@sun-asterisk/sunlint 1.3.39 → 1.3.40

Files changed (422)
  1. package/config/rules/rules-registry-generated.json +134 -108
  2. package/docs/GENERATED_FILES_QUICK_REFERENCE.md +96 -0
  3. package/docs/GENERATED_FILE_HANDLING_SUMMARY.md +152 -0
  4. package/docs/skills/CREATE_NEW_DART_RULE.md +161 -14
  5. package/origin-rules/dart-en.md +151 -163
  6. package/package.json +2 -1
  7. package/rules/dart/D002_dispose_resources/config.json +25 -0
  8. package/rules/dart/D003_prefer_widgets_over_methods/config.json +14 -0
  9. package/rules/dart/D004_avoid_shrinkwrap_listview/config.json +13 -0
  10. package/rules/dart/D005_limit_widget_nesting/config.json +13 -0
  11. package/rules/dart/D006_prefer_extracting_large_callbacks/config.json +25 -0
  12. package/rules/dart/D007_prefer_init_first_dispose_last/config.json +10 -0
  13. package/rules/dart/D008_avoid_long_functions/config.json +12 -0
  14. package/rules/dart/D009_limit_function_parameters/config.json +13 -0
  15. package/rules/dart/D010_limit_cyclomatic_complexity/config.json +12 -0
  16. package/rules/dart/D011_prefer_named_parameters/config.json +12 -0
  17. package/rules/dart/D012_prefer_named_boolean_parameters/config.json +9 -0
  18. package/rules/dart/D013_single_public_class/config.json +10 -0
  19. package/rules/dart/D014_unsafe_collection_access/config.json +10 -0
  20. package/rules/dart/D015_copywith_all_parameters/config.json +9 -0
  21. package/rules/dart/D016_project_should_have_tests/config.json +24 -0
  22. package/rules/dart/D017_pubspec_dependencies_review/config.json +23 -0
  23. package/rules/dart/D018_remove_commented_code/config.json +13 -0
  24. package/rules/dart/D019_avoid_single_child_multi_child_widget/config.json +21 -0
  25. package/rules/dart/D020_limit_if_else_branches/config.json +12 -0
  26. package/rules/dart/D021_avoid_negated_boolean_checks/config.json +14 -0
  27. package/rules/dart/D022_use_setstate_correctly/config.json +14 -0
  28. package/rules/dart/D023_avoid_unnecessary_method_overrides/config.json +13 -0
  29. package/rules/dart/D024_avoid_unnecessary_stateful_widget/config.json +9 -0
  30. package/rules/dart/D025_avoid_nested_conditional_expressions/config.json +9 -0
  31. package/skill-assets/sunlint-code-quality/AGENTS.md +80 -0
  32. package/skill-assets/sunlint-code-quality/SKILL.md +176 -0
  33. package/skill-assets/sunlint-code-quality/rules/csharp/C006-verb-noun-functions.md +36 -0
  34. package/skill-assets/sunlint-code-quality/rules/csharp/C013-no-dead-code.md +38 -0
  35. package/skill-assets/sunlint-code-quality/rules/csharp/C014-dependency-injection.md +45 -0
  36. package/skill-assets/sunlint-code-quality/rules/csharp/C017-no-constructor-logic.md +46 -0
  37. package/skill-assets/sunlint-code-quality/rules/csharp/C018-generic-errors.md +38 -0
  38. package/skill-assets/sunlint-code-quality/rules/csharp/C019-error-log-level.md +29 -0
  39. package/skill-assets/sunlint-code-quality/rules/csharp/C020-no-unused-imports.md +30 -0
  40. package/skill-assets/sunlint-code-quality/rules/csharp/C022-no-unused-variables.md +33 -0
  41. package/skill-assets/sunlint-code-quality/rules/csharp/C023-no-duplicate-names.md +36 -0
  42. package/skill-assets/sunlint-code-quality/rules/csharp/C024-centralize-constants.md +33 -0
  43. package/skill-assets/sunlint-code-quality/rules/csharp/C029-catch-log-root-cause.md +40 -0
  44. package/skill-assets/sunlint-code-quality/rules/csharp/C030-custom-error-classes.md +38 -0
  45. package/skill-assets/sunlint-code-quality/rules/csharp/C033-separate-data-access.md +53 -0
  46. package/skill-assets/sunlint-code-quality/rules/csharp/C035-error-context-logging.md +31 -0
  47. package/skill-assets/sunlint-code-quality/rules/csharp/C041-no-hardcoded-secrets.md +25 -0
  48. package/skill-assets/sunlint-code-quality/rules/csharp/C042-boolean-naming.md +27 -0
  49. package/skill-assets/sunlint-code-quality/rules/csharp/C052-controller-parsing.md +41 -0
  50. package/skill-assets/sunlint-code-quality/rules/csharp/C060-superclass-logic.md +33 -0
  51. package/skill-assets/sunlint-code-quality/rules/csharp/C067-no-hardcoded-config.md +24 -0
  52. package/skill-assets/sunlint-code-quality/rules/csharp/S003-open-redirect.md +47 -0
  53. package/skill-assets/sunlint-code-quality/rules/csharp/S004-no-log-credentials.md +28 -0
  54. package/skill-assets/sunlint-code-quality/rules/csharp/S005-server-authorization.md +51 -0
  55. package/skill-assets/sunlint-code-quality/rules/csharp/S006-default-credentials.md +42 -0
  56. package/skill-assets/sunlint-code-quality/rules/csharp/S007-output-encoding.md +36 -0
  57. package/skill-assets/sunlint-code-quality/rules/csharp/S009-approved-crypto.md +37 -0
  58. package/skill-assets/sunlint-code-quality/rules/csharp/S010-csprng.md +32 -0
  59. package/skill-assets/sunlint-code-quality/rules/csharp/S011-encrypted-client-hello.md +36 -0
  60. package/skill-assets/sunlint-code-quality/rules/csharp/S012-secrets-management.md +35 -0
  61. package/skill-assets/sunlint-code-quality/rules/csharp/S013-tls-connections.md +36 -0
  62. package/skill-assets/sunlint-code-quality/rules/csharp/S016-no-sensitive-query-string.md +39 -0
  63. package/skill-assets/sunlint-code-quality/rules/csharp/S017-parameterized-queries.md +47 -0
  64. package/skill-assets/sunlint-code-quality/rules/csharp/S019-email-input-sanitization.md +35 -0
  65. package/skill-assets/sunlint-code-quality/rules/csharp/S020-eval-code-execution.md +56 -0
  66. package/skill-assets/sunlint-code-quality/rules/csharp/S022-context-escaping.md +50 -0
  67. package/skill-assets/sunlint-code-quality/rules/csharp/S023-dynamic-js-encoding.md +34 -0
  68. package/skill-assets/sunlint-code-quality/rules/csharp/S025-server-validation.md +56 -0
  69. package/skill-assets/sunlint-code-quality/rules/csharp/S026-tls-encryption.md +28 -0
  70. package/skill-assets/sunlint-code-quality/rules/csharp/S027-mtls-validation.md +40 -0
  71. package/skill-assets/sunlint-code-quality/rules/csharp/S028-upload-limits.md +50 -0
  72. package/skill-assets/sunlint-code-quality/rules/csharp/S029-csrf-protection.md +42 -0
  73. package/skill-assets/sunlint-code-quality/rules/csharp/S030-directory-browsing.md +26 -0
  74. package/skill-assets/sunlint-code-quality/rules/csharp/S031-secure-cookie-flag.md +35 -0
  75. package/skill-assets/sunlint-code-quality/rules/csharp/S032-httponly-cookie.md +31 -0
  76. package/skill-assets/sunlint-code-quality/rules/csharp/S033-samesite-cookie.md +36 -0
  77. package/skill-assets/sunlint-code-quality/rules/csharp/S034-host-prefix-cookie.md +31 -0
  78. package/skill-assets/sunlint-code-quality/rules/csharp/S035-app-hostnames.md +26 -0
  79. package/skill-assets/sunlint-code-quality/rules/csharp/S036-internal-file-paths.md +36 -0
  80. package/skill-assets/sunlint-code-quality/rules/csharp/S037-anti-cache-headers.md +33 -0
  81. package/skill-assets/sunlint-code-quality/rules/csharp/S039-tls-certificate-validation.md +41 -0
  82. package/skill-assets/sunlint-code-quality/rules/csharp/S041-logout-invalidation.md +36 -0
  83. package/skill-assets/sunlint-code-quality/rules/csharp/S042-long-lived-sessions.md +47 -0
  84. package/skill-assets/sunlint-code-quality/rules/csharp/S044-critical-changes-reauth.md +45 -0
  85. package/skill-assets/sunlint-code-quality/rules/csharp/S045-brute-force-protection.md +48 -0
  86. package/skill-assets/sunlint-code-quality/rules/csharp/S047-oauth-csrf-protection.md +53 -0
  87. package/skill-assets/sunlint-code-quality/rules/csharp/S048-oauth-redirect-validation.md +37 -0
  88. package/skill-assets/sunlint-code-quality/rules/csharp/S049-auth-code-expiry.md +33 -0
  89. package/skill-assets/sunlint-code-quality/rules/csharp/S050-token-entropy.md +33 -0
  90. package/skill-assets/sunlint-code-quality/rules/csharp/S051-password-length.md +35 -0
  91. package/skill-assets/sunlint-code-quality/rules/csharp/S052-otp-entropy.md +26 -0
  92. package/skill-assets/sunlint-code-quality/rules/csharp/S053-generic-error-messages.md +32 -0
