@sun-asterisk/sunlint 1.3.29 → 1.3.31

package/rules/security/S031_secure_session_cookies/analyzer.js

@@ -1,12 +1,10 @@
 /**
  * S031 Main Analyzer - Set Secure flag for Session Cookies
- * Primary: Symbol-based analysis (when available)
- * Fallback: Regex-based for all other cases
+ * Uses symbol-based analysis only (regex-based removed)
  * Command: node cli.js --rule=S031 --input=examples/rule-test-fixtures/rules/S031_secure_session_cookies --engine=heuristic
  */
 
 const S031SymbolBasedAnalyzer = require("./symbol-based-analyzer.js");
-const S031RegexBasedAnalyzer = require("./regex-based-analyzer.js");
 
 class S031Analyzer {
   constructor(options = {}) {
@@ -26,14 +24,7 @@ class S031Analyzer {
     this.semanticEngine = options.semanticEngine || null;
     this.verbose = options.verbose || false;
 
-    // Configuration
-    this.config = {
-      useSymbolBased: true, // Primary approach
-      fallbackToRegex: true, // Secondary approach
-      regexBasedOnly: false, // Can be set to true for pure mode
-    };
-
-    // Initialize analyzers
+    // Initialize symbol analyzer only
     try {
       this.symbolAnalyzer = new S031SymbolBasedAnalyzer(this.semanticEngine);
       if (process.env.SUNLINT_DEBUG) {
@@ -43,48 +34,39 @@ class S031Analyzer {
       console.error(`🔧 [S031] Error creating symbol analyzer:`, error);
     }
 
-    try {
-      this.regexAnalyzer = new S031RegexBasedAnalyzer(this.semanticEngine);
-      if (process.env.SUNLINT_DEBUG) {
-        console.log(`🔧 [S031] Regex analyzer created successfully`);
-      }
-    } catch (error) {
-      console.error(`🔧 [S031] Error creating regex analyzer:`, error);
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S031] Constructor completed`);
     }
   }
 
   /**
    * Initialize analyzer with semantic engine
-
    */
-  async initialize(semanticEngine) {
-    this.semanticEngine = semanticEngine;
-
-    if (process.env.SUNLINT_DEBUG) {
-      console.log(`🔧 [S031] Main analyzer initializing...`);
+  async initialize(semanticEngine = null) {
+    if (semanticEngine) {
+      this.semanticEngine = semanticEngine;
     }
+    this.verbose = semanticEngine?.verbose || false;
 
-    // Initialize both analyzers
+    // Initialize symbol analyzer
     if (this.symbolAnalyzer) {
       await this.symbolAnalyzer.initialize?.(semanticEngine);
     }
-    if (this.regexAnalyzer) {
-      await this.regexAnalyzer.initialize?.(semanticEngine);
-    }
 
-    // Clean up if needed
-    if (this.regexAnalyzer) {
-      this.regexAnalyzer.cleanup?.();
+    // Ensure verbose flag is propagated
+    if (this.symbolAnalyzer) {
+      this.symbolAnalyzer.verbose = this.verbose;
     }
 
-    if (process.env.SUNLINT_DEBUG) {
-      console.log(`🔧 [S031] Main analyzer initialized successfully`);
+    if (this.verbose) {
+      console.log(
+        `🔧 [S031] Analyzer initialized - verbose: ${this.verbose}`
+      );
     }
   }
 
   /**
    * Single file analysis method for testing
-
    */
   analyzeSingle(filePath, options = {}) {
     if (process.env.SUNLINT_DEBUG) {
@@ -141,122 +123,95 @@ class S031Analyzer {
     // Create a Map to track unique violations and prevent duplicates
     const violationMap = new Map();
 
-    // 1. Try Symbol-based analysis first (primary)
-    if (
-      this.config.useSymbolBased &&
-      this.semanticEngine?.project &&
-      this.semanticEngine?.initialized
-    ) {
+    // Symbol-based analysis only
+    if (this.semanticEngine?.project && this.semanticEngine?.initialized) {
       try {
         if (process.env.SUNLINT_DEBUG) {
-          console.log(`🔧 [S031] Trying symbol-based analysis...`);
+          console.log(`🔧 [S031] Running symbol-based analysis...`);
         }
         const sourceFile = this.semanticEngine.project.getSourceFile(filePath);
         if (sourceFile) {
           if (process.env.SUNLINT_DEBUG) {
-            console.log(`🔧 [S031] Source file found, analyzing...`);
+            console.log(
+              `🔧 [S031] Source file found, analyzing with symbol-based...`
+            );
           }
-          const symbolViolations = await this.symbolAnalyzer.analyze(
+
+          const violations = await this.symbolAnalyzer.analyze(
             sourceFile,
             filePath
           );
 
