@sun-asterisk/sunlint 1.3.36 → 1.3.38

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (113) hide show
  1. package/cli.js +34 -0
  2. package/config/rules/enhanced-rules-registry.json +387 -98
  3. package/config/rules/rules-registry-generated.json +202 -174
  4. package/config/rules-summary.json +1 -1
  5. package/core/architecture-integration.js +115 -17
  6. package/core/cli-action-handler.js +103 -28
  7. package/core/cli-program.js +7 -2
  8. package/core/github-annotate-service.js +62 -0
  9. package/core/impact-integration.js +31 -16
  10. package/core/init-command.js +261 -0
  11. package/core/output-service.js +64 -10
  12. package/core/performance-optimizer.js +1 -1
  13. package/core/summary-report-service.js +46 -0
  14. package/core/unified-rule-registry.js +4 -3
  15. package/docs/DART_RULE_EXECUTION_FLOW.md +1 -1
  16. package/docs/REGISTRY_GENERATION_DIAGRAM.md +289 -0
  17. package/docs/REGISTRY_GENERATION_FLOW.md +486 -0
  18. package/docs/skills/CREATE_NEW_DART_RULE.md +932 -0
  19. package/engines/eslint-engine.js +6 -0
  20. package/engines/heuristic-engine.js +23 -10
  21. package/engines/impact/core/detectors/database-detector.js +1 -1
  22. package/engines/impact/core/detectors/endpoint-detector.js +1 -1
  23. package/engines/impact/core/report-generator.js +235 -73
  24. package/origin-rules/dart-en.md +4 -4
  25. package/origin-rules/security-en.md +470 -282
  26. package/package.json +1 -1
  27. package/rules/dart/D001_recommended_lint_rules/config.json +134 -0
  28. package/rules/index.js +6 -4
  29. package/rules/security/S001_backend_auth_communications/dart/analyzer.js +44 -0
  30. package/rules/security/S001_backend_auth_communications/index.js +87 -0
  31. package/rules/security/S001_backend_auth_communications/typescript/analyzer.js +164 -0
  32. package/rules/security/S002_os_command_injection/dart/analyzer.js +44 -0
  33. package/rules/security/S002_os_command_injection/index.js +87 -0
  34. package/rules/security/S002_os_command_injection/typescript/analyzer.js +194 -0
  35. package/rules/security/S008_svg_content_validation/dart/analyzer.js +44 -0
  36. package/rules/security/S008_svg_content_validation/index.js +87 -0
  37. package/rules/security/S008_svg_content_validation/typescript/analyzer.js +216 -0
  38. package/rules/security/S018_no_sensitive_browser_storage/dart/analyzer.js +44 -0
  39. package/rules/security/S018_no_sensitive_browser_storage/index.js +86 -0
  40. package/rules/security/S018_no_sensitive_browser_storage/typescript/analyzer.js +193 -0
  41. package/rules/security/S021_referrer_policy/dart/analyzer.js +44 -0
  42. package/rules/security/S021_referrer_policy/index.js +86 -0
  43. package/rules/security/S021_referrer_policy/typescript/analyzer.js +183 -0
  44. package/rules/security/S023_no_json_injection/config.json +133 -44
  45. package/rules/security/S023_no_json_injection/dart/analyzer.js +7 -6
  46. package/rules/security/S023_no_json_injection/typescript/analyzer.js +402 -126
  47. package/rules/security/S023_no_json_injection/typescript/ast-analyzer.js +571 -154
  48. package/rules/security/S026_tls_all_connections/config.json +30 -0
  49. package/rules/security/S026_tls_all_connections/typescript/analyzer.js +339 -0
  50. package/rules/security/S027_mtls_certificate_validation/config.json +30 -0
  51. package/rules/security/S027_mtls_certificate_validation/typescript/analyzer.js +225 -0
  52. package/rules/security/S035_separate_app_hostnames/config.json +28 -0
  53. package/rules/security/S035_separate_app_hostnames/typescript/analyzer.js +186 -0
  54. package/rules/security/S036_lfi_rfi_protection/config.json +2 -2
  55. package/rules/security/S039_tls_certificate_validation/config.json +29 -0
  56. package/rules/security/S039_tls_certificate_validation/typescript/analyzer.js +229 -0
  57. package/rules/security/S046_jwt_algorithm_allowlist/config.json +28 -0
  58. package/rules/security/S046_jwt_algorithm_allowlist/dart/analyzer.js +44 -0
  59. package/rules/security/S046_jwt_algorithm_allowlist/index.js +87 -0
  60. package/rules/security/S046_jwt_algorithm_allowlist/typescript/analyzer.js +235 -0
  61. package/rules/security/S047_oauth_pkce_protection/config.json +31 -0
  62. package/rules/security/S047_oauth_pkce_protection/dart/analyzer.js +44 -0
  63. package/rules/security/S047_oauth_pkce_protection/index.js +86 -0
  64. package/rules/security/S047_oauth_pkce_protection/typescript/analyzer.js +78 -0
  65. package/rules/security/S048_oauth_redirect_uri_validation/config.json +30 -0
  66. package/rules/security/S048_oauth_redirect_uri_validation/typescript/analyzer.js +278 -0
  67. package/rules/security/S049_short_validity_tokens/typescript/config.json +10 -3
  68. package/rules/security/S050_reference_tokens_entropy/config.json +28 -0
  69. package/rules/security/S050_reference_tokens_entropy/dart/analyzer.js +45 -0