  93. package/skill-assets/sunlint-code-quality/rules/csharp/S054-no-default-admin.md +31 -0
  94. package/skill-assets/sunlint-code-quality/rules/csharp/S055-content-type-validation.md +44 -0
  95. package/skill-assets/sunlint-code-quality/rules/csharp/S056-log-injection.md +33 -0
  96. package/skill-assets/sunlint-code-quality/rules/csharp/S057-synchronized-time.md +27 -0
  97. package/skill-assets/sunlint-code-quality/rules/csharp/S058-ssrf-protection.md +54 -0
  98. package/skill-assets/sunlint-code-quality/rules/java/C006-verb-noun-functions.md +36 -0
  99. package/skill-assets/sunlint-code-quality/rules/java/C013-no-dead-code.md +175 -0
  100. package/skill-assets/sunlint-code-quality/rules/java/C014-dependency-injection.md +42 -0
  101. package/skill-assets/sunlint-code-quality/rules/java/C017-no-constructor-logic.md +39 -0
  102. package/skill-assets/sunlint-code-quality/rules/java/C018-generic-errors.md +28 -0
  103. package/skill-assets/sunlint-code-quality/rules/java/C019-error-log-level.md +34 -0
  104. package/skill-assets/sunlint-code-quality/rules/java/C020-no-unused-imports.md +34 -0
  105. package/skill-assets/sunlint-code-quality/rules/java/C022-no-unused-variables.md +31 -0
  106. package/skill-assets/sunlint-code-quality/rules/java/C023-no-duplicate-names.md +37 -0
  107. package/skill-assets/sunlint-code-quality/rules/java/C024-centralize-constants.md +36 -0
  108. package/skill-assets/sunlint-code-quality/rules/java/C029-catch-log-root-cause.md +42 -0
  109. package/skill-assets/sunlint-code-quality/rules/java/C030-custom-error-classes.md +50 -0
  110. package/skill-assets/sunlint-code-quality/rules/java/C033-separate-data-access.md +46 -0
  111. package/skill-assets/sunlint-code-quality/rules/java/C035-error-context-logging.md +38 -0
  112. package/skill-assets/sunlint-code-quality/rules/java/C041-no-hardcoded-secrets.md +34 -0
  113. package/skill-assets/sunlint-code-quality/rules/java/C042-boolean-naming.md +27 -0
  114. package/skill-assets/sunlint-code-quality/rules/java/C052-controller-parsing.md +39 -0
  115. package/skill-assets/sunlint-code-quality/rules/java/C060-superclass-logic.md +32 -0
  116. package/skill-assets/sunlint-code-quality/rules/java/C067-no-hardcoded-config.md +31 -0
  117. package/skill-assets/sunlint-code-quality/rules/java/S003-open-redirect.md +38 -0
  118. package/skill-assets/sunlint-code-quality/rules/java/S004-no-log-credentials.md +36 -0
  119. package/skill-assets/sunlint-code-quality/rules/java/S005-server-authorization.md +53 -0
  120. package/skill-assets/sunlint-code-quality/rules/java/S006-default-credentials.md +39 -0
  121. package/skill-assets/sunlint-code-quality/rules/java/S007-output-encoding.md +49 -0
  122. package/skill-assets/sunlint-code-quality/rules/java/S009-approved-crypto.md +40 -0
  123. package/skill-assets/sunlint-code-quality/rules/java/S010-csprng.md +36 -0
  124. package/skill-assets/sunlint-code-quality/rules/java/S011-encrypted-client-hello.md +27 -0
  125. package/skill-assets/sunlint-code-quality/rules/java/S012-secrets-management.md +34 -0
  126. package/skill-assets/sunlint-code-quality/rules/java/S013-tls-connections.md +40 -0
  127. package/skill-assets/sunlint-code-quality/rules/java/S016-no-sensitive-query-string.md +36 -0
  128. package/skill-assets/sunlint-code-quality/rules/java/S017-parameterized-queries.md +47 -0
  129. package/skill-assets/sunlint-code-quality/rules/java/S019-email-input-sanitization.md +32 -0
  130. package/skill-assets/sunlint-code-quality/rules/java/S020-eval-code-execution.md +45 -0
  131. package/skill-assets/sunlint-code-quality/rules/java/S022-context-escaping.md +28 -0
  132. package/skill-assets/sunlint-code-quality/rules/java/S023-dynamic-js-encoding.md +28 -0
  133. package/skill-assets/sunlint-code-quality/rules/java/S025-server-validation.md +58 -0
  134. package/skill-assets/sunlint-code-quality/rules/java/S026-tls-encryption.md +57 -0
  135. package/skill-assets/sunlint-code-quality/rules/java/S027-mtls-validation.md +26 -0
  136. package/skill-assets/sunlint-code-quality/rules/java/S028-upload-limits.md +35 -0
  137. package/skill-assets/sunlint-code-quality/rules/java/S029-csrf-protection.md +35 -0
  138. package/skill-assets/sunlint-code-quality/rules/java/S030-directory-browsing.md +38 -0
  139. package/skill-assets/sunlint-code-quality/rules/java/S031-secure-cookie-flag.md +38 -0
  140. package/skill-assets/sunlint-code-quality/rules/java/S032-httponly-cookie.md +31 -0
  141. package/skill-assets/sunlint-code-quality/rules/java/S033-samesite-cookie.md +42 -0
  142. package/skill-assets/sunlint-code-quality/rules/java/S034-host-prefix-cookie.md +35 -0
  143. package/skill-assets/sunlint-code-quality/rules/java/S035-app-hostnames.md +23 -0
  144. package/skill-assets/sunlint-code-quality/rules/java/S036-internal-file-paths.md +39 -0
  145. package/skill-assets/sunlint-code-quality/rules/java/S037-anti-cache-headers.md +37 -0
  146. package/skill-assets/sunlint-code-quality/rules/java/S039-tls-certificate-validation.md +43 -0
  147. package/skill-assets/sunlint-code-quality/rules/java/S041-logout-invalidation.md +53 -0
  148. package/skill-assets/sunlint-code-quality/rules/java/S042-long-lived-sessions.md +36 -0
  149. package/skill-assets/sunlint-code-quality/rules/java/S044-critical-changes-reauth.md +28 -0
  150. package/skill-assets/sunlint-code-quality/rules/java/S045-brute-force-protection.md +38 -0
  151. package/skill-assets/sunlint-code-quality/rules/java/S047-oauth-csrf-protection.md +33 -0
  152. package/skill-assets/sunlint-code-quality/rules/java/S048-oauth-redirect-validation.md +25 -0
  153. package/skill-assets/sunlint-code-quality/rules/java/S049-auth-code-expiry.md +23 -0
  154. package/skill-assets/sunlint-code-quality/rules/java/S050-token-entropy.md +20 -0
  155. package/skill-assets/sunlint-code-quality/rules/java/S051-password-length.md +20 -0
  156. package/skill-assets/sunlint-code-quality/rules/java/S052-otp-entropy.md +23 -0
  157. package/skill-assets/sunlint-code-quality/rules/java/S053-generic-error-messages.md +21 -0
  158. package/skill-assets/sunlint-code-quality/rules/java/S054-no-default-admin.md +16 -0
  159. package/skill-assets/sunlint-code-quality/rules/java/S055-content-type-validation.md +36 -0
  160. package/skill-assets/sunlint-code-quality/rules/java/S056-log-injection.md +38 -0
  161. package/skill-assets/sunlint-code-quality/rules/java/S057-synchronized-time.md +35 -0
  162. package/skill-assets/sunlint-code-quality/rules/java/S058-ssrf-protection.md +56 -0
  163. package/skill-assets/sunlint-code-quality/rules/kotlin/C006-verb-noun-functions.md +45 -0
  164. package/skill-assets/sunlint-code-quality/rules/kotlin/C013-no-dead-code.md +49 -0
  165. package/skill-assets/sunlint-code-quality/rules/kotlin/C014-dependency-injection.md +64 -0
  166. package/skill-assets/sunlint-code-quality/rules/kotlin/C017-no-constructor-logic.md +68 -0
  167. package/skill-assets/sunlint-code-quality/rules/kotlin/C018-generic-errors.md +46 -0
  168. package/skill-assets/sunlint-code-quality/rules/kotlin/C019-error-log-level.md +50 -0
  169. package/skill-assets/sunlint-code-quality/rules/kotlin/C020-no-unused-imports.md +44 -0
  170. package/skill-assets/sunlint-code-quality/rules/kotlin/C022-no-unused-variables.md +39 -0
  171. package/skill-assets/sunlint-code-quality/rules/kotlin/C023-no-duplicate-names.md +47 -0
  172. package/skill-assets/sunlint-code-quality/rules/kotlin/C024-centralize-constants.md +58 -0
  173. package/skill-assets/sunlint-code-quality/rules/kotlin/C029-catch-log-root-cause.md +50 -0
  174. package/skill-assets/sunlint-code-quality/rules/kotlin/C030-custom-error-classes.md +72 -0
  175. package/skill-assets/sunlint-code-quality/rules/kotlin/C033-separate-data-access.md +69 -0
  176. package/skill-assets/sunlint-code-quality/rules/kotlin/C035-error-context-logging.md +47 -0
