@sun-asterisk/sunlint 1.3.39 → 1.3.40
- package/config/rules/rules-registry-generated.json +134 -108
- package/docs/GENERATED_FILES_QUICK_REFERENCE.md +96 -0
- package/docs/GENERATED_FILE_HANDLING_SUMMARY.md +152 -0
- package/docs/skills/CREATE_NEW_DART_RULE.md +161 -14
- package/origin-rules/dart-en.md +151 -163
- package/package.json +2 -1
- package/rules/dart/D002_dispose_resources/config.json +25 -0
- package/rules/dart/D003_prefer_widgets_over_methods/config.json +14 -0
- package/rules/dart/D004_avoid_shrinkwrap_listview/config.json +13 -0
- package/rules/dart/D005_limit_widget_nesting/config.json +13 -0
- package/rules/dart/D006_prefer_extracting_large_callbacks/config.json +25 -0
- package/rules/dart/D007_prefer_init_first_dispose_last/config.json +10 -0
- package/rules/dart/D008_avoid_long_functions/config.json +12 -0
- package/rules/dart/D009_limit_function_parameters/config.json +13 -0
- package/rules/dart/D010_limit_cyclomatic_complexity/config.json +12 -0
- package/rules/dart/D011_prefer_named_parameters/config.json +12 -0
- package/rules/dart/D012_prefer_named_boolean_parameters/config.json +9 -0
- package/rules/dart/D013_single_public_class/config.json +10 -0
- package/rules/dart/D014_unsafe_collection_access/config.json +10 -0
- package/rules/dart/D015_copywith_all_parameters/config.json +9 -0
- package/rules/dart/D016_project_should_have_tests/config.json +24 -0
- package/rules/dart/D017_pubspec_dependencies_review/config.json +23 -0
- package/rules/dart/D018_remove_commented_code/config.json +13 -0
- package/rules/dart/D019_avoid_single_child_multi_child_widget/config.json +21 -0
- package/rules/dart/D020_limit_if_else_branches/config.json +12 -0
- package/rules/dart/D021_avoid_negated_boolean_checks/config.json +14 -0
- package/rules/dart/D022_use_setstate_correctly/config.json +14 -0
- package/rules/dart/D023_avoid_unnecessary_method_overrides/config.json +13 -0
- package/rules/dart/D024_avoid_unnecessary_stateful_widget/config.json +9 -0
- package/rules/dart/D025_avoid_nested_conditional_expressions/config.json +9 -0
- package/skill-assets/sunlint-code-quality/AGENTS.md +80 -0
- package/skill-assets/sunlint-code-quality/SKILL.md +176 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/C006-verb-noun-functions.md +36 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/C013-no-dead-code.md +38 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/C014-dependency-injection.md +45 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/C017-no-constructor-logic.md +46 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/C018-generic-errors.md +38 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/C019-error-log-level.md +29 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/C020-no-unused-imports.md +30 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/C022-no-unused-variables.md +33 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/C023-no-duplicate-names.md +36 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/C024-centralize-constants.md +33 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/C029-catch-log-root-cause.md +40 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/C030-custom-error-classes.md +38 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/C033-separate-data-access.md +53 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/C035-error-context-logging.md +31 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/C041-no-hardcoded-secrets.md +25 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/C042-boolean-naming.md +27 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/C052-controller-parsing.md +41 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/C060-superclass-logic.md +33 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/C067-no-hardcoded-config.md +24 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S003-open-redirect.md +47 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S004-no-log-credentials.md +28 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S005-server-authorization.md +51 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S006-default-credentials.md +42 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S007-output-encoding.md +36 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S009-approved-crypto.md +37 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S010-csprng.md +32 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S011-encrypted-client-hello.md +36 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S012-secrets-management.md +35 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S013-tls-connections.md +36 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S016-no-sensitive-query-string.md +39 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S017-parameterized-queries.md +47 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S019-email-input-sanitization.md +35 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S020-eval-code-execution.md +56 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S022-context-escaping.md +50 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S023-dynamic-js-encoding.md +34 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S025-server-validation.md +56 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S026-tls-encryption.md +28 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S027-mtls-validation.md +40 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S028-upload-limits.md +50 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S029-csrf-protection.md +42 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S030-directory-browsing.md +26 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S031-secure-cookie-flag.md +35 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S032-httponly-cookie.md +31 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S033-samesite-cookie.md +36 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S034-host-prefix-cookie.md +31 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S035-app-hostnames.md +26 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S036-internal-file-paths.md +36 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S037-anti-cache-headers.md +33 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S039-tls-certificate-validation.md +41 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S041-logout-invalidation.md +36 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S042-long-lived-sessions.md +47 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S044-critical-changes-reauth.md +45 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S045-brute-force-protection.md +48 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S047-oauth-csrf-protection.md +53 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S048-oauth-redirect-validation.md +37 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S049-auth-code-expiry.md +33 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S050-token-entropy.md +33 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S051-password-length.md +35 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S052-otp-entropy.md +26 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S053-generic-error-messages.md +32 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S054-no-default-admin.md +31 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S055-content-type-validation.md +44 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S056-log-injection.md +33 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S057-synchronized-time.md +27 -0
- package/skill-assets/sunlint-code-quality/rules/csharp/S058-ssrf-protection.md +54 -0
- package/skill-assets/sunlint-code-quality/rules/java/C006-verb-noun-functions.md +36 -0
- package/skill-assets/sunlint-code-quality/rules/java/C013-no-dead-code.md +175 -0
- package/skill-assets/sunlint-code-quality/rules/java/C014-dependency-injection.md +42 -0
- package/skill-assets/sunlint-code-quality/rules/java/C017-no-constructor-logic.md +39 -0
- package/skill-assets/sunlint-code-quality/rules/java/C018-generic-errors.md +28 -0
- package/skill-assets/sunlint-code-quality/rules/java/C019-error-log-level.md +34 -0
- package/skill-assets/sunlint-code-quality/rules/java/C020-no-unused-imports.md +34 -0
- package/skill-assets/sunlint-code-quality/rules/java/C022-no-unused-variables.md +31 -0
- package/skill-assets/sunlint-code-quality/rules/java/C023-no-duplicate-names.md +37 -0
- package/skill-assets/sunlint-code-quality/rules/java/C024-centralize-constants.md +36 -0
- package/skill-assets/sunlint-code-quality/rules/java/C029-catch-log-root-cause.md +42 -0
- package/skill-assets/sunlint-code-quality/rules/java/C030-custom-error-classes.md +50 -0
- package/skill-assets/sunlint-code-quality/rules/java/C033-separate-data-access.md +46 -0
- package/skill-assets/sunlint-code-quality/rules/java/C035-error-context-logging.md +38 -0
- package/skill-assets/sunlint-code-quality/rules/java/C041-no-hardcoded-secrets.md +34 -0
- package/skill-assets/sunlint-code-quality/rules/java/C042-boolean-naming.md +27 -0
- package/skill-assets/sunlint-code-quality/rules/java/C052-controller-parsing.md +39 -0
- package/skill-assets/sunlint-code-quality/rules/java/C060-superclass-logic.md +32 -0
- package/skill-assets/sunlint-code-quality/rules/java/C067-no-hardcoded-config.md +31 -0
- package/skill-assets/sunlint-code-quality/rules/java/S003-open-redirect.md +38 -0
- package/skill-assets/sunlint-code-quality/rules/java/S004-no-log-credentials.md +36 -0
- package/skill-assets/sunlint-code-quality/rules/java/S005-server-authorization.md +53 -0
- package/skill-assets/sunlint-code-quality/rules/java/S006-default-credentials.md +39 -0
- package/skill-assets/sunlint-code-quality/rules/java/S007-output-encoding.md +49 -0
- package/skill-assets/sunlint-code-quality/rules/java/S009-approved-crypto.md +40 -0
- package/skill-assets/sunlint-code-quality/rules/java/S010-csprng.md +36 -0
- package/skill-assets/sunlint-code-quality/rules/java/S011-encrypted-client-hello.md +27 -0
- package/skill-assets/sunlint-code-quality/rules/java/S012-secrets-management.md +34 -0
- package/skill-assets/sunlint-code-quality/rules/java/S013-tls-connections.md +40 -0
- package/skill-assets/sunlint-code-quality/rules/java/S016-no-sensitive-query-string.md +36 -0
- package/skill-assets/sunlint-code-quality/rules/java/S017-parameterized-queries.md +47 -0
- package/skill-assets/sunlint-code-quality/rules/java/S019-email-input-sanitization.md +32 -0
- package/skill-assets/sunlint-code-quality/rules/java/S020-eval-code-execution.md +45 -0
- package/skill-assets/sunlint-code-quality/rules/java/S022-context-escaping.md +28 -0
- package/skill-assets/sunlint-code-quality/rules/java/S023-dynamic-js-encoding.md +28 -0
- package/skill-assets/sunlint-code-quality/rules/java/S025-server-validation.md +58 -0
- package/skill-assets/sunlint-code-quality/rules/java/S026-tls-encryption.md +57 -0
- package/skill-assets/sunlint-code-quality/rules/java/S027-mtls-validation.md +26 -0
- package/skill-assets/sunlint-code-quality/rules/java/S028-upload-limits.md +35 -0
- package/skill-assets/sunlint-code-quality/rules/java/S029-csrf-protection.md +35 -0
- package/skill-assets/sunlint-code-quality/rules/java/S030-directory-browsing.md +38 -0
- package/skill-assets/sunlint-code-quality/rules/java/S031-secure-cookie-flag.md +38 -0
- package/skill-assets/sunlint-code-quality/rules/java/S032-httponly-cookie.md +31 -0
- package/skill-assets/sunlint-code-quality/rules/java/S033-samesite-cookie.md +42 -0
- package/skill-assets/sunlint-code-quality/rules/java/S034-host-prefix-cookie.md +35 -0
- package/skill-assets/sunlint-code-quality/rules/java/S035-app-hostnames.md +23 -0
- package/skill-assets/sunlint-code-quality/rules/java/S036-internal-file-paths.md +39 -0
- package/skill-assets/sunlint-code-quality/rules/java/S037-anti-cache-headers.md +37 -0
- package/skill-assets/sunlint-code-quality/rules/java/S039-tls-certificate-validation.md +43 -0
- package/skill-assets/sunlint-code-quality/rules/java/S041-logout-invalidation.md +53 -0
- package/skill-assets/sunlint-code-quality/rules/java/S042-long-lived-sessions.md +36 -0
- package/skill-assets/sunlint-code-quality/rules/java/S044-critical-changes-reauth.md +28 -0
- package/skill-assets/sunlint-code-quality/rules/java/S045-brute-force-protection.md +38 -0
- package/skill-assets/sunlint-code-quality/rules/java/S047-oauth-csrf-protection.md +33 -0
- package/skill-assets/sunlint-code-quality/rules/java/S048-oauth-redirect-validation.md +25 -0
- package/skill-assets/sunlint-code-quality/rules/java/S049-auth-code-expiry.md +23 -0
- package/skill-assets/sunlint-code-quality/rules/java/S050-token-entropy.md +20 -0
- package/skill-assets/sunlint-code-quality/rules/java/S051-password-length.md +20 -0
- package/skill-assets/sunlint-code-quality/rules/java/S052-otp-entropy.md +23 -0
- package/skill-assets/sunlint-code-quality/rules/java/S053-generic-error-messages.md +21 -0
- package/skill-assets/sunlint-code-quality/rules/java/S054-no-default-admin.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/java/S055-content-type-validation.md +36 -0
- package/skill-assets/sunlint-code-quality/rules/java/S056-log-injection.md +38 -0
- package/skill-assets/sunlint-code-quality/rules/java/S057-synchronized-time.md +35 -0
- package/skill-assets/sunlint-code-quality/rules/java/S058-ssrf-protection.md +56 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/C006-verb-noun-functions.md +45 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/C013-no-dead-code.md +49 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/C014-dependency-injection.md +64 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/C017-no-constructor-logic.md +68 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/C018-generic-errors.md +46 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/C019-error-log-level.md +50 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/C020-no-unused-imports.md +44 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/C022-no-unused-variables.md +39 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/C023-no-duplicate-names.md +47 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/C024-centralize-constants.md +58 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/C029-catch-log-root-cause.md +50 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/C030-custom-error-classes.md +72 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/C033-separate-data-access.md +69 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/C035-error-context-logging.md +47 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/C041-no-hardcoded-secrets.md +47 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/C042-boolean-naming.md +42 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/C052-controller-parsing.md +71 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/C060-superclass-logic.md +60 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/C067-no-hardcoded-config.md +51 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S003-open-redirect.md +66 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S004-no-log-credentials.md +59 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S005-server-authorization.md +75 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S006-default-credentials.md +49 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S007-output-encoding.md +62 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S009-approved-crypto.md +51 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S010-csprng.md +61 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S011-encrypted-client-hello.md +48 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S012-secrets-management.md +53 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S013-tls-connections.md +61 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S016-no-sensitive-query-string.md +51 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S017-parameterized-queries.md +41 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S019-email-input-sanitization.md +50 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S020-eval-code-execution.md +57 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S022-context-escaping.md +58 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S023-dynamic-js-encoding.md +57 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S025-server-validation.md +59 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S026-tls-encryption.md +50 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S027-mtls-validation.md +60 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S028-upload-limits.md +67 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S029-csrf-protection.md +57 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S030-directory-browsing.md +50 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S031-secure-cookie-flag.md +51 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S032-httponly-cookie.md +49 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S033-samesite-cookie.md +54 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S034-host-prefix-cookie.md +50 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S035-app-hostnames.md +59 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S036-internal-file-paths.md +61 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S037-anti-cache-headers.md +58 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S039-tls-certificate-validation.md +62 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S041-logout-invalidation.md +71 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S042-long-lived-sessions.md +57 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S044-critical-changes-reauth.md +64 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S045-brute-force-protection.md +64 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S047-oauth-csrf-protection.md +74 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S048-oauth-redirect-validation.md +61 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S049-auth-code-expiry.md +70 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S050-token-entropy.md +65 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S051-password-length.md +52 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S052-otp-entropy.md +55 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S053-generic-error-messages.md +66 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S054-no-default-admin.md +57 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S055-content-type-validation.md +58 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S056-log-injection.md +47 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S057-synchronized-time.md +49 -0
- package/skill-assets/sunlint-code-quality/rules/kotlin/S058-ssrf-protection.md +69 -0
- package/skill-assets/sunlint-code-quality/rules/php/C006-verb-noun-functions.md +46 -0
- package/skill-assets/sunlint-code-quality/rules/php/C013-no-dead-code.md +53 -0
- package/skill-assets/sunlint-code-quality/rules/php/C014-dependency-injection.md +71 -0
- package/skill-assets/sunlint-code-quality/rules/php/C017-no-constructor-logic.md +68 -0
- package/skill-assets/sunlint-code-quality/rules/php/C018-generic-errors.md +50 -0
- package/skill-assets/sunlint-code-quality/rules/php/C019-error-log-level.md +54 -0
- package/skill-assets/sunlint-code-quality/rules/php/C020-no-unused-imports.md +55 -0
- package/skill-assets/sunlint-code-quality/rules/php/C022-no-unused-variables.md +51 -0
- package/skill-assets/sunlint-code-quality/rules/php/C023-no-duplicate-names.md +61 -0
- package/skill-assets/sunlint-code-quality/rules/php/C024-centralize-constants.md +60 -0
- package/skill-assets/sunlint-code-quality/rules/php/C029-catch-log-root-cause.md +57 -0
- package/skill-assets/sunlint-code-quality/rules/php/C030-custom-error-classes.md +62 -0
- package/skill-assets/sunlint-code-quality/rules/php/C033-separate-data-access.md +79 -0
- package/skill-assets/sunlint-code-quality/rules/php/C035-error-context-logging.md +54 -0
- package/skill-assets/sunlint-code-quality/rules/php/C041-no-hardcoded-secrets.md +59 -0
- package/skill-assets/sunlint-code-quality/rules/php/C042-boolean-naming.md +52 -0
- package/skill-assets/sunlint-code-quality/rules/php/C052-controller-parsing.md +66 -0
- package/skill-assets/sunlint-code-quality/rules/php/C060-superclass-logic.md +54 -0
- package/skill-assets/sunlint-code-quality/rules/php/C067-no-hardcoded-config.md +55 -0
- package/skill-assets/sunlint-code-quality/rules/php/S003-open-redirect.md +60 -0
- package/skill-assets/sunlint-code-quality/rules/php/S004-no-log-credentials.md +67 -0
- package/skill-assets/sunlint-code-quality/rules/php/S005-server-authorization.md +57 -0
- package/skill-assets/sunlint-code-quality/rules/php/S006-default-credentials.md +61 -0
- package/skill-assets/sunlint-code-quality/rules/php/S007-output-encoding.md +61 -0
- package/skill-assets/sunlint-code-quality/rules/php/S009-approved-crypto.md +53 -0
- package/skill-assets/sunlint-code-quality/rules/php/S010-csprng.md +47 -0
- package/skill-assets/sunlint-code-quality/rules/php/S011-encrypted-client-hello.md +41 -0
- package/skill-assets/sunlint-code-quality/rules/php/S012-secrets-management.md +60 -0
- package/skill-assets/sunlint-code-quality/rules/php/S013-tls-connections.md +67 -0
- package/skill-assets/sunlint-code-quality/rules/php/S016-no-sensitive-query-string.md +61 -0
- package/skill-assets/sunlint-code-quality/rules/php/S017-parameterized-queries.md +44 -0
- package/skill-assets/sunlint-code-quality/rules/php/S019-email-input-sanitization.md +54 -0
- package/skill-assets/sunlint-code-quality/rules/php/S020-eval-code-execution.md +57 -0
- package/skill-assets/sunlint-code-quality/rules/php/S022-context-escaping.md +58 -0
- package/skill-assets/sunlint-code-quality/rules/php/S023-dynamic-js-encoding.md +62 -0
- package/skill-assets/sunlint-code-quality/rules/php/S025-server-validation.md +63 -0
- package/skill-assets/sunlint-code-quality/rules/php/S026-tls-encryption.md +48 -0
- package/skill-assets/sunlint-code-quality/rules/php/S027-mtls-validation.md +62 -0
- package/skill-assets/sunlint-code-quality/rules/php/S028-upload-limits.md +60 -0
- package/skill-assets/sunlint-code-quality/rules/php/S029-csrf-protection.md +65 -0
- package/skill-assets/sunlint-code-quality/rules/php/S030-directory-browsing.md +40 -0
- package/skill-assets/sunlint-code-quality/rules/php/S031-secure-cookie-flag.md +55 -0
- package/skill-assets/sunlint-code-quality/rules/php/S032-httponly-cookie.md +54 -0
- package/skill-assets/sunlint-code-quality/rules/php/S033-samesite-cookie.md +52 -0
- package/skill-assets/sunlint-code-quality/rules/php/S034-host-prefix-cookie.md +49 -0
- package/skill-assets/sunlint-code-quality/rules/php/S035-app-hostnames.md +49 -0
- package/skill-assets/sunlint-code-quality/rules/php/S036-internal-file-paths.md +56 -0
- package/skill-assets/sunlint-code-quality/rules/php/S037-anti-cache-headers.md +56 -0
- package/skill-assets/sunlint-code-quality/rules/php/S039-tls-certificate-validation.md +54 -0
- package/skill-assets/sunlint-code-quality/rules/php/S041-logout-invalidation.md +63 -0
- package/skill-assets/sunlint-code-quality/rules/php/S042-long-lived-sessions.md +57 -0
- package/skill-assets/sunlint-code-quality/rules/php/S044-critical-changes-reauth.md +71 -0
- package/skill-assets/sunlint-code-quality/rules/php/S045-brute-force-protection.md +67 -0
- package/skill-assets/sunlint-code-quality/rules/php/S047-oauth-csrf-protection.md +72 -0
- package/skill-assets/sunlint-code-quality/rules/php/S048-oauth-redirect-validation.md +54 -0
- package/skill-assets/sunlint-code-quality/rules/php/S049-auth-code-expiry.md +71 -0
- package/skill-assets/sunlint-code-quality/rules/php/S050-token-entropy.md +58 -0
- package/skill-assets/sunlint-code-quality/rules/php/S051-password-length.md +59 -0
- package/skill-assets/sunlint-code-quality/rules/php/S052-otp-entropy.md +45 -0
- package/skill-assets/sunlint-code-quality/rules/php/S053-generic-error-messages.md +59 -0
- package/skill-assets/sunlint-code-quality/rules/php/S054-no-default-admin.md +62 -0
- package/skill-assets/sunlint-code-quality/rules/php/S055-content-type-validation.md +58 -0
- package/skill-assets/sunlint-code-quality/rules/php/S056-log-injection.md +48 -0
- package/skill-assets/sunlint-code-quality/rules/php/S057-synchronized-time.md +52 -0
- package/skill-assets/sunlint-code-quality/rules/php/S058-ssrf-protection.md +65 -0
- package/skill-assets/sunlint-code-quality/rules/python/C006-verb-noun-functions.md +30 -0
- package/skill-assets/sunlint-code-quality/rules/python/C013-no-dead-code.md +24 -0
- package/skill-assets/sunlint-code-quality/rules/python/C014-dependency-injection.md +68 -0
- package/skill-assets/sunlint-code-quality/rules/python/C017-no-constructor-logic.md +30 -0
- package/skill-assets/sunlint-code-quality/rules/python/C018-generic-errors.md +25 -0
- package/skill-assets/sunlint-code-quality/rules/python/C019-error-log-level.md +26 -0
- package/skill-assets/sunlint-code-quality/rules/python/C020-no-unused-imports.md +28 -0
- package/skill-assets/sunlint-code-quality/rules/python/C022-no-unused-variables.md +24 -0
- package/skill-assets/sunlint-code-quality/rules/python/C023-no-duplicate-names.md +27 -0
- package/skill-assets/sunlint-code-quality/rules/python/C024-centralize-constants.md +27 -0
- package/skill-assets/sunlint-code-quality/rules/python/C029-catch-log-root-cause.md +61 -0
- package/skill-assets/sunlint-code-quality/rules/python/C030-custom-error-classes.md +28 -0
- package/skill-assets/sunlint-code-quality/rules/python/C033-separate-data-access.md +53 -0
- package/skill-assets/sunlint-code-quality/rules/python/C035-error-context-logging.md +26 -0
- package/skill-assets/sunlint-code-quality/rules/python/C041-no-hardcoded-secrets.md +23 -0
- package/skill-assets/sunlint-code-quality/rules/python/C042-boolean-naming.md +24 -0
- package/skill-assets/sunlint-code-quality/rules/python/C052-controller-parsing.md +34 -0
- package/skill-assets/sunlint-code-quality/rules/python/C060-superclass-logic.md +26 -0
- package/skill-assets/sunlint-code-quality/rules/python/C067-no-hardcoded-config.md +22 -0
- package/skill-assets/sunlint-code-quality/rules/python/S003-open-redirect.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S004-no-log-credentials.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S005-server-authorization.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S006-default-credentials.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S007-output-encoding.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S009-approved-crypto.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S010-csprng.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S011-encrypted-client-hello.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S012-secrets-management.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S013-tls-connections.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S016-no-sensitive-query-string.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S017-parameterized-queries.md +51 -0
- package/skill-assets/sunlint-code-quality/rules/python/S019-email-input-sanitization.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S020-eval-code-execution.md +51 -0
- package/skill-assets/sunlint-code-quality/rules/python/S022-context-escaping.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S023-dynamic-js-encoding.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S025-server-validation.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S026-tls-encryption.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S027-mtls-validation.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S028-upload-limits.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S029-csrf-protection.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S030-directory-browsing.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S031-secure-cookie-flag.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S032-httponly-cookie.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S033-samesite-cookie.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S034-host-prefix-cookie.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S035-app-hostnames.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S036-internal-file-paths.md +50 -0
- package/skill-assets/sunlint-code-quality/rules/python/S037-anti-cache-headers.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S039-tls-certificate-validation.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S041-logout-invalidation.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S042-long-lived-sessions.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S044-critical-changes-reauth.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S045-brute-force-protection.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S047-oauth-csrf-protection.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S048-oauth-redirect-validation.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S049-auth-code-expiry.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S050-token-entropy.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S051-password-length.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S052-otp-entropy.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S053-generic-error-messages.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S054-no-default-admin.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S055-content-type-validation.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S056-log-injection.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S057-synchronized-time.md +16 -0
- package/skill-assets/sunlint-code-quality/rules/python/S058-ssrf-protection.md +57 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/C006-verb-noun-functions.md +45 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/C013-no-dead-code.md +51 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/C014-dependency-injection.md +69 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/C017-no-constructor-logic.md +60 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/C018-generic-errors.md +47 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/C019-error-log-level.md +50 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/C020-no-unused-imports.md +55 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/C022-no-unused-variables.md +59 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/C023-no-duplicate-names.md +58 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/C024-centralize-constants.md +56 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/C029-catch-log-root-cause.md +53 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/C030-custom-error-classes.md +60 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/C033-separate-data-access.md +69 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/C035-error-context-logging.md +50 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/C041-no-hardcoded-secrets.md +47 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/C042-boolean-naming.md +42 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/C052-controller-parsing.md +64 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/C060-superclass-logic.md +67 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/C067-no-hardcoded-config.md +52 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S003-open-redirect.md +76 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S004-no-log-credentials.md +71 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S005-server-authorization.md +68 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S006-default-credentials.md +69 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S007-output-encoding.md +60 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S009-approved-crypto.md +53 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S010-csprng.md +53 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S011-encrypted-client-hello.md +45 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S012-secrets-management.md +47 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S013-tls-connections.md +70 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S016-no-sensitive-query-string.md +53 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S017-parameterized-queries.md +55 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S019-email-input-sanitization.md +56 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S020-eval-code-execution.md +58 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S022-context-escaping.md +48 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S023-dynamic-js-encoding.md +52 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S025-server-validation.md +62 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S026-tls-encryption.md +47 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S027-mtls-validation.md +50 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S028-upload-limits.md +65 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S029-csrf-protection.md +62 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S030-directory-browsing.md +52 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S031-secure-cookie-flag.md +48 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S032-httponly-cookie.md +36 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S033-samesite-cookie.md +46 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S034-host-prefix-cookie.md +50 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S035-app-hostnames.md +49 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S036-internal-file-paths.md +53 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S037-anti-cache-headers.md +52 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S039-tls-certificate-validation.md +51 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S041-logout-invalidation.md +58 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S042-long-lived-sessions.md +55 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S044-critical-changes-reauth.md +69 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S045-brute-force-protection.md +59 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S047-oauth-csrf-protection.md +60 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S048-oauth-redirect-validation.md +59 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S049-auth-code-expiry.md +73 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S050-token-entropy.md +48 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S051-password-length.md +60 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S052-otp-entropy.md +49 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S053-generic-error-messages.md +61 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S054-no-default-admin.md +64 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S055-content-type-validation.md +64 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S056-log-injection.md +48 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S057-synchronized-time.md +57 -0
- package/skill-assets/sunlint-code-quality/rules/typescript/S058-ssrf-protection.md +63 -0
|
@@ -0,0 +1,35 @@
|
|
|
1
|
+
---
|
|
2
|
+
title: Support 12-64 Character Passwords
|
|
3
|
+
impact: MEDIUM
|
|
4
|
+
impactDescription: enables secure passphrase usage
|
|
5
|
+
tags: password, length, passphrase, security, csharp
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
## Support 12-64 Character Passwords
|
|
9
|
+
|
|
10
|
+
Allow users to use long passphrases.
|
|
11
|
+
|
|
12
|
+
**Configuration:**
|
|
13
|
+
|
|
14
|
+
```csharp
|
|
15
|
+
services.Configure<IdentityOptions>(options =>
|
|
16
|
+
{
|
|
17
|
+
options.Password.RequiredLength = 12;
|
|
18
|
+
options.Password.RequireDigit = true;
|
|
19
|
+
options.Password.RequireLowercase = true;
|
|
20
|
+
options.Password.RequireNonAlphanumeric = true;
|
|
21
|
+
options.Password.RequireUppercase = true;
|
|
22
|
+
});
|
|
23
|
+
```
|
|
24
|
+
|
|
25
|
+
**Validation:**
|
|
26
|
+
|
|
27
|
+
```csharp
|
|
28
|
+
public class RegisterModel
|
|
29
|
+
{
|
|
30
|
+
[StringLength(100, MinimumLength = 12)]
|
|
31
|
+
public string Password { get; set; }
|
|
32
|
+
}
|
|
33
|
+
```
|
|
34
|
+
|
|
35
|
+
**Tools:** ASP.NET Identity
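Review bot: The `IdentityOptions` sample turns on all four composition flags (`RequireDigit`, `RequireLowercase`, `RequireNonAlphanumeric`, `RequireUppercase`), which rejects the all-lowercase multi-word passphrases the rule text says it wants to allow. For a length-based policy I would keep `options.Password.RequiredLength = 12;` and set the four `Require*` flags to `false`. The title says 12-64 while the model uses `[StringLength(100, MinimumLength = 12)]`; either maximum is workable, but the heading and the attribute should state the same one so readers do not copy a limit the rule does not intend.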
|
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
---
|
|
2
|
+
title: OTPs Must Have 20-bit Entropy Minimum
|
|
3
|
+
impact: MEDIUM
|
|
4
|
+
impactDescription: prevents OTP brute-forcing
|
|
5
|
+
tags: otp, entropy, authentication, 2fa, security, csharp
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
## OTPs Must Have 20-bit Entropy Minimum
|
|
9
|
+
|
|
10
|
+
Use CSPRNG for OTP generation.
|
|
11
|
+
|
|
12
|
+
**Incorrect (Random):**
|
|
13
|
+
|
|
14
|
+
```csharp
|
|
15
|
+
var otp = new Random().Next(1000, 9999);
|
|
16
|
+
```
|
|
17
|
+
|
|
18
|
+
**Correct (CSPRNG):**
|
|
19
|
+
|
|
20
|
+
```csharp
|
|
21
|
+
// 6 digits
|
|
22
|
+
int otp = RandomNumberGenerator.GetInt32(0, 1000000);
|
|
23
|
+
string otpString = otp.ToString("D6");
|
|
24
|
+
```
|
|
25
|
+
|
|
26
|
+
**Tools:** Roslyn Analyzers
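Review bot: The "Correct" sample produces a six-digit code, which is about 19.9 bits (10^6 values against 2^20 = 1,048,576), so it sits just under the 20-bit figure in the title, and the rule never mentions the controls that actually stop guessing. I would add a line under the sample such as `// Pair with a short validity window, single use and a per-account attempt limit; entropy alone does not stop guessing`. The `RandomNumberGenerator.GetInt32(0, 1000000)` call itself is fine: the upper bound is exclusive and `ToString("D6")` keeps leading zeros.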
|
|
@@ -0,0 +1,32 @@
|
|
|
1
|
+
---
|
|
2
|
+
title: Return Generic Error Messages
|
|
3
|
+
impact: HIGH
|
|
4
|
+
impactDescription: prevents information disclosure
|
|
5
|
+
tags: error-messages, information-disclosure, security, csharp
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
## Return Generic Error Messages
|
|
9
|
+
|
|
10
|
+
Don't leak stack traces or internal details to users.
|
|
11
|
+
|
|
12
|
+
**Incorrect (Dev Exception Page in Prod):**
|
|
13
|
+
|
|
14
|
+
```csharp
|
|
15
|
+
// Startup.cs
|
|
16
|
+
app.UseDeveloperExceptionPage(); // Dangerous in Prod
|
|
17
|
+
```
|
|
18
|
+
|
|
19
|
+
**Correct (Generic Error Handler):**
|
|
20
|
+
|
|
21
|
+
```csharp
|
|
22
|
+
if (env.IsDevelopment())
|
|
23
|
+
{
|
|
24
|
+
app.UseDeveloperExceptionPage();
|
|
25
|
+
}
|
|
26
|
+
else
|
|
27
|
+
{
|
|
28
|
+
app.UseExceptionHandler("/Error");
|
|
29
|
+
}
|
|
30
|
+
```
|
|
31
|
+
|
|
32
|
+
**Tools:** ASP.NET Core Middleware
|
|
@@ -0,0 +1,31 @@
|
|
|
1
|
+
---
|
|
2
|
+
title: Avoid Default Admin/Root Accounts
|
|
3
|
+
impact: HIGH
|
|
4
|
+
impactDescription: prevents easy initial access by attackers
|
|
5
|
+
tags: admin, default-accounts, credentials, security, csharp
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
## Avoid Default Admin/Root Accounts
|
|
9
|
+
|
|
10
|
+
Do not seed default admin accounts with known passwords.
|
|
11
|
+
|
|
12
|
+
**Incorrect:**
|
|
13
|
+
|
|
14
|
+
```csharp
|
|
15
|
+
// Seeding
|
|
16
|
+
if (!users.Any())
|
|
17
|
+
{
|
|
18
|
+
userManager.CreateAsync(new User("admin"), "Admin123!");
|
|
19
|
+
}
|
|
20
|
+
```
|
|
21
|
+
|
|
22
|
+
**Correct:**
|
|
23
|
+
|
|
24
|
+
```csharp
|
|
25
|
+
// Require setup via UI or CLI, or use random password printed to logs on first startup
|
|
26
|
+
var pwd = GenerateRandomPassword();
|
|
27
|
+
logger.LogInformation("Generated Admin Password: {Pwd}", pwd);
|
|
28
|
+
userManager.CreateAsync(new User("admin"), pwd);
|
|
29
|
+
```
|
|
30
|
+
|
|
31
|
+
**Tools:** Manual Review
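Review bot: The "Correct" block writes the bootstrap admin password into the application log with `logger.LogInformation("Generated Admin Password: {Pwd}", pwd);`, so the credential lands in every sink, aggregator and backup that receives that log, which is the pattern the package's own S004 no-log-credentials rule exists to stop. I would drop that line and describe out-of-band delivery instead, for example `// Show once on the interactive setup console or issue a single-use setup link; force a password change at first sign-in`. Both samples also call `userManager.CreateAsync(...)` without `await` and without checking the result, so a failed creation goes unnoticed. `var result = await userManager.CreateAsync(new User("admin"), pwd);` followed by a check of `result.Succeeded` would make the sample safe to copy.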
|
|
@@ -0,0 +1,44 @@
|
|
|
1
|
+
---
|
|
2
|
+
title: Validate Content-Type In REST Services
|
|
3
|
+
impact: MEDIUM
|
|
4
|
+
impactDescription: prevents content-type confusion attacks
|
|
5
|
+
tags: rest, content-type, validation, api, security, csharp
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
## Validate Content-Type In REST Services
|
|
9
|
+
|
|
10
|
+
Ensure your API only accepts expected content types to avoid parsing vulnerabilities.
|
|
11
|
+
|
|
12
|
+
**Incorrect (accepting anything):**
|
|
13
|
+
|
|
14
|
+
```csharp
|
|
15
|
+
[HttpPost]
|
|
16
|
+
public IActionResult Upload(IFormFile file)
|
|
17
|
+
{
|
|
18
|
+
// No check on Content-Type or file signature
|
|
19
|
+
}
|
|
20
|
+
```
|
|
21
|
+
|
|
22
|
+
**Correct (strict validation):**
|
|
23
|
+
|
|
24
|
+
```csharp
|
|
25
|
+
[HttpPost]
|
|
26
|
+
[Consumes("application/json")] // Force valid Content-Type
|
|
27
|
+
public IActionResult UpdateData([FromBody] DataModel model)
|
|
28
|
+
{
|
|
29
|
+
return Ok();
|
|
30
|
+
}
|
|
31
|
+
|
|
32
|
+
// Manual check for files
|
|
33
|
+
public IActionResult Upload(IFormFile file)
|
|
34
|
+
{
|
|
35
|
+
if (file.ContentType != "image/png" && file.ContentType != "image/jpeg")
|
|
36
|
+
{
|
|
37
|
+
return BadRequest("Invalid Content-Type");
|
|
38
|
+
}
|
|
39
|
+
// Also validate file signature/magic numbers!
|
|
40
|
+
return Ok();
|
|
41
|
+
}
|
|
42
|
+
```
|
|
43
|
+
|
|
44
|
+
**Tools:** Roslyn Analyzers, SonarQube
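Review bot: In the "Correct" `Upload` sample the only enforced check is on `file.ContentType`, which is the value the client placed in the multipart part header, and the signature check is left as a comment before `return Ok();`. A reader copying this gets an allow-list that the sender controls. I would either show the comparison of the first bytes read from `file.OpenReadStream()` against the expected signatures, or reword the comment to `// ContentType is client-supplied: treat it as a hint and decide from the file signature`. The second `Upload` also lacks the `[HttpPost]` attribute that the other actions in this file carry.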
|
|
@@ -0,0 +1,33 @@
|
|
|
1
|
+
---
|
|
2
|
+
title: Protect Against Log Injection
|
|
3
|
+
impact: HIGH
|
|
4
|
+
impactDescription: prevents log forging and exploitation
|
|
5
|
+
tags: logging, injection, sanitization, security, csharp
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
## Protect Against Log Injection
|
|
9
|
+
|
|
10
|
+
Attackers can inject newlines to forge log entries or confuse monitoring systems.
|
|
11
|
+
|
|
12
|
+
**Incorrect (raw logging):**
|
|
13
|
+
|
|
14
|
+
```csharp
|
|
15
|
+
_logger.LogInformation("User logged in: " + username);
|
|
16
|
+
// Attacker: "admin\n[ERROR] System failure"
|
|
17
|
+
```
|
|
18
|
+
|
|
19
|
+
**Correct (structured logging or sanitization):**
|
|
20
|
+
|
|
21
|
+
```csharp
|
|
22
|
+
// Structured Logging (Serilog/MEL) - Safe by default as it treats data as properties
|
|
23
|
+
_logger.LogInformation("User logged in: {Username}", username);
|
|
24
|
+
|
|
25
|
+
// If using simple text logging, sanitize
|
|
26
|
+
string SanitizeLog(string input)
|
|
27
|
+
{
|
|
28
|
+
return input.Replace("\n", "_").Replace("\r", "_");
|
|
29
|
+
}
|
|
30
|
+
_logger.LogInformation($"User logged in: {SanitizeLog(username)}");
|
|
31
|
+
```
|
|
32
|
+
|
|
33
|
+
**Tools:** Serilog, Roslyn Analyzers, SonarQube
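Review bot: The comment "Safe by default as it treats data as properties" overstates what structured logging provides. The value is kept as a separate property, but a plain-text console or file sink still renders it into the line with its newlines intact unless the output formatter escapes them (JSON-style output does). I would reword the comment to say the protection depends on the sink's output format. The fallback sample then defeats structured logging by passing an interpolated string; `_logger.LogInformation("User logged in: {Username}", SanitizeLog(username));` keeps the template constant. `SanitizeLog` replaces only `\n` and `\r`, so other control characters and Unicode line separators pass through, though which of those matter depends on the log viewer in use.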
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
---
|
|
2
|
+
title: Use Synchronized Time (UTC) In Logs
|
|
3
|
+
impact: MEDIUM
|
|
4
|
+
impactDescription: enables accurate incident correlation
|
|
5
|
+
tags: logging, time, utc, synchronization, security, csharp
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
## Use Synchronized Time (UTC) In Logs
|
|
9
|
+
|
|
10
|
+
Always use UTC time for logs and database records.
|
|
11
|
+
|
|
12
|
+
**Incorrect (local time):**
|
|
13
|
+
|
|
14
|
+
```csharp
|
|
15
|
+
_logger.LogInformation("Action at {Time}", DateTime.Now); // Depends on server timezone
|
|
16
|
+
```
|
|
17
|
+
|
|
18
|
+
**Correct (UTC):**
|
|
19
|
+
|
|
20
|
+
```csharp
|
|
21
|
+
_logger.LogInformation("Action at {Time}", DateTime.UtcNow);
|
|
22
|
+
|
|
23
|
+
// Configure Serilog to output UTC
|
|
24
|
+
// .WriteTo.Console(outputTemplate: "{Timestamp:u} ...")
|
|
25
|
+
```
|
|
26
|
+
|
|
27
|
+
**Tools:** Roslyn Analyzers, SonarQube
|
|
@@ -0,0 +1,54 @@
|
|
|
1
|
+
---
|
|
2
|
+
title: Protect Against SSRF Attacks
|
|
3
|
+
impact: MEDIUM
|
|
4
|
+
impactDescription: prevents internal network access from user input
|
|
5
|
+
tags: ssrf, url, network, internal, security, csharp
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
## Protect Against SSRF Attacks
|
|
9
|
+
|
|
10
|
+
Server-Side Request Forgery occurs when the server fetches a URL provided by the attacker.
|
|
11
|
+
|
|
12
|
+
**Incorrect (fetching user URL):**
|
|
13
|
+
|
|
14
|
+
```csharp
|
|
15
|
+
public async Task<string> FetchUrl(string url)
|
|
16
|
+
{
|
|
17
|
+
using var client = new HttpClient();
|
|
18
|
+
return await client.GetStringAsync(url); // Attacker can access internal metadata/localhost
|
|
19
|
+
}
|
|
20
|
+
```
|
|
21
|
+
|
|
22
|
+
**Correct (validation):**
|
|
23
|
+
|
|
24
|
+
```csharp
|
|
25
|
+
public async Task<string> SafeFetchUrl(string inputUrl)
|
|
26
|
+
{
|
|
27
|
+
if (!Uri.TryCreate(inputUrl, UriKind.Absolute, out var uri))
|
|
28
|
+
throw new ArgumentException("Invalid URL");
|
|
29
|
+
|
|
30
|
+
if (uri.Scheme != "http" && uri.Scheme != "https")
|
|
31
|
+
throw new ArgumentException("Invalid Scheme");
|
|
32
|
+
|
|
33
|
+
// Block non-standard ports
|
|
34
|
+
if (!uri.IsDefaultPort) throw new ArgumentException("Port not allowed");
|
|
35
|
+
|
|
36
|
+
// Resolve IP and check blocklist (simplified)
|
|
37
|
+
var ipAddresses = await Dns.GetHostAddressesAsync(uri.DnsSafeHost);
|
|
38
|
+
foreach (var ip in ipAddresses)
|
|
39
|
+
{
|
|
40
|
+
if (IsPrivateIp(ip)) throw new Exception("SSRF Detected: Private IP");
|
|
41
|
+
}
|
|
42
|
+
|
|
43
|
+
using var client = new HttpClient();
|
|
44
|
+
return await client.GetStringAsync(uri);
|
|
45
|
+
}
|
|
46
|
+
|
|
47
|
+
private bool IsPrivateIp(IPAddress ip)
|
|
48
|
+
{
|
|
49
|
+
// Check for 127.0.0.1, 10.x.x.x, 192.168.x.x, etc.
|
|
50
|
+
return IPAddress.IsLoopback(ip) || ip.ToString().StartsWith("10.") || ip.ToString().StartsWith("192.168.");
|
|
51
|
+
}
|
|
52
|
+
```
|
|
53
|
+
|
|
54
|
+
**Tools:** Security Code Scan, SonarQube
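Review bot: `IsPrivateIp` in the "Correct" sample matches only loopback and the string prefixes `10.` and `192.168.`, so 172.16.0.0/12, link-local 169.254.0.0/16 (the range cloud metadata endpoints typically use, which the "Incorrect" comment names as the risk), IPv6 unique-local and link-local ranges, and IPv4-mapped IPv6 forms all pass the check. The comparison should work on `ip.GetAddressBytes()`, after `ip.MapToIPv4()` when `ip.IsIPv4MappedToIPv6` is true, rather than on `ip.ToString()`. Two gaps remain even with a complete range list: `HttpClient` resolves the host again after the check, so the validated address is not necessarily the one connected to, and redirects are followed by default, which `new HttpClient(new HttpClientHandler { AllowAutoRedirect = false })` closes. `throw new Exception("SSRF Detected: Private IP")` is also the generic throw that the package's own C018 rule advises against.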
|
|
@@ -0,0 +1,36 @@
|
|
|
1
|
+
---
|
|
2
|
+
title: Function Names Verb-Noun Pattern
|
|
3
|
+
impact: MEDIUM
|
|
4
|
+
impactDescription: improves code readability and maintainability
|
|
5
|
+
tags: readability, naming, best-practice, java
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
## Function Names Verb-Noun Pattern
|
|
9
|
+
|
|
10
|
+
Method names should clearly state what they do. Following a `verbNoun` pattern (camelCase) makes the code more intuitive and easier to scan.
|
|
11
|
+
|
|
12
|
+
**Incorrect (vague or reverse naming):**
|
|
13
|
+
|
|
14
|
+
```java
|
|
15
|
+
public void userData(User user) { ... }
|
|
16
|
+
public List<User> usersGet() { ... }
|
|
17
|
+
public void process() { ... }
|
|
18
|
+
```
|
|
19
|
+
|
|
20
|
+
**Correct (verb-noun naming):**
|
|
21
|
+
|
|
22
|
+
```java
|
|
23
|
+
public void saveUser(User user) { ... }
|
|
24
|
+
public List<User> getAllUsers() { ... }
|
|
25
|
+
public void processPayment() { ... }
|
|
26
|
+
public boolean isValidEmail(String email) { ... }
|
|
27
|
+
```
|
|
28
|
+
|
|
29
|
+
**Common Verbs:**
|
|
30
|
+
- `get` / `find`: Retrieve data.
|
|
31
|
+
- `save` / `create` / `update`: Modify data.
|
|
32
|
+
- `is` / `has`: Boolean checks.
|
|
33
|
+
- `validate`: Check constraints.
|
|
34
|
+
- `calculate`: Perform computations.
|
|
35
|
+
|
|
36
|
+
**Tools:** Checkstyle, IntelliJ Inspections, Manual Review
|
|
@@ -0,0 +1,175 @@
|
|
|
1
|
+
---
|
|
2
|
+
title: Do Not Commit Dead Code
|
|
3
|
+
impact: MEDIUM
|
|
4
|
+
impactDescription: reduces codebase clutter and potential for bugs
|
|
5
|
+
tags: readability, clean-code, maintainability, java
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
## Do Not Commit Dead Code
|
|
9
|
+
|
|
10
|
+
Dead code (commented-out code, unused methods, unreachable branches) increases technical debt and makes the codebase harder to maintain and understand.
|
|
11
|
+
|
|
12
|
+
**Incorrect (commented code or unreachable blocks):**
|
|
13
|
+
|
|
14
|
+
```java
|
|
15
|
+
public void calculate() {
|
|
16
|
+
int x = 10;
|
|
17
|
+
// int y = 20; // DEAD CODE
|
|
18
|
+
// if (x > 5) { ... } // DEAD CODE
|
|
19
|
+
System.out.println(x);
|
|
20
|
+
}
|
|
21
|
+
```
|
|
22
|
+
|
|
23
|
+
**Correct (clean code):**
|
|
24
|
+
|
|
25
|
+
```java
|
|
26
|
+
public void calculate() {
|
|
27
|
+
int x = 10;
|
|
28
|
+
System.out.println(x);
|
|
29
|
+
}
|
|
30
|
+
```
|
|
31
|
+
|
|
32
|
+
**Tools:** IntelliJ Inspections, PMD, SonarQube (S1144), Checkstyle
|
|
33
|
+
---
|
|
34
|
+
title: Use Dependency Injection
|
|
35
|
+
impact: HIGH
|
|
36
|
+
impactDescription: improves testability and decouples components
|
|
37
|
+
tags: dependency-injection, spring, testing, java
|
|
38
|
+
---
|
|
39
|
+
|
|
40
|
+
## Use Dependency Injection
|
|
41
|
+
|
|
42
|
+
Hardcoding dependencies (using `new`) makes components tightly coupled and difficult to test. Dependency Injection (DI) allows the framework to manage object lifecycles and permits easy mocking during unit tests.
|
|
43
|
+
|
|
44
|
+
**Incorrect (tight coupling):**
|
|
45
|
+
|
|
46
|
+
```java
|
|
47
|
+
public class UserService {
|
|
48
|
+
private final UserRepository repo = new UserRepository(); // VULNERABLE to tight coupling
|
|
49
|
+
|
|
50
|
+
public void save(User user) {
|
|
51
|
+
repo.save(user);
|
|
52
|
+
}
|
|
53
|
+
}
|
|
54
|
+
```
|
|
55
|
+
|
|
56
|
+
**Correct (constructor injection):**
|
|
57
|
+
|
|
58
|
+
```java
|
|
59
|
+
@Service
|
|
60
|
+
public class UserService {
|
|
61
|
+
private final UserRepository repo;
|
|
62
|
+
|
|
63
|
+
// SECURE: Dependency is injected via constructor
|
|
64
|
+
public UserService(UserRepository repo) {
|
|
65
|
+
this.repo = repo;
|
|
66
|
+
}
|
|
67
|
+
|
|
68
|
+
public void save(User user) {
|
|
69
|
+
repo.save(user);
|
|
70
|
+
}
|
|
71
|
+
}
|
|
72
|
+
```
|
|
73
|
+
|
|
74
|
+
**Tools:** Spring Framework, Dagger, Guice, SonarQube (S3306)
|
|
75
|
+
---
|
|
76
|
+
title: No Business Logic In Constructors
|
|
77
|
+
impact: MEDIUM
|
|
78
|
+
impactDescription: prevents side effects during object instantiation and improves testability
|
|
79
|
+
tags: clean-code, best-practice, java
|
|
80
|
+
---
|
|
81
|
+
|
|
82
|
+
## No Business Logic In Constructors
|
|
83
|
+
|
|
84
|
+
Constructors should only be used for initialized fields. Performing business logic (database calls, network requests) inside a constructor makes the object hard to test and can lead to unexpected side effects during initialization.
|
|
85
|
+
|
|
86
|
+
**Incorrect (logic in constructor):**
|
|
87
|
+
|
|
88
|
+
```java
|
|
89
|
+
public class OrderService {
|
|
90
|
+
public OrderService() {
|
|
91
|
+
// VULNERABLE: Side effects during new OrderService()
|
|
92
|
+
loadConfiguration();
|
|
93
|
+
connectToDatabase();
|
|
94
|
+
}
|
|
95
|
+
}
|
|
96
|
+
```
|
|
97
|
+
|
|
98
|
+
**Correct (separate initialization):**
|
|
99
|
+
|
|
100
|
+
```java
|
|
101
|
+
public class OrderService {
|
|
102
|
+
public OrderService() {
|
|
103
|
+
// Only simple field assignments
|
|
104
|
+
}
|
|
105
|
+
|
|
106
|
+
@PostConstruct
|
|
107
|
+
public void init() {
|
|
108
|
+
// Business logic or heavy setup here
|
|
109
|
+
}
|
|
110
|
+
}
|
|
111
|
+
```
|
|
112
|
+
|
|
113
|
+
**Tools:** Manual Review, SonarQube (S1699)
|
|
114
|
+
---
|
|
115
|
+
title: Do Not Throw Generic Errors
|
|
116
|
+
impact: MEDIUM
|
|
117
|
+
impactDescription: makes error handling difficult for the caller
|
|
118
|
+
tags: error-handling, exceptions, java
|
|
119
|
+
---
|
|
120
|
+
|
|
121
|
+
## Do Not Throw Generic Errors
|
|
122
|
+
|
|
123
|
+
Throwing `Exception` or `RuntimeException` provides no context to the caller. Always throw specific, meaningful exceptions.
|
|
124
|
+
|
|
125
|
+
**Incorrect (generic throws):**
|
|
126
|
+
|
|
127
|
+
```java
|
|
128
|
+
public void findUser(String id) throws Exception {
|
|
129
|
+
if (id == null) throw new Exception("ID missing");
|
|
130
|
+
}
|
|
131
|
+
```
|
|
132
|
+
|
|
133
|
+
**Correct (specific throws):**
|
|
134
|
+
|
|
135
|
+
```java
|
|
136
|
+
public void findUser(String id) {
|
|
137
|
+
if (id == null) throw new IllegalArgumentException("User ID cannot be null");
|
|
138
|
+
}
|
|
139
|
+
```
|
|
140
|
+
|
|
141
|
+
**Tools:** SonarQube (S2221), Manual Review
|
|
142
|
+
---
|
|
143
|
+
title: Do Not Use Error Log Level For Non-Critical Issues
|
|
144
|
+
impact: MEDIUM
|
|
145
|
+
impactDescription: prevents log noise and ensures relevant alerts
|
|
146
|
+
tags: logging, best-practice, java
|
|
147
|
+
---
|
|
148
|
+
|
|
149
|
+
## Do Not Use Error Log Level For Non-Critical Issues
|
|
150
|
+
|
|
151
|
+
The `ERROR` level should be reserved for issues that require immediate developer attention. For expected failures (like invalid user input), use `WARN` or `INFO`.
|
|
152
|
+
|
|
153
|
+
**Incorrect (error for everything):**
|
|
154
|
+
|
|
155
|
+
```java
|
|
156
|
+
if (user == null) {
|
|
157
|
+
log.error("User not found: {}", id); // Should be WARN or INFO
|
|
158
|
+
}
|
|
159
|
+
```
|
|
160
|
+
|
|
161
|
+
**Correct (appropriate log levels):**
|
|
162
|
+
|
|
163
|
+
```java
|
|
164
|
+
if (user == null) {
|
|
165
|
+
log.warn("Attempt to access non-existent user: {}", id);
|
|
166
|
+
}
|
|
167
|
+
|
|
168
|
+
try {
|
|
169
|
+
db.save(data);
|
|
170
|
+
} catch (SQLException e) {
|
|
171
|
+
log.error("Critical database failure", e); // TRUE ERROR
|
|
172
|
+
}
|
|
173
|
+
```
|
|
174
|
+
|
|
175
|
+
**Tools:** Manual Review
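Review bot: This 175-line file carries five complete rules, each with its own `---` front-matter block (dead code, dependency injection, constructor logic, generic errors, error log level), and the last four appear again as their own new-file hunks directly after this one. A front-matter parser will normally read only the first block, so the other four titles and impact values would end up as body text of the dead-code rule, and the duplicated copies can drift apart. I would end the file after `**Tools:** IntelliJ Inspections, PMD, SonarQube (S1144), Checkstyle`. Separately, the `// VULNERABLE` and `// SECURE` labels in the dependency-injection and constructor samples mark design issues rather than security findings; `// tightly coupled` and `// injected via constructor` would avoid implying otherwise.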
|
|
@@ -0,0 +1,42 @@
|
|
|
1
|
+
---
|
|
2
|
+
title: Use Dependency Injection
|
|
3
|
+
impact: HIGH
|
|
4
|
+
impactDescription: improves testability and decouples components
|
|
5
|
+
tags: dependency-injection, spring, testing, java
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
## Use Dependency Injection
|
|
9
|
+
|
|
10
|
+
Hardcoding dependencies (using `new`) makes components tightly coupled and difficult to test. Dependency Injection (DI) allows the framework to manage object lifecycles and permits easy mocking during unit tests.
|
|
11
|
+
|
|
12
|
+
**Incorrect (tight coupling):**
|
|
13
|
+
|
|
14
|
+
```java
|
|
15
|
+
public class UserService {
|
|
16
|
+
private final UserRepository repo = new UserRepository(); // VULNERABLE to tight coupling
|
|
17
|
+
|
|
18
|
+
public void save(User user) {
|
|
19
|
+
repo.save(user);
|
|
20
|
+
}
|
|
21
|
+
}
|
|
22
|
+
```
|
|
23
|
+
|
|
24
|
+
**Correct (constructor injection):**
|
|
25
|
+
|
|
26
|
+
```java
|
|
27
|
+
@Service
|
|
28
|
+
public class UserService {
|
|
29
|
+
private final UserRepository repo;
|
|
30
|
+
|
|
31
|
+
// SECURE: Dependency is injected via constructor
|
|
32
|
+
public UserService(UserRepository repo) {
|
|
33
|
+
this.repo = repo;
|
|
34
|
+
}
|
|
35
|
+
|
|
36
|
+
public void save(User user) {
|
|
37
|
+
repo.save(user);
|
|
38
|
+
}
|
|
39
|
+
}
|
|
40
|
+
```
|
|
41
|
+
|
|
42
|
+
**Tools:** Spring Framework, Dagger, Guice, SonarQube (S3306)
|
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
---
|
|
2
|
+
title: No Business Logic In Constructors
|
|
3
|
+
impact: MEDIUM
|
|
4
|
+
impactDescription: prevents side effects during object instantiation and improves testability
|
|
5
|
+
tags: clean-code, best-practice, java
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
## No Business Logic In Constructors
|
|
9
|
+
|
|
10
|
+
Constructors should only be used for initialized fields. Performing business logic (database calls, network requests) inside a constructor makes the object hard to test and can lead to unexpected side effects during initialization.
|
|
11
|
+
|
|
12
|
+
**Incorrect (logic in constructor):**
|
|
13
|
+
|
|
14
|
+
```java
|
|
15
|
+
public class OrderService {
|
|
16
|
+
public OrderService() {
|
|
17
|
+
// VULNERABLE: Side effects during new OrderService()
|
|
18
|
+
loadConfiguration();
|
|
19
|
+
connectToDatabase();
|
|
20
|
+
}
|
|
21
|
+
}
|
|
22
|
+
```
|
|
23
|
+
|
|
24
|
+
**Correct (separate initialization):**
|
|
25
|
+
|
|
26
|
+
```java
|
|
27
|
+
public class OrderService {
|
|
28
|
+
public OrderService() {
|
|
29
|
+
// Only simple field assignments
|
|
30
|
+
}
|
|
31
|
+
|
|
32
|
+
@PostConstruct
|
|
33
|
+
public void init() {
|
|
34
|
+
// Business logic or heavy setup here
|
|
35
|
+
}
|
|
36
|
+
}
|
|
37
|
+
```
|
|
38
|
+
|
|
39
|
+
**Tools:** Manual Review, SonarQube (S1699)
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
---
|
|
2
|
+
title: Do Not Throw Generic Errors
|
|
3
|
+
impact: MEDIUM
|
|
4
|
+
impactDescription: makes error handling difficult for the caller
|
|
5
|
+
tags: error-handling, exceptions, java
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
## Do Not Throw Generic Errors
|
|
9
|
+
|
|
10
|
+
Throwing `Exception` or `RuntimeException` provides no context to the caller. Always throw specific, meaningful exceptions.
|
|
11
|
+
|
|
12
|
+
**Incorrect (generic throws):**
|
|
13
|
+
|
|
14
|
+
```java
|
|
15
|
+
public void findUser(String id) throws Exception {
|
|
16
|
+
if (id == null) throw new Exception("ID missing");
|
|
17
|
+
}
|
|
18
|
+
```
|
|
19
|
+
|
|
20
|
+
**Correct (specific throws):**
|
|
21
|
+
|
|
22
|
+
```java
|
|
23
|
+
public void findUser(String id) {
|
|
24
|
+
if (id == null) throw new IllegalArgumentException("User ID cannot be null");
|
|
25
|
+
}
|
|
26
|
+
```
|
|
27
|
+
|
|
28
|
+
**Tools:** SonarQube (S2221), Manual Review
|
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
---
|
|
2
|
+
title: Do Not Use Error Log Level For Non-Critical Issues
|
|
3
|
+
impact: MEDIUM
|
|
4
|
+
impactDescription: prevents log noise and ensures relevant alerts
|
|
5
|
+
tags: logging, best-practice, java
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
## Do Not Use Error Log Level For Non-Critical Issues
|
|
9
|
+
|
|
10
|
+
The `ERROR` level should be reserved for issues that require immediate developer attention. For expected failures (like invalid user input), use `WARN` or `INFO`.
|
|
11
|
+
|
|
12
|
+
**Incorrect (error for everything):**
|
|
13
|
+
|
|
14
|
+
```java
|
|
15
|
+
if (user == null) {
|
|
16
|
+
log.error("User not found: {}", id); // Should be WARN or INFO
|
|
17
|
+
}
|
|
18
|
+
```
|
|
19
|
+
|
|
20
|
+
**Correct (appropriate log levels):**
|
|
21
|
+
|
|
22
|
+
```java
|
|
23
|
+
if (user == null) {
|
|
24
|
+
log.warn("Attempt to access non-existent user: {}", id);
|
|
25
|
+
}
|
|
26
|
+
|
|
27
|
+
try {
|
|
28
|
+
db.save(data);
|
|
29
|
+
} catch (SQLException e) {
|
|
30
|
+
log.error("Critical database failure", e); // TRUE ERROR
|
|
31
|
+
}
|
|
32
|
+
```
|
|
33
|
+
|
|
34
|
+
**Tools:** Manual Review
|
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
---
|
|
2
|
+
title: Do Not Import Unused Modules
|
|
3
|
+
impact: MEDIUM
|
|
4
|
+
impactDescription: reduces compilation time and avoids namespace pollution
|
|
5
|
+
tags: readability, clean-code, java
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
## Do Not Import Unused Modules
|
|
9
|
+
|
|
10
|
+
Unused imports clutter the code and can lead to confusion if multiple classes have the same name in different packages.
|
|
11
|
+
|
|
12
|
+
**Incorrect (unused imports):**
|
|
13
|
+
|
|
14
|
+
```java
|
|
15
|
+
import java.util.List;
|
|
16
|
+
import java.util.ArrayList; // UNUSED
|
|
17
|
+
import java.util.stream.Collectors; // UNUSED
|
|
18
|
+
|
|
19
|
+
public class MyClass {
|
|
20
|
+
public void run(List<String> list) { ... }
|
|
21
|
+
}
|
|
22
|
+
```
|
|
23
|
+
|
|
24
|
+
**Correct (clean imports):**
|
|
25
|
+
|
|
26
|
+
```java
|
|
27
|
+
import java.util.List;
|
|
28
|
+
|
|
29
|
+
public class MyClass {
|
|
30
|
+
public void run(List<String> list) { ... }
|
|
31
|
+
}
|
|
32
|
+
```
|
|
33
|
+
|
|
34
|
+
**Tools:** IntelliJ "Optimize Imports", Checkstyle (UnusedImports), PMD
|