  70. package/rules/security/S050_reference_tokens_entropy/index.js +86 -0
  71. package/rules/security/S050_reference_tokens_entropy/typescript/analyzer.js +74 -0
  72. package/rules/security/S053_generic_error_messages/config.json +28 -0
  73. package/rules/security/S053_generic_error_messages/dart/analyzer.js +45 -0
  74. package/rules/security/S053_generic_error_messages/index.js +86 -0
  75. package/rules/security/S053_generic_error_messages/typescript/analyzer.js +80 -0
  76. package/rules/security/S055_content_type_validation/typescript/symbol-based-analyzer.js +64 -2
  77. package/rules/security/S059_disable_debug_mode/config.json +28 -0
  78. package/rules/security/S059_disable_debug_mode/dart/analyzer.js +45 -0
  79. package/rules/security/S059_disable_debug_mode/index.js +86 -0
  80. package/rules/security/S059_disable_debug_mode/typescript/analyzer.js +85 -0
  81. package/rules/security/S060_password_minimum_length/config.json +28 -0
  82. package/rules/security/S060_password_minimum_length/dart/analyzer.js +45 -0
  83. package/rules/security/S060_password_minimum_length/index.js +86 -0
  84. package/rules/security/S060_password_minimum_length/typescript/analyzer.js +78 -0
  85. package/rules/security/S026_json_schema_validation/config.json +0 -27
  86. package/rules/security/S026_json_schema_validation/typescript/analyzer.js +0 -251
  87. package/rules/security/S027_no_hardcoded_secrets/config.json +0 -29
  88. package/rules/security/S027_no_hardcoded_secrets/typescript/analyzer.js +0 -309
  89. package/rules/security/S027_no_hardcoded_secrets/typescript/categories.json +0 -153
  90. package/rules/security/S035_path_session_cookies/config.json +0 -99
  91. package/rules/security/S035_path_session_cookies/typescript/analyzer.js +0 -316
  92. package/rules/security/S035_path_session_cookies/typescript/regex-based-analyzer.js +0 -724
  93. package/rules/security/S035_path_session_cookies/typescript/symbol-based-analyzer.js +0 -373
  94. package/rules/security/S039_no_session_tokens_in_url/config.json +0 -92
  95. package/rules/security/S039_no_session_tokens_in_url/typescript/analyzer.js +0 -262
  96. package/rules/security/S039_no_session_tokens_in_url/typescript/regex-based-analyzer.js +0 -337
  97. package/rules/security/S039_no_session_tokens_in_url/typescript/symbol-based-analyzer.js +0 -443
  98. package/rules/security/S048_no_current_password_in_reset/config.json +0 -48
  99. package/rules/security/S048_no_current_password_in_reset/typescript/analyzer.js +0 -366
  100. /package/rules/security/{S026_json_schema_validation → S026_tls_all_connections}/dart/analyzer.js +0 -0
  101. /package/rules/security/{S026_json_schema_validation → S026_tls_all_connections}/index.js +0 -0
  102. /package/rules/security/{S027_no_hardcoded_secrets → S027_mtls_certificate_validation}/dart/analyzer.js +0 -0
  103. /package/rules/security/{S027_no_hardcoded_secrets → S027_mtls_certificate_validation}/index.js +0 -0
  104. /package/rules/security/{S027_no_hardcoded_secrets → S027_mtls_certificate_validation}/typescript/categorized-analyzer.js +0 -0
  105. /package/rules/security/{S035_path_session_cookies → S035_separate_app_hostnames}/dart/analyzer.js +0 -0
  106. /package/rules/security/{S035_path_session_cookies → S035_separate_app_hostnames}/index.js +0 -0
  107. /package/rules/security/{S035_path_session_cookies → S035_separate_app_hostnames}/typescript/README.md +0 -0
  108. /package/rules/security/{S039_no_session_tokens_in_url → S039_tls_certificate_validation}/dart/analyzer.js +0 -0
  109. /package/rules/security/{S039_no_session_tokens_in_url → S039_tls_certificate_validation}/index.js +0 -0
  110. /package/rules/security/{S039_no_session_tokens_in_url → S039_tls_certificate_validation}/typescript/README.md +0 -0
  111. /package/rules/security/{S048_no_current_password_in_reset → S048_oauth_redirect_uri_validation}/dart/analyzer.js +0 -0
  112. /package/rules/security/{S048_no_current_password_in_reset → S048_oauth_redirect_uri_validation}/index.js +0 -0
  113. /package/rules/security/{S048_no_current_password_in_reset → S048_oauth_redirect_uri_validation}/typescript/README.md +0 -0
package/config/rules/rules-registry-generated.json CHANGED
@@ -1833,8 +1833,8 @@
1833
1833
  ]
1834
1834
  },
1835
1835
  "D001": {
1836
- "name": "Keep parameter names consistent when overriding methods",
1837
- "description": "Maintain consistency between inherited classes",
1836
+ "name": "Recommended Lint Rules Should Be Enabled",
1837
+ "description": "Ensure code quality through standard lint configurations",
1838
1838
  "category": "Common",
1839
1839
  "severity": "major",
1840
1840
  "languages": [
@@ -1848,7 +1848,9 @@
1848
1848
  "code-quality"
1849
1849
  ],
1850
1850
  "tools": [
1851
- "`dart lint` (`avoid_renaming_method_parameters`)"
1851
+ "`dart lint` (flutter_lints",
1852
+ "very_good_analysis",