  177. package/skill-assets/sunlint-code-quality/rules/kotlin/C041-no-hardcoded-secrets.md +47 -0
  178. package/skill-assets/sunlint-code-quality/rules/kotlin/C042-boolean-naming.md +42 -0
  179. package/skill-assets/sunlint-code-quality/rules/kotlin/C052-controller-parsing.md +71 -0
  180. package/skill-assets/sunlint-code-quality/rules/kotlin/C060-superclass-logic.md +60 -0
  181. package/skill-assets/sunlint-code-quality/rules/kotlin/C067-no-hardcoded-config.md +51 -0
  182. package/skill-assets/sunlint-code-quality/rules/kotlin/S003-open-redirect.md +66 -0
  183. package/skill-assets/sunlint-code-quality/rules/kotlin/S004-no-log-credentials.md +59 -0
  184. package/skill-assets/sunlint-code-quality/rules/kotlin/S005-server-authorization.md +75 -0
  185. package/skill-assets/sunlint-code-quality/rules/kotlin/S006-default-credentials.md +49 -0
  186. package/skill-assets/sunlint-code-quality/rules/kotlin/S007-output-encoding.md +62 -0
  187. package/skill-assets/sunlint-code-quality/rules/kotlin/S009-approved-crypto.md +51 -0
  188. package/skill-assets/sunlint-code-quality/rules/kotlin/S010-csprng.md +61 -0
  189. package/skill-assets/sunlint-code-quality/rules/kotlin/S011-encrypted-client-hello.md +48 -0
  190. package/skill-assets/sunlint-code-quality/rules/kotlin/S012-secrets-management.md +53 -0
  191. package/skill-assets/sunlint-code-quality/rules/kotlin/S013-tls-connections.md +61 -0
  192. package/skill-assets/sunlint-code-quality/rules/kotlin/S016-no-sensitive-query-string.md +51 -0
  193. package/skill-assets/sunlint-code-quality/rules/kotlin/S017-parameterized-queries.md +41 -0
  194. package/skill-assets/sunlint-code-quality/rules/kotlin/S019-email-input-sanitization.md +50 -0
  195. package/skill-assets/sunlint-code-quality/rules/kotlin/S020-eval-code-execution.md +57 -0
  196. package/skill-assets/sunlint-code-quality/rules/kotlin/S022-context-escaping.md +58 -0
  197. package/skill-assets/sunlint-code-quality/rules/kotlin/S023-dynamic-js-encoding.md +57 -0
  198. package/skill-assets/sunlint-code-quality/rules/kotlin/S025-server-validation.md +59 -0
  199. package/skill-assets/sunlint-code-quality/rules/kotlin/S026-tls-encryption.md +50 -0
  200. package/skill-assets/sunlint-code-quality/rules/kotlin/S027-mtls-validation.md +60 -0
  201. package/skill-assets/sunlint-code-quality/rules/kotlin/S028-upload-limits.md +67 -0
  202. package/skill-assets/sunlint-code-quality/rules/kotlin/S029-csrf-protection.md +57 -0
  203. package/skill-assets/sunlint-code-quality/rules/kotlin/S030-directory-browsing.md +50 -0
  204. package/skill-assets/sunlint-code-quality/rules/kotlin/S031-secure-cookie-flag.md +51 -0
  205. package/skill-assets/sunlint-code-quality/rules/kotlin/S032-httponly-cookie.md +49 -0
  206. package/skill-assets/sunlint-code-quality/rules/kotlin/S033-samesite-cookie.md +54 -0
  207. package/skill-assets/sunlint-code-quality/rules/kotlin/S034-host-prefix-cookie.md +50 -0
  208. package/skill-assets/sunlint-code-quality/rules/kotlin/S035-app-hostnames.md +59 -0
  209. package/skill-assets/sunlint-code-quality/rules/kotlin/S036-internal-file-paths.md +61 -0
  210. package/skill-assets/sunlint-code-quality/rules/kotlin/S037-anti-cache-headers.md +58 -0
  211. package/skill-assets/sunlint-code-quality/rules/kotlin/S039-tls-certificate-validation.md +62 -0
  212. package/skill-assets/sunlint-code-quality/rules/kotlin/S041-logout-invalidation.md +71 -0
  213. package/skill-assets/sunlint-code-quality/rules/kotlin/S042-long-lived-sessions.md +57 -0
  214. package/skill-assets/sunlint-code-quality/rules/kotlin/S044-critical-changes-reauth.md +64 -0
  215. package/skill-assets/sunlint-code-quality/rules/kotlin/S045-brute-force-protection.md +64 -0
  216. package/skill-assets/sunlint-code-quality/rules/kotlin/S047-oauth-csrf-protection.md +74 -0
  217. package/skill-assets/sunlint-code-quality/rules/kotlin/S048-oauth-redirect-validation.md +61 -0
  218. package/skill-assets/sunlint-code-quality/rules/kotlin/S049-auth-code-expiry.md +70 -0
  219. package/skill-assets/sunlint-code-quality/rules/kotlin/S050-token-entropy.md +65 -0
  220. package/skill-assets/sunlint-code-quality/rules/kotlin/S051-password-length.md +52 -0
  221. package/skill-assets/sunlint-code-quality/rules/kotlin/S052-otp-entropy.md +55 -0
  222. package/skill-assets/sunlint-code-quality/rules/kotlin/S053-generic-error-messages.md +66 -0
  223. package/skill-assets/sunlint-code-quality/rules/kotlin/S054-no-default-admin.md +57 -0
  224. package/skill-assets/sunlint-code-quality/rules/kotlin/S055-content-type-validation.md +58 -0
  225. package/skill-assets/sunlint-code-quality/rules/kotlin/S056-log-injection.md +47 -0
  226. package/skill-assets/sunlint-code-quality/rules/kotlin/S057-synchronized-time.md +49 -0
  227. package/skill-assets/sunlint-code-quality/rules/kotlin/S058-ssrf-protection.md +69 -0
  228. package/skill-assets/sunlint-code-quality/rules/php/C006-verb-noun-functions.md +46 -0
  229. package/skill-assets/sunlint-code-quality/rules/php/C013-no-dead-code.md +53 -0
  230. package/skill-assets/sunlint-code-quality/rules/php/C014-dependency-injection.md +71 -0
  231. package/skill-assets/sunlint-code-quality/rules/php/C017-no-constructor-logic.md +68 -0
  232. package/skill-assets/sunlint-code-quality/rules/php/C018-generic-errors.md +50 -0
  233. package/skill-assets/sunlint-code-quality/rules/php/C019-error-log-level.md +54 -0
  234. package/skill-assets/sunlint-code-quality/rules/php/C020-no-unused-imports.md +55 -0
  235. package/skill-assets/sunlint-code-quality/rules/php/C022-no-unused-variables.md +51 -0
  236. package/skill-assets/sunlint-code-quality/rules/php/C023-no-duplicate-names.md +61 -0
  237. package/skill-assets/sunlint-code-quality/rules/php/C024-centralize-constants.md +60 -0
  238. package/skill-assets/sunlint-code-quality/rules/php/C029-catch-log-root-cause.md +57 -0
  239. package/skill-assets/sunlint-code-quality/rules/php/C030-custom-error-classes.md +62 -0
  240. package/skill-assets/sunlint-code-quality/rules/php/C033-separate-data-access.md +79 -0
  241. package/skill-assets/sunlint-code-quality/rules/php/C035-error-context-logging.md +54 -0
  242. package/skill-assets/sunlint-code-quality/rules/php/C041-no-hardcoded-secrets.md +59 -0
  243. package/skill-assets/sunlint-code-quality/rules/php/C042-boolean-naming.md +52 -0
  244. package/skill-assets/sunlint-code-quality/rules/php/C052-controller-parsing.md +66 -0
  245. package/skill-assets/sunlint-code-quality/rules/php/C060-superclass-logic.md +54 -0
  246. package/skill-assets/sunlint-code-quality/rules/php/C067-no-hardcoded-config.md +55 -0
  247. package/skill-assets/sunlint-code-quality/rules/php/S003-open-redirect.md +60 -0
  248. package/skill-assets/sunlint-code-quality/rules/php/S004-no-log-credentials.md +67 -0
  249. package/skill-assets/sunlint-code-quality/rules/php/S005-server-authorization.md +57 -0
  250. package/skill-assets/sunlint-code-quality/rules/php/S006-default-credentials.md +61 -0
  251. package/skill-assets/sunlint-code-quality/rules/php/S007-output-encoding.md +61 -0
  252. package/skill-assets/sunlint-code-quality/rules/php/S009-approved-crypto.md +53 -0
  253. package/skill-assets/sunlint-code-quality/rules/php/S010-csprng.md +47 -0
  254. package/skill-assets/sunlint-code-quality/rules/php/S011-encrypted-client-hello.md +41 -0
  255. package/skill-assets/sunlint-code-quality/rules/php/S012-secrets-management.md +60 -0
  256. package/skill-assets/sunlint-code-quality/rules/php/S013-tls-connections.md +67 -0
  257. package/skill-assets/sunlint-code-quality/rules/php/S016-no-sensitive-query-string.md +61 -0
  258. package/skill-assets/sunlint-code-quality/rules/php/S017-parameterized-queries.md +44 -0
  259. package/skill-assets/sunlint-code-quality/rules/php/S019-email-input-sanitization.md +54 -0
  260. package/skill-assets/sunlint-code-quality/rules/php/S020-eval-code-execution.md +57 -0
  261. package/skill-assets/sunlint-code-quality/rules/php/S022-context-escaping.md +58 -0
