@sun-asterisk/sunlint 1.3.30 → 1.3.32

package/rules/security/S031_secure_session_cookies/analyzer.js

@@ -1,12 +1,10 @@
 /**
  * S031 Main Analyzer - Set Secure flag for Session Cookies
- * Primary: Symbol-based analysis (when available)
- * Fallback: Regex-based for all other cases
+ * Uses symbol-based analysis only (regex-based removed)
  * Command: node cli.js --rule=S031 --input=examples/rule-test-fixtures/rules/S031_secure_session_cookies --engine=heuristic
  */
 
 const S031SymbolBasedAnalyzer = require("./symbol-based-analyzer.js");
-const S031RegexBasedAnalyzer = require("./regex-based-analyzer.js");
 
 class S031Analyzer {
   constructor(options = {}) {
@@ -26,14 +24,7 @@ class S031Analyzer {
     this.semanticEngine = options.semanticEngine || null;
     this.verbose = options.verbose || false;
 
-    // Configuration
-    this.config = {
-      useSymbolBased: true, // Primary approach
-      fallbackToRegex: true, // Secondary approach
-      regexBasedOnly: false, // Can be set to true for pure mode
-    };
-
-    // Initialize analyzers
+    // Initialize symbol analyzer only
     try {
       this.symbolAnalyzer = new S031SymbolBasedAnalyzer(this.semanticEngine);
       if (process.env.SUNLINT_DEBUG) {
@@ -43,48 +34,39 @@ class S031Analyzer {
       console.error(`🔧 [S031] Error creating symbol analyzer:`, error);
     }
 
-    try {
-      this.regexAnalyzer = new S031RegexBasedAnalyzer(this.semanticEngine);
-      if (process.env.SUNLINT_DEBUG) {
-        console.log(`🔧 [S031] Regex analyzer created successfully`);
-      }
-    } catch (error) {
-      console.error(`🔧 [S031] Error creating regex analyzer:`, error);
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S031] Constructor completed`);
     }
   }
 
   /**
    * Initialize analyzer with semantic engine
-
    */
-  async initialize(semanticEngine) {
-    this.semanticEngine = semanticEngine;
-
-    if (process.env.SUNLINT_DEBUG) {
-      console.log(`🔧 [S031] Main analyzer initializing...`);
+  async initialize(semanticEngine = null) {
+    if (semanticEngine) {
+      this.semanticEngine = semanticEngine;
     }
+    this.verbose = semanticEngine?.verbose || false;
 
-    // Initialize both analyzers
+    // Initialize symbol analyzer
     if (this.symbolAnalyzer) {
       await this.symbolAnalyzer.initialize?.(semanticEngine);
     }
-    if (this.regexAnalyzer) {
-      await this.regexAnalyzer.initialize?.(semanticEngine);
-    }
 
-    // Clean up if needed
-    if (this.regexAnalyzer) {
-      this.regexAnalyzer.cleanup?.();
+    // Ensure verbose flag is propagated
+    if (this.symbolAnalyzer) {
+      this.symbolAnalyzer.verbose = this.verbose;
     }
 
-    if (process.env.SUNLINT_DEBUG) {
-      console.log(`🔧 [S031] Main analyzer initialized successfully`);
+    if (this.verbose) {
+      console.log(
+        `🔧 [S031] Analyzer initialized - verbose: ${this.verbose}`
+      );
     }
   }
 
   /**
    * Single file analysis method for testing
-
    */
   analyzeSingle(filePath, options = {}) {
     if (process.env.SUNLINT_DEBUG) {
@@ -141,122 +123,95 @@ class S031Analyzer {
     // Create a Map to track unique violations and prevent duplicates
     const violationMap = new Map();
 