1853
+ "lints)"
1852
1854
  ],
1853
1855
  "framework": "All",
1854
1856
  "principles": [
@@ -3562,25 +3564,25 @@
3562
3564
  ]
3563
3565
  },
3564
3566
  "S001": {
3565
- "name": "Fail securely when access control errors occur",
3566
- "description": "Ensure the system does not accidentally grant access when errors occur, helping to reduce the risk of unauthorized access and protect sensitive resources.",
3567
+ "name": "Authenticate backend component communications securely",
3568
+ "description": "Ensure all communications between backend components (APIs, middleware, data layers) are authenticated using secure, short-lived credentials instead of static secrets.",
3567
3569
  "category": "Common",
3568
3570
  "severity": "critical",
3569
3571
  "languages": [
3570
3572
  "All languages"
3571
3573
  ],
3572
- "version": "1.1",
3573
- "status": "draft",
3574
+ "version": "2.0",
3575
+ "status": "activated",
3574
3576
  "tags": [
3575
3577
  "Common",
3576
3578
  "readability",
3577
3579
  "code-quality"
3578
3580
  ],
3579
3581
  "tools": [
3580
- "SonarQube (S4524)",
3581
- "PMD (SecurityCodeGuidelines)",
3582
3582
  "Manual Review",
3583
- "Unit Test"
3583
+ "IAM Policy Audit",
3584
+ "mTLS Scanner",
3585
+ "Secret Rotation Checker"
3584
3586
  ],
3585
3587
  "framework": "All",
3586
3588
  "principles": [
@@ -3589,24 +3591,26 @@
3589
3591
  ]
3590
3592
  },
3591
3593
  "S002": {
3592
- "name": "Avoid IDOR vulnerabilities in CRUD operations",
3593
- "description": "Prevent unauthorized access to sensitive data by verifying users' actual access rights, avoiding reliance solely on IDs in URLs.",
3594
+ "name": "Protect against OS command injection",
3595
+ "description": "Prevent OS command injection attacks by ensuring all operating system calls use parameterized queries or proper output encoding.",
3594
3596
  "category": "Common",
3595
3597
  "severity": "critical",
3596
3598
  "languages": [
3597
3599
  "All languages"
3598
3600
  ],
3599
- "version": "1.1",
3600
- "status": "draft",
3601
+ "version": "2.0",
3602
+ "status": "activated",
3601
3603
  "tags": [
3602
3604
  "Common",
3603
3605
  "readability",
3604
3606
  "code-quality"
3605
3607
  ],
3606
3608
  "tools": [
3607
- "SonarQube (S6142",
3608
- "S2076)",
3609
- "Semgrep (custom rule)",
3609
+ "SonarQube (S2076",
3610
+ "S4721)",
3611
+ "Semgrep (command-injection)",
3612
+ "Bandit (B602",
3613
+ "B603)",
3610
3614
  "Manual Review"
3611
3615
  ],
3612
3616
  "framework": "All",
@@ -3668,14 +3672,14 @@
3668
3672
  ]
3669
3673
  },
3670
3674
  "S005": {
3671
- "name": "Do not use Origin header for authentication or access control",
3672
- "description": "Prevent authentication or authorization decisions based on `Origin` header which can be easily spoofed from the client side and is unreliable for security purposes.",
3675
+ "name": "Enforce authorization at trusted service layer",
3676
+ "description": "Ensure authorization rules are enforced at a trusted server-side service layer, not relying on client-side controls that can be manipulated.",
3673
3677
  "category": "Common",
3674
- "severity": "major",
3678
+ "severity": "critical",
3675
3679
  "languages": [
3676
3680
  "All languages"
3677
3681
  ],
3678
- "version": "1.0",
3682
+ "version": "2.0",
3679
3683
  "status": "activated",
3680
3684
  "tags": [
3681
3685
  "Common",
@@ -3684,7 +3688,8 @@
3684
3688
  ],
3685
3689
  "tools": [
3686
3690
  "Manual Review",
3687
- "Semgrep (custom rule)",
3691
+ "Static Analysis",
3692
+ "Penetration Testing",
3688
3693
  "SonarQube (custom rule)"
3689
3694
  ],
3690
3695
  "framework": "All",
@@ -3694,14 +3699,14 @@
3694
3699
  ]
3695
3700
  },
3696
3701
  "S006": {
3697
- "name": "Do not send recovery or activation codes in plaintext",
3698
- "description": "Prevent leakage of verification codes, recovery codes, or activation tokens if email/SMS is intercepted or exposed thereby minimizing the risk of account takeover attacks.",
3702
+ "name": "Do not use default credentials for service authentication",
3703
+ "description": "Ensure service authentication never uses default or well-known credentials that attackers can easily guess or find in documentation.",
3699
3704
  "category": "Common",
3700
- "severity": "major",
3705
+ "severity": "critical",
3701
3706
  "languages": [
3702
3707
  "All languages"
3703
3708
  ],
3704
- "version": "1.0",
3709
+ "version": "2.0",
3705
3710
  "status": "activated",
3706
3711
  "tags": [
3707
3712
  "Common",
@@ -3710,9 +3715,10 @@
3710
3715
  ],
3711
3716
  "tools": [
3712
3717
  "Manual Review",
3713
- "Semgrep (custom rule)",
3714
- "Secret Detection (regex scanner)",
3715
- "SonarQube (custom rule)"
3718
+ "Secret Scanner",
3719
+ "GitLeaks",
3720
+ "TruffleHog",
3721
+ "CI/CD Policy Checks"
3716
3722
  ],
3717
3723
  "framework": "All",
3718
3724
  "principles": [
@@ -3721,14 +3727,14 @@
