@sun-asterisk/sunlint 1.3.28 → 1.3.30

package/origin-rules/common-en.md

@@ -81,6 +81,20 @@
     - Use verbs that describe specific actions
     - Boolean functions should start with is/has/can/should
     - Avoid generic names that lack context
+    - Accepted verbs (reference list):
+      - Getters/Queries: `get`, `fetch`, `retrieve`, `find`, `search`, `query`, `load`
+      - Setters/Modifiers: `set`, `update`, `modify`, `change`, `edit`, `alter`, `transform`
+      - Creation: `create`, `build`, `make`, `generate`, `construct`, `produce`
+      - Deletion: `delete`, `remove`, `destroy`, `clean`, `clear`, `reset`
+      - Validation: `validate`, `verify`, `check`, `confirm`, `ensure`, `test`, `compare`
+      - Computation: `calculate`, `compute`, `parse`, `format`, `convert`
+      - Communication: `send`, `receive`, `transmit`, `broadcast`, `emit`, `publish`
+      - Collections: `map`, `filter`, `sort`, `group`, `merge`, `split`, `add`, `append`, `insert`
+      - State checks: `is`, `has`, `can`, `should`, `will`, `does`
+      - UI actions: `show`, `hide`, `display`, `render`, `draw`, `toggle`, `enable`, `disable`
+      - Lifecycle: `connect`, `disconnect`, `open`, `close`, `start`, `stop`, `run`, `refresh`
+      - Event Handling: `on`, `trigger`, `fire`, `dispatch`, `invoke`, `call`
+      - Monitoring: `count`, `measure`, `monitor`, `watch`, `track`, `observe`
 - **Applies to**: All languages
 - **Tools**: PR review, AI Suggestion (Copilot Review)
 - **Principles**: CODE_QUALITY

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sun-asterisk/sunlint",
-  "version": "1.3.28",
+  "version": "1.3.30",
   "description": "☀️ SunLint - Multi-language static analysis tool for code quality and security | Sun* Engineering Standards",
   "main": "cli.js",
   "bin": {

package/rules/common/C006_function_naming/analyzer.js

@@ -277,7 +277,7 @@ class SmartC006Analyzer {
       'delete', 'remove', 'destroy', 'clean', 'clear', 'reset',
       'load', 'save', 'fetch', 'retrieve', 'find', 'search', 'query',
       'validate', 'verify', 'check', 'confirm', 'ensure', 'test',
-      'calculate', 'compute', 'parse', 'format', 'convert',
+      'calculate', 'compute', 'compare', 'parse', 'format', 'convert',
       'send', 'receive', 'transmit', 'broadcast', 'emit', 'publish',
       'map', 'filter', 'sort', 'group', 'merge', 'split',
       'connect', 'disconnect', 'open', 'close', 'start', 'stop', 'run',
@@ -428,10 +428,13 @@ class SmartC006Analyzer {
     
     let reason = `Function '${functionName}' should follow verb-noun naming pattern`;
     let suggestion = this.generateSmartSuggestion(functionName, semanticIntent, architecturalContext);
-    
+
     if (architecturalContext.layer !== 'UNKNOWN') {
       reason += ` (${architecturalContext.layer} layer)`;
     }
+
+    // Add helpful note about accepted verbs
+    reason += `. Accepted verbs: get, set, create, update, delete, validate, check, compare, etc. See: https://coding-standards.sun-asterisk.vn/rules/rule/C006/`;
     
     return {
       isViolation: true,

package/rules/security/S041_session_token_invalidation/analyzer.js

@@ -29,7 +29,7 @@ class S041Analyzer {
     // Configuration
     this.config = {
       useSymbolBased: true, // Primary approach
-      fallbackToRegex: true, // Secondary approach
+      fallbackToRegex: false, // Secondary approach
       regexBasedOnly: false, // Can be set to true for pure mode
     };
 

package/rules/security/S041_session_token_invalidation/symbol-based-analyzer.js

@@ -11,6 +11,17 @@ class S041SymbolBasedAnalyzer {
     this.ruleId = "S041";
     this.category = "security";
 
+    this.skipPatterns = [
+      /\/node_modules\//,
+      /\/tests?\//,
+      /\/dist\//,
+      /\/build\//,
+      /\.spec\.ts$/,
+      /\.spec\.tsx$/,
+      /\.test\.ts$/,
+      /\.test\.tsx$/,
+    ];
+
     // Session management methods that should invalidate tokens
     this.sessionMethods = [
       "logout",
@@ -106,7 +117,7 @@ class S041SymbolBasedAnalyzer {
     }
   }
 
-  async analyze(filePath) {
+  async analyze(sourceFile, filePath) {
     if (this.verbose) {
       console.log(
         `🔍 [${this.ruleId}] Symbol: Starting analysis for ${filePath}`
@@ -123,7 +134,6 @@ class S041SymbolBasedAnalyzer {
     }
 
     try {
-      const sourceFile = this.semanticEngine.getSourceFile(filePath);
       if (!sourceFile) {
         if (this.verbose) {
           console.log(
@@ -179,6 +189,11 @@ class S041SymbolBasedAnalyzer {
         console.log(`🔍 [${this.ruleId}] Symbol: Starting symbol-based analysis`);
       }
 
