@sun-asterisk/sunlint 1.3.35 → 1.3.37

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (103) hide show
  1. package/cli.js +33 -0
  2. package/config/rules/enhanced-rules-registry.json +354 -98
  3. package/config/rules/rules-registry-generated.json +197 -171
  4. package/core/architecture-integration.js +115 -17
  5. package/core/cli-action-handler.js +110 -26
  6. package/core/cli-program.js +14 -3
  7. package/core/github-annotate-service.js +62 -0
  8. package/core/impact-integration.js +309 -176
  9. package/core/init-command.js +227 -0
  10. package/core/output-service.js +53 -5
  11. package/core/summary-report-service.js +46 -0
  12. package/core/unified-rule-registry.js +2 -1
  13. package/engines/eslint-engine.js +6 -0
  14. package/engines/impact/core/detectors/database-detector.js +1 -1
  15. package/engines/impact/core/detectors/endpoint-detector.js +1 -1
  16. package/engines/impact/core/report-generator.js +235 -73
  17. package/origin-rules/security-en.md +470 -282
  18. package/package.json +1 -1
  19. package/rules/security/S001_backend_auth_communications/dart/analyzer.js +44 -0
  20. package/rules/security/S001_backend_auth_communications/index.js +87 -0
  21. package/rules/security/S001_backend_auth_communications/typescript/analyzer.js +164 -0
  22. package/rules/security/S002_os_command_injection/dart/analyzer.js +44 -0
  23. package/rules/security/S002_os_command_injection/index.js +87 -0
  24. package/rules/security/S002_os_command_injection/typescript/analyzer.js +194 -0
  25. package/rules/security/S008_svg_content_validation/dart/analyzer.js +44 -0
  26. package/rules/security/S008_svg_content_validation/index.js +87 -0
  27. package/rules/security/S008_svg_content_validation/typescript/analyzer.js +216 -0
  28. package/rules/security/S018_no_sensitive_browser_storage/dart/analyzer.js +44 -0
  29. package/rules/security/S018_no_sensitive_browser_storage/index.js +86 -0
  30. package/rules/security/S018_no_sensitive_browser_storage/typescript/analyzer.js +193 -0
  31. package/rules/security/S021_referrer_policy/dart/analyzer.js +44 -0
  32. package/rules/security/S021_referrer_policy/index.js +86 -0
  33. package/rules/security/S021_referrer_policy/typescript/analyzer.js +183 -0
  34. package/rules/security/S023_no_json_injection/config.json +133 -44
  35. package/rules/security/S023_no_json_injection/dart/analyzer.js +7 -6
  36. package/rules/security/S023_no_json_injection/typescript/analyzer.js +402 -126
  37. package/rules/security/S023_no_json_injection/typescript/ast-analyzer.js +571 -154
  38. package/rules/security/S026_tls_all_connections/config.json +30 -0
  39. package/rules/security/S026_tls_all_connections/typescript/analyzer.js +339 -0
  40. package/rules/security/S027_mtls_certificate_validation/config.json +30 -0
  41. package/rules/security/S027_mtls_certificate_validation/typescript/analyzer.js +225 -0
  42. package/rules/security/S035_separate_app_hostnames/config.json +28 -0
  43. package/rules/security/S035_separate_app_hostnames/typescript/analyzer.js +186 -0
  44. package/rules/security/S036_lfi_rfi_protection/config.json +2 -2
  45. package/rules/security/S039_tls_certificate_validation/config.json +29 -0
  46. package/rules/security/S039_tls_certificate_validation/typescript/analyzer.js +229 -0
  47. package/rules/security/S046_jwt_algorithm_allowlist/config.json +28 -0
  48. package/rules/security/S046_jwt_algorithm_allowlist/dart/analyzer.js +44 -0
  49. package/rules/security/S046_jwt_algorithm_allowlist/index.js +87 -0
  50. package/rules/security/S046_jwt_algorithm_allowlist/typescript/analyzer.js +235 -0
  51. package/rules/security/S047_oauth_pkce_protection/config.json +31 -0
  52. package/rules/security/S047_oauth_pkce_protection/dart/analyzer.js +44 -0
  53. package/rules/security/S047_oauth_pkce_protection/index.js +86 -0
  54. package/rules/security/S047_oauth_pkce_protection/typescript/analyzer.js +78 -0
  55. package/rules/security/S048_oauth_redirect_uri_validation/config.json +30 -0
  56. package/rules/security/S048_oauth_redirect_uri_validation/typescript/analyzer.js +278 -0
  57. package/rules/security/S049_short_validity_tokens/typescript/config.json +10 -3
  58. package/rules/security/S050_reference_tokens_entropy/config.json +28 -0
  59. package/rules/security/S050_reference_tokens_entropy/dart/analyzer.js +45 -0
  60. package/rules/security/S050_reference_tokens_entropy/index.js +86 -0
  61. package/rules/security/S050_reference_tokens_entropy/typescript/analyzer.js +74 -0
  62. package/rules/security/S053_generic_error_messages/config.json +28 -0
  63. package/rules/security/S053_generic_error_messages/dart/analyzer.js +45 -0
