@sun-asterisk/sunlint 1.3.3 → 1.3.5

package/config/presets/security.json

@@ -2,7 +2,6 @@
   "name": "@sun/sunlint/security",
   "description": "Security-focused configuration with all security rules",
   "rules": {
-    "C041": "warn",
     "S001": "error",
     "S002": "error",
     "S003": "warn",
@@ -12,51 +11,51 @@
     "S007": "warn",
     "S008": "warn",
     "S009": "warn",
-    "S010": "error",
-    "S011": "error",
+    "S010": "warn",
+    "S011": "warn",
     "S012": "warn",
-    "S013": "error",
+    "S013": "warn",
     "S014": "warn",
     "S015": "warn",
-    "S016": "error",
+    "S016": "warn",
     "S017": "error",
     "S018": "warn",
     "S019": "warn",
-    "S020": "error",
+    "S020": "warn",
     "S021": "warn",
     "S022": "warn",
-    "S023": "error",
+    "S023": "warn",
     "S025": "warn",
     "S026": "warn",
     "S027": "warn",
     "S028": "warn",
-    "S029": "error",
+    "S029": "warn",
     "S030": "warn",
-    "S031": "error",
+    "S031": "warn",
     "S032": "warn",
     "S033": "warn",
     "S034": "warn",
     "S035": "warn",
-    "S036": "error",
+    "S036": "warn",
     "S037": "warn",
-    "S039": "error",
-    "S040": "error",
+    "S039": "warn",
+    "S040": "warn",
     "S041": "warn",
     "S042": "warn",
     "S043": "warn",
     "S044": "warn",
     "S045": "warn",
     "S046": "warn",
-    "S047": "error",
+    "S047": "warn",
     "S048": "warn",
     "S049": "warn",
     "S050": "warn",
     "S051": "warn",
     "S052": "warn",
     "S053": "warn",
-    "S054": "error",
+    "S054": "warn",
     "S055": "warn",
-    "S056": "error",
+    "S056": "warn",
     "S057": "warn",
     "S058": "warn",
     "S059": "warn"
@@ -80,9 +79,11 @@
     "**/*.min.*"
   ],
   "metadata": {
-    "totalRules": 58,
-    "removedRules": 0,
-    "lastUpdated": "2025-07-30T08:59:10.121Z",
-    "source": "origin-rules"
+    "totalRules": 57,
+    "securityRules": 57,
+    "approach": "security-focused",
+    "source": "security-en.md",
+    "lastUpdated": "2025-09-08T04:33:23.247Z",
+    "version": "2.0.0"
   }
 }

package/config/presets/strict.json

@@ -2,9 +2,9 @@
   "name": "@sun/sunlint/strict",
   "description": "Strict configuration for production projects",
   "rules": {
+    "C006": "error",
     "C019": "error",
-    "C029": "error",
-    "C006": "warn"
+    "C029": "error"
   },
   "categories": {
     "quality": "error",
@@ -25,18 +25,11 @@
     "**/*.generated.*",
     "**/*.min.*"
   ],
-  "ai": {
-    "enabled": true,
-    "fallbackToPattern": false
-  },
-  "reporting": {
-    "exitOnError": true,
-    "showProgress": true
-  },
   "metadata": {
     "totalRules": 3,
-    "removedRules": 0,
-    "lastUpdated": "2025-07-30T08:59:10.121Z",
-    "source": "origin-rules"
+    "approach": "strict",
+    "source": "core rules as errors",
+    "lastUpdated": "2025-09-08T04:34:12.590Z",
+    "version": "2.0.0"
   }
 }