  262. package/skill-assets/sunlint-code-quality/rules/php/S023-dynamic-js-encoding.md +62 -0
  263. package/skill-assets/sunlint-code-quality/rules/php/S025-server-validation.md +63 -0
  264. package/skill-assets/sunlint-code-quality/rules/php/S026-tls-encryption.md +48 -0
  265. package/skill-assets/sunlint-code-quality/rules/php/S027-mtls-validation.md +62 -0
  266. package/skill-assets/sunlint-code-quality/rules/php/S028-upload-limits.md +60 -0
  267. package/skill-assets/sunlint-code-quality/rules/php/S029-csrf-protection.md +65 -0
  268. package/skill-assets/sunlint-code-quality/rules/php/S030-directory-browsing.md +40 -0
  269. package/skill-assets/sunlint-code-quality/rules/php/S031-secure-cookie-flag.md +55 -0
  270. package/skill-assets/sunlint-code-quality/rules/php/S032-httponly-cookie.md +54 -0
  271. package/skill-assets/sunlint-code-quality/rules/php/S033-samesite-cookie.md +52 -0
  272. package/skill-assets/sunlint-code-quality/rules/php/S034-host-prefix-cookie.md +49 -0
  273. package/skill-assets/sunlint-code-quality/rules/php/S035-app-hostnames.md +49 -0
  274. package/skill-assets/sunlint-code-quality/rules/php/S036-internal-file-paths.md +56 -0
  275. package/skill-assets/sunlint-code-quality/rules/php/S037-anti-cache-headers.md +56 -0
  276. package/skill-assets/sunlint-code-quality/rules/php/S039-tls-certificate-validation.md +54 -0
  277. package/skill-assets/sunlint-code-quality/rules/php/S041-logout-invalidation.md +63 -0
  278. package/skill-assets/sunlint-code-quality/rules/php/S042-long-lived-sessions.md +57 -0
  279. package/skill-assets/sunlint-code-quality/rules/php/S044-critical-changes-reauth.md +71 -0
  280. package/skill-assets/sunlint-code-quality/rules/php/S045-brute-force-protection.md +67 -0
  281. package/skill-assets/sunlint-code-quality/rules/php/S047-oauth-csrf-protection.md +72 -0
  282. package/skill-assets/sunlint-code-quality/rules/php/S048-oauth-redirect-validation.md +54 -0
  283. package/skill-assets/sunlint-code-quality/rules/php/S049-auth-code-expiry.md +71 -0
  284. package/skill-assets/sunlint-code-quality/rules/php/S050-token-entropy.md +58 -0
  285. package/skill-assets/sunlint-code-quality/rules/php/S051-password-length.md +59 -0
  286. package/skill-assets/sunlint-code-quality/rules/php/S052-otp-entropy.md +45 -0
  287. package/skill-assets/sunlint-code-quality/rules/php/S053-generic-error-messages.md +59 -0
  288. package/skill-assets/sunlint-code-quality/rules/php/S054-no-default-admin.md +62 -0
  289. package/skill-assets/sunlint-code-quality/rules/php/S055-content-type-validation.md +58 -0
  290. package/skill-assets/sunlint-code-quality/rules/php/S056-log-injection.md +48 -0
  291. package/skill-assets/sunlint-code-quality/rules/php/S057-synchronized-time.md +52 -0
  292. package/skill-assets/sunlint-code-quality/rules/php/S058-ssrf-protection.md +65 -0
  293. package/skill-assets/sunlint-code-quality/rules/python/C006-verb-noun-functions.md +30 -0
  294. package/skill-assets/sunlint-code-quality/rules/python/C013-no-dead-code.md +24 -0
  295. package/skill-assets/sunlint-code-quality/rules/python/C014-dependency-injection.md +68 -0
  296. package/skill-assets/sunlint-code-quality/rules/python/C017-no-constructor-logic.md +30 -0
  297. package/skill-assets/sunlint-code-quality/rules/python/C018-generic-errors.md +25 -0
  298. package/skill-assets/sunlint-code-quality/rules/python/C019-error-log-level.md +26 -0
  299. package/skill-assets/sunlint-code-quality/rules/python/C020-no-unused-imports.md +28 -0
  300. package/skill-assets/sunlint-code-quality/rules/python/C022-no-unused-variables.md +24 -0
  301. package/skill-assets/sunlint-code-quality/rules/python/C023-no-duplicate-names.md +27 -0
  302. package/skill-assets/sunlint-code-quality/rules/python/C024-centralize-constants.md +27 -0
  303. package/skill-assets/sunlint-code-quality/rules/python/C029-catch-log-root-cause.md +61 -0
  304. package/skill-assets/sunlint-code-quality/rules/python/C030-custom-error-classes.md +28 -0
  305. package/skill-assets/sunlint-code-quality/rules/python/C033-separate-data-access.md +53 -0
  306. package/skill-assets/sunlint-code-quality/rules/python/C035-error-context-logging.md +26 -0
  307. package/skill-assets/sunlint-code-quality/rules/python/C041-no-hardcoded-secrets.md +23 -0
  308. package/skill-assets/sunlint-code-quality/rules/python/C042-boolean-naming.md +24 -0
  309. package/skill-assets/sunlint-code-quality/rules/python/C052-controller-parsing.md +34 -0
  310. package/skill-assets/sunlint-code-quality/rules/python/C060-superclass-logic.md +26 -0
  311. package/skill-assets/sunlint-code-quality/rules/python/C067-no-hardcoded-config.md +22 -0
  312. package/skill-assets/sunlint-code-quality/rules/python/S003-open-redirect.md +16 -0
  313. package/skill-assets/sunlint-code-quality/rules/python/S004-no-log-credentials.md +16 -0
  314. package/skill-assets/sunlint-code-quality/rules/python/S005-server-authorization.md +16 -0
  315. package/skill-assets/sunlint-code-quality/rules/python/S006-default-credentials.md +16 -0
  316. package/skill-assets/sunlint-code-quality/rules/python/S007-output-encoding.md +16 -0
  317. package/skill-assets/sunlint-code-quality/rules/python/S009-approved-crypto.md +16 -0
  318. package/skill-assets/sunlint-code-quality/rules/python/S010-csprng.md +16 -0
  319. package/skill-assets/sunlint-code-quality/rules/python/S011-encrypted-client-hello.md +16 -0
  320. package/skill-assets/sunlint-code-quality/rules/python/S012-secrets-management.md +16 -0
  321. package/skill-assets/sunlint-code-quality/rules/python/S013-tls-connections.md +16 -0
  322. package/skill-assets/sunlint-code-quality/rules/python/S016-no-sensitive-query-string.md +16 -0
  323. package/skill-assets/sunlint-code-quality/rules/python/S017-parameterized-queries.md +51 -0
  324. package/skill-assets/sunlint-code-quality/rules/python/S019-email-input-sanitization.md +16 -0
  325. package/skill-assets/sunlint-code-quality/rules/python/S020-eval-code-execution.md +51 -0
  326. package/skill-assets/sunlint-code-quality/rules/python/S022-context-escaping.md +16 -0
  327. package/skill-assets/sunlint-code-quality/rules/python/S023-dynamic-js-encoding.md +16 -0
  328. package/skill-assets/sunlint-code-quality/rules/python/S025-server-validation.md +16 -0
  329. package/skill-assets/sunlint-code-quality/rules/python/S026-tls-encryption.md +16 -0
  330. package/skill-assets/sunlint-code-quality/rules/python/S027-mtls-validation.md +16 -0
  331. package/skill-assets/sunlint-code-quality/rules/python/S028-upload-limits.md +16 -0
  332. package/skill-assets/sunlint-code-quality/rules/python/S029-csrf-protection.md +16 -0
  333. package/skill-assets/sunlint-code-quality/rules/python/S030-directory-browsing.md +16 -0
  334. package/skill-assets/sunlint-code-quality/rules/python/S031-secure-cookie-flag.md +16 -0
  335. package/skill-assets/sunlint-code-quality/rules/python/S032-httponly-cookie.md +16 -0
  336. package/skill-assets/sunlint-code-quality/rules/python/S033-samesite-cookie.md +16 -0
  337. package/skill-assets/sunlint-code-quality/rules/python/S034-host-prefix-cookie.md +16 -0
  338. package/skill-assets/sunlint-code-quality/rules/python/S035-app-hostnames.md +16 -0
  339. package/skill-assets/sunlint-code-quality/rules/python/S036-internal-file-paths.md +50 -0
  340. package/skill-assets/sunlint-code-quality/rules/python/S037-anti-cache-headers.md +16 -0
  341. package/skill-assets/sunlint-code-quality/rules/python/S039-tls-certificate-validation.md +16 -0
  342. package/skill-assets/sunlint-code-quality/rules/python/S041-logout-invalidation.md +16 -0
  343. package/skill-assets/sunlint-code-quality/rules/python/S042-long-lived-sessions.md +16 -0
  344. package/skill-assets/sunlint-code-quality/rules/python/S044-critical-changes-reauth.md +16 -0
  345. package/skill-assets/sunlint-code-quality/rules/python/S045-brute-force-protection.md +16 -0