  64. package/rules/security/S053_generic_error_messages/index.js +86 -0
  65. package/rules/security/S053_generic_error_messages/typescript/analyzer.js +80 -0
  66. package/rules/security/S055_content_type_validation/typescript/symbol-based-analyzer.js +64 -2
  67. package/rules/security/S059_disable_debug_mode/config.json +28 -0
  68. package/rules/security/S059_disable_debug_mode/dart/analyzer.js +45 -0
  69. package/rules/security/S059_disable_debug_mode/index.js +86 -0
  70. package/rules/security/S059_disable_debug_mode/typescript/analyzer.js +85 -0
  71. package/rules/security/S060_password_minimum_length/config.json +28 -0
  72. package/rules/security/S060_password_minimum_length/dart/analyzer.js +45 -0
  73. package/rules/security/S060_password_minimum_length/index.js +86 -0
  74. package/rules/security/S060_password_minimum_length/typescript/analyzer.js +78 -0
  75. package/rules/security/S026_json_schema_validation/config.json +0 -27
  76. package/rules/security/S026_json_schema_validation/typescript/analyzer.js +0 -251
  77. package/rules/security/S027_no_hardcoded_secrets/config.json +0 -29
  78. package/rules/security/S027_no_hardcoded_secrets/typescript/analyzer.js +0 -309
  79. package/rules/security/S027_no_hardcoded_secrets/typescript/categories.json +0 -153
  80. package/rules/security/S035_path_session_cookies/config.json +0 -99
  81. package/rules/security/S035_path_session_cookies/typescript/analyzer.js +0 -316
  82. package/rules/security/S035_path_session_cookies/typescript/regex-based-analyzer.js +0 -724
  83. package/rules/security/S035_path_session_cookies/typescript/symbol-based-analyzer.js +0 -373
  84. package/rules/security/S039_no_session_tokens_in_url/config.json +0 -92
  85. package/rules/security/S039_no_session_tokens_in_url/typescript/analyzer.js +0 -262
  86. package/rules/security/S039_no_session_tokens_in_url/typescript/regex-based-analyzer.js +0 -337
  87. package/rules/security/S039_no_session_tokens_in_url/typescript/symbol-based-analyzer.js +0 -443
  88. package/rules/security/S048_no_current_password_in_reset/config.json +0 -48
  89. package/rules/security/S048_no_current_password_in_reset/typescript/analyzer.js +0 -366
  90. /package/rules/security/{S026_json_schema_validation → S026_tls_all_connections}/dart/analyzer.js +0 -0
  91. /package/rules/security/{S026_json_schema_validation → S026_tls_all_connections}/index.js +0 -0
  92. /package/rules/security/{S027_no_hardcoded_secrets → S027_mtls_certificate_validation}/dart/analyzer.js +0 -0
  93. /package/rules/security/{S027_no_hardcoded_secrets → S027_mtls_certificate_validation}/index.js +0 -0
  94. /package/rules/security/{S027_no_hardcoded_secrets → S027_mtls_certificate_validation}/typescript/categorized-analyzer.js +0 -0
  95. /package/rules/security/{S035_path_session_cookies → S035_separate_app_hostnames}/dart/analyzer.js +0 -0
  96. /package/rules/security/{S035_path_session_cookies → S035_separate_app_hostnames}/index.js +0 -0
  97. /package/rules/security/{S035_path_session_cookies → S035_separate_app_hostnames}/typescript/README.md +0 -0
  98. /package/rules/security/{S039_no_session_tokens_in_url → S039_tls_certificate_validation}/dart/analyzer.js +0 -0
  99. /package/rules/security/{S039_no_session_tokens_in_url → S039_tls_certificate_validation}/index.js +0 -0
  100. /package/rules/security/{S039_no_session_tokens_in_url → S039_tls_certificate_validation}/typescript/README.md +0 -0
  101. /package/rules/security/{S048_no_current_password_in_reset → S048_oauth_redirect_uri_validation}/dart/analyzer.js +0 -0
  102. /package/rules/security/{S048_no_current_password_in_reset → S048_oauth_redirect_uri_validation}/index.js +0 -0
  103. /package/rules/security/{S048_no_current_password_in_reset → S048_oauth_redirect_uri_validation}/typescript/README.md +0 -0
package/config/rules/rules-registry-generated.json CHANGED
@@ -3562,25 +3562,25 @@
3562
3562
  ]
3563
3563
  },
3564
3564
  "S001": {
3565
- "name": "Fail securely when access control errors occur",
3566
- "description": "Ensure the system does not accidentally grant access when errors occur, helping to reduce the risk of unauthorized access and protect sensitive resources.",
3565
+ "name": "Authenticate backend component communications securely",
3566
+ "description": "Ensure all communications between backend components (APIs, middleware, data layers) are authenticated using secure, short-lived credentials instead of static secrets.",
3567
3567
  "category": "Common",
3568
3568
  "severity": "critical",
3569
3569
  "languages": [
3570
3570
  "All languages"
3571
3571
  ],
3572
- "version": "1.1",
3573
- "status": "draft",
3572
+ "version": "2.0",
3573
+ "status": "activated",
3574
3574
  "tags": [
3575
3575