3721
3727
  ]
3722
3728
  },
3723
3729
  "S007": {
3724
- "name": "Do not store OTP codes in plaintext",
3725
- "description": "Protect the system from OTP reuse attacks if database/logs are accessed without authorization. OTP, magic-links, or reset codes must be treated like passwords – only stored in one-way hashed form, not recoverable.",
3730
+ "name": "Perform output encoding before interpreter use",
3731
+ "description": "Ensure the application performs proper output encoding and escaping as a final step before data is used by the target interpreter, preventing injection attacks.",
3726
3732
  "category": "Common",
3727
3733
  "severity": "major",
3728
3734
  "languages": [
3729
3735
  "All languages"
3730
3736
  ],
3731
- "version": "1.0",
3737
+ "version": "2.0",
3732
3738
  "status": "activated",
3733
3739
  "tags": [
3734
3740
  "Common",
@@ -3736,10 +3742,11 @@
3736
3742
  "code-quality"
3737
3743
  ],
3738
3744
  "tools": [
3739
- "Manual Review",
3740
- "Semgrep (custom rule)",
3741
- "Secret Detection",
3742
- "SonarQube (custom rule)"
3745
+ "SonarQube (S5131",
3746
+ "S2076)",
3747
+ "Semgrep (injection rules)",
3748
+ "ESLint",
3749
+ "Manual Review"
3743
3750
  ],
3744
3751
  "framework": "All",
3745
3752
  "principles": [
@@ -3748,42 +3755,41 @@
3748
3755
  ]
3749
3756
  },
3750
3757
  "S008": {
3751
- "name": "Encryption algorithms and parameters must support flexible configuration and upgrades (crypto agility)",
3752
- "description": "Avoid binding the system to outdated cryptographic algorithms or parameters (like MD5, SHA-1, DES...), ensuring easy upgrades when standards change or new vulnerabilities emerge.",
3758
+ "name": "Validate and sanitize SVG content",
3759
+ "description": "Ensure user-supplied SVG (Scalable Vector Graphics) content is validated or sanitized to prevent script injection and other attacks.",
3753
3760
  "category": "Common",
3754
3761
  "severity": "major",
3755
3762
  "languages": [
3756
3763
  "All languages"
3757
3764
  ],
3758
- "version": "1.1",
3759
- "status": "draft",
3765
+ "version": "2.0",
3766
+ "status": "activated",
3760
3767
  "tags": [
3761
3768
  "Common",
3762
3769
  "readability",
3763
3770
  "code-quality"
3764
3771
  ],
3765
3772
  "tools": [
3773
+ "DOMPurify",
3774
+ "svg-sanitizer",
3766
3775
  "Manual Review",
3767
- "Semgrep (custom rule)",
3768
- "Secret Scanners",
3769
- "SonarQube (custom rule)"
3776
+ "CSP Headers"
3770
3777
  ],
3771
3778
  "framework": "All",
3772
3779
  "principles": [
3773
3780
  "CODE_QUALITY",
3774
- "MAINTAINABILITY",
3775
3781
  "SECURITY"
3776
3782
  ]
3777
3783
  },
3778
3784
  "S009": {
3779
- "name": "Do not use insecure encryption modes, padding, or cryptographic algorithms",
3780
- "description": "Prevent security vulnerabilities from using outdated encryption or hash algorithms, insecure padding/encryption modes leading to data exposure, pattern leakage, or padding oracle attacks.",
3785
+ "name": "Use only approved cryptographic algorithms, modes, and hash functions",
3786
+ "description": "Prevent cryptographic vulnerabilities by ensuring only secure block modes, padding schemes, ciphers, and hash functions are used throughout the application.",
3781
3787
  "category": "Common",
3782
3788
  "severity": "major",
3783
3789
  "languages": [
3784
3790
  "All languages"
3785
3791
  ],
3786
- "version": "1.0",
3792
+ "version": "2.0",
3787
3793
  "status": "activated",
3788
3794
  "tags": [
3789
3795
  "Common",
@@ -3830,14 +3836,14 @@
3830
3836
  ]
3831
3837
  },
3832
3838
  "S011": {
3833
- "name": "GUIDs used for security purposes must be generated according to UUID v4 standard with CSPRNG",
3834
- "description": "Prevent guessing, recreation, or exploitation of GUIDs when used as identifiers for sensitive resources, by ensuring GUIDs are generated according to UUID v4 standard with cryptographically secure random number generators (CSPRNG).",
3839
+ "name": "Enable Encrypted Client Hello (ECH) for TLS",
3840
+ "description": "Prevent exposure of sensitive metadata during TLS handshake by enabling Encrypted Client Hello (ECH) to protect Server Name Indication (SNI) and other client hello fields.",
3835
3841
  "category": "Common",
3836
3842
  "severity": "major",
3837
3843
  "languages": [
3838
3844
  "All languages"
3839
3845
  ],
3840
- "version": "1.0",
3846
+ "version": "2.0",
3841
3847
  "status": "activated",
3842
3848
  "tags": [
3843
3849
  "Common",
@@ -3845,26 +3851,25 @@
3845
3851
  "code-quality"
3846
3852
  ],
3847
3853
  "tools": [
3848
- "Manual Review",
3849
- "Semgrep (uuid version rules)",
3850
- "Static Analyzer",
3851
- "SonarQube (custom rule)"
3854
+ "SSL Labs",
3855
+ "testssl.sh",
3856
+ "Browser DevTools",
3857
+ "Manual TLS Config Review"
3852
3858
  ],
3853
3859
  "framework": "All",
3854
3860
  "principles": [
3855
- "CODE_QUALITY",
3856
3861
  "SECURITY"