-    // 1. Try Symbol-based analysis first (primary)
-    if (
-      this.config.useSymbolBased &&
-      this.semanticEngine?.project &&
-      this.semanticEngine?.initialized
-    ) {
+    // Symbol-based analysis only
+    if (this.semanticEngine?.project && this.semanticEngine?.initialized) {
       try {
         if (process.env.SUNLINT_DEBUG) {
-          console.log(`🔧 [S031] Trying symbol-based analysis...`);
+          console.log(`🔧 [S031] Running symbol-based analysis...`);
         }
         const sourceFile = this.semanticEngine.project.getSourceFile(filePath);
         if (sourceFile) {
           if (process.env.SUNLINT_DEBUG) {
-            console.log(`🔧 [S031] Source file found, analyzing...`);
+            console.log(
+              `🔧 [S031] Source file found, analyzing with symbol-based...`
+            );
           }
-          const symbolViolations = await this.symbolAnalyzer.analyze(
+
+          const violations = await this.symbolAnalyzer.analyze(
             sourceFile,
             filePath
           );
 
-          // Add to violation map with deduplication
-          symbolViolations.forEach((violation) => {
-            // Create a cookie-specific key to allow multiple violations for same cookie at different locations
-            const cookieName = this.extractCookieName(violation.message) || "";
-            const key = `cookie:${cookieName}:line:${violation.line}:secure`;
+          // Add violations to map to deduplicate and add filePath
+          violations.forEach((v) => {
+            const key = `${v.line}:${v.column}:${v.message}`;
             if (!violationMap.has(key)) {
-              violationMap.set(key, violation);
+              v.analysisStrategy = "symbol-based";
+              v.filePath = filePath;
+              v.file = filePath; // Also add 'file' for compatibility
+              violationMap.set(key, v);
             }
           });
 
           if (process.env.SUNLINT_DEBUG) {
             console.log(
-              `🔧 [S031] Symbol analysis completed: ${symbolViolations.length} violations`
+              `✅ [S031] Symbol-based analysis: ${violations.length} violations`
             );
           }
+
+          const finalViolations = Array.from(violationMap.values());
+          return finalViolations; // Return deduplicated violations with filePath
         } else {
           if (process.env.SUNLINT_DEBUG) {
-            console.log(`🔧 [S031] Source file not found, falling back...`);
+            console.log(`⚠️ [S031] Source file not found in project`);
           }
         }
       } catch (error) {
-        console.warn(`⚠ [S031] Symbol analysis failed:`, error.message);
+        console.warn(`⚠️ [S031] Symbol analysis failed: ${error.message}`);
       }
-    }
-
-    // 2. Try Regex-based analysis (fallback or additional)
-    if (this.config.fallbackToRegex || this.config.regexBasedOnly) {
-      try {
-        if (process.env.SUNLINT_DEBUG) {
-          console.log(`🔧 [S031] Trying regex-based analysis...`);
-        }
-        const regexViolations = await this.regexAnalyzer.analyze(filePath);
-
-        // Add to violation map with deduplication
-        regexViolations.forEach((violation) => {
-          // Create a cookie-specific key to allow multiple violations for same cookie at different locations
-          const cookieName = this.extractCookieName(violation.message) || "";
-          const key = `cookie:${cookieName}:line:${violation.line}:secure`;
-          if (!violationMap.has(key)) {
-            violationMap.set(key, violation);
-          }
-        });
-
-        if (process.env.SUNLINT_DEBUG) {
-          console.log(
-            `🔧 [S031] Regex analysis completed: ${regexViolations.length} violations`
-          );
-        }
-      } catch (error) {
-        console.warn(`⚠ [S031] Regex analysis failed:`, error.message);
+    } else {
+      if (process.env.SUNLINT_DEBUG) {
+        console.log(`🔄 [S031] Symbol analysis conditions check:`);
+        console.log(`  - semanticEngine: ${!!this.semanticEngine}`);
+        console.log(
+          `  - semanticEngine.project: ${!!this.semanticEngine?.project}`
+        );
+        console.log(
+          `  - semanticEngine.initialized: ${this.semanticEngine?.initialized}`
+        );
+        console.log(`🔄 [S031] Symbol analysis unavailable`);
       }
     }
 