  "Common",
3576
3576
  "readability",
3577
3577
  "code-quality"
3578
3578
  ],
3579
3579
  "tools": [
3580
- "SonarQube (S4524)",
3581
- "PMD (SecurityCodeGuidelines)",
3582
3580
  "Manual Review",
3583
- "Unit Test"
3581
+ "IAM Policy Audit",
3582
+ "mTLS Scanner",
3583
+ "Secret Rotation Checker"
3584
3584
  ],
3585
3585
  "framework": "All",
3586
3586
  "principles": [
@@ -3589,24 +3589,26 @@
3589
3589
  ]
3590
3590
  },
3591
3591
  "S002": {
3592
- "name": "Avoid IDOR vulnerabilities in CRUD operations",
3593
- "description": "Prevent unauthorized access to sensitive data by verifying users' actual access rights, avoiding reliance solely on IDs in URLs.",
3592
+ "name": "Protect against OS command injection",
3593
+ "description": "Prevent OS command injection attacks by ensuring all operating system calls use parameterized queries or proper output encoding.",
3594
3594
  "category": "Common",
3595
3595
  "severity": "critical",
3596
3596
  "languages": [
3597
3597
  "All languages"
3598
3598
  ],
3599
- "version": "1.1",
3600
- "status": "draft",
3599
+ "version": "2.0",
3600
+ "status": "activated",
3601
3601
  "tags": [
3602
3602
  "Common",
3603
3603
  "readability",
3604
3604
  "code-quality"
3605
3605
  ],
3606
3606
  "tools": [
3607
- "SonarQube (S6142",
3608
- "S2076)",
3609
- "Semgrep (custom rule)",
3607
+ "SonarQube (S2076",
3608
+ "S4721)",
3609
+ "Semgrep (command-injection)",
3610
+ "Bandit (B602",
3611
+ "B603)",
3610
3612
  "Manual Review"
3611
3613
  ],
3612
3614
  "framework": "All",
@@ -3668,14 +3670,14 @@
3668
3670
  ]
3669
3671
  },
3670
3672
  "S005": {
3671
- "name": "Do not use Origin header for authentication or access control",
3672
- "description": "Prevent authentication or authorization decisions based on `Origin` header which can be easily spoofed from the client side and is unreliable for security purposes.",
3673
+ "name": "Enforce authorization at trusted service layer",
3674
+ "description": "Ensure authorization rules are enforced at a trusted server-side service layer, not relying on client-side controls that can be manipulated.",
3673
3675
  "category": "Common",
3674
- "severity": "major",
3676
+ "severity": "critical",
3675
3677
  "languages": [
3676
3678
  "All languages"
3677
3679
  ],
3678
- "version": "1.0",
3680
+ "version": "2.0",
3679
3681
  "status": "activated",
3680
3682
  "tags": [
3681
3683
  "Common",
@@ -3684,7 +3686,8 @@
3684
3686
  ],
3685
3687
  "tools": [
3686
3688
  "Manual Review",
3687
- "Semgrep (custom rule)",
3689
+ "Static Analysis",
3690
+ "Penetration Testing",
3688
3691
  "SonarQube (custom rule)"
3689
3692
  ],
3690
3693
  "framework": "All",
@@ -3694,14 +3697,14 @@
3694
3697
  ]
3695
3698
  },
3696
3699
  "S006": {
3697
- "name": "Do not send recovery or activation codes in plaintext",
3698
- "description": "Prevent leakage of verification codes, recovery codes, or activation tokens if email/SMS is intercepted or exposed thereby minimizing the risk of account takeover attacks.",
3700
+ "name": "Do not use default credentials for service authentication",
3701
+ "description": "Ensure service authentication never uses default or well-known credentials that attackers can easily guess or find in documentation.",
3699
3702
  "category": "Common",
3700
- "severity": "major",
3703
+ "severity": "critical",
3701
3704
  "languages": [
3702
3705
  "All languages"
3703
3706
  ],
3704
- "version": "1.0",
3707
+ "version": "2.0",
3705
3708
  "status": "activated",
3706
3709
  "tags": [
3707
3710
  "Common",
@@ -3710,9 +3713,10 @@
3710
3713
  ],
3711
3714
  "tools": [
3712
3715
  "Manual Review",
3713
- "Semgrep (custom rule)",
3714
- "Secret Detection (regex scanner)",
3715
- "SonarQube (custom rule)"
3716
+ "Secret Scanner",
3717
+ "GitLeaks",
3718
+ "TruffleHog",
3719
+ "CI/CD Policy Checks"
3716
3720
  ],
3717
3721
  "framework": "All",
3718
3722
  "principles": [
@@ -3721,14 +3725,14 @@
3721
3725
  ]
3722
3726
  },
3723
3727
  "S007": {
3724
- "name": "Do not store OTP codes in plaintext",
3725
- "description": "Protect the system from OTP reuse attacks if database/logs are accessed without authorization. OTP, magic-links, or reset codes must be treated like passwords – only stored in one-way hashed form, not recoverable.",
3728
+ "name": "Perform output encoding before interpreter use",
3729
+ "description": "Ensure the application performs proper output encoding and escaping as a final step before data is used by the target interpreter, preventing injection attacks.",
3726
3730
  "category": "Common",
3727
3731
  "severity": "major",
3728
3732
  "languages": [
3729
3733
  "All languages"
3730
3734
  ],
3731
- "version": "1.0",
3735
+ "version": "2.0",
3732
3736