3857
3862
  ]
3858
3863
  },
3859
3864
  "S012": {
3860
- "name": "Protect secrets and encrypt sensitive data",
3861
- "description": "Protect encryption keys, passwords, access tokens, API keys... from exposure through source code, `.env` files, or logs. Ensure sensitive data is always encrypted and keys are managed securely through Key Vault or HSM.",
3865
+ "name": "Use secrets management solution for backend secrets",
3866
+ "description": "Ensure all backend secrets are securely managed using a dedicated secrets management solution, never stored in source code or build artifacts.",
3862
3867
  "category": "Common",
3863
- "severity": "major",
3868
+ "severity": "critical",
3864
3869
  "languages": [
3865
3870
  "All languages"
3866
3871
  ],
3867
- "version": "1.0",
3872
+ "version": "2.0",
3868
3873
  "status": "activated",
3869
3874
  "tags": [
3870
3875
  "Common",
@@ -3872,15 +3877,16 @@
3872
3877
  "code-quality"
3873
3878
  ],
3874
3879
  "tools": [
3875
- "SonarQube (S2068",
3876
- "S5547)",
3880
+ "Vault",
3881
+ "AWS Secrets Manager",
3882
+ "Azure Key Vault",
3877
3883
  "GitLeaks",
3878
3884
  "TruffleHog",
3879
- "Semgrep (hardcoded-secrets)",
3880
- "Secret Scanner CI/CD"
3885
+ "HSM"
3881
3886
  ],
3882
3887
  "framework": "All",
3883
3888
  "principles": [
3889
+ "CODE_QUALITY",
3884
3890
  "SECURITY"
3885
3891
  ]
3886
3892
  },
@@ -4022,28 +4028,30 @@
4022
4028
  ]
4023
4029
  },
4024
4030
  "S018": {
4025
- "name": "Prefer Allow List for Input Validation",
4026
- "description": "Ensure all user inputs or external data sources are strictly validated by accepting only known good values. This reduces the risk of attacks like XSS, SQL Injection, and other security issues caused by malformed or unexpected input.",
4031
+ "name": "Do not store sensitive data in browser storage",
4032
+ "description": "Prevent sensitive data exposure by ensuring browser storage mechanisms do not contain sensitive information, except for session tokens.",
4027
4033
  "category": "Common",
4028
4034
  "severity": "major",
4029
4035
  "languages": [
4030
4036
  "All languages"
4031
4037
  ],
4032
- "version": "1.1",
4033
- "status": "draft",
4038
+ "version": "2.0",
4039
+ "status": "activated",
4034
4040
  "tags": [
4035
4041
  "Common",
4036
4042
  "readability",
4037
4043
  "code-quality"
4038
4044
  ],
4039
4045
  "tools": [
4046
+ "Browser DevTools",
4040
4047
  "Static Analysis (Semgrep",
4041
- "SonarQube)",
4042
- "Manual Review",
4043
- "Input Validation Libraries"
4048
+ "ESLint)",
4049
+ "Manual Code Review",
4050
+ "Security Audit"
4044
4051
  ],
4045
4052
  "framework": "All",
4046
4053
  "principles": [
4054
+ "CODE_QUALITY",
4047
4055
  "SECURITY"
4048
4056
  ]
4049
4057
  },
@@ -4100,27 +4108,25 @@
4100
4108
  ]
4101
4109
  },
4102
4110
  "S021": {
4103
- "name": "Sanitize user-generated Markdown, CSS, and XSL content",
4104
- "description": "Prevent script injection via user-generated content in Markdown, CSS, or XSL.",
4111
+ "name": "Set Referrer-Policy to prevent sensitive data leakage",
4112
+ "description": "Prevent leakage of sensitive URL data (path, query parameters, hostname) to third-party services via the `Referer` HTTP header.",
4105
4113
  "category": "Common",
4106
4114
  "severity": "major",
4107
4115
  "languages": [
4108
4116
  "All languages"
4109
4117
  ],
4110
- "version": "1.1",
4111
- "status": "draft",
4118
+ "version": "2.0",
4119
+ "status": "activated",
4112
4120
  "tags": [
4113
4121
  "Common",
4114
4122
  "readability",
4115
4123
  "code-quality"
4116
4124
  ],
4117
4125
  "tools": [
4118
- "DOMPurify",
4119
- "sanitize-html",
4120
- "markdown-it",
4121
- "Bandit (Python)",
4122
- "Manual Review",
4123
- "SonarQube (custom rule)"
4126
+ "Browser DevTools",
4127
+ "Security Headers Scanner",
4128
+ "OWASP ZAP",
4129
+ "Manual Review"
4124
4130
  ],
4125
4131
  "framework": "All",
4126
4132
  "principles": [
@@ -4158,14 +4164,14 @@
4158
4164
  ]
4159
4165
  },
4160
4166
  "S023": {
4161
- "name": "Prevent JSON Injection and JSON eval attacks",
4162
- "description": "Prevent JavaScript execution via unsafe JSON handling or injection attacks.",
4167
+ "name": "Use output encoding when building dynamic JavaScript/JSON",
4168
+ "description": "Prevent JavaScript and JSON injection by applying proper output encoding when dynamically building JavaScript content or JSON data.",
4163
4169
  "category": "Common",
4164
4170
  "severity": "major",
4165
4171
  "languages": [
4166
4172
  "All languages"
4167
4173
  ],
4168
- "version": "1.0",
4174
+ "version": "2.0",
4169
4175
  "status": "activated",
4170
4176
  "tags": [
4171
4177
  "Common",
@@ -4174,10 +4180,9 @@
4174
4180
  ],
4175
4181
  "tools": [
4176
4182
  "ESLint (`no-eval`)",
4177
- "Semgrep (`eval-dynamic`",
4178
- "`json-injection`)",
4179
- "Bandit",
4180
- "SonarQube (S1523)",
4183
+ "Semgrep (json-injection)",