package/config/rules/enhanced-rules-registry.json

@@ -703,17 +703,51 @@
         }
       }
     },
+    "S024": {
+      "name": "Protect against XPath Injection and XML External Entity (XXE)",
+      "description": "Protect against XPath Injection and XML External Entity (XXE) attacks. XPath injection occurs when user input is used to construct XPath queries without proper sanitization. XXE attacks exploit XML parsers that process external entities, potentially leading to data disclosure, server-side request forgery, or denial of service.",
+      "category": "security",
+      "severity": "error",
+      "languages": ["typescript", "javascript"],
+      "analyzer": "./rules/security/S024_xpath_xxe_protection/analyzer.js",
+      "config": "./rules/security/S024_xpath_xxe_protection/config.json",
+      "version": "1.0.0",
+      "status": "stable",
+      "tags": ["security", "xpath", "xxe", "xml", "injection", "owasp"],
+      "strategy": {
+        "preferred": "ast",
+        "fallbacks": ["ast", "regex"],
+        "accuracy": {
+          "ast": 95,
+          "regex": 85
+        }
+      },
+      "engineMappings": {
+        "heuristic": ["rules/security/S024_xpath_xxe_protection/analyzer.js"]
+      }
+    },
     "S025": {
-      "name": "Server Side Input Validation",
-      "description": "Require server-side input validation",
+      "name": "Always validate client-side data on the server",
+      "description": "Ensure all client-side data is validated on the server. Client-side validation is not sufficient for security as it can be bypassed by attackers. Server-side validation is mandatory for data integrity and security.",
       "category": "security",
       "severity": "error",
       "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s025",
+      "analyzer": "./rules/security/S025_server_side_validation/analyzer.js",
+      "config": "./rules/security/S025_server_side_validation/config.json",
       "version": "1.0.0",
       "status": "stable",
-      "tags": ["security", "validation", "server-side"]
+      "tags": ["security", "validation", "server-side", "owasp", "input-validation"],
+      "strategy": {
+        "preferred": "ast",
+        "fallbacks": ["ast", "regex"],
+        "accuracy": {
+          "ast": 95,
+          "regex": 85
+        }
+      },
+      "engineMappings": {
+        "heuristic": ["rules/security/S025_server_side_validation/analyzer.js"]
+      }
     },
     "S026": {
       "name": "JSON Schema Validation",
@@ -1301,6 +1335,28 @@
         "eslint": ["@typescript-eslint/naming-convention", "camelcase"]
       }
     },
+    "C067": {
+      "name": "No Hardcoded Configuration",
+      "description": "Improve configurability, reduce risk when changing environments, and make configuration management flexible and maintainable.",
+      "category": "configuration",
+      "severity": "warning",
+      "languages": ["typescript", "javascript", "dart", "kotlin"],
+      "analyzer": "./rules/common/C067_no_hardcoded_config/analyzer.js",
+      "config": "./rules/common/C067_no_hardcoded_config/config.json",
+      "version": "1.0.0",
+      "status": "stable",
+      "tags": ["configuration", "hardcode", "environment", "maintainability", "security"],
+      "strategy": {
+        "preferred": "ast",
+        "fallbacks": ["ast"],
+        "accuracy": {
+          "ast": 90
+        }
+      },
+      "engineMappings": {
+        "heuristic": ["rules/common/C067_no_hardcoded_config/analyzer.js"]
+      }
+    },
     "C072": {
       "id": "C072",
       "name": "Single Test Behavior",
@@ -1771,6 +1827,7 @@
         "S020",
         "S022",
         "S023",
+        "S024",
         "S025",
         "S026",
         "S027",
@@ -1889,9 +1946,9 @@
   "metadata": {
     "version": "1.1.7",
     "lastUpdated": "2025-08-25",
-    "totalRules": 97,
+    "totalRules": 98,
     "qualityRules": 33,
-    "securityRules": 49,
+    "securityRules": 50,
     "stableRules": 45,
     "experimentalRules": 1,
     "supportedLanguages": 4,

package/core/analysis-orchestrator.js

@@ -345,6 +345,12 @@ class AnalysisOrchestrator {
   getEnginePreference(rule, config) {
     // If user specified a specific engine via --engine option, use only that engine
     if (config.requestedEngine) {
+      // Handle "auto" engine selection
+      if (config.requestedEngine === 'auto') {
+        // Auto-select best engines: default to heuristic, add eslint for JS/TS
+        return ['heuristic', 'eslint'];
+      }
+      
       return [config.requestedEngine];
     }
 