-          // Add to violation map with deduplication
-          symbolViolations.forEach((violation) => {
-            // Create a cookie-specific key to allow multiple violations for same cookie at different locations
-            const cookieName = this.extractCookieName(violation.message) || "";
-            const key = `cookie:${cookieName}:line:${violation.line}:secure`;
+          // Add violations to map to deduplicate and add filePath
+          violations.forEach((v) => {
+            const key = `${v.line}:${v.column}:${v.message}`;
             if (!violationMap.has(key)) {
-              violationMap.set(key, violation);
+              v.analysisStrategy = "symbol-based";
+              v.filePath = filePath;
+              v.file = filePath; // Also add 'file' for compatibility
+              violationMap.set(key, v);
             }
           });
 
           if (process.env.SUNLINT_DEBUG) {
             console.log(
-              `🔧 [S031] Symbol analysis completed: ${symbolViolations.length} violations`
+              `✅ [S031] Symbol-based analysis: ${violations.length} violations`
             );
           }
+
+          const finalViolations = Array.from(violationMap.values());
+          return finalViolations; // Return deduplicated violations with filePath
         } else {
           if (process.env.SUNLINT_DEBUG) {
-            console.log(`🔧 [S031] Source file not found, falling back...`);
+            console.log(`⚠️ [S031] Source file not found in project`);
           }
         }
       } catch (error) {
-        console.warn(`⚠ [S031] Symbol analysis failed:`, error.message);
+        console.warn(`⚠️ [S031] Symbol analysis failed: ${error.message}`);
       }
-    }
-
-    // 2. Try Regex-based analysis (fallback or additional)
-    if (this.config.fallbackToRegex || this.config.regexBasedOnly) {
-      try {
-        if (process.env.SUNLINT_DEBUG) {
-          console.log(`🔧 [S031] Trying regex-based analysis...`);
-        }
-        const regexViolations = await this.regexAnalyzer.analyze(filePath);
-
-        // Add to violation map with deduplication
-        regexViolations.forEach((violation) => {
-          // Create a cookie-specific key to allow multiple violations for same cookie at different locations
-          const cookieName = this.extractCookieName(violation.message) || "";
-          const key = `cookie:${cookieName}:line:${violation.line}:secure`;
-          if (!violationMap.has(key)) {
-            violationMap.set(key, violation);
-          }
-        });
-
-        if (process.env.SUNLINT_DEBUG) {
-          console.log(
-            `🔧 [S031] Regex analysis completed: ${regexViolations.length} violations`
-          );
-        }
-      } catch (error) {
-        console.warn(`⚠ [S031] Regex analysis failed:`, error.message);
+    } else {
+      if (process.env.SUNLINT_DEBUG) {
+        console.log(`🔄 [S031] Symbol analysis conditions check:`);
+        console.log(`  - semanticEngine: ${!!this.semanticEngine}`);
+        console.log(
+          `  - semanticEngine.project: ${!!this.semanticEngine?.project}`
+        );
+        console.log(
+          `  - semanticEngine.initialized: ${this.semanticEngine?.initialized}`
+        );
+        console.log(`🔄 [S031] Symbol analysis unavailable`);
       }
     }
 
-    // Convert Map values to array and add filePath to each violation
-    const finalViolations = Array.from(violationMap.values()).map(
-      (violation) => ({
-        ...violation,
-        filePath: filePath,
-        file: filePath, // Also add 'file' for compatibility
-      })
-    );
-
     if (process.env.SUNLINT_DEBUG) {
-      console.log(
-        `🔧 [S031] File analysis completed: ${finalViolations.length} unique violations`
-      );
+      console.log(`🔧 [S031] Analysis completed: ${violationMap.size} violations`);
     }
-
-    return finalViolations;
+    return Array.from(violationMap.values());
   }
 