  "status": "activated",
3733
3737
  "tags": [
3734
3738
  "Common",
@@ -3736,10 +3740,11 @@
3736
3740
  "code-quality"
3737
3741
  ],
3738
3742
  "tools": [
3739
- "Manual Review",
3740
- "Semgrep (custom rule)",
3741
- "Secret Detection",
3742
- "SonarQube (custom rule)"
3743
+ "SonarQube (S5131",
3744
+ "S2076)",
3745
+ "Semgrep (injection rules)",
3746
+ "ESLint",
3747
+ "Manual Review"
3743
3748
  ],
3744
3749
  "framework": "All",
3745
3750
  "principles": [
@@ -3748,42 +3753,41 @@
3748
3753
  ]
3749
3754
  },
3750
3755
  "S008": {
3751
- "name": "Encryption algorithms and parameters must support flexible configuration and upgrades (crypto agility)",
3752
- "description": "Avoid binding the system to outdated cryptographic algorithms or parameters (like MD5, SHA-1, DES...), ensuring easy upgrades when standards change or new vulnerabilities emerge.",
3756
+ "name": "Validate and sanitize SVG content",
3757
+ "description": "Ensure user-supplied SVG (Scalable Vector Graphics) content is validated or sanitized to prevent script injection and other attacks.",
3753
3758
  "category": "Common",
3754
3759
  "severity": "major",
3755
3760
  "languages": [
3756
3761
  "All languages"
3757
3762
  ],
3758
- "version": "1.1",
3759
- "status": "draft",
3763
+ "version": "2.0",
3764
+ "status": "activated",
3760
3765
  "tags": [
3761
3766
  "Common",
3762
3767
  "readability",
3763
3768
  "code-quality"
3764
3769
  ],
3765
3770
  "tools": [
3771
+ "DOMPurify",
3772
+ "svg-sanitizer",
3766
3773
  "Manual Review",
3767
- "Semgrep (custom rule)",
3768
- "Secret Scanners",
3769
- "SonarQube (custom rule)"
3774
+ "CSP Headers"
3770
3775
  ],
3771
3776
  "framework": "All",
3772
3777
  "principles": [
3773
3778
  "CODE_QUALITY",
3774
- "MAINTAINABILITY",
3775
3779
  "SECURITY"
3776
3780
  ]
3777
3781
  },
3778
3782
  "S009": {
3779
- "name": "Do not use insecure encryption modes, padding, or cryptographic algorithms",
3780
- "description": "Prevent security vulnerabilities from using outdated encryption or hash algorithms, insecure padding/encryption modes leading to data exposure, pattern leakage, or padding oracle attacks.",
3783
+ "name": "Use only approved cryptographic algorithms, modes, and hash functions",
3784
+ "description": "Prevent cryptographic vulnerabilities by ensuring only secure block modes, padding schemes, ciphers, and hash functions are used throughout the application.",
3781
3785
  "category": "Common",
3782
3786
  "severity": "major",
3783
3787
  "languages": [
3784
3788
  "All languages"
3785
3789
  ],
3786
- "version": "1.0",
3790
+ "version": "2.0",
3787
3791
  "status": "activated",
3788
3792
  "tags": [
3789
3793
  "Common",
@@ -3830,14 +3834,14 @@
3830
3834
  ]
3831
3835
  },
3832
3836
  "S011": {
3833
- "name": "GUIDs used for security purposes must be generated according to UUID v4 standard with CSPRNG",
3834
- "description": "Prevent guessing, recreation, or exploitation of GUIDs when used as identifiers for sensitive resources, by ensuring GUIDs are generated according to UUID v4 standard with cryptographically secure random number generators (CSPRNG).",
3837
+ "name": "Enable Encrypted Client Hello (ECH) for TLS",
3838
+ "description": "Prevent exposure of sensitive metadata during TLS handshake by enabling Encrypted Client Hello (ECH) to protect Server Name Indication (SNI) and other client hello fields.",
3835
3839
  "category": "Common",
3836
3840
  "severity": "major",
3837
3841
  "languages": [
3838
3842
  "All languages"
3839
3843
  ],
3840
- "version": "1.0",
3844
+ "version": "2.0",
3841
3845
  "status": "activated",
3842
3846
  "tags": [
3843
3847
  "Common",
@@ -3845,26 +3849,25 @@
3845
3849
  "code-quality"
3846
3850
  ],
3847
3851
  "tools": [
3848
- "Manual Review",
3849
- "Semgrep (uuid version rules)",
3850
- "Static Analyzer",
3851
- "SonarQube (custom rule)"
3852
+ "SSL Labs",
3853
+ "testssl.sh",
3854
+ "Browser DevTools",
3855
+ "Manual TLS Config Review"
3852
3856
  ],
3853
3857
  "framework": "All",
3854
3858
  "principles": [
3855
- "CODE_QUALITY",
3856
3859
  "SECURITY"
3857
3860
  ]
3858
3861
  },
3859
3862
  "S012": {
3860
- "name": "Protect secrets and encrypt sensitive data",
3861
- "description": "Protect encryption keys, passwords, access tokens, API keys... from exposure through source code, `.env` files, or logs. Ensure sensitive data is always encrypted and keys are managed securely through Key Vault or HSM.",
3863
+ "name": "Use secrets management solution for backend secrets",
3864
+ "description": "Ensure all backend secrets are securely managed using a dedicated secrets management solution, never stored in source code or build artifacts.",
3862
3865
  "category": "Common",
3863