-    // Convert Map values to array and add filePath to each violation
-    const finalViolations = Array.from(violationMap.values()).map(
-      (violation) => ({
-        ...violation,
-        filePath: filePath,
-        file: filePath, // Also add 'file' for compatibility
-      })
-    );
-
     if (process.env.SUNLINT_DEBUG) {
-      console.log(
-        `🔧 [S031] File analysis completed: ${finalViolations.length} unique violations`
-      );
+      console.log(`🔧 [S031] Analysis completed: ${violationMap.size} violations`);
     }
-
-    return finalViolations;
+    return Array.from(violationMap.values());
   }
 
   /**
-   * Extract cookie name from violation message for better deduplication
+   * Methods for compatibility with different engine invocation patterns
    */
-  extractCookieName(message) {
-    try {
-      const match = message.match(
-        /Session cookie "([^"]+)"|Session cookie from "([^"]+)"/
-      );
-      return match ? match[1] || match[2] : "";
-    } catch (error) {
-      return "";
-    }
+  async analyzeFileWithSymbols(filePath, options = {}) {
+    return this.analyzeFile(filePath, options);
   }
 
-  /**
-   * Clean up resources
+  async analyzeWithSemantics(filePath, options = {}) {
+    return this.analyzeFile(filePath, options);
+  }
 
+  /**
+   * Get analyzer metadata
    */
-  cleanup() {
-    if (this.symbolAnalyzer?.cleanup) {
-      this.symbolAnalyzer.cleanup();
-    }
-    if (this.regexAnalyzer?.cleanup) {
-      this.regexAnalyzer.cleanup();
-    }
+  getMetadata() {
+    return {
+      rule: "S031",
+      name: "Set Secure flag for Session Cookies",
+      category: "security",
+      type: "symbol-based",
+      description:
+        "Uses symbol-based analysis to detect session cookies missing Secure flag",
+    };
   }
 }
 