   /**
-   * Extract cookie name from violation message for better deduplication
+   * Methods for compatibility with different engine invocation patterns
    */
-  extractCookieName(message) {
-    try {
-      const match = message.match(
-        /Session cookie "([^"]+)"|Session cookie from "([^"]+)"/
-      );
-      return match ? match[1] || match[2] : "";
-    } catch (error) {
-      return "";
-    }
+  async analyzeFileWithSymbols(filePath, options = {}) {
+    return this.analyzeFile(filePath, options);
   }
 
-  /**
-   * Clean up resources
+  async analyzeWithSemantics(filePath, options = {}) {
+    return this.analyzeFile(filePath, options);
+  }
 
+  /**
+   * Get analyzer metadata
    */
-  cleanup() {
-    if (this.symbolAnalyzer?.cleanup) {
-      this.symbolAnalyzer.cleanup();
-    }
-    if (this.regexAnalyzer?.cleanup) {
-      this.regexAnalyzer.cleanup();
-    }
+  getMetadata() {
+    return {
+      rule: "S031",
+      name: "Set Secure flag for Session Cookies",
+      category: "security",
+      type: "symbol-based",
+      description:
+        "Uses symbol-based analysis to detect session cookies missing Secure flag",
+    };
   }
 }
 

package/rules/security/S041_session_token_invalidation/analyzer.js

@@ -29,7 +29,7 @@ class S041Analyzer {
     // Configuration
     this.config = {
       useSymbolBased: true, // Primary approach
-      fallbackToRegex: true, // Secondary approach
+      fallbackToRegex: false, // Secondary approach
       regexBasedOnly: false, // Can be set to true for pure mode
     };
 

package/rules/security/S041_session_token_invalidation/symbol-based-analyzer.js

@@ -11,6 +11,17 @@ class S041SymbolBasedAnalyzer {
     this.ruleId = "S041";
     this.category = "security";
 
+    this.skipPatterns = [
+      /\/node_modules\//,
+      /\/tests?\//,
+      /\/dist\//,
+      /\/build\//,
+      /\.spec\.ts$/,
+      /\.spec\.tsx$/,
+      /\.test\.ts$/,
+      /\.test\.tsx$/,
+    ];
+
     // Session management methods that should invalidate tokens
     this.sessionMethods = [
       "logout",
@@ -106,7 +117,7 @@ class S041SymbolBasedAnalyzer {
     }
   }
 
-  async analyze(filePath) {
+  async analyze(sourceFile, filePath) {
     if (this.verbose) {
       console.log(
         `🔍 [${this.ruleId}] Symbol: Starting analysis for ${filePath}`
@@ -123,7 +134,6 @@ class S041SymbolBasedAnalyzer {
     }
 
     try {
-      const sourceFile = this.semanticEngine.getSourceFile(filePath);
       if (!sourceFile) {
         if (this.verbose) {
           console.log(
@@ -179,6 +189,11 @@ class S041SymbolBasedAnalyzer {
         console.log(`🔍 [${this.ruleId}] Symbol: Starting symbol-based analysis`);
       }
 
+      if (this.shouldIgnoreFile(filePath)) {
+        if (verbose) console.log(`[${this.ruleId}] Ignoring ${filePath}`);
+        return [];
+      }
+
       const callExpressions = sourceFile.getDescendantsOfKind
         ? sourceFile.getDescendantsOfKind(
             require("typescript").SyntaxKind.CallExpression
@@ -669,6 +684,10 @@ class S041SymbolBasedAnalyzer {
       return null;
     }
   }
+
+  shouldIgnoreFile(filePath) {
+    return this.skipPatterns.some((pattern) => pattern.test(filePath));
+  }
 }
 
 module.exports = S041SymbolBasedAnalyzer;

package/rules/security/S042_require_re_authentication_for_long_lived/symbol-based-analyzer.js

@@ -25,7 +25,9 @@ class S042SymbolBasedAnalyzer {
       /\/dist\//,
       /\/build\//,
       /\.spec\.ts$/,
-      /\.test\.ts$/
+      /\.spec\.tsx$/,
+      /\.test\.ts$/,
+      /\.test\.tsx$/,
     ];
 
