@sun-asterisk/sunlint 1.3.39 → 1.3.41

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (488) hide show
  1. package/config/rules/rules-registry-generated.json +134 -108
  2. package/core/rule-selection-service.js +11 -0
  3. package/docs/GENERATED_FILES_QUICK_REFERENCE.md +96 -0
  4. package/docs/GENERATED_FILE_HANDLING_SUMMARY.md +152 -0
  5. package/docs/skills/CREATE_NEW_DART_RULE.md +161 -14
  6. package/origin-rules/dart-en.md +151 -163
  7. package/package.json +2 -1
  8. package/rules/dart/D002_dispose_resources/config.json +25 -0
  9. package/rules/dart/D003_prefer_widgets_over_methods/config.json +14 -0
  10. package/rules/dart/D004_avoid_shrinkwrap_listview/config.json +13 -0
  11. package/rules/dart/D005_limit_widget_nesting/config.json +13 -0
  12. package/rules/dart/D006_prefer_extracting_large_callbacks/config.json +25 -0
  13. package/rules/dart/D007_prefer_init_first_dispose_last/config.json +10 -0
  14. package/rules/dart/D008_avoid_long_functions/config.json +12 -0
  15. package/rules/dart/D009_limit_function_parameters/config.json +13 -0
  16. package/rules/dart/D010_limit_cyclomatic_complexity/config.json +12 -0
  17. package/rules/dart/D011_prefer_named_parameters/config.json +12 -0
  18. package/rules/dart/D012_prefer_named_boolean_parameters/config.json +9 -0
  19. package/rules/dart/D013_single_public_class/config.json +10 -0
  20. package/rules/dart/D014_unsafe_collection_access/config.json +10 -0
  21. package/rules/dart/D015_copywith_all_parameters/config.json +9 -0
  22. package/rules/dart/D016_project_should_have_tests/config.json +24 -0
  23. package/rules/dart/D017_pubspec_dependencies_review/config.json +23 -0
  24. package/rules/dart/D018_remove_commented_code/config.json +13 -0
  25. package/rules/dart/D019_avoid_single_child_multi_child_widget/config.json +21 -0
  26. package/rules/dart/D020_limit_if_else_branches/config.json +12 -0
  27. package/rules/dart/D021_avoid_negated_boolean_checks/config.json +14 -0
  28. package/rules/dart/D022_use_setstate_correctly/config.json +14 -0
  29. package/rules/dart/D023_avoid_unnecessary_method_overrides/config.json +13 -0
  30. package/rules/dart/D024_avoid_unnecessary_stateful_widget/config.json +9 -0
  31. package/rules/dart/D025_avoid_nested_conditional_expressions/config.json +9 -0
  32. package/skill-assets/sunlint-code-quality/AGENTS.md +80 -0
  33. package/skill-assets/sunlint-code-quality/SKILL.md +176 -0
  34. package/skill-assets/sunlint-code-quality/rules/csharp/C006-verb-noun-functions.md +36 -0
  35. package/skill-assets/sunlint-code-quality/rules/csharp/C013-no-dead-code.md +38 -0
  36. package/skill-assets/sunlint-code-quality/rules/csharp/C014-dependency-injection.md +45 -0
  37. package/skill-assets/sunlint-code-quality/rules/csharp/C017-no-constructor-logic.md +46 -0
  38. package/skill-assets/sunlint-code-quality/rules/csharp/C018-generic-errors.md +38 -0
  39. package/skill-assets/sunlint-code-quality/rules/csharp/C019-error-log-level.md +29 -0
  40. package/skill-assets/sunlint-code-quality/rules/csharp/C020-no-unused-imports.md +30 -0
  41. package/skill-assets/sunlint-code-quality/rules/csharp/C022-no-unused-variables.md +33 -0
  42. package/skill-assets/sunlint-code-quality/rules/csharp/C023-no-duplicate-names.md +36 -0
  43. package/skill-assets/sunlint-code-quality/rules/csharp/C024-centralize-constants.md +33 -0
  44. package/skill-assets/sunlint-code-quality/rules/csharp/C029-catch-log-root-cause.md +40 -0
  45. package/skill-assets/sunlint-code-quality/rules/csharp/C030-custom-error-classes.md +38 -0
  46. package/skill-assets/sunlint-code-quality/rules/csharp/C033-separate-data-access.md +53 -0
  47. package/skill-assets/sunlint-code-quality/rules/csharp/C035-error-context-logging.md +31 -0
  48. package/skill-assets/sunlint-code-quality/rules/csharp/C041-no-hardcoded-secrets.md +25 -0
  49. package/skill-assets/sunlint-code-quality/rules/csharp/C042-boolean-naming.md +27 -0
  50. package/skill-assets/sunlint-code-quality/rules/csharp/C052-controller-parsing.md +41 -0
  51. package/skill-assets/sunlint-code-quality/rules/csharp/C060-superclass-logic.md +33 -0
  52. package/skill-assets/sunlint-code-quality/rules/csharp/C067-no-hardcoded-config.md +24 -0
  53. package/skill-assets/sunlint-code-quality/rules/csharp/S003-open-redirect.md +47 -0
  54. package/skill-assets/sunlint-code-quality/rules/csharp/S004-no-log-credentials.md +28 -0
  55. package/skill-assets/sunlint-code-quality/rules/csharp/S005-server-authorization.md +51 -0
  56. package/skill-assets/sunlint-code-quality/rules/csharp/S006-default-credentials.md +42 -0
  57. package/skill-assets/sunlint-code-quality/rules/csharp/S007-output-encoding.md +36 -0
  58. package/skill-assets/sunlint-code-quality/rules/csharp/S009-approved-crypto.md +37 -0
  59. package/skill-assets/sunlint-code-quality/rules/csharp/S010-csprng.md +32 -0
  60. package/skill-assets/sunlint-code-quality/rules/csharp/S011-encrypted-client-hello.md +36 -0
  61. package/skill-assets/sunlint-code-quality/rules/csharp/S012-secrets-management.md +35 -0
  62. package/skill-assets/sunlint-code-quality/rules/csharp/S013-tls-connections.md +36 -0
  63. package/skill-assets/sunlint-code-quality/rules/csharp/S016-no-sensitive-query-string.md +39 -0
  64. package/skill-assets/sunlint-code-quality/rules/csharp/S017-parameterized-queries.md +47 -0
  65. package/skill-assets/sunlint-code-quality/rules/csharp/S019-email-input-sanitization.md +35 -0
  66. package/skill-assets/sunlint-code-quality/rules/csharp/S020-eval-code-execution.md +56 -0
  67. package/skill-assets/sunlint-code-quality/rules/csharp/S022-context-escaping.md +50 -0
  68. package/skill-assets/sunlint-code-quality/rules/csharp/S023-dynamic-js-encoding.md +34 -0