  346. package/skill-assets/sunlint-code-quality/rules/python/S047-oauth-csrf-protection.md +16 -0
  347. package/skill-assets/sunlint-code-quality/rules/python/S048-oauth-redirect-validation.md +16 -0
  348. package/skill-assets/sunlint-code-quality/rules/python/S049-auth-code-expiry.md +16 -0
  349. package/skill-assets/sunlint-code-quality/rules/python/S050-token-entropy.md +16 -0
  350. package/skill-assets/sunlint-code-quality/rules/python/S051-password-length.md +16 -0
  351. package/skill-assets/sunlint-code-quality/rules/python/S052-otp-entropy.md +16 -0
  352. package/skill-assets/sunlint-code-quality/rules/python/S053-generic-error-messages.md +16 -0
  353. package/skill-assets/sunlint-code-quality/rules/python/S054-no-default-admin.md +16 -0
  354. package/skill-assets/sunlint-code-quality/rules/python/S055-content-type-validation.md +16 -0
  355. package/skill-assets/sunlint-code-quality/rules/python/S056-log-injection.md +16 -0
  356. package/skill-assets/sunlint-code-quality/rules/python/S057-synchronized-time.md +16 -0
  357. package/skill-assets/sunlint-code-quality/rules/python/S058-ssrf-protection.md +57 -0
  358. package/skill-assets/sunlint-code-quality/rules/typescript/C006-verb-noun-functions.md +45 -0
  359. package/skill-assets/sunlint-code-quality/rules/typescript/C013-no-dead-code.md +51 -0
  360. package/skill-assets/sunlint-code-quality/rules/typescript/C014-dependency-injection.md +69 -0
  361. package/skill-assets/sunlint-code-quality/rules/typescript/C017-no-constructor-logic.md +60 -0
  362. package/skill-assets/sunlint-code-quality/rules/typescript/C018-generic-errors.md +47 -0
  363. package/skill-assets/sunlint-code-quality/rules/typescript/C019-error-log-level.md +50 -0
  364. package/skill-assets/sunlint-code-quality/rules/typescript/C020-no-unused-imports.md +55 -0
  365. package/skill-assets/sunlint-code-quality/rules/typescript/C022-no-unused-variables.md +59 -0
  366. package/skill-assets/sunlint-code-quality/rules/typescript/C023-no-duplicate-names.md +58 -0
  367. package/skill-assets/sunlint-code-quality/rules/typescript/C024-centralize-constants.md +56 -0
  368. package/skill-assets/sunlint-code-quality/rules/typescript/C029-catch-log-root-cause.md +53 -0
  369. package/skill-assets/sunlint-code-quality/rules/typescript/C030-custom-error-classes.md +60 -0
  370. package/skill-assets/sunlint-code-quality/rules/typescript/C033-separate-data-access.md +69 -0
  371. package/skill-assets/sunlint-code-quality/rules/typescript/C035-error-context-logging.md +50 -0
  372. package/skill-assets/sunlint-code-quality/rules/typescript/C041-no-hardcoded-secrets.md +47 -0
  373. package/skill-assets/sunlint-code-quality/rules/typescript/C042-boolean-naming.md +42 -0
  374. package/skill-assets/sunlint-code-quality/rules/typescript/C052-controller-parsing.md +64 -0
  375. package/skill-assets/sunlint-code-quality/rules/typescript/C060-superclass-logic.md +67 -0
  376. package/skill-assets/sunlint-code-quality/rules/typescript/C067-no-hardcoded-config.md +52 -0
  377. package/skill-assets/sunlint-code-quality/rules/typescript/S003-open-redirect.md +76 -0
  378. package/skill-assets/sunlint-code-quality/rules/typescript/S004-no-log-credentials.md +71 -0
  379. package/skill-assets/sunlint-code-quality/rules/typescript/S005-server-authorization.md +68 -0
  380. package/skill-assets/sunlint-code-quality/rules/typescript/S006-default-credentials.md +69 -0
  381. package/skill-assets/sunlint-code-quality/rules/typescript/S007-output-encoding.md +60 -0
  382. package/skill-assets/sunlint-code-quality/rules/typescript/S009-approved-crypto.md +53 -0
  383. package/skill-assets/sunlint-code-quality/rules/typescript/S010-csprng.md +53 -0
  384. package/skill-assets/sunlint-code-quality/rules/typescript/S011-encrypted-client-hello.md +45 -0
  385. package/skill-assets/sunlint-code-quality/rules/typescript/S012-secrets-management.md +47 -0
  386. package/skill-assets/sunlint-code-quality/rules/typescript/S013-tls-connections.md +70 -0
  387. package/skill-assets/sunlint-code-quality/rules/typescript/S016-no-sensitive-query-string.md +53 -0
  388. package/skill-assets/sunlint-code-quality/rules/typescript/S017-parameterized-queries.md +55 -0
  389. package/skill-assets/sunlint-code-quality/rules/typescript/S019-email-input-sanitization.md +56 -0
  390. package/skill-assets/sunlint-code-quality/rules/typescript/S020-eval-code-execution.md +58 -0
  391. package/skill-assets/sunlint-code-quality/rules/typescript/S022-context-escaping.md +48 -0
  392. package/skill-assets/sunlint-code-quality/rules/typescript/S023-dynamic-js-encoding.md +52 -0
  393. package/skill-assets/sunlint-code-quality/rules/typescript/S025-server-validation.md +62 -0
  394. package/skill-assets/sunlint-code-quality/rules/typescript/S026-tls-encryption.md +47 -0
  395. package/skill-assets/sunlint-code-quality/rules/typescript/S027-mtls-validation.md +50 -0
  396. package/skill-assets/sunlint-code-quality/rules/typescript/S028-upload-limits.md +65 -0
  397. package/skill-assets/sunlint-code-quality/rules/typescript/S029-csrf-protection.md +62 -0
  398. package/skill-assets/sunlint-code-quality/rules/typescript/S030-directory-browsing.md +52 -0
  399. package/skill-assets/sunlint-code-quality/rules/typescript/S031-secure-cookie-flag.md +48 -0
  400. package/skill-assets/sunlint-code-quality/rules/typescript/S032-httponly-cookie.md +36 -0
  401. package/skill-assets/sunlint-code-quality/rules/typescript/S033-samesite-cookie.md +46 -0
  402. package/skill-assets/sunlint-code-quality/rules/typescript/S034-host-prefix-cookie.md +50 -0
  403. package/skill-assets/sunlint-code-quality/rules/typescript/S035-app-hostnames.md +49 -0
  404. package/skill-assets/sunlint-code-quality/rules/typescript/S036-internal-file-paths.md +53 -0
  405. package/skill-assets/sunlint-code-quality/rules/typescript/S037-anti-cache-headers.md +52 -0
  406. package/skill-assets/sunlint-code-quality/rules/typescript/S039-tls-certificate-validation.md +51 -0
  407. package/skill-assets/sunlint-code-quality/rules/typescript/S041-logout-invalidation.md +58 -0
  408. package/skill-assets/sunlint-code-quality/rules/typescript/S042-long-lived-sessions.md +55 -0
  409. package/skill-assets/sunlint-code-quality/rules/typescript/S044-critical-changes-reauth.md +69 -0
  410. package/skill-assets/sunlint-code-quality/rules/typescript/S045-brute-force-protection.md +59 -0
  411. package/skill-assets/sunlint-code-quality/rules/typescript/S047-oauth-csrf-protection.md +60 -0
  412. package/skill-assets/sunlint-code-quality/rules/typescript/S048-oauth-redirect-validation.md +59 -0
  413. package/skill-assets/sunlint-code-quality/rules/typescript/S049-auth-code-expiry.md +73 -0
  414. package/skill-assets/sunlint-code-quality/rules/typescript/S050-token-entropy.md +48 -0
  415. package/skill-assets/sunlint-code-quality/rules/typescript/S051-password-length.md +60 -0
  416. package/skill-assets/sunlint-code-quality/rules/typescript/S052-otp-entropy.md +49 -0
  417. package/skill-assets/sunlint-code-quality/rules/typescript/S053-generic-error-messages.md +61 -0
  418. package/skill-assets/sunlint-code-quality/rules/typescript/S054-no-default-admin.md +64 -0
  419. package/skill-assets/sunlint-code-quality/rules/typescript/S055-content-type-validation.md +64 -0
  420. package/skill-assets/sunlint-code-quality/rules/typescript/S056-log-injection.md +48 -0
  421. package/skill-assets/sunlint-code-quality/rules/typescript/S057-synchronized-time.md +57 -0
  422. package/skill-assets/sunlint-code-quality/rules/typescript/S058-ssrf-protection.md +63 -0
@@ -0,0 +1,50 @@
1
+ ---
2
+ title: All Catch Blocks Must Log Root Cause
3
+ impact: HIGH
4
+ impactDescription: enables debugging and incident response
5
+ tags: error-handling, logging, debugging, observability, quality, kotlin
6
+ ---
7
+
8
+ ## All Catch Blocks Must Log Root Cause
9
+
10
+ Silent failures make debugging impossible. Without proper logging, you cannot trace issues in production.