package/rules/security/S031_secure_session_cookies/regex-based-analyzer.js

@@ -1,296 +0,0 @@
-/**
- * S031 Regex-Based Analyzer - Set Secure flag for Session Cookies
- * Fallback analysis using regex patterns
-
- */
-
-const fs = require("fs");
-
-class S031RegexBasedAnalyzer {
-  constructor(semanticEngine = null) {
-    this.semanticEngine = semanticEngine;
-    this.ruleId = "S031";
-    this.category = "security";
-
-    // Session cookie indicators
-    this.sessionIndicators = [
-      "session",
-      "sessionid",
-      "sessid",
-      "jsessionid",
-      "phpsessid",
-      "asp.net_sessionid",
-      "connect.sid",
-      "auth",
-      "token",
-      "jwt",
-      "csrf",
-    ];
-
-    // Regex patterns for cookie detection
-    this.cookiePatterns = [
-      // Express/Node.js patterns
-      /res\.cookie\s*\(\s*['"`]([^'"`]+)['"`]\s*,([^)]+)\)/gi,
-      /response\.cookie\s*\(\s*['"`]([^'"`]+)['"`]\s*,([^)]+)\)/gi,
-      /\.setCookie\s*\(\s*['"`]([^'"`]+)['"`]\s*,([^)]+)\)/gi,
-
-      // Set-Cookie header patterns
-      /setHeader\s*\(\s*['"`]Set-Cookie['"`]\s*,\s*['"`]([^'"`]+)['"`]\s*\)/gi,
-      /writeHead\s*\([^,]*,\s*{[^}]*['"`]Set-Cookie['"`]\s*:\s*['"`]([^'"`]+)['"`]/gi,
-
-      // Document.cookie assignments
-      /document\.cookie\s*=\s*['"`]([^'"`]+)['"`]/gi,
-
-      // Session middleware patterns
-      /session\s*\(\s*{([^}]+)}/gi,
-      /\.use\s*\(\s*session\s*\(\s*{([^}]+)}/gi,
-    ];
-  }
-
-  /**
-   * Initialize analyzer
-
-   */
-  async initialize(semanticEngine) {
-    this.semanticEngine = semanticEngine;
-    if (process.env.SUNLINT_DEBUG) {
-      console.log(`🔧 [S031] Regex-based analyzer initialized`);
-    }
-  }
-
-  /**
-   * Check if file should be skipped (test files)
-   */
-  shouldSkipFile(filePath) {
-    const testPatterns = [
-      /\.test\.(ts|tsx|js|jsx)$/,
-      /\.spec\.(ts|tsx|js|jsx)$/,
-      /__tests__\//,
-      /__mocks__\//,
-      /\/tests?\//,
-      /\/fixtures?\//,
-    ];
-    return testPatterns.some((pattern) => pattern.test(filePath));
-  }
-
-  /**
-   * Analyze file content using regex patterns
-
-   */
-  async analyze(filePath) {
-    if (process.env.SUNLINT_DEBUG) {
-      console.log(`🔍 [S031] Regex-based analysis for: ${filePath}`);
-    }
-
-    // Skip test files
-    if (this.shouldSkipFile(filePath)) {
-      if (process.env.SUNLINT_DEBUG) {
-        console.log(`⏭ [S031] Skipping test file: ${filePath}`);
-      }
-      return [];
-    }
-
-    let content;
-    try {
-      content = fs.readFileSync(filePath, "utf8");
-    } catch (error) {
-      if (process.env.SUNLINT_DEBUG) {
-        console.error(`❌ [S031] File read error:`, error);
-      }
-      throw error;
-    }
-
-    const violations = [];
-    const lines = content.split("\n");
-
-    // Check each pattern
-    for (const pattern of this.cookiePatterns) {
-      this.checkPattern(pattern, content, lines, violations, filePath);
-    }
-
-    // Check for custom cookie utilities (e.g., StorageUtils.setCookie)
-    this.checkCustomCookieUtilities(content, lines, violations, filePath);
-
-    return violations;
-  }
-
-  /**
-   * Check specific regex pattern for violations
-
-   */
-  checkPattern(pattern, content, lines, violations, filePath) {
-    let match;
-    pattern.lastIndex = 0; // Reset regex state
-
-    while ((match = pattern.exec(content)) !== null) {
-      const matchText = match[0];
-      const cookieName = match[1] || "";
-      const cookieOptions = match[2] || match[1] || "";
-
-      // Check if this is a session cookie
-      if (!this.isSessionCookie(cookieName, matchText)) {
-        continue;
-      }
-
-      // Check if secure flag is present
-      if (!this.hasSecureFlag(cookieOptions, matchText)) {
-        const lineNumber = this.getLineNumber(content, match.index);
-
-        this.addViolation(
-          matchText,
-          lineNumber,
-          violations,
-          `Session cookie "${cookieName || "unknown"}" missing Secure flag`
-        );
-      }
-    }
-  }
-
-  /**
-   * Check if cookie name or context indicates session cookie
-
-   */
-  isSessionCookie(cookieName, matchText) {
-    const textToCheck = (cookieName + " " + matchText).toLowerCase();
-    return this.sessionIndicators.some((indicator) =>
-      textToCheck.includes(indicator.toLowerCase())
-    );
-  }
-
-  /**
-   * Check if secure flag is present in cookie options