  69. package/skill-assets/sunlint-code-quality/rules/csharp/S025-server-validation.md +56 -0
  70. package/skill-assets/sunlint-code-quality/rules/csharp/S026-tls-encryption.md +28 -0
  71. package/skill-assets/sunlint-code-quality/rules/csharp/S027-mtls-validation.md +40 -0
  72. package/skill-assets/sunlint-code-quality/rules/csharp/S028-upload-limits.md +50 -0
  73. package/skill-assets/sunlint-code-quality/rules/csharp/S029-csrf-protection.md +42 -0
  74. package/skill-assets/sunlint-code-quality/rules/csharp/S030-directory-browsing.md +26 -0
  75. package/skill-assets/sunlint-code-quality/rules/csharp/S031-secure-cookie-flag.md +35 -0
  76. package/skill-assets/sunlint-code-quality/rules/csharp/S032-httponly-cookie.md +31 -0
  77. package/skill-assets/sunlint-code-quality/rules/csharp/S033-samesite-cookie.md +36 -0
  78. package/skill-assets/sunlint-code-quality/rules/csharp/S034-host-prefix-cookie.md +31 -0
  79. package/skill-assets/sunlint-code-quality/rules/csharp/S035-app-hostnames.md +26 -0
  80. package/skill-assets/sunlint-code-quality/rules/csharp/S036-internal-file-paths.md +36 -0
  81. package/skill-assets/sunlint-code-quality/rules/csharp/S037-anti-cache-headers.md +33 -0
  82. package/skill-assets/sunlint-code-quality/rules/csharp/S039-tls-certificate-validation.md +41 -0
  83. package/skill-assets/sunlint-code-quality/rules/csharp/S041-logout-invalidation.md +36 -0
  84. package/skill-assets/sunlint-code-quality/rules/csharp/S042-long-lived-sessions.md +47 -0
  85. package/skill-assets/sunlint-code-quality/rules/csharp/S044-critical-changes-reauth.md +45 -0
  86. package/skill-assets/sunlint-code-quality/rules/csharp/S045-brute-force-protection.md +48 -0
  87. package/skill-assets/sunlint-code-quality/rules/csharp/S047-oauth-csrf-protection.md +53 -0
  88. package/skill-assets/sunlint-code-quality/rules/csharp/S048-oauth-redirect-validation.md +37 -0
  89. package/skill-assets/sunlint-code-quality/rules/csharp/S049-auth-code-expiry.md +33 -0
  90. package/skill-assets/sunlint-code-quality/rules/csharp/S050-token-entropy.md +33 -0
  91. package/skill-assets/sunlint-code-quality/rules/csharp/S051-password-length.md +35 -0
  92. package/skill-assets/sunlint-code-quality/rules/csharp/S052-otp-entropy.md +26 -0
  93. package/skill-assets/sunlint-code-quality/rules/csharp/S053-generic-error-messages.md +32 -0
  94. package/skill-assets/sunlint-code-quality/rules/csharp/S054-no-default-admin.md +31 -0
  95. package/skill-assets/sunlint-code-quality/rules/csharp/S055-content-type-validation.md +44 -0
  96. package/skill-assets/sunlint-code-quality/rules/csharp/S056-log-injection.md +33 -0
  97. package/skill-assets/sunlint-code-quality/rules/csharp/S057-synchronized-time.md +27 -0
  98. package/skill-assets/sunlint-code-quality/rules/csharp/S058-ssrf-protection.md +54 -0
  99. package/skill-assets/sunlint-code-quality/rules/go/C006-verb-noun-functions.md +45 -0
  100. package/skill-assets/sunlint-code-quality/rules/go/C013-no-dead-code.md +48 -0
  101. package/skill-assets/sunlint-code-quality/rules/go/C014-dependency-injection.md +85 -0
  102. package/skill-assets/sunlint-code-quality/rules/go/C017-no-constructor-logic.md +67 -0
  103. package/skill-assets/sunlint-code-quality/rules/go/C018-generic-errors.md +63 -0
  104. package/skill-assets/sunlint-code-quality/rules/go/C019-error-log-level.md +50 -0
  105. package/skill-assets/sunlint-code-quality/rules/go/C020-no-unused-imports.md +45 -0
  106. package/skill-assets/sunlint-code-quality/rules/go/C022-no-unused-variables.md +34 -0
  107. package/skill-assets/sunlint-code-quality/rules/go/C023-no-duplicate-names.md +41 -0
  108. package/skill-assets/sunlint-code-quality/rules/go/C024-centralize-constants.md +55 -0
  109. package/skill-assets/sunlint-code-quality/rules/go/C029-catch-log-root-cause.md +56 -0
  110. package/skill-assets/sunlint-code-quality/rules/go/C030-custom-error-classes.md +69 -0
  111. package/skill-assets/sunlint-code-quality/rules/go/C033-separate-data-access.md +68 -0
  112. package/skill-assets/sunlint-code-quality/rules/go/C035-error-context-logging.md +48 -0
  113. package/skill-assets/sunlint-code-quality/rules/go/C041-no-hardcoded-secrets.md +45 -0
  114. package/skill-assets/sunlint-code-quality/rules/go/C042-boolean-naming.md +42 -0
  115. package/skill-assets/sunlint-code-quality/rules/go/C052-controller-parsing.md +62 -0
  116. package/skill-assets/sunlint-code-quality/rules/go/C060-superclass-logic.md +60 -0
  117. package/skill-assets/sunlint-code-quality/rules/go/C067-no-hardcoded-config.md +51 -0
  118. package/skill-assets/sunlint-code-quality/rules/go/S003-open-redirect.md +80 -0
  119. package/skill-assets/sunlint-code-quality/rules/go/S004-no-log-credentials.md +66 -0
  120. package/skill-assets/sunlint-code-quality/rules/go/S005-server-authorization.md +55 -0
  121. package/skill-assets/sunlint-code-quality/rules/go/S006-default-credentials.md +47 -0
  122. package/skill-assets/sunlint-code-quality/rules/go/S007-output-encoding.md +50 -0
  123. package/skill-assets/sunlint-code-quality/rules/go/S009-approved-crypto.md +63 -0
  124. package/skill-assets/sunlint-code-quality/rules/go/S010-csprng.md +53 -0
  125. package/skill-assets/sunlint-code-quality/rules/go/S011-encrypted-client-hello.md +34 -0
  126. package/skill-assets/sunlint-code-quality/rules/go/S012-secrets-management.md +49 -0
  127. package/skill-assets/sunlint-code-quality/rules/go/S013-tls-connections.md +61 -0
  128. package/skill-assets/sunlint-code-quality/rules/go/S016-no-sensitive-query-string.md +42 -0
  129. package/skill-assets/sunlint-code-quality/rules/go/S017-parameterized-queries.md +36 -0
  130. package/skill-assets/sunlint-code-quality/rules/go/S019-email-input-sanitization.md +44 -0
