExpression) {
+        const expr = current.getExpression();
+        return expr?.getText() || '';
+      }
+      current = current.getParent();
+      depth++;
+    }
+
+    return '';
+  }
+
+  /**
+   * IMPROVEMENT 2: Check if template literal uses parameterized queries
+   * Detects patterns like :paramName, $1, $2, or ? placeholders
+   */
+  isParameterizedQuery(template) {
+    const text = template.getText();
+
+    // Check for TypeORM-style named parameters (:paramName)
+    const hasNamedParams = /:[\w]+/.test(text);
+
+    // Check for PostgreSQL-style positional parameters ($1, $2, etc.)
+    const hasPositionalParams = /\$\d+/.test(text);
+
+    // Check for MySQL/SQLite-style placeholders (?)
+    const hasQuestionMarks = /\?/.test(text);
+
+    if (!hasNamedParams && !hasPositionalParams && !hasQuestionMarks) {
+      return false; // No parameterization found
+    }
+
+    // If has parameters, check if interpolated expressions are safe
+    const templateSpans = template.getTemplateSpans();
+    if (templateSpans.length === 0) {
+      return true; // No interpolation, just static parameterized query
+    }
+
+    // Check each interpolated expression
+    for (const span of templateSpans) {
+      const expr = span.getExpression();
+      const kind = expr.getKind();
+
+      // Safe pattern 1: Conditional expression with SQL fragments
+      if (kind === SyntaxKind.ConditionalExpression) {
+        const whenTrue = expr.getWhenTrue()?.getText() || '';
+        const whenFalse = expr.getWhenFalse()?.getText() || '';
+
+        // PHASE 2 IMPROVEMENT: Enhanced SQL fragment detection
+        const isSqlFragment = (str) => {
+          const trimmed = str.trim();
+
+          // Empty string is always safe
+          if (trimmed === '' || trimmed === "''" || trimmed === '""' || trimmed === '``') {
+            return true;
+          }
+
+          // Remove surrounding quotes to analyze content (but keep backticks for template literals)
+          let unquoted = trimmed.replace(/^['"]|['"]$/g, '');
+
+          // Special handling for nested template literals (e.g., `AND date >= :date`)
+          // These are common in TypeORM conditional queries
+          if (unquoted.startsWith('`') && unquoted.endsWith('`')) {
+            unquoted = unquoted.slice(1, -1); // Remove outer backticks
+          }
+
+          // Check if contains SQL keywords
+          const hasSqlKeywords = /\b(AND|OR|WHERE|JOIN|LEFT JOIN|RIGHT JOIN|INNER JOIN|OUTER JOIN|ORDER BY|GROUP BY|HAVING|LIMIT|OFFSET|UNION|SELECT|FROM|SET|VALUES|INSERT|UPDATE|DELETE|TO_DATE|CAST|CONVERT)\b/i.test(unquoted);
+
+          if (!hasSqlKeywords) {
+            // No SQL keywords, likely safe string
+            return true;
+          }
+
+          // Has SQL keywords - check if parameterized
+          const hasParams = /:[\w]+|\$\d+|\?/.test(unquoted);
+
+          if (!hasParams) {
+            // SQL keywords but no parameters - could be unsafe
+            // However, check if it's just static SQL syntax (no variables at all)
+            // Pattern: pure SQL like 'ORDER BY created_at DESC' or 'AND NOT del_flg'
+            const hasVariablePlaceholders = /\$\{[^}]+\}/.test(str); // Template interpolation like ${var}
+
+            if (hasVariablePlaceholders) {
+              return false; // Unsafe: has SQL keywords and variable interpolation
+            }
+
+            // Check for common safe static SQL patterns
+            const isSafeStaticSql = (
+              /^\s*(AND|OR)\s+(NOT\s+)?\w+\s*$/i.test(unquoted) || // 'AND NOT del_flg'
+              /ORDER\s+BY\s+[\w.]+\s+(ASC|DESC)?/i.test(unquoted) || // 'ORDER BY col ASC'
+              /GROUP\s+BY\s+[\w.,\s]+/i.test(unquoted) || // 'GROUP BY col1, col2'
+              /LIMIT\s+\d+/i.test(unquoted) || // 'LIMIT 10'
+              /OFFSET\s+\d+/i.test(unquoted) // 'OFFSET 20'
+            );
+
+            if (isSafeStaticSql) {
+              return true; // Safe static SQL clause
+            }
+
+            // No variable interpolation in this branch - likely safe static SQL
+            return true;
+          }
+
+          // Has SQL keywords AND parameters - check if safe
+          // Safe patterns:
+          // 1. 'AND column = :param'
+          // 2. 'WHERE id IN (:ids)'