- "severity": "major",
3866
+ "severity": "critical",
3864
3867
  "languages": [
3865
3868
  "All languages"
3866
3869
  ],
3867
- "version": "1.0",
3870
+ "version": "2.0",
3868
3871
  "status": "activated",
3869
3872
  "tags": [
3870
3873
  "Common",
@@ -3872,15 +3875,16 @@
3872
3875
  "code-quality"
3873
3876
  ],
3874
3877
  "tools": [
3875
- "SonarQube (S2068",
3876
- "S5547)",
3878
+ "Vault",
3879
+ "AWS Secrets Manager",
3880
+ "Azure Key Vault",
3877
3881
  "GitLeaks",
3878
3882
  "TruffleHog",
3879
- "Semgrep (hardcoded-secrets)",
3880
- "Secret Scanner CI/CD"
3883
+ "HSM"
3881
3884
  ],
3882
3885
  "framework": "All",
3883
3886
  "principles": [
3887
+ "CODE_QUALITY",
3884
3888
  "SECURITY"
3885
3889
  ]
3886
3890
  },
@@ -4022,28 +4026,30 @@
4022
4026
  ]
4023
4027
  },
4024
4028
  "S018": {
4025
- "name": "Prefer Allow List for Input Validation",
4026
- "description": "Ensure all user inputs or external data sources are strictly validated by accepting only known good values. This reduces the risk of attacks like XSS, SQL Injection, and other security issues caused by malformed or unexpected input.",
4029
+ "name": "Do not store sensitive data in browser storage",
4030
+ "description": "Prevent sensitive data exposure by ensuring browser storage mechanisms do not contain sensitive information, except for session tokens.",
4027
4031
  "category": "Common",
4028
4032
  "severity": "major",
4029
4033
  "languages": [
4030
4034
  "All languages"
4031
4035
  ],
4032
- "version": "1.1",
4033
- "status": "draft",
4036
+ "version": "2.0",
4037
+ "status": "activated",
4034
4038
  "tags": [
4035
4039
  "Common",
4036
4040
  "readability",
4037
4041
  "code-quality"
4038
4042
  ],
4039
4043
  "tools": [
4044
+ "Browser DevTools",
4040
4045
  "Static Analysis (Semgrep",
4041
- "SonarQube)",
4042
- "Manual Review",
4043
- "Input Validation Libraries"
4046
+ "ESLint)",
4047
+ "Manual Code Review",
4048
+ "Security Audit"
4044
4049
  ],
4045
4050
  "framework": "All",
4046
4051
  "principles": [
4052
+ "CODE_QUALITY",
4047
4053
  "SECURITY"
4048
4054
  ]
4049
4055
  },
@@ -4100,27 +4106,25 @@
4100
4106
  ]
4101
4107
  },
4102
4108
  "S021": {
4103
- "name": "Sanitize user-generated Markdown, CSS, and XSL content",
4104
- "description": "Prevent script injection via user-generated content in Markdown, CSS, or XSL.",
4109
+ "name": "Set Referrer-Policy to prevent sensitive data leakage",
4110
+ "description": "Prevent leakage of sensitive URL data (path, query parameters, hostname) to third-party services via the `Referer` HTTP header.",
4105
4111
  "category": "Common",
4106
4112
  "severity": "major",
4107
4113
  "languages": [
4108
4114
  "All languages"
4109
4115
  ],
4110
- "version": "1.1",
4111
- "status": "draft",
4116
+ "version": "2.0",
4117
+ "status": "activated",
4112
4118
  "tags": [
4113
4119
  "Common",
4114
4120
  "readability",
4115
4121
  "code-quality"
4116
4122
  ],
4117
4123
  "tools": [
4118
- "DOMPurify",
4119
- "sanitize-html",
4120
- "markdown-it",
4121
- "Bandit (Python)",
4122
- "Manual Review",
4123
- "SonarQube (custom rule)"
4124
+ "Browser DevTools",
4125
+ "Security Headers Scanner",
4126
+ "OWASP ZAP",
4127
+ "Manual Review"
4124
4128
  ],
4125
4129
  "framework": "All",
4126
4130
  "principles": [
@@ -4158,14 +4162,14 @@
4158
4162
  ]
4159
4163
  },
4160
4164
  "S023": {
4161
- "name": "Prevent JSON Injection and JSON eval attacks",
4162
- "description": "Prevent JavaScript execution via unsafe JSON handling or injection attacks.",
4165
+ "name": "Use output encoding when building dynamic JavaScript/JSON",
4166
+ "description": "Prevent JavaScript and JSON injection by applying proper output encoding when dynamically building JavaScript content or JSON data.",
4163
4167
  "category": "Common",
4164
4168
  "severity": "major",
4165
4169
  "languages": [
4166
4170
  "All languages"
4167
4171
  ],
4168
- "version": "1.0",
4172
+ "version": "2.0",
4169
4173
  "status": "activated",
4170
4174
  "tags": [
4171
4175
  "Common",
@@ -4174,10 +4178,9 @@
4174
4178
  ],
4175
4179
  "tools": [
4176
4180
  "ESLint (`no-eval`)",
4177
- "Semgrep (`eval-dynamic`",
4178
- "`json-injection`)",
4179
- "Bandit",
4180
- "SonarQube (S1523)",
4181
+ "Semgrep (json-injection)",
4182
+ "SonarQube (S1523",
4183
+ "S5334)",
4181
4184
  "Manual Review"
4182
4185
  ],
4183
4186
  "framework": "All",
@@ -4240,14 +4243,14 @@
4240
4243
  ]
4241
4244
  },
4242
4245
  "S026": {
4243
- "name": "Apply JSON Schema Validation to input data",
4244
- "description": "Ensure all incoming JSON is fully validated by schema (structure, types, constraints) before processing.",
4246
+ "name": "Use TLS encryption for all inbound and outbound connections",
4247