  131. package/skill-assets/sunlint-code-quality/rules/go/S020-eval-code-execution.md +47 -0
  132. package/skill-assets/sunlint-code-quality/rules/go/S022-context-escaping.md +49 -0
  133. package/skill-assets/sunlint-code-quality/rules/go/S023-dynamic-js-encoding.md +51 -0
  134. package/skill-assets/sunlint-code-quality/rules/go/S025-server-validation.md +57 -0
  135. package/skill-assets/sunlint-code-quality/rules/go/S026-tls-encryption.md +46 -0
  136. package/skill-assets/sunlint-code-quality/rules/go/S027-mtls-validation.md +52 -0
  137. package/skill-assets/sunlint-code-quality/rules/go/S028-upload-limits.md +58 -0
  138. package/skill-assets/sunlint-code-quality/rules/go/S029-csrf-protection.md +53 -0
  139. package/skill-assets/sunlint-code-quality/rules/go/S030-directory-browsing.md +53 -0
  140. package/skill-assets/sunlint-code-quality/rules/go/S031-secure-cookie-flag.md +48 -0
  141. package/skill-assets/sunlint-code-quality/rules/go/S032-httponly-cookie.md +42 -0
  142. package/skill-assets/sunlint-code-quality/rules/go/S033-samesite-cookie.md +49 -0
  143. package/skill-assets/sunlint-code-quality/rules/go/S034-host-prefix-cookie.md +44 -0
  144. package/skill-assets/sunlint-code-quality/rules/go/S035-app-hostnames.md +50 -0
  145. package/skill-assets/sunlint-code-quality/rules/go/S036-internal-file-paths.md +56 -0
  146. package/skill-assets/sunlint-code-quality/rules/go/S037-anti-cache-headers.md +43 -0
  147. package/skill-assets/sunlint-code-quality/rules/go/S039-tls-certificate-validation.md +41 -0
  148. package/skill-assets/sunlint-code-quality/rules/go/S041-logout-invalidation.md +46 -0
  149. package/skill-assets/sunlint-code-quality/rules/go/S042-long-lived-sessions.md +58 -0
  150. package/skill-assets/sunlint-code-quality/rules/go/S044-critical-changes-reauth.md +53 -0
  151. package/skill-assets/sunlint-code-quality/rules/go/S045-brute-force-protection.md +55 -0
  152. package/skill-assets/sunlint-code-quality/rules/go/S047-oauth-csrf-protection.md +51 -0
  153. package/skill-assets/sunlint-code-quality/rules/go/S048-oauth-redirect-validation.md +58 -0
  154. package/skill-assets/sunlint-code-quality/rules/go/S049-auth-code-expiry.md +52 -0
  155. package/skill-assets/sunlint-code-quality/rules/go/S050-token-entropy.md +53 -0
  156. package/skill-assets/sunlint-code-quality/rules/go/S051-password-length.md +49 -0
  157. package/skill-assets/sunlint-code-quality/rules/go/S052-otp-entropy.md +48 -0
  158. package/skill-assets/sunlint-code-quality/rules/go/S053-generic-error-messages.md +51 -0
  159. package/skill-assets/sunlint-code-quality/rules/go/S054-no-default-admin.md +43 -0
  160. package/skill-assets/sunlint-code-quality/rules/go/S055-content-type-validation.md +52 -0
  161. package/skill-assets/sunlint-code-quality/rules/go/S056-log-injection.md +40 -0
  162. package/skill-assets/sunlint-code-quality/rules/go/S057-synchronized-time.md +40 -0
  163. package/skill-assets/sunlint-code-quality/rules/go/S058-ssrf-protection.md +70 -0
  164. package/skill-assets/sunlint-code-quality/rules/java/C006-verb-noun-functions.md +36 -0
  165. package/skill-assets/sunlint-code-quality/rules/java/C013-no-dead-code.md +175 -0
  166. package/skill-assets/sunlint-code-quality/rules/java/C014-dependency-injection.md +42 -0
  167. package/skill-assets/sunlint-code-quality/rules/java/C017-no-constructor-logic.md +39 -0
  168. package/skill-assets/sunlint-code-quality/rules/java/C018-generic-errors.md +28 -0
  169. package/skill-assets/sunlint-code-quality/rules/java/C019-error-log-level.md +34 -0
  170. package/skill-assets/sunlint-code-quality/rules/java/C020-no-unused-imports.md +34 -0
  171. package/skill-assets/sunlint-code-quality/rules/java/C022-no-unused-variables.md +31 -0
  172. package/skill-assets/sunlint-code-quality/rules/java/C023-no-duplicate-names.md +37 -0
  173. package/skill-assets/sunlint-code-quality/rules/java/C024-centralize-constants.md +36 -0
  174. package/skill-assets/sunlint-code-quality/rules/java/C029-catch-log-root-cause.md +42 -0
  175. package/skill-assets/sunlint-code-quality/rules/java/C030-custom-error-classes.md +50 -0
  176. package/skill-assets/sunlint-code-quality/rules/java/C033-separate-data-access.md +46 -0
  177. package/skill-assets/sunlint-code-quality/rules/java/C035-error-context-logging.md +38 -0
  178. package/skill-assets/sunlint-code-quality/rules/java/C041-no-hardcoded-secrets.md +34 -0
  179. package/skill-assets/sunlint-code-quality/rules/java/C042-boolean-naming.md +27 -0
  180. package/skill-assets/sunlint-code-quality/rules/java/C052-controller-parsing.md +39 -0
  181. package/skill-assets/sunlint-code-quality/rules/java/C060-superclass-logic.md +32 -0
  182. package/skill-assets/sunlint-code-quality/rules/java/C067-no-hardcoded-config.md +31 -0
  183. package/skill-assets/sunlint-code-quality/rules/java/S003-open-redirect.md +38 -0
  184. package/skill-assets/sunlint-code-quality/rules/java/S004-no-log-credentials.md +36 -0
  185. package/skill-assets/sunlint-code-quality/rules/java/S005-server-authorization.md +53 -0
  186. package/skill-assets/sunlint-code-quality/rules/java/S006-default-credentials.md +39 -0
  187. package/skill-assets/sunlint-code-quality/rules/java/S007-output-encoding.md +49 -0
  188. package/skill-assets/sunlint-code-quality/rules/java/S009-approved-crypto.md +40 -0
  189. package/skill-assets/sunlint-code-quality/rules/java/S010-csprng.md +36 -0
  190. package/skill-assets/sunlint-code-quality/rules/java/S011-encrypted-client-hello.md +27 -0
  191. package/skill-assets/sunlint-code-quality/rules/java/S012-secrets-management.md +34 -0
  192. package/skill-assets/sunlint-code-quality/rules/java/S013-tls-connections.md +40 -0