-   */
-  hasSecureFlag(cookieOptions, fullMatch) {
-    const textToCheck = cookieOptions + " " + fullMatch;
-
-    // Check for secure config references (likely safe)
-    const secureConfigPatterns = [
-      /\bcookieConfig\b/i,
-      /\bsecureConfig\b/i,
-      /\bsafeConfig\b/i,
-      /\bdefaultConfig\b/i,
-      /\.\.\..*config/i, // spread operator with config
-      /config.*secure/i,
-    ];
-
-    // If using a secure config reference, assume it's safe
-    if (secureConfigPatterns.some((pattern) => pattern.test(textToCheck))) {
-      return true;
-    }
-
-    // Check for various secure flag patterns
-    const securePatterns = [
-      /secure\s*:\s*true/i,
-      /secure\s*=\s*true/i,
-      /;\s*secure\s*[;\s]/i,
-      /;\s*secure$/i,
-      /['"`]\s*secure\s*['"`]/i,
-      /"secure"\s*:\s*true/i,
-      /'secure'\s*:\s*true/i,
-      /\bsecure\b/i, // Simple secure keyword
-    ];
-
-    return securePatterns.some((pattern) => pattern.test(textToCheck));
-  }
-
-  /**
-   * Get line number from content position
-
-   */
-  getLineNumber(content, position) {
-    const beforeMatch = content.substring(0, position);
-    return beforeMatch.split("\n").length;
-  }
-
-  /**
-   * Add violation to results
-
-   */
-  addViolation(source, lineNumber, violations, message) {
-    violations.push({
-      ruleId: this.ruleId,
-      source: source.trim(),
-      category: this.category,
-      line: lineNumber,
-      column: 1,
-      message: `Insecure session cookie: ${message}`,
-      severity: "error",
-    });
-  }
-
-  /**
-   * Check for custom cookie utility functions with variable names
-   * Handles cases like: StorageUtils.setCookie(STORAGE_KEY.ACCESS_TOKEN, value)
-   */
-  checkCustomCookieUtilities(content, lines, violations, filePath) {
-    // Pattern to match custom cookie utilities with variable references
-    // Matches: Utils.setCookie(VARIABLE_NAME, value) or Utils.setCookie(VARIABLE_NAME, value, options)
-    const customCookiePattern = /(\w+\.setCookie)\s*\(\s*([A-Z_][A-Z0-9_.]*)\s*,\s*([^,)]+)(?:\s*,\s*([^)]*))?\s*\)/gi;
-
-    let match;
-    customCookiePattern.lastIndex = 0;
-
-    while ((match = customCookiePattern.exec(content)) !== null) {
-      const methodCall = match[1]; // e.g., "StorageUtils.setCookie"
-      const cookieNameVar = match[2]; // e.g., "STORAGE_KEY.ACCESS_TOKEN"
-      const cookieValue = match[3]; // e.g., "response.user?.access_token || ''"
-      const cookieOptions = match[4] || ""; // e.g., options object if present
-      const matchText = match[0];
-
-      // Check if this looks like a session cookie based on variable name or value
-      if (!this.isSessionCookieLikely(cookieNameVar, cookieValue, matchText)) {
-        continue;
-      }
-
-      // Check if secure flag is present in options
-      if (!this.hasSecureFlag(cookieOptions, matchText)) {
-        const lineNumber = this.getLineNumber(content, match.index);
-
-        // Extract a friendly cookie name from the variable
-        const friendlyCookieName = this.extractFriendlyCookieName(cookieNameVar);
-
-        this.addViolation(
-          matchText,
-          lineNumber,
-          violations,
-          `Session cookie from "${friendlyCookieName}" missing Secure flag - add secure flag to options`
-        );
-      }
-    }
-  }
-
-  /**
-   * Check if cookie variable name or value suggests it's a session cookie
-   */
-  isSessionCookieLikely(varName, value, matchText) {
-    const textToCheck = (varName + " " + value + " " + matchText).toLowerCase();
-
-    // Check against session indicators
-    const isSession = this.sessionIndicators.some((indicator) =>
-      textToCheck.includes(indicator.toLowerCase())
-    );
-
-    // Also check for common patterns like ACCESS_TOKEN, REFRESH_TOKEN, etc.
-    const tokenPatterns = [
-      /access[_-]?token/i,
-      /refresh[_-]?token/i,
-      /auth[_-]?token/i,
-      /id[_-]?token/i,
-      /session/i,
-    ];
-
-    return isSession || tokenPatterns.some(pattern => pattern.test(textToCheck));
-  }
-
-  /**
-   * Extract a friendly cookie name from variable reference
-   * e.g., "STORAGE_KEY.ACCESS_TOKEN" -> "ACCESS_TOKEN"
-   */
-  extractFriendlyCookieName(varName) {
-    // If it has a dot, take the last part
-    const parts = varName.split(".");
-    return parts[parts.length - 1] || varName;
-  }
-}
-
-module.exports = S031RegexBasedAnalyzer;