11
+
12
+ **Incorrect (silent or minimal logging):**
13
+
14
+ ```kotlin
15
+ try {
16
+ processPayment(order)
17
+ } catch (e: Exception) {
18
+ // Empty catch - silent failure!
19
+ }
20
+
21
+ try {
22
+ saveUser(user)
23
+ } catch (e: Exception) {
24
+ return null // No logging, no context
25
+ }
26
+ ```
27
+
28
+ **Correct (comprehensive error logging):**
29
+
30
+ ```kotlin
31
+ try {
32
+ processPayment(order)
33
+ } catch (error: Exception) {
34
+ logger.error("Payment processing failed", error) {
35
+ payload("orderId" to order.id)
36
+ payload("userId" to order.userId)
37
+ payload("amount" to order.amount)
38
+ }
39
+ throw PaymentFailedException("Payment could not be processed", error)
40
+ }
41
+ ```
42
+
43
+ **Log context should include:**
44
+ - Error message and stack trace
45
+ - Relevant entity IDs (order, user, etc.)
46
+ - Request/correlation ID
47
+ - Input that caused the error
48
+ - Timing information
49
+
50
+ **Tools:** Static analyzer, detekt, PR review
@@ -0,0 +1,72 @@
1
+ ---
2
+ title: Use Custom Error Classes
3
+ impact: HIGH
4
+ impactDescription: enables proper error categorization, structured logging, and precise handling
5
+ tags: error-handling, custom-errors, exceptions, patterns, quality, kotlin
6
+ ---
7
+
8
+ ## Use Custom Error Classes
9
+
10
+ Custom exception classes enable structured error handling, meaningful categorization, and better observability. They allow the application to provide clear diagnostic information and programmatic error codes.
11
+
12
+ **Incorrect (generic exceptions):**
13
+
14
+ ```kotlin
15
+ throw Exception("User not found")
16
+ throw RuntimeException("Invalid input")
17
+ throw IllegalStateException("Database connection failed")
18
+ ```
19
+
20
+ **Correct (custom exception hierarchy):**
21
+
22
+ ```kotlin
23
+ // Base application exception
24
+ open class AppException(
25
+ val code: String,
26
+ override val message: String,
27
+ val statusCode: Int = 500,
28
+ val context: Map<String, Any?>? = null,
29
+ cause: Throwable? = null
30
+ ) : RuntimeException(message, cause)
31
+
32
+ // Specific domain exceptions
33
+ class UserNotFoundException(userId: String) : AppException(
34
+ code = "USER_NOT_FOUND",
35
+ message = "User $userId not found",
36
+ statusCode = 404,
37
+ context = mapOf("userId" to userId)
38
+ )
39
+
40
+ class ValidationException(field: String, message: String) : AppException(
41
+ code = "VALIDATION_ERROR",
42
+ message = message,
43
+ statusCode = 400,
44
+ context = mapOf("field" to field)
45
+ )
46
+
47
+ // Usage
48
+ throw UserNotFoundException(userId)
49
+ ```
50
+
51
+ **Using Sealed Classes for Error Handling (Functional Style):**
52
+
53
+ ```kotlin
54
+ sealed class Result<out T> {
55
+ data class Success<out T>(val data: T) : Result<T>()
56
+ data class Failure(val error: AppException) : Result<Nothing>()
57
+ }
58
+
59
+ // Logic returning a result instead of throwing
60
+ fun findUser(id: String): Result<User> {
61
+ val user = db.find(id)
62
+ return user?.let { Result.Success(it) } ?: Result.Failure(UserNotFoundException(id))
63
+ }
64
+ ```
65
+
66
+ **Benefits:**
67
+ - Type-safe error handling logic.
68
+ - Structured context for logging systems (ELK, Sentry).
69
+ - Automatic mapping to API response formats.
70
+ - Clearer domain modeling.
71
+
72
+ **Tools:** detekt (TooGenericExceptionThrown), Manual Review, PR rules
@@ -0,0 +1,69 @@
1
+ ---
2
+ title: Separate Processing And Data Access
3
+ impact: HIGH
4
+ impactDescription: enables testable business logic and better maintenance
5
+ tags: separation, repository, service, architecture, quality, kotlin
6
+ ---
7
+
8
+ ## Separate Processing And Data Access
9
+
10
+ Mixing business logic with raw database queries or data access logic creates tight coupling. This makes testing difficult (requiring a database) and makes the code harder to maintain and refactor.
11
+
12
+ **Incorrect (mixed concerns):**
13
+
14
+ ```kotlin
15
+ class OrderService {
16
+ fun calculateDiscount(userId: String): Double {
17
+ // Business logic mixed with raw SQL or data access
18
+ val user = db.query("SELECT * FROM users WHERE id = ?", userId)
19
+ val orders = db.query("SELECT * FROM orders WHERE user_id = ?", userId)
20
+
21
+ var discount = 0.0
22
+ if (orders.size > 10) discount += 0.05
23
+ if (user.getBoolean("isPremium")) discount += 0.10
24
+
25
+ return discount
26
+ }
27
+ }
28
+ ```
29
+
30
+ **Correct (separated layers using Repository Pattern):**
31
+
32
+ ```kotlin
33
+ // Repository - focus on data mapping and retrieval
34
+ interface UserRepository {
35
+ fun findById(userId: String): User?
36
+ }
37
+
38
+ interface OrderRepository {
39
+ fun findByUserId(userId: String): List<Order>
40
+ }
41
+
42
+ // Service - focus on business rules and orchestration
43
+ class DiscountService(
44
+ private val userRepository: UserRepository,
45
+ private val orderRepository: OrderRepository
46
+ ) {
47
+ fun calculateDiscount(userId: String): Double {
48
+ val user = userRepository.findById(userId)
49
+ val orders = orderRepository.findByUserId(userId)
50
+
51
+ return computeDiscount(user, orders)
52
+ }
53
+
54
+ // Business logic is pure and easily testable
55
+ private fun computeDiscount(user: User?, orders: List<Order>): Double {
56
+ var discount = 0.0
57
+ if (orders.size > 10) discount += 0.05
58
+ if (user?.isPremium == true) discount += 0.10
59
+ return discount
60
+ }
61
+ }
62
+ ```
63
+
64
+ **Benefits:**
65
+ - Business logic can be unit-tested without a database.
66
+ - Data sources can be swapped (e.g., migrating from SQL to NoSQL) without changing business rules.
67
+ - Improved readability and clear separation of concerns.
68
+
69
+ **Tools:** Architectural Review, Code Review, Manual Audit
@@ -0,0 +1,47 @@
1
+ ---
2
+ title: Log All Relevant Context On Errors
3
+ impact: HIGH
4
+ impactDescription: enables quick debugging and accurate incident response
5
+ tags: error-handling, logging, context, debugging, quality, kotlin
6
+ ---
7
+
8
+ ## Log All Relevant Context On Errors
9
+
10
+ Logs without context are nearly useless for production troubleshooting. Comprehensive context-rich logs allow developers to reconstruct the state that led to an error.