  193. package/skill-assets/sunlint-code-quality/rules/java/S016-no-sensitive-query-string.md +36 -0
  194. package/skill-assets/sunlint-code-quality/rules/java/S017-parameterized-queries.md +47 -0
  195. package/skill-assets/sunlint-code-quality/rules/java/S019-email-input-sanitization.md +32 -0
  196. package/skill-assets/sunlint-code-quality/rules/java/S020-eval-code-execution.md +45 -0
  197. package/skill-assets/sunlint-code-quality/rules/java/S022-context-escaping.md +28 -0
  198. package/skill-assets/sunlint-code-quality/rules/java/S023-dynamic-js-encoding.md +28 -0
  199. package/skill-assets/sunlint-code-quality/rules/java/S025-server-validation.md +58 -0
  200. package/skill-assets/sunlint-code-quality/rules/java/S026-tls-encryption.md +57 -0
  201. package/skill-assets/sunlint-code-quality/rules/java/S027-mtls-validation.md +26 -0
  202. package/skill-assets/sunlint-code-quality/rules/java/S028-upload-limits.md +35 -0
  203. package/skill-assets/sunlint-code-quality/rules/java/S029-csrf-protection.md +35 -0
  204. package/skill-assets/sunlint-code-quality/rules/java/S030-directory-browsing.md +38 -0
  205. package/skill-assets/sunlint-code-quality/rules/java/S031-secure-cookie-flag.md +38 -0
  206. package/skill-assets/sunlint-code-quality/rules/java/S032-httponly-cookie.md +31 -0
  207. package/skill-assets/sunlint-code-quality/rules/java/S033-samesite-cookie.md +42 -0
  208. package/skill-assets/sunlint-code-quality/rules/java/S034-host-prefix-cookie.md +35 -0
  209. package/skill-assets/sunlint-code-quality/rules/java/S035-app-hostnames.md +23 -0
  210. package/skill-assets/sunlint-code-quality/rules/java/S036-internal-file-paths.md +39 -0
  211. package/skill-assets/sunlint-code-quality/rules/java/S037-anti-cache-headers.md +37 -0
  212. package/skill-assets/sunlint-code-quality/rules/java/S039-tls-certificate-validation.md +43 -0
  213. package/skill-assets/sunlint-code-quality/rules/java/S041-logout-invalidation.md +53 -0
  214. package/skill-assets/sunlint-code-quality/rules/java/S042-long-lived-sessions.md +36 -0
  215. package/skill-assets/sunlint-code-quality/rules/java/S044-critical-changes-reauth.md +28 -0
  216. package/skill-assets/sunlint-code-quality/rules/java/S045-brute-force-protection.md +38 -0
  217. package/skill-assets/sunlint-code-quality/rules/java/S047-oauth-csrf-protection.md +33 -0
  218. package/skill-assets/sunlint-code-quality/rules/java/S048-oauth-redirect-validation.md +25 -0
  219. package/skill-assets/sunlint-code-quality/rules/java/S049-auth-code-expiry.md +23 -0
  220. package/skill-assets/sunlint-code-quality/rules/java/S050-token-entropy.md +20 -0
  221. package/skill-assets/sunlint-code-quality/rules/java/S051-password-length.md +20 -0
  222. package/skill-assets/sunlint-code-quality/rules/java/S052-otp-entropy.md +23 -0
  223. package/skill-assets/sunlint-code-quality/rules/java/S053-generic-error-messages.md +21 -0
  224. package/skill-assets/sunlint-code-quality/rules/java/S054-no-default-admin.md +16 -0
  225. package/skill-assets/sunlint-code-quality/rules/java/S055-content-type-validation.md +36 -0
  226. package/skill-assets/sunlint-code-quality/rules/java/S056-log-injection.md +38 -0
  227. package/skill-assets/sunlint-code-quality/rules/java/S057-synchronized-time.md +35 -0
  228. package/skill-assets/sunlint-code-quality/rules/java/S058-ssrf-protection.md +56 -0
  229. package/skill-assets/sunlint-code-quality/rules/kotlin/C006-verb-noun-functions.md +45 -0
  230. package/skill-assets/sunlint-code-quality/rules/kotlin/C013-no-dead-code.md +49 -0
  231. package/skill-assets/sunlint-code-quality/rules/kotlin/C014-dependency-injection.md +64 -0
  232. package/skill-assets/sunlint-code-quality/rules/kotlin/C017-no-constructor-logic.md +68 -0
  233. package/skill-assets/sunlint-code-quality/rules/kotlin/C018-generic-errors.md +46 -0
  234. package/skill-assets/sunlint-code-quality/rules/kotlin/C019-error-log-level.md +50 -0
  235. package/skill-assets/sunlint-code-quality/rules/kotlin/C020-no-unused-imports.md +44 -0
  236. package/skill-assets/sunlint-code-quality/rules/kotlin/C022-no-unused-variables.md +39 -0
  237. package/skill-assets/sunlint-code-quality/rules/kotlin/C023-no-duplicate-names.md +47 -0
  238. package/skill-assets/sunlint-code-quality/rules/kotlin/C024-centralize-constants.md +58 -0
  239. package/skill-assets/sunlint-code-quality/rules/kotlin/C029-catch-log-root-cause.md +50 -0
  240. package/skill-assets/sunlint-code-quality/rules/kotlin/C030-custom-error-classes.md +72 -0
  241. package/skill-assets/sunlint-code-quality/rules/kotlin/C033-separate-data-access.md +69 -0
  242. package/skill-assets/sunlint-code-quality/rules/kotlin/C035-error-context-logging.md +47 -0
  243. package/skill-assets/sunlint-code-quality/rules/kotlin/C041-no-hardcoded-secrets.md +47 -0
  244. package/skill-assets/sunlint-code-quality/rules/kotlin/C042-boolean-naming.md +42 -0
  245. package/skill-assets/sunlint-code-quality/rules/kotlin/C052-controller-parsing.md +71 -0
  246. package/skill-assets/sunlint-code-quality/rules/kotlin/C060-superclass-logic.md +60 -0
  247. package/skill-assets/sunlint-code-quality/rules/kotlin/C067-no-hardcoded-config.md +51 -0
  248. package/skill-assets/sunlint-code-quality/rules/kotlin/S003-open-redirect.md +66 -0
  249. package/skill-assets/sunlint-code-quality/rules/kotlin/S004-no-log-credentials.md +59 -0
  250. package/skill-assets/sunlint-code-quality/rules/kotlin/S005-server-authorization.md +75 -0
  251. package/skill-assets/sunlint-code-quality/rules/kotlin/S006-default-credentials.md +49 -0
  252. package/skill-assets/sunlint-code-quality/rules/kotlin/S007-output-encoding.md +62 -0
  253. package/skill-assets/sunlint-code-quality/rules/kotlin/S009-approved-crypto.md +51 -0