+          // 3. `AND date >= :dateFrom`
+          // 4. `AND date >= TO_DATE(:dateStr, 'YYYY/MM/DD')`
+
+          // Unsafe patterns (has direct variable interpolation):
+          // 1. 'AND column = ' + variable (this would be binary expression, not template)
+          // 2. `AND ${columnName} = :value` (dynamic column name)
+
+          // Check for unsafe dynamic column/table names
+          const hasDynamicIdentifiers = /\$\{[\w.]+\}\s*=/i.test(str) || // ${col} =
+                                       /=\s*\$\{[\w.]+\}(?!:)/i.test(str) || // = ${val} (not := or ::)
+                                       /FROM\s+\$\{/i.test(str) || // FROM ${table}
+                                       /JOIN\s+\$\{/i.test(str); // JOIN ${table}
+
+          if (hasDynamicIdentifiers) {
+            return false; // Unsafe: dynamic column or table names
+          }
+
+          // Passed all checks - this is a safe parameterized SQL fragment
+          return true;
+        };
+
+        if (isSqlFragment(whenTrue) && isSqlFragment(whenFalse)) {
+          continue; // Safe conditional SQL fragment
+        }
+      }
+
+      // Safe pattern 2: Property access (e.g., obj.length, array?.length)
+      if (kind === SyntaxKind.PropertyAccessExpression) {
+        const propAccess = expr.asKindOrThrow(SyntaxKind.PropertyAccessExpression);
+        const propName = propAccess.getName();
+        if (propName === 'length') {
+          continue; // .length check is safe for conditionals
+        }
+      }
+
+      // Safe pattern 3: Optional chaining property access (e.g., obj?.length)
+      if (kind === SyntaxKind.PropertyAccessExpression) {
+        const text = expr.getText();
+        if (text.includes('?.length')) {
+          continue; // Optional chaining .length is safe
+        }
+      }
+
+      // Safe pattern 4: Binary expression for length checks (e.g., arr.length > 0)
+      if (kind === SyntaxKind.BinaryExpression) {
+        const binExpr = expr;
+        const text = binExpr.getText();
+        // Check if it's a length comparison
+        if (/\.length\s*[><=!]+\s*\d+/.test(text) || /\d+\s*[><=!]+\s*\.length/.test(text)) {
+          continue; // Length comparison is safe
+        }
+      }
+
+      // Safe pattern 5: Logical expressions (e.g., defined !== undefined && defined !== null)
+      if (kind === SyntaxKind.BinaryExpression) {
+        const binExpr = expr;
+        const text = binExpr.getText();
+        // Check for null/undefined checks
+        if (/(undefined|null|!==|===)/.test(text) && !/SELECT|INSERT|UPDATE|DELETE|WHERE|FROM/i.test(text)) {
+          continue; // Null/undefined check is safe
+        }
+      }
+
+      // If we get here, the interpolation might be unsafe
+      return false;
+    }
+
+    return true; // All checks passed
+  }
+
+  /**
+   * IMPROVEMENT 3: Check if node is inside a validation message context
+   */
+  isValidationMessage(node) {
+    let parent = node.getParent();
+    let depth = 0;
+    const maxDepth = 10;
+
+    while (parent && depth < maxDepth) {
+      const kind = parent.getKind();
+
+      // Check if inside a validator or constraint class
+      if (kind === SyntaxKind.ClassDeclaration) {
+        const className = parent.getName?.() || '';
+        if (
+          className.includes('Validator') ||
+          className.includes('Constraint') ||
+          className.includes('Decorator') ||
+          className.includes('ValidationRule')
+        ) {
+          return true;
+        }
+      }
+
+      // Check if assigned to 'message' or 'defaultMessage' property
+      if (kind === SyntaxKind.PropertyAssignment) {
+        const propName = parent.getName?.() || '';
+        if (propName === 'message' || propName === 'defaultMessage' || propName === 'description') {
+          return true;
+        }
+      }
+
+      // Check if inside decorator
+      if (kind === SyntaxKind.Decorator) {
+        return true;
+      }
+
+      parent = parent.getParent();
+      depth++;
+    }
+
+    // Check text content for validation message patterns
+    const text = node.getText();
+    for (const pattern of this.validationMessagePatterns) {
+      if (pattern.test(text)) {
+        return true;
+      }
+    }
+
+    return false;
+  }
+
   /**
    * Get analyzer metadata
    */