+ "description": "Ensure all application connections use encrypted TLS protocol, with no fallback to insecure or unencrypted protocols.",
4245
4248
  "category": "Common",
4246
- "severity": "major",
4249
+ "severity": "critical",
4247
4250
  "languages": [
4248
4251
  "All languages"
4249
4252
  ],
4250
- "version": "1.0",
4253
+ "version": "2.0",
4251
4254
  "status": "activated",
4252
4255
  "tags": [
4253
4256
  "Common",
@@ -4255,13 +4258,11 @@
4255
4258
  "code-quality"
4256
4259
  ],
4257
4260
  "tools": [
4258
- "AJV",
4259
- "jsonschema",
4260
- "Joi",
4261
- "Pydantic",
4262
- "Hibernate Validator",
4263
- "SonarQube (custom rule)",
4264
- "Manual Review"
4261
+ "SSL Labs",
4262
+ "testssl.sh",
4263
+ "nmap",
4264
+ "Network Traffic Analysis",
4265
+ "Manual Config Review"
4265
4266
  ],
4266
4267
  "framework": "All",
4267
4268
  "principles": [
@@ -4270,14 +4271,14 @@
4270
4271
  ]
4271
4272
  },
4272
4273
  "S027": {
4273
- "name": "Never expose secrets in source code or Git",
4274
- "description": "Prevent leakage of credentials, API keys, tokens, or sensitive config via source code or version control.",
4274
+ "name": "Validate mTLS client certificates before authentication",
4275
+ "description": "Ensure mTLS client certificates are properly validated and trusted before using certificate identity for authentication or authorization decisions.",
4275
4276
  "category": "Common",
4276
- "severity": "major",
4277
+ "severity": "critical",
4277
4278
  "languages": [
4278
4279
  "All languages"
4279
4280
  ],
4280
- "version": "1.0",
4281
+ "version": "2.0",
4281
4282
  "status": "activated",
4282
4283
  "tags": [
4283
4284
  "Common",
@@ -4285,11 +4286,10 @@
4285
4286
  "code-quality"
4286
4287
  ],
4287
4288
  "tools": [
4288
- "GitLeaks",
4289
- "TruffleHog",
4290
- "detect-secrets",
4291
- "git-secrets",
4292
- "SonarQube (custom rule)"
4289
+ "OpenSSL",
4290
+ "mTLS Testing Tools",
4291
+ "Certificate Validator",
4292
+ "Manual Config Review"
4293
4293
  ],
4294
4294
  "framework": "All",
4295
4295
  "principles": [
@@ -4493,14 +4493,14 @@
4493
4493
  ]
4494
4494
  },
4495
4495
  "S035": {
4496
- "name": "Set the `Path` attribute for Session Cookies to limit access scope",
4497
- "description": "Reduce the risk of session cookie leaks or abuse across multiple apps under the same domain (e.g., `/app1` and `/app2`) by limiting cookie scope via the `Path` attribute.",
4496
+ "name": "Host separate applications on different hostnames",
4497
+ "description": "Leverage same-origin policy restrictions by hosting separate applications on different hostnames to isolate resources, cookies, and prevent cross-application attacks.",
4498
4498
  "category": "Common",
4499
4499
  "severity": "major",
4500
4500
  "languages": [
4501
4501
  "All languages"
4502
4502
  ],
4503
- "version": "1.0",
4503
+ "version": "2.0",
4504
4504
  "status": "activated",
4505
4505
  "tags": [
4506
4506
  "Common",
@@ -4508,11 +4508,9 @@
4508
4508
  "code-quality"
4509
4509
  ],
4510
4510
  "tools": [
4511
- "Static Analysis",
4512
- "Manual Review",
4513
- "Chrome DevTools",
4514
- "Postman",
4515
- "SonarQube (custom rule)"
4511
+ "Manual Architecture Review",
4512
+ "DNS Configuration Audit",
4513
+ "Browser DevTools"
4516
4514
  ],
4517
4515
  "framework": "All",
4518
4516
  "principles": [
@@ -4521,14 +4519,14 @@
4521
4519
  ]
4522
4520
  },
4523
4521
  "S036": {
4524
- "name": "Prevent LFI and RFI using path validation and allow-lists",
4525
- "description": "Block Local File Inclusion (LFI) and Remote File Inclusion (RFI) attacks where attackers access sensitive files (e.g., `/etc/passwd`, `C:\\Windows\\system32`) or execute code from external URLs.",
4522
+ "name": "Use internal data for file paths, validate user filenames strictly",
4523
+ "description": "Prevent path traversal, LFI, RFI, and SSRF attacks by using internally generated file paths instead of user-submitted filenames, with strict validation when user input is unavoidable.",
4526
4524
  "category": "Common",
4527
- "severity": "major",
4525
+ "severity": "critical",
4528
4526
  "languages": [
4529
4527
  "All languages"
4530
4528
  ],
4531
- "version": "1.0",
4529
+ "version": "2.0",
4532
4530
  "status": "activated",
4533
4531
  "tags": [
4534
4532
  "Common",
@@ -4539,8 +4537,8 @@
4539
4537
  "Static Analysis",
4540
4538
  "OWASP ZAP",
4541
4539
  "Burp Suite",
4542
- "Manual Review",
4543
- "SonarQube (custom rule)"
4540
+ "Semgrep (path-traversal)",
4541
+ "Manual Review"
4544
4542
  ],
4545
4543
  "framework": "All",
4546
4544
  "principles": [
@@ -4604,14 +4602,14 @@
4604
4602
  ]
4605
4603
  },
4606
4604
  "S039": {
4607
- "name": "Never transmit Session Tokens via URL parameters",