+      if (this.shouldIgnoreFile(filePath)) {
+        if (verbose) console.log(`[${this.ruleId}] Ignoring ${filePath}`);
+        return [];
+      }
+
       const callExpressions = sourceFile.getDescendantsOfKind
         ? sourceFile.getDescendantsOfKind(
             require("typescript").SyntaxKind.CallExpression
@@ -669,6 +684,10 @@ class S041SymbolBasedAnalyzer {
       return null;
     }
   }
+
+  shouldIgnoreFile(filePath) {
+    return this.skipPatterns.some((pattern) => pattern.test(filePath));
+  }
 }
 
 module.exports = S041SymbolBasedAnalyzer;

package/rules/security/S042_require_re_authentication_for_long_lived/symbol-based-analyzer.js

@@ -25,7 +25,9 @@ class S042SymbolBasedAnalyzer {
       /\/dist\//,
       /\/build\//,
       /\.spec\.ts$/,
-      /\.test\.ts$/
+      /\.spec\.tsx$/,
+      /\.test\.ts$/,
+      /\.test\.tsx$/,
     ];
 
     // Sensitive action patterns
@@ -679,13 +681,16 @@ class S042SymbolBasedAnalyzer {
     const hasIdleTimeout = this.hasIdleTimeoutLogic(sourceFile);
 
     if (hasSessionConfig && !hasIdleTimeout) {
+      // Try to find the actual session configuration location
+      const sessionConfigLocation = this.findSessionConfigLocation(sourceFile);
+
       violations.push({
         ruleId: this.ruleId,
         ruleName: this.ruleName,
         severity: 'medium',
         message: `Session management detected but no idle timeout implementation found.`,
-        line: 1,
-        column: 1,
+        line: sessionConfigLocation.line,
+        column: sessionConfigLocation.column,
         filePath: sourceFile.getFilePath(),
         type: 'MISSING_IDLE_TIMEOUT_LOGIC',
         details: `Implement idle timeout to automatically expire sessions after ${this.formatDuration(this.MAX_IDLE_TIME)} of inactivity.`
@@ -695,6 +700,91 @@ class S042SymbolBasedAnalyzer {
     return violations;
   }
 
+  findSessionConfigLocation(sourceFile) {
+    const defaultLocation = { line: 1, column: 1 };
+
+    try {
+      // Look for session-related call expressions
+      const callExpressions = sourceFile.getDescendantsOfKind(SyntaxKind.CallExpression);
+
+      for (const callExpr of callExpressions) {
+        const expression = callExpr.getExpression();
+        const expressionText = expression.getText();
+
+        // Check for session middleware calls
+        if (expressionText.match(/session|express-session|cookie-session/i)) {
+          const args = callExpr.getArguments();
+
+          // If there's a config object argument, use its location
+          if (args.length > 0 && args[0].getKind() === SyntaxKind.ObjectLiteralExpression) {
+            const configObj = args[0];
+            return {
+              line: configObj.getStartLineNumber(),
+              column: configObj.getStart() - configObj.getStartLinePos() + 1
+            };
+          }
+
+          // Otherwise use the call expression location
+          return {
+            line: callExpr.getStartLineNumber(),
+            column: callExpr.getStart() - callExpr.getStartLinePos() + 1
+          };
+        }
+      }
+
+      // Look for variable declarations with session config
+      const variableDeclarations = sourceFile.getDescendantsOfKind(SyntaxKind.VariableDeclaration);
+
+      for (const varDecl of variableDeclarations) {
+        const name = varDecl.getName();
+
+        if (name.match(/sessionConfig|sessionOptions|sessionMiddleware/i)) {
+          const initializer = varDecl.getInitializer();
+
+          if (initializer) {
+            return {
+              line: initializer.getStartLineNumber(),
+              column: initializer.getStart() - initializer.getStartLinePos() + 1
+            };
+          }
+        }
+      }
+
+      // Look for object literals with session config keys
+      const objectLiterals = sourceFile.getDescendantsOfKind(SyntaxKind.ObjectLiteralExpression);
+
+      for (const objLiteral of objectLiterals) {
+        const properties = objLiteral.getProperties();
+        let sessionKeyCount = 0;
+
+        for (const prop of properties) {
+          if (prop.getKind() === SyntaxKind.PropertyAssignment) {
+            const name = prop.getName();
+            if (this.sessionConfigKeys.some(key => name === key)) {
+              sessionKeyCount++;
+            }
+          }
+        }
+
+        // If we found multiple session config keys, this is likely the config
+        if (sessionKeyCount >= 2) {
+          return {
+            line: objLiteral.getStartLineNumber(),
+            column: objLiteral.getStart() - objLiteral.getStartLinePos() + 1
+          };
+        }
+      }
+
+    } catch (error) {
+      // Fall back to default location on error
+      if (verbose) {
+        console.warn(`[${this.ruleId}] Failed to find session config location:`, error.message);
+      }
+    }
+
+    return defaultLocation;
+  }
+
   // Helper methods
 
   isJWTSignCall(expressionText) {
@@ -1046,7 +1136,10 @@ class S042SymbolBasedAnalyzer {
 
   hasSessionConfiguration(sourceFile) {
     const text = sourceFile.getText();
-    return /session\(|express-session|cookie-session|getSessionConfig|sessionConfig/i.test(text);
+
+    // More specific patterns for server-side session middleware
+    // Avoid matching client-side hooks like useSession()
+    return /express-session|cookie-session|session\.Session|getSessionConfig|sessionConfig|sessionOptions|sessionMiddleware|session\(\{|require\(['"](express-session|cookie-session)['"]\)/i.test(text);
   }
 
   hasIdleTimeoutLogic(sourceFile) {