     // Sensitive action patterns
@@ -679,13 +681,16 @@ class S042SymbolBasedAnalyzer {
     const hasIdleTimeout = this.hasIdleTimeoutLogic(sourceFile);
 
     if (hasSessionConfig && !hasIdleTimeout) {
+      // Try to find the actual session configuration location
+      const sessionConfigLocation = this.findSessionConfigLocation(sourceFile);
+
       violations.push({
         ruleId: this.ruleId,
         ruleName: this.ruleName,
         severity: 'medium',
         message: `Session management detected but no idle timeout implementation found.`,
-        line: 1,
-        column: 1,
+        line: sessionConfigLocation.line,
+        column: sessionConfigLocation.column,
         filePath: sourceFile.getFilePath(),
         type: 'MISSING_IDLE_TIMEOUT_LOGIC',
         details: `Implement idle timeout to automatically expire sessions after ${this.formatDuration(this.MAX_IDLE_TIME)} of inactivity.`
@@ -695,6 +700,91 @@ class S042SymbolBasedAnalyzer {
     return violations;
   }
 
+  findSessionConfigLocation(sourceFile) {
+    const defaultLocation = { line: 1, column: 1 };
+
+    try {
+      // Look for session-related call expressions
+      const callExpressions = sourceFile.getDescendantsOfKind(SyntaxKind.CallExpression);
+
+      for (const callExpr of callExpressions) {
+        const expression = callExpr.getExpression();
+        const expressionText = expression.getText();
+
+        // Check for session middleware calls
+        if (expressionText.match(/session|express-session|cookie-session/i)) {
+          const args = callExpr.getArguments();
+
+          // If there's a config object argument, use its location
+          if (args.length > 0 && args[0].getKind() === SyntaxKind.ObjectLiteralExpression) {
+            const configObj = args[0];
+            return {
+              line: configObj.getStartLineNumber(),
+              column: configObj.getStart() - configObj.getStartLinePos() + 1
+            };
+          }
+
+          // Otherwise use the call expression location
+          return {
+            line: callExpr.getStartLineNumber(),
+            column: callExpr.getStart() - callExpr.getStartLinePos() + 1
+          };
+        }
+      }
+
+      // Look for variable declarations with session config
+      const variableDeclarations = sourceFile.getDescendantsOfKind(SyntaxKind.VariableDeclaration);
+
+      for (const varDecl of variableDeclarations) {
+        const name = varDecl.getName();
+
+        if (name.match(/sessionConfig|sessionOptions|sessionMiddleware/i)) {
+          const initializer = varDecl.getInitializer();
+
+          if (initializer) {
+            return {
+              line: initializer.getStartLineNumber(),
+              column: initializer.getStart() - initializer.getStartLinePos() + 1
+            };
+          }
+        }
+      }
+
+      // Look for object literals with session config keys
+      const objectLiterals = sourceFile.getDescendantsOfKind(SyntaxKind.ObjectLiteralExpression);
+
+      for (const objLiteral of objectLiterals) {
+        const properties = objLiteral.getProperties();
+        let sessionKeyCount = 0;
+
+        for (const prop of properties) {
+          if (prop.getKind() === SyntaxKind.PropertyAssignment) {
+            const name = prop.getName();
+            if (this.sessionConfigKeys.some(key => name === key)) {
+              sessionKeyCount++;
+            }
+          }
+        }
+
+        // If we found multiple session config keys, this is likely the config
+        if (sessionKeyCount >= 2) {
+          return {
+            line: objLiteral.getStartLineNumber(),
+            column: objLiteral.getStart() - objLiteral.getStartLinePos() + 1
+          };
+        }
+      }
+
+    } catch (error) {
+      // Fall back to default location on error
+      if (verbose) {
+        console.warn(`[${this.ruleId}] Failed to find session config location:`, error.message);
+      }
+    }
+
+    return defaultLocation;
+  }
+
   // Helper methods
 
   isJWTSignCall(expressionText) {
@@ -1046,7 +1136,10 @@ class S042SymbolBasedAnalyzer {
 
   hasSessionConfiguration(sourceFile) {
     const text = sourceFile.getText();
-    return /session\(|express-session|cookie-session|getSessionConfig|sessionConfig/i.test(text);
+
+    // More specific patterns for server-side session middleware
+    // Avoid matching client-side hooks like useSession()
+    return /express-session|cookie-session|session\.Session|getSessionConfig|sessionConfig|sessionOptions|sessionMiddleware|session\(\{|require\(['"](express-session|cookie-session)['"]\)/i.test(text);
   }
 
   hasIdleTimeoutLogic(sourceFile) {