package/core/cli-action-handler.js

@@ -164,6 +164,20 @@ class CliActionHandler {
   determineEnabledEngines(config) {
     // If specific engine is requested via --engine option, use only that engine
     if (this.options.engine) {
+      // Handle "auto" engine selection
+      if (this.options.engine === 'auto') {
+        // Auto-select best engines: default to heuristic for compatibility
+        const autoEngines = ['heuristic'];
+        
+        // Add ESLint for JS/TS files if available
+        if (this.hasJavaScriptTypeScriptFiles() || config.eslint?.enabled !== false) {
+          autoEngines.push('eslint');
+        }
+        
+        return autoEngines;
+      }
+      
+      // Return specific engine as requested
       return [this.options.engine];
     }
 
@@ -272,7 +286,7 @@ class CliActionHandler {
   validateInput(config) {
     // Validate engine option if specified (check this first, always)
     if (this.options.engine) {
-      const validEngines = ['eslint', 'heuristic', 'openai'];
+      const validEngines = ['auto', 'eslint', 'heuristic', 'openai'];
       if (!validEngines.includes(this.options.engine)) {
         throw new Error(
           chalk.red(`❌ Invalid engine: ${this.options.engine}\n`) +

package/core/config-preset-resolver.js

@@ -10,9 +10,14 @@ class ConfigPresetResolver {
   constructor() {
     this.presetMap = {
       '@sun/sunlint/recommended': 'config/presets/recommended.json',
-      '@sun/sunlint/strict': 'config/presets/strict.json',
+      '@sun/sunlint/security': 'config/presets/security.json',
+      '@sun/sunlint/quality': 'config/presets/quality.json',
       '@sun/sunlint/beginner': 'config/presets/beginner.json',
-      '@sun/sunlint/ci': 'config/presets/ci.json'
+      '@sun/sunlint/ci': 'config/presets/ci.json',
+      '@sun/sunlint/strict': 'config/presets/strict.json',
+      '@sun/sunlint/maintainability': 'config/presets/maintainability.json',
+      '@sun/sunlint/performance': 'config/presets/performance.json',
+      '@sun/sunlint/all': 'config/presets/all.json'
     };
   }
 

package/engines/engine-factory.js

@@ -51,6 +51,13 @@ class EngineFactory {
     let engine = null;
 
     switch (engineType.toLowerCase()) {
+      case 'auto':
+        // Auto-detection: default to heuristic for best performance/compatibility
+        engine = new HeuristicEngine();
+        if (this.verbose) {
+          console.log('🤖 Auto-detected engine: heuristic (best performance/compatibility)');
+        }
+        break;
       case 'heuristic':
         engine = new HeuristicEngine();
         break;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sun-asterisk/sunlint",
-  "version": "1.3.3",
+  "version": "1.3.5",
   "description": "☀️ SunLint - Multi-language static analysis tool for code quality and security | Sun* Engineering Standards",
   "main": "cli.js",
   "bin": {