  254. package/skill-assets/sunlint-code-quality/rules/kotlin/S010-csprng.md +61 -0
  255. package/skill-assets/sunlint-code-quality/rules/kotlin/S011-encrypted-client-hello.md +48 -0
  256. package/skill-assets/sunlint-code-quality/rules/kotlin/S012-secrets-management.md +53 -0
  257. package/skill-assets/sunlint-code-quality/rules/kotlin/S013-tls-connections.md +61 -0
  258. package/skill-assets/sunlint-code-quality/rules/kotlin/S016-no-sensitive-query-string.md +51 -0
  259. package/skill-assets/sunlint-code-quality/rules/kotlin/S017-parameterized-queries.md +41 -0
  260. package/skill-assets/sunlint-code-quality/rules/kotlin/S019-email-input-sanitization.md +50 -0
  261. package/skill-assets/sunlint-code-quality/rules/kotlin/S020-eval-code-execution.md +57 -0
  262. package/skill-assets/sunlint-code-quality/rules/kotlin/S022-context-escaping.md +58 -0
  263. package/skill-assets/sunlint-code-quality/rules/kotlin/S023-dynamic-js-encoding.md +57 -0
  264. package/skill-assets/sunlint-code-quality/rules/kotlin/S025-server-validation.md +59 -0
  265. package/skill-assets/sunlint-code-quality/rules/kotlin/S026-tls-encryption.md +50 -0
  266. package/skill-assets/sunlint-code-quality/rules/kotlin/S027-mtls-validation.md +60 -0
  267. package/skill-assets/sunlint-code-quality/rules/kotlin/S028-upload-limits.md +67 -0
  268. package/skill-assets/sunlint-code-quality/rules/kotlin/S029-csrf-protection.md +57 -0
  269. package/skill-assets/sunlint-code-quality/rules/kotlin/S030-directory-browsing.md +50 -0
  270. package/skill-assets/sunlint-code-quality/rules/kotlin/S031-secure-cookie-flag.md +51 -0
  271. package/skill-assets/sunlint-code-quality/rules/kotlin/S032-httponly-cookie.md +49 -0
  272. package/skill-assets/sunlint-code-quality/rules/kotlin/S033-samesite-cookie.md +54 -0
  273. package/skill-assets/sunlint-code-quality/rules/kotlin/S034-host-prefix-cookie.md +50 -0
  274. package/skill-assets/sunlint-code-quality/rules/kotlin/S035-app-hostnames.md +59 -0
  275. package/skill-assets/sunlint-code-quality/rules/kotlin/S036-internal-file-paths.md +61 -0
  276. package/skill-assets/sunlint-code-quality/rules/kotlin/S037-anti-cache-headers.md +58 -0
  277. package/skill-assets/sunlint-code-quality/rules/kotlin/S039-tls-certificate-validation.md +62 -0
  278. package/skill-assets/sunlint-code-quality/rules/kotlin/S041-logout-invalidation.md +71 -0
  279. package/skill-assets/sunlint-code-quality/rules/kotlin/S042-long-lived-sessions.md +57 -0
  280. package/skill-assets/sunlint-code-quality/rules/kotlin/S044-critical-changes-reauth.md +64 -0
  281. package/skill-assets/sunlint-code-quality/rules/kotlin/S045-brute-force-protection.md +64 -0
  282. package/skill-assets/sunlint-code-quality/rules/kotlin/S047-oauth-csrf-protection.md +74 -0
  283. package/skill-assets/sunlint-code-quality/rules/kotlin/S048-oauth-redirect-validation.md +61 -0
  284. package/skill-assets/sunlint-code-quality/rules/kotlin/S049-auth-code-expiry.md +70 -0
  285. package/skill-assets/sunlint-code-quality/rules/kotlin/S050-token-entropy.md +65 -0
  286. package/skill-assets/sunlint-code-quality/rules/kotlin/S051-password-length.md +52 -0
  287. package/skill-assets/sunlint-code-quality/rules/kotlin/S052-otp-entropy.md +55 -0
  288. package/skill-assets/sunlint-code-quality/rules/kotlin/S053-generic-error-messages.md +66 -0
  289. package/skill-assets/sunlint-code-quality/rules/kotlin/S054-no-default-admin.md +57 -0
  290. package/skill-assets/sunlint-code-quality/rules/kotlin/S055-content-type-validation.md +58 -0
  291. package/skill-assets/sunlint-code-quality/rules/kotlin/S056-log-injection.md +47 -0
  292. package/skill-assets/sunlint-code-quality/rules/kotlin/S057-synchronized-time.md +49 -0
  293. package/skill-assets/sunlint-code-quality/rules/kotlin/S058-ssrf-protection.md +69 -0
  294. package/skill-assets/sunlint-code-quality/rules/php/C006-verb-noun-functions.md +46 -0
  295. package/skill-assets/sunlint-code-quality/rules/php/C013-no-dead-code.md +53 -0
  296. package/skill-assets/sunlint-code-quality/rules/php/C014-dependency-injection.md +71 -0
  297. package/skill-assets/sunlint-code-quality/rules/php/C017-no-constructor-logic.md +68 -0
  298. package/skill-assets/sunlint-code-quality/rules/php/C018-generic-errors.md +50 -0
  299. package/skill-assets/sunlint-code-quality/rules/php/C019-error-log-level.md +54 -0
  300. package/skill-assets/sunlint-code-quality/rules/php/C020-no-unused-imports.md +55 -0
  301. package/skill-assets/sunlint-code-quality/rules/php/C022-no-unused-variables.md +51 -0
  302. package/skill-assets/sunlint-code-quality/rules/php/C023-no-duplicate-names.md +61 -0
  303. package/skill-assets/sunlint-code-quality/rules/php/C024-centralize-constants.md +60 -0
  304. package/skill-assets/sunlint-code-quality/rules/php/C029-catch-log-root-cause.md +57 -0
  305. package/skill-assets/sunlint-code-quality/rules/php/C030-custom-error-classes.md +62 -0
  306. package/skill-assets/sunlint-code-quality/rules/php/C033-separate-data-access.md +79 -0
  307. package/skill-assets/sunlint-code-quality/rules/php/C035-error-context-logging.md +54 -0
  308. package/skill-assets/sunlint-code-quality/rules/php/C041-no-hardcoded-secrets.md +59 -0
  309. package/skill-assets/sunlint-code-quality/rules/php/C042-boolean-naming.md +52 -0
  310. package/skill-assets/sunlint-code-quality/rules/php/C052-controller-parsing.md +66 -0
  311. package/skill-assets/sunlint-code-quality/rules/php/C060-superclass-logic.md +54 -0
  312. package/skill-assets/sunlint-code-quality/rules/php/C067-no-hardcoded-config.md +55 -0
  313. package/skill-assets/sunlint-code-quality/rules/php/S003-open-redirect.md +60 -0