4608
- "description": "Prevent session hijacking by ensuring session tokens are not stored in browser history, server logs, proxy logs, or leaked via Referrer headers.",
4605
+ "name": "TLS clients must validate server certificates",
4606
+ "description": "Ensure TLS clients validate certificates received from servers before establishing secure communication to prevent MITM attacks.",
4609
4607
  "category": "Common",
4610
- "severity": "major",
4608
+ "severity": "critical",
4611
4609
  "languages": [
4612
4610
  "All languages"
4613
4611
  ],
4614
- "version": "1.0",
4612
+ "version": "2.0",
4615
4613
  "status": "activated",
4616
4614
  "tags": [
4617
4615
  "Common",
@@ -4619,14 +4617,14 @@
4619
4617
  "code-quality"
4620
4618
  ],
4621
4619
  "tools": [
4620
+ "SSL Labs",
4621
+ "testssl.sh",
4622
4622
  "Static Analysis",
4623
- "Manual Review",
4624
- "Burp Suite",
4625
- "Postman",
4626
- "SonarQube (custom rule)"
4623
+ "Manual Code Review"
4627
4624
  ],
4628
4625
  "framework": "All",
4629
4626
  "principles": [
4627
+ "CODE_QUALITY",
4630
4628
  "SECURITY"
4631
4629
  ]
4632
4630
  },
@@ -4639,7 +4637,7 @@
4639
4637
  "All languages"
4640
4638
  ],
4641
4639
  "version": "1.1",
4642
- "status": "draft",
4640
+ "status": "activated",
4643
4641
  "tags": [
4644
4642
  "Common",
4645
4643
  "readability",
@@ -4722,7 +4720,7 @@
4722
4720
  "All languages"
4723
4721
  ],
4724
4722
  "version": "1.1",
4725
- "status": "draft",
4723
+ "status": "activated",
4726
4724
  "tags": [
4727
4725
  "Common",
4728
4726
  "readability",
@@ -4795,25 +4793,25 @@
4795
4793
  ]
4796
4794
  },
4797
4795
  "S046": {
4798
- "name": "Notify users of critical account changes",
4799
- "description": "Alert users to sensitive actions to detect potential compromise and allow timely intervention.",
4796
+ "name": "Use algorithm allowlist for self-contained tokens",
4797
+ "description": "Prevent algorithm confusion and downgrade attacks by restricting token signing/verification to an explicit allowlist of algorithms.",
4800
4798
  "category": "Common",
4801
- "severity": "major",
4799
+ "severity": "critical",
4802
4800
  "languages": [
4803
4801
  "All languages"
4804
4802
  ],
4805
- "version": "1.1",
4806
- "status": "draft",
4803
+ "version": "2.0",
4804
+ "status": "activated",
4807
4805
  "tags": [
4808
4806
  "Common",
4809
4807
  "readability",
4810
4808
  "code-quality"
4811
4809
  ],
4812
4810
  "tools": [
4813
- "Manual Review",
4814
- "Security Test",
4815
- "Notification Audit",
4816
- "SonarQube (custom rule)"
4811
+ "JWT Debugger",
4812
+ "Static Analysis",
4813
+ "Manual Code Review",
4814
+ "Security Test"
4817
4815
  ],
4818
4816
  "framework": "All",
4819
4817
  "principles": [
@@ -4822,14 +4820,14 @@
4822
4820
  ]
4823
4821
  },
4824
4822
  "S047": {
4825
- "name": "Secure temporary passwords and activation codes",
4826
- "description": "Ensure that temporary passwords and activation codes are secure, unpredictable, single-use, and time-limited.",
4823
+ "name": "Protect OAuth code flow against CSRF attacks",
4824
+ "description": "Prevent browser-based CSRF attacks that could trigger unauthorized OAuth token requests by implementing PKCE or state parameter validation.",
4827
4825
  "category": "Common",
4828
4826
  "severity": "major",
4829
4827
  "languages": [
4830
4828
  "All languages"
4831
4829
  ],
4832
- "version": "1.0",
4830
+ "version": "2.0",
4833
4831
  "status": "activated",
4834
4832
  "tags": [
4835
4833
  "Common",
@@ -4837,10 +4835,9 @@
4837
4835
  "code-quality"
4838
4836
  ],
4839
4837
  "tools": [
4840
- "Manual Review",
4841
- "Static Analysis",
4842
- "Audit Flow",
4843
- "SonarQube (custom rule)"
4838
+ "OAuth Security Testing",
4839
+ "Manual Code Review",
4840
+ "OWASP ZAP"
4844
4841
  ],
4845
4842
  "framework": "All",
4846
4843
  "principles": [
@@ -4849,14 +4846,14 @@
4849
4846
  ]
4850
4847
  },
4851
4848
  "S048": {
4852
- "name": "Do not expose current password during reset flow",
4853
- "description": "Ensure the current user password is never revealed or sent in any step of the password reset process.",
4849
+ "name": "Validate OAuth redirect URIs with exact string comparison",
4850
+ "description": "Prevent OAuth redirect attacks by validating redirect URIs against a client-specific allowlist using exact string comparison, not pattern matching.",
4854
4851
  "category": "Common",
4855
- "severity": "major",
4852
+ "severity": "critical",
4856
4853
  "languages": [
4857
4854
  "All languages"
4858
4855
  ],
4859
- "version": "1.0",
4856
+ "version": "2.0",
4860
4857
  "status": "activated",
4861
4858
  "tags": [
4862
4859
  "Common",
@@ -4864,12 +4861,13 @@
4864
4861
  "code-quality"
4865
4862