package/rules/common/C067_no_hardcoded_config/analyzer.js

@@ -0,0 +1,95 @@
+// rules/common/C067_no_hardcoded_config/analyzer.js
+const C067SymbolBasedAnalyzer = require('./symbol-based-analyzer.js');
+
+class C067Analyzer {
+  constructor(semanticEngine = null) {
+    this.ruleId = 'C067';
+    this.ruleName = 'No Hardcoded Configuration';
+    this.description = 'Improve configurability, reduce risk when changing environments, and make configuration management flexible and maintainable.';
+    this.semanticEngine = semanticEngine;
+    this.verbose = false;
+    
+    // Use symbol-based only for accuracy
+    this.symbolAnalyzer = new C067SymbolBasedAnalyzer(semanticEngine);
+  }
+
+  async initialize(semanticEngine = null) {
+    if (semanticEngine) {
+      this.semanticEngine = semanticEngine;
+    }
+    this.verbose = semanticEngine?.verbose || false;
+    await this.symbolAnalyzer.initialize(semanticEngine);
+  }
+
+  // Main analyze method required by heuristic engine
+  async analyze(files, language, options = {}) {
+    const violations = [];
+    
+    for (const filePath of files) {
+      if (options.verbose) {
+        console.log(`[DEBUG] 🎯 C067: Analyzing ${filePath.split('/').pop()}`);
+      }
+      
+      try {
+        const fileViolations = await this.analyzeFileBasic(filePath, options);
+        violations.push(...fileViolations);
+      } catch (error) {
+        console.warn(`C067: Skipping ${filePath}: ${error.message}`);
+      }
+    }
+    
+    return violations;
+  }
+
+  async analyzeFileBasic(filePath, options = {}) {
+    try {
+      // Try semantic engine first, fallback to standalone ts-morph
+      if (this.semanticEngine?.isSymbolEngineReady?.() && this.semanticEngine.project) {
+        if (this.verbose) {
+          console.log(`[DEBUG] 🎯 C067: Using semantic engine for ${filePath.split('/').pop()}`);
+        }
+        
+        const violations = await this.symbolAnalyzer.analyzeFileBasic(filePath, options);
+        
+        if (this.verbose) {
+          console.log(`[DEBUG] 🎯 C067: Symbol-based analysis found ${violations.length} violations`);
+        }
+
+        return violations;
+      } else {
+        // Fallback to standalone analysis
+        if (this.verbose) {
+          console.log(`[DEBUG] 🎯 C067: Using standalone analysis for ${filePath.split('/').pop()}`);
+        }
+        
+        const violations = await this.symbolAnalyzer.analyzeFileStandalone(filePath, options);
+        
+        if (this.verbose) {
+          console.log(`[DEBUG] 🎯 C067: Standalone analysis found ${violations.length} violations`);
+        }
+
+        return violations;
+      }
+    } catch (error) {
+      if (this.verbose) {
+        console.error(`[DEBUG] ❌ C067: Analysis failed: ${error.message}`);
+      }
+      throw new Error(`C067 analysis failed: ${error.message}`);
+    }
+  }
+
+  async analyzeFiles(files, options = {}) {
+    const allViolations = [];
+    for (const filePath of files) {
+      try {
+        const violations = await this.analyzeFileBasic(filePath, options);
+        allViolations.push(...violations);
+      } catch (error) {
+        console.warn(`C067: Skipping ${filePath}: ${error.message}`);
+      }
+    }
+    return allViolations;
+  }
+}
+
+module.exports = C067Analyzer;

package/rules/common/C067_no_hardcoded_config/config.json

@@ -0,0 +1,81 @@
+{
+  "maxConfigValues": 50,
+  "excludePatterns": [
+    "**/*.test.js",
+    "**/*.spec.js",
+    "**/*.test.ts",
+    "**/*.spec.ts",
+    "**/config/**",
+    "**/constants/**",
+    "**/*.config.js",
+    "**/*.config.ts",
+    "**/.env*"
+  ],
+  "includePatterns": [
+    "**/*.js",
+    "**/*.ts",
+    "**/*.jsx",
+    "**/*.tsx"
+  ],
+  "allowedDomains": [
+    "localhost",
+    "127.0.0.1",
+    "0.0.0.0",
+    "example.com",
+    "test.com",
+    "dummy.com"
+  ],
+  "allowedPorts": [
+    3000,
+    8080,
+    5000,
+    4200,
+    3001
+  ],
+  "commonConstants": [
+    100, 200, 300, 400, 500,
+    1000, 2000, 3000, 5000,
+    8080, 3000, 4200
+  ],
+  "credentialKeywords": [
+    "password",
+    "secret",
+    "key",
+    "token",
+    "auth",
+    "credential",
+    "apikey",
+    "api_key"
+  ],
+  "configKeywords": [
+    "timeout",
+    "interval",
+    "delay",
+    "duration",
+    "limit",
+    "max",
+    "min",
+    "size",
+    "count",
+    "port",
+    "url",
+    "endpoint",
+    "host",
+    "retry",
+    "batch"
+  ],
+  "allowedUIValues": [
+    "password",
+    "text",
+    "email",
+    "username",
+    "input",
+    "field",
+    "ok",
+    "cancel",
+    "yes",
+    "no",
+    "true",
+    "false"
+  ]
+}