  314. package/skill-assets/sunlint-code-quality/rules/php/S004-no-log-credentials.md +67 -0
  315. package/skill-assets/sunlint-code-quality/rules/php/S005-server-authorization.md +57 -0
  316. package/skill-assets/sunlint-code-quality/rules/php/S006-default-credentials.md +61 -0
  317. package/skill-assets/sunlint-code-quality/rules/php/S007-output-encoding.md +61 -0
  318. package/skill-assets/sunlint-code-quality/rules/php/S009-approved-crypto.md +53 -0
  319. package/skill-assets/sunlint-code-quality/rules/php/S010-csprng.md +47 -0
  320. package/skill-assets/sunlint-code-quality/rules/php/S011-encrypted-client-hello.md +41 -0
  321. package/skill-assets/sunlint-code-quality/rules/php/S012-secrets-management.md +60 -0
  322. package/skill-assets/sunlint-code-quality/rules/php/S013-tls-connections.md +67 -0
  323. package/skill-assets/sunlint-code-quality/rules/php/S016-no-sensitive-query-string.md +61 -0
  324. package/skill-assets/sunlint-code-quality/rules/php/S017-parameterized-queries.md +44 -0
  325. package/skill-assets/sunlint-code-quality/rules/php/S019-email-input-sanitization.md +54 -0
  326. package/skill-assets/sunlint-code-quality/rules/php/S020-eval-code-execution.md +57 -0
  327. package/skill-assets/sunlint-code-quality/rules/php/S022-context-escaping.md +58 -0
  328. package/skill-assets/sunlint-code-quality/rules/php/S023-dynamic-js-encoding.md +62 -0
  329. package/skill-assets/sunlint-code-quality/rules/php/S025-server-validation.md +63 -0
  330. package/skill-assets/sunlint-code-quality/rules/php/S026-tls-encryption.md +48 -0
  331. package/skill-assets/sunlint-code-quality/rules/php/S027-mtls-validation.md +62 -0
  332. package/skill-assets/sunlint-code-quality/rules/php/S028-upload-limits.md +60 -0
  333. package/skill-assets/sunlint-code-quality/rules/php/S029-csrf-protection.md +65 -0
  334. package/skill-assets/sunlint-code-quality/rules/php/S030-directory-browsing.md +40 -0
  335. package/skill-assets/sunlint-code-quality/rules/php/S031-secure-cookie-flag.md +55 -0
  336. package/skill-assets/sunlint-code-quality/rules/php/S032-httponly-cookie.md +54 -0
  337. package/skill-assets/sunlint-code-quality/rules/php/S033-samesite-cookie.md +52 -0
  338. package/skill-assets/sunlint-code-quality/rules/php/S034-host-prefix-cookie.md +49 -0
  339. package/skill-assets/sunlint-code-quality/rules/php/S035-app-hostnames.md +49 -0
  340. package/skill-assets/sunlint-code-quality/rules/php/S036-internal-file-paths.md +56 -0
  341. package/skill-assets/sunlint-code-quality/rules/php/S037-anti-cache-headers.md +56 -0
  342. package/skill-assets/sunlint-code-quality/rules/php/S039-tls-certificate-validation.md +54 -0
  343. package/skill-assets/sunlint-code-quality/rules/php/S041-logout-invalidation.md +63 -0
  344. package/skill-assets/sunlint-code-quality/rules/php/S042-long-lived-sessions.md +57 -0
  345. package/skill-assets/sunlint-code-quality/rules/php/S044-critical-changes-reauth.md +71 -0
  346. package/skill-assets/sunlint-code-quality/rules/php/S045-brute-force-protection.md +67 -0
  347. package/skill-assets/sunlint-code-quality/rules/php/S047-oauth-csrf-protection.md +72 -0
  348. package/skill-assets/sunlint-code-quality/rules/php/S048-oauth-redirect-validation.md +54 -0
  349. package/skill-assets/sunlint-code-quality/rules/php/S049-auth-code-expiry.md +71 -0
  350. package/skill-assets/sunlint-code-quality/rules/php/S050-token-entropy.md +58 -0
  351. package/skill-assets/sunlint-code-quality/rules/php/S051-password-length.md +59 -0
  352. package/skill-assets/sunlint-code-quality/rules/php/S052-otp-entropy.md +45 -0
  353. package/skill-assets/sunlint-code-quality/rules/php/S053-generic-error-messages.md +59 -0
  354. package/skill-assets/sunlint-code-quality/rules/php/S054-no-default-admin.md +62 -0
  355. package/skill-assets/sunlint-code-quality/rules/php/S055-content-type-validation.md +58 -0
  356. package/skill-assets/sunlint-code-quality/rules/php/S056-log-injection.md +48 -0
  357. package/skill-assets/sunlint-code-quality/rules/php/S057-synchronized-time.md +52 -0
  358. package/skill-assets/sunlint-code-quality/rules/php/S058-ssrf-protection.md +65 -0
  359. package/skill-assets/sunlint-code-quality/rules/python/C006-verb-noun-functions.md +30 -0
  360. package/skill-assets/sunlint-code-quality/rules/python/C013-no-dead-code.md +24 -0
  361. package/skill-assets/sunlint-code-quality/rules/python/C014-dependency-injection.md +68 -0
  362. package/skill-assets/sunlint-code-quality/rules/python/C017-no-constructor-logic.md +30 -0
  363. package/skill-assets/sunlint-code-quality/rules/python/C018-generic-errors.md +25 -0
  364. package/skill-assets/sunlint-code-quality/rules/python/C019-error-log-level.md +26 -0
  365. package/skill-assets/sunlint-code-quality/rules/python/C020-no-unused-imports.md +28 -0
  366. package/skill-assets/sunlint-code-quality/rules/python/C022-no-unused-variables.md +24 -0
  367. package/skill-assets/sunlint-code-quality/rules/python/C023-no-duplicate-names.md +27 -0
  368. package/skill-assets/sunlint-code-quality/rules/python/C024-centralize-constants.md +27 -0
  369. package/skill-assets/sunlint-code-quality/rules/python/C029-catch-log-root-cause.md +61 -0
  370. package/skill-assets/sunlint-code-quality/rules/python/C030-custom-error-classes.md +28 -0
  371. package/skill-assets/sunlint-code-quality/rules/python/C033-separate-data-access.md +53 -0
  372. package/skill-assets/sunlint-code-quality/rules/python/C035-error-context-logging.md +26 -0
  373. package/skill-assets/sunlint-code-quality/rules/python/C041-no-hardcoded-secrets.md +23 -0
  374. package/skill-assets/sunlint-code-quality/rules/python/C042-boolean-naming.md +24 -0
  375. package/skill-assets/sunlint-code-quality/rules/python/C052-controller-parsing.md +34 -0