4184
+ "SonarQube (S1523",
4185
+ "S5334)",
4181
4186
  "Manual Review"
4182
4187
  ],
4183
4188
  "framework": "All",
@@ -4240,14 +4245,14 @@
4240
4245
  ]
4241
4246
  },
4242
4247
  "S026": {
4243
- "name": "Apply JSON Schema Validation to input data",
4244
- "description": "Ensure all incoming JSON is fully validated by schema (structure, types, constraints) before processing.",
4248
+ "name": "Use TLS encryption for all inbound and outbound connections",
4249
+ "description": "Ensure all application connections use encrypted TLS protocol, with no fallback to insecure or unencrypted protocols.",
4245
4250
  "category": "Common",
4246
- "severity": "major",
4251
+ "severity": "critical",
4247
4252
  "languages": [
4248
4253
  "All languages"
4249
4254
  ],
4250
- "version": "1.0",
4255
+ "version": "2.0",
4251
4256
  "status": "activated",
4252
4257
  "tags": [
4253
4258
  "Common",
@@ -4255,13 +4260,11 @@
4255
4260
  "code-quality"
4256
4261
  ],
4257
4262
  "tools": [
4258
- "AJV",
4259
- "jsonschema",
4260
- "Joi",
4261
- "Pydantic",
4262
- "Hibernate Validator",
4263
- "SonarQube (custom rule)",
4264
- "Manual Review"
4263
+ "SSL Labs",
4264
+ "testssl.sh",
4265
+ "nmap",
4266
+ "Network Traffic Analysis",
4267
+ "Manual Config Review"
4265
4268
  ],
4266
4269
  "framework": "All",
4267
4270
  "principles": [
@@ -4270,14 +4273,14 @@
4270
4273
  ]
4271
4274
  },
4272
4275
  "S027": {
4273
- "name": "Never expose secrets in source code or Git",
4274
- "description": "Prevent leakage of credentials, API keys, tokens, or sensitive config via source code or version control.",
4276
+ "name": "Validate mTLS client certificates before authentication",
4277
+ "description": "Ensure mTLS client certificates are properly validated and trusted before using certificate identity for authentication or authorization decisions.",
4275
4278
  "category": "Common",
4276
- "severity": "major",
4279
+ "severity": "critical",
4277
4280
  "languages": [
4278
4281
  "All languages"
4279
4282
  ],
4280
- "version": "1.0",
4283
+ "version": "2.0",
4281
4284
  "status": "activated",
4282
4285
  "tags": [
4283
4286
  "Common",
@@ -4285,11 +4288,10 @@
4285
4288
  "code-quality"
4286
4289
  ],
4287
4290
  "tools": [
4288
- "GitLeaks",
4289
- "TruffleHog",
4290
- "detect-secrets",
4291
- "git-secrets",
4292
- "SonarQube (custom rule)"
4291
+ "OpenSSL",
4292
+ "mTLS Testing Tools",
4293
+ "Certificate Validator",
4294
+ "Manual Config Review"
4293
4295
  ],
4294
4296
  "framework": "All",
4295
4297
  "principles": [
@@ -4493,14 +4495,14 @@
4493
4495
  ]
4494
4496
  },
4495
4497
  "S035": {
4496
- "name": "Set the `Path` attribute for Session Cookies to limit access scope",
4497
- "description": "Reduce the risk of session cookie leaks or abuse across multiple apps under the same domain (e.g., `/app1` and `/app2`) by limiting cookie scope via the `Path` attribute.",
4498
+ "name": "Host separate applications on different hostnames",
4499
+ "description": "Leverage same-origin policy restrictions by hosting separate applications on different hostnames to isolate resources, cookies, and prevent cross-application attacks.",
4498
4500
  "category": "Common",
4499
4501
  "severity": "major",
4500
4502
  "languages": [
4501
4503
  "All languages"
4502
4504
  ],
4503
- "version": "1.0",
4505
+ "version": "2.0",
4504
4506
  "status": "activated",
4505
4507
  "tags": [
4506
4508
  "Common",
@@ -4508,11 +4510,9 @@
4508
4510
  "code-quality"
4509
4511
  ],
4510
4512
  "tools": [
4511
- "Static Analysis",
4512
- "Manual Review",
4513
- "Chrome DevTools",
4514
- "Postman",
4515
- "SonarQube (custom rule)"
4513
+ "Manual Architecture Review",
4514
+ "DNS Configuration Audit",
4515
+ "Browser DevTools"
4516
4516
  ],
4517
4517
  "framework": "All",
4518
4518
  "principles": [
@@ -4521,14 +4521,14 @@
4521
4521
  ]
4522
4522
  },
4523
4523
  "S036": {
4524
- "name": "Prevent LFI and RFI using path validation and allow-lists",
4525
- "description": "Block Local File Inclusion (LFI) and Remote File Inclusion (RFI) attacks where attackers access sensitive files (e.g., `/etc/passwd`, `C:\\Windows\\system32`) or execute code from external URLs.",
4524
+ "name": "Use internal data for file paths, validate user filenames strictly",
4525
+ "description": "Prevent path traversal, LFI, RFI, and SSRF attacks by using internally generated file paths instead of user-submitted filenames, with strict validation when user input is unavoidable.",
4526
4526
  "category": "Common",
4527
- "severity": "major",
4527
+ "severity": "critical",
4528
4528
  "languages": [
4529
4529
  "All languages"
4530
4530
  ],
4531
- "version": "1.0",
4531
+ "version": "2.0",
4532
4532
  "status": "activated",
4533
4533
  "tags": [
4534
4534
  "Common",
@@ -4539,8 +4539,8 @@
4539
4539
  "Static Analysis",
4540
4540
  "OWASP ZAP",
4541
4541
  "Burp Suite",
4542