  ],
4866
4863
  "tools": [
4867
- "Manual Review",
4868
- "Penetration Test",
4869
- "SonarQube (custom rule)"
4864
+ "OAuth Security Testing",
4865
+ "Manual Config Review",
4866
+ "Penetration Testing"
4870
4867
  ],
4871
4868
  "framework": "All",
4872
4869
  "principles": [
4870
+ "CODE_QUALITY",
4873
4871
  "SECURITY"
4874
4872
  ]
4875
4873
  },
@@ -4900,14 +4898,14 @@
4900
4898
  ]
4901
4899
  },
4902
4900
  "S050": {
4903
- "name": "Session tokens must have minimum 64-bit entropy and use secure algorithms",
4904
- "description": "Prevent attackers from predicting or forging session tokens by ensuring sufficient length, entropy, and cryptographic safety.",
4901
+ "name": "Reference tokens must be unique with 128-bit entropy using CSPRNG",
4902
+ "description": "Ensure reference tokens (session tokens, opaque tokens) are unpredictable and resistant to brute-force attacks by using cryptographically secure generation.",
4905
4903
  "category": "Common",
4906
4904
  "severity": "major",
4907
4905
  "languages": [
4908
4906
  "All languages"
4909
4907
  ],
4910
- "version": "1.0",
4908
+ "version": "2.0",
4911
4909
  "status": "activated",
4912
4910
  "tags": [
4913
4911
  "Common",
@@ -4915,9 +4913,10 @@
4915
4913
  "code-quality"
4916
4914
  ],
4917
4915
  "tools": [
4918
- "Manual Review",
4919
4916
  "Static Analysis",
4920
- "SonarQube (custom rule)"
4917
+ "Security Audit",
4918
+ "CSPRNG Verification",
4919
+ "Manual Code Review"
4921
4920
  ],
4922
4921
  "framework": "All",
4923
4922
  "principles": [
@@ -4980,14 +4979,14 @@
4980
4979
  ]
4981
4980
  },
4982
4981
  "S053": {
4983
- "name": "Only use secure OTP algorithms like HOTP/TOTP",
4984
- "description": "Ensure OTPs are secure against spoofing and replay attacks by using safe, standard algorithms.",
4982
+ "name": "Return generic error messages, hide internal details",
4983
+ "description": "Prevent exposure of sensitive internal system data by returning generic error messages to consumers when unexpected or security-sensitive errors occur.",
4985
4984
  "category": "Common",
4986
4985
  "severity": "major",
4987
4986
  "languages": [
4988
4987
  "All languages"
4989
4988
  ],
4990
- "version": "1.0",
4989
+ "version": "2.0",
4991
4990
  "status": "activated",
4992
4991
  "tags": [
4993
4992
  "Common",
@@ -4995,10 +4994,10 @@
4995
4994
  "code-quality"
4996
4995
  ],
4997
4996
  "tools": [
4998
- "Manual Review",
4999
- "Unit Test",
5000
4997
  "Static Analysis",
5001
- "SonarQube (custom rule)"
4998
+ "Penetration Testing",
4999
+ "Error Response Audit",
5000
+ "Manual Code Review"
5002
5001
  ],
5003
5002
  "framework": "All",
5004
5003
  "principles": [
@@ -5140,29 +5139,56 @@
5140
5139
  ]
5141
5140
  },
5142
5141
  "S059": {
5143
- "name": "Configure Allow List for server-side outbound requests",
5144
- "description": "Reduce risks from the server making outbound requests to untrusted systems (SSRF, malicious downloads, data leaks).",
5142
+ "name": "Disable debug modes in production environments",
5143
+ "description": "Prevent exposure of debugging features and information leakage by ensuring all debug modes are disabled in production environments.",
5145
5144
  "category": "Common",
5146
5145
  "severity": "major",
5147
5146
  "languages": [
5148
5147
  "All languages"
5149
5148
  ],
5150
- "version": "1.1",
5151
- "status": "draft",
5149
+ "version": "2.0",
5150
+ "status": "activated",
5152
5151
  "tags": [
5153
5152
  "Common",
5154
5153
  "readability",
5155
5154
  "code-quality"
5156
5155
  ],
5157
5156
  "tools": [
5158
- "Manual Config Review",
5159
- "Firewall/Proxy Logs",
5160
- "CloudTrail",
5161
- "Burp Suite Test",
5162
- "SonarQube (custom rule)"
5157
+ "Configuration Audit",
5158
+ "Penetration Testing",
5159
+ "OWASP ZAP",
5160
+ "Environment Checker"
5161
+ ],
5162
+ "framework": "All",
5163
+ "principles": [
5164
+ "CODE_QUALITY",
5165
+ "SECURITY"
5166
+ ]
5167
+ },
5168
+ "S060": {
5169
+ "name": "Enforce minimum password length of 8 characters, recommend 15+",
5170
+ "description": "Ensure user-set passwords meet minimum length requirements to provide adequate security against brute-force and dictionary attacks.",
5171
+ "category": "Common",
5172
+ "severity": "major",
5173
+ "languages": [
5174
+ "All languages"
5175
+ ],
5176
+ "version": "2.0",
5177
+ "status": "activated",
5178
+ "tags": [
5179
+ "Common",
5180
+ "readability",
5181
+ "code-quality"
5182
+ ],
5183
+ "tools": [
5184
+ "Static Analysis",
5185
+ "Unit Test",
5186
+ "Password Strength Libraries (zxcvbn)",
5187
+ "Manual Review"
5163
5188
  ],
5164
5189
  "framework": "All",
5165
5190
  "principles": [
5191
+ "CODE_QUALITY",
5166
5192
  "SECURITY"
5167
5193
  ]
5168
5194
  },