  376. package/skill-assets/sunlint-code-quality/rules/python/C060-superclass-logic.md +26 -0
  377. package/skill-assets/sunlint-code-quality/rules/python/C067-no-hardcoded-config.md +22 -0
  378. package/skill-assets/sunlint-code-quality/rules/python/S003-open-redirect.md +16 -0
  379. package/skill-assets/sunlint-code-quality/rules/python/S004-no-log-credentials.md +16 -0
  380. package/skill-assets/sunlint-code-quality/rules/python/S005-server-authorization.md +16 -0
  381. package/skill-assets/sunlint-code-quality/rules/python/S006-default-credentials.md +16 -0
  382. package/skill-assets/sunlint-code-quality/rules/python/S007-output-encoding.md +16 -0
  383. package/skill-assets/sunlint-code-quality/rules/python/S009-approved-crypto.md +16 -0
  384. package/skill-assets/sunlint-code-quality/rules/python/S010-csprng.md +16 -0
  385. package/skill-assets/sunlint-code-quality/rules/python/S011-encrypted-client-hello.md +16 -0
  386. package/skill-assets/sunlint-code-quality/rules/python/S012-secrets-management.md +16 -0
  387. package/skill-assets/sunlint-code-quality/rules/python/S013-tls-connections.md +16 -0
  388. package/skill-assets/sunlint-code-quality/rules/python/S016-no-sensitive-query-string.md +16 -0
  389. package/skill-assets/sunlint-code-quality/rules/python/S017-parameterized-queries.md +51 -0
  390. package/skill-assets/sunlint-code-quality/rules/python/S019-email-input-sanitization.md +16 -0
  391. package/skill-assets/sunlint-code-quality/rules/python/S020-eval-code-execution.md +51 -0
  392. package/skill-assets/sunlint-code-quality/rules/python/S022-context-escaping.md +16 -0
  393. package/skill-assets/sunlint-code-quality/rules/python/S023-dynamic-js-encoding.md +16 -0
  394. package/skill-assets/sunlint-code-quality/rules/python/S025-server-validation.md +16 -0
  395. package/skill-assets/sunlint-code-quality/rules/python/S026-tls-encryption.md +16 -0
  396. package/skill-assets/sunlint-code-quality/rules/python/S027-mtls-validation.md +16 -0
  397. package/skill-assets/sunlint-code-quality/rules/python/S028-upload-limits.md +16 -0
  398. package/skill-assets/sunlint-code-quality/rules/python/S029-csrf-protection.md +16 -0
  399. package/skill-assets/sunlint-code-quality/rules/python/S030-directory-browsing.md +16 -0
  400. package/skill-assets/sunlint-code-quality/rules/python/S031-secure-cookie-flag.md +16 -0
  401. package/skill-assets/sunlint-code-quality/rules/python/S032-httponly-cookie.md +16 -0
  402. package/skill-assets/sunlint-code-quality/rules/python/S033-samesite-cookie.md +16 -0
  403. package/skill-assets/sunlint-code-quality/rules/python/S034-host-prefix-cookie.md +16 -0
  404. package/skill-assets/sunlint-code-quality/rules/python/S035-app-hostnames.md +16 -0
  405. package/skill-assets/sunlint-code-quality/rules/python/S036-internal-file-paths.md +50 -0
  406. package/skill-assets/sunlint-code-quality/rules/python/S037-anti-cache-headers.md +16 -0
  407. package/skill-assets/sunlint-code-quality/rules/python/S039-tls-certificate-validation.md +16 -0
  408. package/skill-assets/sunlint-code-quality/rules/python/S041-logout-invalidation.md +16 -0
  409. package/skill-assets/sunlint-code-quality/rules/python/S042-long-lived-sessions.md +16 -0
  410. package/skill-assets/sunlint-code-quality/rules/python/S044-critical-changes-reauth.md +16 -0
  411. package/skill-assets/sunlint-code-quality/rules/python/S045-brute-force-protection.md +16 -0
  412. package/skill-assets/sunlint-code-quality/rules/python/S047-oauth-csrf-protection.md +16 -0
  413. package/skill-assets/sunlint-code-quality/rules/python/S048-oauth-redirect-validation.md +16 -0
  414. package/skill-assets/sunlint-code-quality/rules/python/S049-auth-code-expiry.md +16 -0
  415. package/skill-assets/sunlint-code-quality/rules/python/S050-token-entropy.md +16 -0
  416. package/skill-assets/sunlint-code-quality/rules/python/S051-password-length.md +16 -0
  417. package/skill-assets/sunlint-code-quality/rules/python/S052-otp-entropy.md +16 -0
  418. package/skill-assets/sunlint-code-quality/rules/python/S053-generic-error-messages.md +16 -0
  419. package/skill-assets/sunlint-code-quality/rules/python/S054-no-default-admin.md +16 -0
  420. package/skill-assets/sunlint-code-quality/rules/python/S055-content-type-validation.md +16 -0
  421. package/skill-assets/sunlint-code-quality/rules/python/S056-log-injection.md +16 -0
  422. package/skill-assets/sunlint-code-quality/rules/python/S057-synchronized-time.md +16 -0
  423. package/skill-assets/sunlint-code-quality/rules/python/S058-ssrf-protection.md +57 -0
  424. package/skill-assets/sunlint-code-quality/rules/typescript/C006-verb-noun-functions.md +45 -0
  425. package/skill-assets/sunlint-code-quality/rules/typescript/C013-no-dead-code.md +51 -0
  426. package/skill-assets/sunlint-code-quality/rules/typescript/C014-dependency-injection.md +69 -0
  427. package/skill-assets/sunlint-code-quality/rules/typescript/C017-no-constructor-logic.md +60 -0
  428. package/skill-assets/sunlint-code-quality/rules/typescript/C018-generic-errors.md +47 -0
  429. package/skill-assets/sunlint-code-quality/rules/typescript/C019-error-log-level.md +50 -0
  430. package/skill-assets/sunlint-code-quality/rules/typescript/C020-no-unused-imports.md +55 -0
  431. package/skill-assets/sunlint-code-quality/rules/typescript/C022-no-unused-variables.md +59 -0
  432. package/skill-assets/sunlint-code-quality/rules/typescript/C023-no-duplicate-names.md +58 -0
  433. package/skill-assets/sunlint-code-quality/rules/typescript/C024-centralize-constants.md +56 -0
  434. package/skill-assets/sunlint-code-quality/rules/typescript/C029-catch-log-root-cause.md +53 -0
  435. package/skill-assets/sunlint-code-quality/rules/typescript/C030-custom-error-classes.md +60 -0