- "Manual Review",
4543
- "SonarQube (custom rule)"
4542
+ "Semgrep (path-traversal)",
4543
+ "Manual Review"
4544
4544
  ],
4545
4545
  "framework": "All",
4546
4546
  "principles": [
@@ -4604,14 +4604,14 @@
4604
4604
  ]
4605
4605
  },
4606
4606
  "S039": {
4607
- "name": "Never transmit Session Tokens via URL parameters",
4608
- "description": "Prevent session hijacking by ensuring session tokens are not stored in browser history, server logs, proxy logs, or leaked via Referrer headers.",
4607
+ "name": "TLS clients must validate server certificates",
4608
+ "description": "Ensure TLS clients validate certificates received from servers before establishing secure communication to prevent MITM attacks.",
4609
4609
  "category": "Common",
4610
- "severity": "major",
4610
+ "severity": "critical",
4611
4611
  "languages": [
4612
4612
  "All languages"
4613
4613
  ],
4614
- "version": "1.0",
4614
+ "version": "2.0",
4615
4615
  "status": "activated",
4616
4616
  "tags": [
4617
4617
  "Common",
@@ -4619,14 +4619,14 @@
4619
4619
  "code-quality"
4620
4620
  ],
4621
4621
  "tools": [
4622
+ "SSL Labs",
4623
+ "testssl.sh",
4622
4624
  "Static Analysis",
4623
- "Manual Review",
4624
- "Burp Suite",
4625
- "Postman",
4626
- "SonarQube (custom rule)"
4625
+ "Manual Code Review"
4627
4626
  ],
4628
4627
  "framework": "All",
4629
4628
  "principles": [
4629
+ "CODE_QUALITY",
4630
4630
  "SECURITY"
4631
4631
  ]
4632
4632
  },
@@ -4639,7 +4639,7 @@
4639
4639
  "All languages"
4640
4640
  ],
4641
4641
  "version": "1.1",
4642
- "status": "draft",
4642
+ "status": "activated",
4643
4643
  "tags": [
4644
4644
  "Common",
4645
4645
  "readability",
@@ -4722,7 +4722,7 @@
4722
4722
  "All languages"
4723
4723
  ],
4724
4724
  "version": "1.1",
4725
- "status": "draft",
4725
+ "status": "activated",
4726
4726
  "tags": [
4727
4727
  "Common",
4728
4728
  "readability",
@@ -4795,25 +4795,25 @@
4795
4795
  ]
4796
4796
  },
4797
4797
  "S046": {
4798
- "name": "Notify users of critical account changes",
4799
- "description": "Alert users to sensitive actions to detect potential compromise and allow timely intervention.",
4798
+ "name": "Use algorithm allowlist for self-contained tokens",
4799
+ "description": "Prevent algorithm confusion and downgrade attacks by restricting token signing/verification to an explicit allowlist of algorithms.",
4800
4800
  "category": "Common",
4801
- "severity": "major",
4801
+ "severity": "critical",
4802
4802
  "languages": [
4803
4803
  "All languages"
4804
4804
  ],
4805
- "version": "1.1",
4806
- "status": "draft",
4805
+ "version": "2.0",
4806
+ "status": "activated",
4807
4807
  "tags": [
4808
4808
  "Common",
4809
4809
  "readability",
4810
4810
  "code-quality"
4811
4811
  ],
4812
4812
  "tools": [
4813
- "Manual Review",
4814
- "Security Test",
4815
- "Notification Audit",
4816
- "SonarQube (custom rule)"
4813
+ "JWT Debugger",
4814
+ "Static Analysis",
4815
+ "Manual Code Review",
4816
+ "Security Test"
4817
4817
  ],
4818
4818
  "framework": "All",
4819
4819
  "principles": [
@@ -4822,14 +4822,14 @@
4822
4822
  ]
4823
4823
  },
4824
4824
  "S047": {
4825
- "name": "Secure temporary passwords and activation codes",
4826
- "description": "Ensure that temporary passwords and activation codes are secure, unpredictable, single-use, and time-limited.",
4825
+ "name": "Protect OAuth code flow against CSRF attacks",
4826
+ "description": "Prevent browser-based CSRF attacks that could trigger unauthorized OAuth token requests by implementing PKCE or state parameter validation.",
4827
4827
  "category": "Common",
4828
4828
  "severity": "major",
4829
4829
  "languages": [
4830
4830
  "All languages"
4831
4831
  ],
4832
- "version": "1.0",
4832
+ "version": "2.0",
4833
4833
  "status": "activated",
4834
4834
  "tags": [
4835
4835
  "Common",
@@ -4837,10 +4837,9 @@
4837
4837
  "code-quality"
4838
4838
  ],
4839
4839
  "tools": [
4840
- "Manual Review",
4841
- "Static Analysis",
4842
- "Audit Flow",
4843
- "SonarQube (custom rule)"
4840
+ "OAuth Security Testing",
4841
+ "Manual Code Review",
4842
+ "OWASP ZAP"
4844
4843
  ],
4845
4844
  "framework": "All",
4846
4845
  "principles": [
@@ -4849,14 +4848,14 @@
4849
4848
  ]
4850
4849
  },
4851
4850
  "S048": {
4852
- "name": "Do not expose current password during reset flow",
4853
- "description": "Ensure the current user password is never revealed or sent in any step of the password reset process.",
4851
+ "name": "Validate OAuth redirect URIs with exact string comparison",
4852
+ "description": "Prevent OAuth redirect attacks by validating redirect URIs against a client-specific allowlist using exact string comparison, not pattern matching.",
4854
4853
  "category": "Common",
4855
- "severity": "major",
4854
+ "severity": "critical",
4856
4855
  "languages": [
4857
4856
  "All languages"
4858
4857
  ],
4859
- "version": "1.0",
4858