11
+
12
+ **Incorrect (minimal context):**
13
+
14
+ ```kotlin
15
+ logger.error("Error occurred")
16
+ logger.error(exception.message)
17
+ ```
18
+
19
+ **Correct (comprehensive context):**
20
+
21
+ ```kotlin
22
+ logger.error("Failed to process order", exception) {
23
+ // What happened
24
+ payload("errorCode" to exception.code)
25
+
26
+ // Core Business Context
27
+ payload("orderId" to order.id)
28
+ payload("userId" to user.id)
29
+ payload("requestId" to MDC.get("requestId")) // Assuming MDC use
30
+
31
+ // Input/State that caused the issue
32
+ payload("itemsCount" to order.items.size)
33
+ payload("totalAmount" to order.total)
34
+
35
+ // Timing information
36
+ payload("processingTimeMs" to System.currentTimeMillis() - startTime)
37
+ }
38
+ ```
39
+
40
+ **Essential log context should include:**
41
+ - Error details (Exception name, full stack trace).
42
+ - Entity IDs (user ID, order ID, account ID).
43
+ - Coordination IDs (Request ID, Correlation ID, Trace ID).
44
+ - Summarized input data (avoid PII - Personal Identifiable Information).
45
+ - System state hints (environment, version).
46
+
47
+ **Tools:** SLF4J with Logback/Log4j2, Structured Logging (KLogging, Logstash Logback Encoder), Sentry
@@ -0,0 +1,47 @@
1
+ ---
2
+ title: No Hardcoded Secrets In Repo
3
+ impact: CRITICAL
4
+ impactDescription: prevents sensitive credential exposure and security breaches
5
+ tags: secrets, credentials, security, git, quality, kotlin
6
+ ---
7
+
8
+ ## No Hardcoded Secrets In Repo
9
+
10
+ Hardcoding sensitive credentials (API keys, DB passwords, private keys) in the source code or configuration files is a major security risk. Once committed, they are visible to anyone with access to the repo and historical versions.
11
+
12
+ **Incorrect (secrets in code):**
13
+
14
+ ```kotlin
15
+ const val STRIPE_API_KEY = "sk_live_abc123"
16
+ val dbPassword = "root_password"
17
+
18
+ // HARDCODED in resource files or code
19
+ val connection = DriverManager.getConnection("jdbc:mysql://localhost/db", "admin", "secret123")
20
+ ```
21
+
22
+ **Correct (environment/secrets manager):**
23
+
24
+ ```kotlin
25
+ // Load from Environment Variables
26
+ val apiKey = System.getenv("API_KEY")
27
+
28
+ // Load from a secure property file (not committed to git)
29
+ val properties = Properties().apply {
30
+ val inputStream = FileInputStream("secrets.properties")
31
+ load(inputStream)
32
+ }
33
+ val dbPassword = properties.getProperty("DB_PASSWORD")
34
+
35
+ // Using a cloud secrets manager (AWS Secrets Manager, GCP Secret Manager, Vault)
36
+ val stripeKey = secretsClient.getSecret("stripe/live-key")
37
+
38
+ // Validate presence at startup
39
+ checkNotNull(apiKey) { "API_KEY environment variable must be set" }
40
+ ```
41
+
42
+ **Protecting Secrets:**
43
+ - Add `.env`, `secrets.properties`, `*.jks`, `*.pem` to `.gitignore`.
44
+ - Use CI/CD secrets for deployment.
45
+ - Avoid printing secrets to log files.
46
+
47
+ **Tools:** Gitleaks, TruffleHog, SonarQube, detekt (HardcodedSecret)
@@ -0,0 +1,42 @@
1
+ ---
2
+ title: Boolean Names Is/Has/Should Prefix
3
+ impact: LOW
4
+ impactDescription: makes conditional logic instantly readable and self-documenting
5
+ tags: naming, booleans, readability, conventions, quality, kotlin
6
+ ---
7
+
8
+ ## Boolean Names Is/Has/Should Prefix
9
+
10
+ Boolean variables and function names should start with a prefix that makes their true/false nature obvious. This improves readability of `if` statements and logical expressions.
11
+
12
+ **Incorrect (unclear boolean names):**
13
+
14
+ ```kotlin
15
+ val active = user.status == "active"
16
+ val admin = checkAdminRole(user)
17
+ val items = cart.isNotEmpty()
18
+ val update = needsRefresh()
19
+ ```
20
+
21
+ **Correct (clear boolean prefixes):**
22
+
23
+ ```kotlin
24
+ val isActive = user.status == "active"
25
+ val isAdmin = checkAdminRole(user)
26
+ val hasItems = cart.isNotEmpty()
27
+ val shouldUpdate = needsRefresh()
28
+ val canEdit = user.hasPermission("edit")
29
+ val willExpire = expirationDate.isBefore(tomorrow)
30
+ ```
31
+
32
+ **Common Boolean Prefixes:**
33
+
34
+ | Prefix | Use Case | Example |
35
+ |--------|----------|---------|
36
+ | `is` | Status or State | `isActive`, `isEmpty`, `isReady` |
37
+ | `has` | Possession or Collection | `hasItems`, `hasPermission`, `hasMetadata` |
38
+ | `should` | Recommendations or Tasks | `shouldRetry`, `shouldSkip`, `shouldNotify` |
39
+ | `can` | Permissions or Capabilities | `canExecute`, `canSubmit`, `canDelete` |
40
+ | `will` | Future State | `willChange`, `willExpire`, `willSync` |
41
+
42
+ **Tools:** detekt, Android Studio Linter (Naming conventions), Code Review
@@ -0,0 +1,71 @@
1
+ ---
2
+ title: Separate Data Mapping From Controllers
3
+ impact: MEDIUM
4
+ impactDescription: keeps controllers thin, focused on HTTP concerns, and makes mapping logic reusable
5
+ tags: controller, parsing, transformation, mapping, patterns, quality, kotlin
6
+ ---
7
+
8
+ ## Separate Data Mapping From Controllers
9
+
10
+ Controllers should be thin and only responsible for handling HTTP requests, orchestrating service calls, and returning responses. Complex data transformations or mapping logic should be extracted into separate Mapper classes or Extension functions.
11
+
12
+ **Incorrect (mapping logic in controller):**
13
+
14
+ ```kotlin
15
+ @RestController
16
+ class UserController(private val userService: UserService) {
17
+
18
+ @GetMapping("/users/{id}")
19
+ fun getUser(@PathVariable id: String): ResponseEntity<UserResponse> {
20
+ val user = userService.findById(id) ?: throw NotFoundException()
21
+
22
+ // Complex mapping logic inside controller
23
+ val response = UserResponse(
24
+ id = user.id,
25
+ fullName = "${user.firstName} ${user.lastName}",
26
+ email = user.email.lowercase(),
27
+ formattedDate = user.createdAt.format(DateTimeFormatter.ISO_DATE)
28
+ )
29
+
30
+ return ResponseEntity.ok(response)
31
+ }
32
+ }
33
+ ```
34
+
35
+ **Correct (using Mappers or Extension Functions):**
36
+
37
+ ```kotlin
38
+ // Option 1: Using a dedicated Mapper
39
+ object UserMapper {
40
+ fun toResponse(user: User): UserResponse = UserResponse(
41
+ id = user.id,
42
+ fullName = "${user.firstName} ${user.lastName}",
43
+ email = user.email.lowercase(),
44
+ formattedDate = user.createdAt.format(DateTimeFormatter.ISO_DATE)
45
+ )
46
+ }
47
+
48
+ // Option 2: Using Kotlin Extension Functions
49
+ fun User.toResponse(): UserResponse = UserResponse(
50
+ id = id,
51
+ fullName = "$firstName $lastName",
52
+ email = email.lowercase(),
53
+ formattedDate = createdAt.format(DateTimeFormatter.ISO_DATE)
54
+ )
55
+
56
+ // Clean and focused controller
57
+ @RestController
58
+ class UserController(private val userService: UserService) {
59
+ @GetMapping("/users/{id}")
60
+ fun getUser(@PathVariable id: String): UserResponse {
61
+ return userService.findById(id)?.toResponse() ?: throw NotFoundException()
62
+ }
63
+ }
64
+ ```
65
+
66
+ **Benefits:**
67
+ - **Reusability:** The same mapping logic can be used across multiple controllers or background jobs.
68
+ - **Testability:** Mappers can be unit-tested in isolation without mocking HTTP infrastructure.
69
+ - **Maintainability:** Changes to API formats are centralized.
70
+
71
+ **Tools:** MapStruct, Kotlin Extension Functions, ModelMapper, Architectural Review
@@ -0,0 +1,60 @@
1
+ ---
2
+ title: Do Not Ignore Superclass Logic
3
+ impact: HIGH
4
+ impactDescription: ensures proper inheritance behavior and execution of base class contracts
5
+ tags: inheritance, override, superclass, oop, quality, kotlin
6
+ ---
7
+
8
+ ## Do Not Ignore Superclass Logic
9
+
10
+ When overriding methods in Kotlin, it is crucial to call the `super` implementation unless you explicitly intend to replace it entirely. Ignoring superclass logic often leads to missing validations, hooks, or lifecycle events defined in the base class.
11
+
12
+ **Incorrect (ignoring superclass):**
13
+
14
+ ```kotlin
15
+ open class BaseService {
16
+ open fun save(entity: Entity) {
17
+ validate(entity)
18
+ db.save(entity)
19
+ logger.info("Entity saved")
20
+ }
21
+ }
22
+
23
+ class UserService : BaseService() {
24
+ override fun save(user: User) {
25
+ // BUG: Skips validation and logging from the base class!
26
+ db.save(user)
27
+ }
28
+ }
29
+ ```
30
+
31
+ **Correct (calling super):**
32
+
33
+ ```kotlin
34
+ class UserService : BaseService() {
35
+ override fun save(user: User) {
36
+ // Perform user-specific logic
37
+ user.lastModified = Instant.now()
38
+
39
+ // Ensure base class logic (validation, etc.) is executed
40
+ super.save(user)
41
+
42
+ // Add additional post-save logic
43
+ notifyAdmins(user)
44
+ }
45
+ }
46
+ ```
47
+
48
+ **Exception (intentional replacement):**
49
+
50
+ ```kotlin
51
+ class AdminService : BaseService() {
52
+ // Override: Admins bypass standard validation logic
53
+ override fun save(admin: User) {
54
+ // Intentionally skip super.save()
55
+ db.save(admin)
56
+ }
57
+ }
58
+ ```
59
+
60
+ **Tools:** Android Studio / IntelliJ IDEA hints, detekt, Code Review
@@ -0,0 +1,51 @@
1
+ ---
2
+ title: Do Not Hardcode Configuration
3
+ impact: HIGH
4
+ impactDescription: enables environment-specific deployments without code changes
5
+ tags: configuration, environment, deployment, quality, kotlin
6
+ ---
7
+
8
+ ## Do Not Hardcode Configuration
9
+
10
+ Configuration values that change between environments (Development, Staging, Production) should never be hardcoded in the source code. Hardcoding necessitates re-compilation and re-deployment for simple configuration changes and risks exposing production settings in lower environments.
11
+
12
+ **Incorrect (hardcoded config):**
13
+
14
+ ```kotlin
15
+ const val API_URL = "https://api.production.sun-asterisk.vn"
16
+ const val TIMEOUT_MS = 5000
17
+ const val MAX_RETRIES = 3
18
+ ```
19
+
20
+ **Correct (externalized configuration):**
21
+
22
+ ```kotlin
23
+ // In Spring Boot: use application.yml/properties with placeholders
24
+ // api.url: ${API_URL:http://localhost:8080}
25
+
26
+ @ConfigurationProperties(prefix = "app")
27
+ data class AppConfig(
28
+ val apiUrl: String,
29
+ val timeoutMs: Int = 5000,
30
+ val maxRetries: Int = 3
31
+ )
32
+
33
+ // In Ktor: use HOCON configuration (application.conf)
34
+ // storage {
35
+ // bucket = ${?STORAGE_BUCKET}
36
+ // }
37
+
38
+ val bucket = environment.config.propertyOrNull("storage.bucket")?.getString()
39
+ ?: "default-dev-bucket"
40
+
41
+ // Manual Environment Access
42
+ val dbUrl = System.getenv("DATABASE_URL") ?: "jdbc:h2:mem:test"
43
+ ```
44
+
45
+ **Best Practices:**
46
+ - Use environment variables for sensitive or environment-specific values.
47
+ - Provide sensible defaults for local development.
48
+ - Validate required configuration values at application startup (fail-fast).
49
+ - Avoid "magic strings" for configuration keys; use typesafe configuration classes.
50
+
51
+ **Tools:** Spring Boot `@ConfigurationProperties`, Ktor `HoconApplicationConfig`, `dotenv-kotlin`, Manual Review
@@ -0,0 +1,66 @@
1
+ ---
2
+ title: URL Redirects Must Be In Allow List
3
+ impact: MEDIUM
4
+ impactDescription: prevents open redirect vulnerabilities used in phishing attacks
5
+ tags: redirect, url, allow-list, validation, security, kotlin
6
+ ---
7
+
8
+ ## URL Redirects Must Be In Allow List
9
+
10
+ Open redirect vulnerabilities allow attackers to use your trusted domain to redirect users to malicious sites. This is commonly used in phishing campaigns to make malicious URLs look legitimate.
11
+
12
+ **Incorrect (unvalidated redirect URL):**
13
+
14
+ ```kotlin
15
+ // Open redirect vulnerability
16
+ @GetMapping("/redirect")
17
+ fun redirect(request: HttpServletRequest, response: HttpServletResponse) {
18
+ val url = request.getParameter("url")
19
+ response.sendRedirect(url) // Attacker: ?url=https://evil.com
20
+ }
21
+
22
+ // Partial validation (bypassable)
23
+ if (url.contains("sun-asterisk.vn")) {
24
+ response.sendRedirect(url) // Bypass: https://attacker.com?sun-asterisk.vn
25
+ }
26
+ ```
27
+
28
+ **Correct (allow list or relative path validation):**
29
+
30
+ ```kotlin
31
+ import java.net.URI
32
+
33
+ private val ALLOWED_HOSTS = setOf("sun-asterisk.vn", "app.sun-asterisk.vn")
34
+
35
+ @GetMapping("/redirect")
36
+ fun safeRedirect(@RequestParam url: String, response: HttpServletResponse) {
37
+ try {
38
+ val uri = URI(url)
39
+ val host = uri.host
40
+
41
+ // 1. Validate against allow list (for absolute URLs)
42
+ if (host != null && !ALLOWED_HOSTS.contains(host)) {
43
+ throw SecurityException("Host not allowed")
44
+ }
45
+
46
+ // 2. Or enforce relative paths only (safe for internal navigation)
47
+ if (host == null) {
48
+ if (!url.startsWith("/") || url.startsWith("//")) {
49
+ throw SecurityException("Invalid relative path")
50
+ }
51
+ }
52
+
53
+ response.sendRedirect(url)
54
+ } catch (e: Exception) {
55
+ response.sendError(400, "Invalid URL")
56
+ }
57
+ }
58
+ ```
59
+
60
+ **Security Best Practices:**
61
+ - Prefer relative URLs over absolute URLs for internal redirects.
62
+ - If absolute URLs are required, strictly validate the `host` against an allow list.
63
+ - Reject URLs that use the `//` shorthand (protocol-relative) to avoid cross-domain redirects.
64
+ - Display a transition page for redirects to external unlisted sites.
65
+
66
+ **Tools:** SonarQube (S5144, S1134), Semgrep, Manual Security Audit
@@ -0,0 +1,59 @@
1
+ ---
2
+ title: Do Not Log Credentials Or Tokens
3
+ impact: HIGH
4
+ impactDescription: prevents sensitive credential exposure in monitoring systems
5
+ tags: logging, credentials, tokens, secrets, security, kotlin
6
+ ---
7
+
8
+ ## Do Not Log Credentials Or Tokens
9
+
10
+ Logging systems are often less protected than core databases. Credentials or tokens in logs can be harvested by attackers or accidentally exposed to unauthorized personnel.
11
+
12
+ **Incorrect (logging sensitive data):**
13
+
14
+ ```kotlin
15
+ // Logging passwords
16
+ logger.info("Login attempt for user: {}, password: {}", user.username, user.password) // NEVER!
17
+
18
+ // Logging full request headers
19
+ logger.debug("Request headers: {}", request.headers)
20
+ // Authorization header contains Bearer tokens!
21
+
22
+ // Logging raw request body
23
+ logger.info("Incoming request body: {}", request.body())
24
+ // May contain passwords, credit card numbers, or PII
25
+ ```
26
+
27
+ **Correct (sanitized logging):**
28
+
29
+ ```kotlin
30
+ // Omit sensitive fields
31
+ logger.info("Login attempt for user: {}", user.username)
32
+
33
+ // Sanitize or mask headers
34
+ val safeHeaders = request.headers.toMutableMap().mapValues { (key, value) ->
35
+ if (key.equals("Authorization", ignoreCase = true) || key.equals("Cookie", ignoreCase = true)) {
36
+ "[REDACTED]"
37
+ } else {
38
+ value
39
+ }
40
+ }
41
+ logger.debug("Request headers: {}", safeHeaders)
42
+
43
+ // Use a data sanitizer for objects
44
+ fun sanitize(data: Map<String, Any?>): Map<String, Any?> {
45
+ val sensitiveKeys = setOf("password", "token", "secret", "credit_card", "cvv")
46
+ return data.mapValues { (key, value) ->
47
+ if (sensitiveKeys.any { key.contains(it, ignoreCase = true) }) "[REDACTED]" else value
48
+ }
49
+ }
50
+ ```
51
+
52
+ **Sensitive Data strictly forbidden in logs:**
53
+ - Passwords (raw or encrypted).
54
+ - Authentication tokens (JWT, OAuth tokens, API Keys).
55
+ - Session IDs and Cookies.
56
+ - Payment information (Credit Card, CVV).
57
+ - Personal IDs (SSN, National ID).
58
+
59
+ **Tools:** Logback mask pattern, SonarQube, Manual Security Audit, Sentry Data Scrubbing