+ "version": "2.0",
4860
4859
  "status": "activated",
4861
4860
  "tags": [
4862
4861
  "Common",
@@ -4864,12 +4863,13 @@
4864
4863
  "code-quality"
4865
4864
  ],
4866
4865
  "tools": [
4867
- "Manual Review",
4868
- "Penetration Test",
4869
- "SonarQube (custom rule)"
4866
+ "OAuth Security Testing",
4867
+ "Manual Config Review",
4868
+ "Penetration Testing"
4870
4869
  ],
4871
4870
  "framework": "All",
4872
4871
  "principles": [
4872
+ "CODE_QUALITY",
4873
4873
  "SECURITY"
4874
4874
  ]
4875
4875
  },
@@ -4900,14 +4900,14 @@
4900
4900
  ]
4901
4901
  },
4902
4902
  "S050": {
4903
- "name": "Session tokens must have minimum 64-bit entropy and use secure algorithms",
4904
- "description": "Prevent attackers from predicting or forging session tokens by ensuring sufficient length, entropy, and cryptographic safety.",
4903
+ "name": "Reference tokens must be unique with 128-bit entropy using CSPRNG",
4904
+ "description": "Ensure reference tokens (session tokens, opaque tokens) are unpredictable and resistant to brute-force attacks by using cryptographically secure generation.",
4905
4905
  "category": "Common",
4906
4906
  "severity": "major",
4907
4907
  "languages": [
4908
4908
  "All languages"
4909
4909
  ],
4910
- "version": "1.0",
4910
+ "version": "2.0",
4911
4911
  "status": "activated",
4912
4912
  "tags": [
4913
4913
  "Common",
@@ -4915,9 +4915,10 @@
4915
4915
  "code-quality"
4916
4916
  ],
4917
4917
  "tools": [
4918
- "Manual Review",
4919
4918
  "Static Analysis",
4920
- "SonarQube (custom rule)"
4919
+ "Security Audit",
4920
+ "CSPRNG Verification",
4921
+ "Manual Code Review"
4921
4922
  ],
4922
4923
  "framework": "All",
4923
4924
  "principles": [
@@ -4980,14 +4981,14 @@
4980
4981
  ]
4981
4982
  },
4982
4983
  "S053": {
4983
- "name": "Only use secure OTP algorithms like HOTP/TOTP",
4984
- "description": "Ensure OTPs are secure against spoofing and replay attacks by using safe, standard algorithms.",
4984
+ "name": "Return generic error messages, hide internal details",
4985
+ "description": "Prevent exposure of sensitive internal system data by returning generic error messages to consumers when unexpected or security-sensitive errors occur.",
4985
4986
  "category": "Common",
4986
4987
  "severity": "major",
4987
4988
  "languages": [
4988
4989
  "All languages"
4989
4990
  ],
4990
- "version": "1.0",
4991
+ "version": "2.0",
4991
4992
  "status": "activated",
4992
4993
  "tags": [
4993
4994
  "Common",
@@ -4995,10 +4996,10 @@
4995
4996
  "code-quality"
4996
4997
  ],
4997
4998
  "tools": [
4998
- "Manual Review",
4999
- "Unit Test",
5000
4999
  "Static Analysis",
5001
- "SonarQube (custom rule)"
5000
+ "Penetration Testing",
5001
+ "Error Response Audit",
5002
+ "Manual Code Review"
5002
5003
  ],
5003
5004
  "framework": "All",
5004
5005
  "principles": [
@@ -5140,29 +5141,56 @@
5140
5141
  ]
5141
5142
  },
5142
5143
  "S059": {
5143
- "name": "Configure Allow List for server-side outbound requests",
5144
- "description": "Reduce risks from the server making outbound requests to untrusted systems (SSRF, malicious downloads, data leaks).",
5144
+ "name": "Disable debug modes in production environments",
5145
+ "description": "Prevent exposure of debugging features and information leakage by ensuring all debug modes are disabled in production environments.",
5145
5146
  "category": "Common",
5146
5147
  "severity": "major",
5147
5148
  "languages": [
5148
5149
  "All languages"
5149
5150
  ],
5150
- "version": "1.1",
5151
- "status": "draft",
5151
+ "version": "2.0",
5152
+ "status": "activated",
5152
5153
  "tags": [
5153
5154
  "Common",
5154
5155
  "readability",
5155
5156
  "code-quality"
5156
5157
  ],
5157
5158
  "tools": [
5158
- "Manual Config Review",
5159
- "Firewall/Proxy Logs",
5160
- "CloudTrail",
5161
- "Burp Suite Test",
5162
- "SonarQube (custom rule)"
5159
+ "Configuration Audit",
5160
+ "Penetration Testing",
5161
+ "OWASP ZAP",
5162
+ "Environment Checker"
5163
+ ],
5164
+ "framework": "All",
5165
+ "principles": [
5166
+ "CODE_QUALITY",
5167
+ "SECURITY"
5168
+ ]
5169
+ },
5170
+ "S060": {
5171
+ "name": "Enforce minimum password length of 8 characters, recommend 15+",
5172
+ "description": "Ensure user-set passwords meet minimum length requirements to provide adequate security against brute-force and dictionary attacks.",
5173
+ "category": "Common",
5174
+ "severity": "major",
5175
+ "languages": [
5176
+ "All languages"
5177
+ ],
5178
+ "version": "2.0",
5179
+ "status": "activated",
5180
+ "tags": [
5181
+ "Common",
5182
+ "readability",
5183
+ "code-quality"
5184
+ ],
5185
+ "tools": [
5186
+ "Static Analysis",
5187
+ "Unit Test",
5188
+ "Password Strength Libraries (zxcvbn)",
5189
+ "Manual Review"
5163
5190
  ],
5164
5191
  "framework": "All",
5165
5192
  "principles": [
5193
+ "CODE_QUALITY",
5166
5194
  "SECURITY"
5167
5195
  ]
5168
5196
  },