  436. package/skill-assets/sunlint-code-quality/rules/typescript/C033-separate-data-access.md +69 -0
  437. package/skill-assets/sunlint-code-quality/rules/typescript/C035-error-context-logging.md +50 -0
  438. package/skill-assets/sunlint-code-quality/rules/typescript/C041-no-hardcoded-secrets.md +47 -0
  439. package/skill-assets/sunlint-code-quality/rules/typescript/C042-boolean-naming.md +42 -0
  440. package/skill-assets/sunlint-code-quality/rules/typescript/C052-controller-parsing.md +64 -0
  441. package/skill-assets/sunlint-code-quality/rules/typescript/C060-superclass-logic.md +67 -0
  442. package/skill-assets/sunlint-code-quality/rules/typescript/C067-no-hardcoded-config.md +52 -0
  443. package/skill-assets/sunlint-code-quality/rules/typescript/S003-open-redirect.md +76 -0
  444. package/skill-assets/sunlint-code-quality/rules/typescript/S004-no-log-credentials.md +71 -0
  445. package/skill-assets/sunlint-code-quality/rules/typescript/S005-server-authorization.md +68 -0
  446. package/skill-assets/sunlint-code-quality/rules/typescript/S006-default-credentials.md +69 -0
  447. package/skill-assets/sunlint-code-quality/rules/typescript/S007-output-encoding.md +60 -0
  448. package/skill-assets/sunlint-code-quality/rules/typescript/S009-approved-crypto.md +53 -0
  449. package/skill-assets/sunlint-code-quality/rules/typescript/S010-csprng.md +53 -0
  450. package/skill-assets/sunlint-code-quality/rules/typescript/S011-encrypted-client-hello.md +45 -0
  451. package/skill-assets/sunlint-code-quality/rules/typescript/S012-secrets-management.md +47 -0
  452. package/skill-assets/sunlint-code-quality/rules/typescript/S013-tls-connections.md +70 -0
  453. package/skill-assets/sunlint-code-quality/rules/typescript/S016-no-sensitive-query-string.md +53 -0
  454. package/skill-assets/sunlint-code-quality/rules/typescript/S017-parameterized-queries.md +55 -0
  455. package/skill-assets/sunlint-code-quality/rules/typescript/S019-email-input-sanitization.md +56 -0
  456. package/skill-assets/sunlint-code-quality/rules/typescript/S020-eval-code-execution.md +58 -0
  457. package/skill-assets/sunlint-code-quality/rules/typescript/S022-context-escaping.md +48 -0
  458. package/skill-assets/sunlint-code-quality/rules/typescript/S023-dynamic-js-encoding.md +52 -0
  459. package/skill-assets/sunlint-code-quality/rules/typescript/S025-server-validation.md +62 -0
  460. package/skill-assets/sunlint-code-quality/rules/typescript/S026-tls-encryption.md +47 -0
  461. package/skill-assets/sunlint-code-quality/rules/typescript/S027-mtls-validation.md +50 -0
  462. package/skill-assets/sunlint-code-quality/rules/typescript/S028-upload-limits.md +65 -0
  463. package/skill-assets/sunlint-code-quality/rules/typescript/S029-csrf-protection.md +62 -0
  464. package/skill-assets/sunlint-code-quality/rules/typescript/S030-directory-browsing.md +52 -0
  465. package/skill-assets/sunlint-code-quality/rules/typescript/S031-secure-cookie-flag.md +48 -0
  466. package/skill-assets/sunlint-code-quality/rules/typescript/S032-httponly-cookie.md +36 -0
  467. package/skill-assets/sunlint-code-quality/rules/typescript/S033-samesite-cookie.md +46 -0
  468. package/skill-assets/sunlint-code-quality/rules/typescript/S034-host-prefix-cookie.md +50 -0
  469. package/skill-assets/sunlint-code-quality/rules/typescript/S035-app-hostnames.md +49 -0
  470. package/skill-assets/sunlint-code-quality/rules/typescript/S036-internal-file-paths.md +53 -0
  471. package/skill-assets/sunlint-code-quality/rules/typescript/S037-anti-cache-headers.md +52 -0
  472. package/skill-assets/sunlint-code-quality/rules/typescript/S039-tls-certificate-validation.md +51 -0
  473. package/skill-assets/sunlint-code-quality/rules/typescript/S041-logout-invalidation.md +58 -0
  474. package/skill-assets/sunlint-code-quality/rules/typescript/S042-long-lived-sessions.md +55 -0
  475. package/skill-assets/sunlint-code-quality/rules/typescript/S044-critical-changes-reauth.md +69 -0
  476. package/skill-assets/sunlint-code-quality/rules/typescript/S045-brute-force-protection.md +59 -0
  477. package/skill-assets/sunlint-code-quality/rules/typescript/S047-oauth-csrf-protection.md +60 -0
  478. package/skill-assets/sunlint-code-quality/rules/typescript/S048-oauth-redirect-validation.md +59 -0
  479. package/skill-assets/sunlint-code-quality/rules/typescript/S049-auth-code-expiry.md +73 -0
  480. package/skill-assets/sunlint-code-quality/rules/typescript/S050-token-entropy.md +48 -0
  481. package/skill-assets/sunlint-code-quality/rules/typescript/S051-password-length.md +60 -0
  482. package/skill-assets/sunlint-code-quality/rules/typescript/S052-otp-entropy.md +49 -0
  483. package/skill-assets/sunlint-code-quality/rules/typescript/S053-generic-error-messages.md +61 -0
  484. package/skill-assets/sunlint-code-quality/rules/typescript/S054-no-default-admin.md +64 -0
  485. package/skill-assets/sunlint-code-quality/rules/typescript/S055-content-type-validation.md +64 -0
  486. package/skill-assets/sunlint-code-quality/rules/typescript/S056-log-injection.md +48 -0
  487. package/skill-assets/sunlint-code-quality/rules/typescript/S057-synchronized-time.md +57 -0
  488. package/skill-assets/sunlint-code-quality/rules/typescript/S058-ssrf-protection.md +63 -0
package/skill-assets/sunlint-code-quality/rules/go/S052-otp-entropy.md ADDED
@@ -0,0 +1,48 @@
1
+ ---
2
+ title: OTPs Must Have 20-bit Entropy Minimum
3
+ impact: MEDIUM
4
+ impactDescription: prevents OTP brute-forcing
5
+ tags: otp, entropy, authentication, 2fa, security
6
+ ---
7
+
8
+ ## OTPs Must Have 20-bit Entropy Minimum
9
+
10
+ Low-entropy OTPs (like 4 digits) can be brute-forced easily. 20 bits of entropy requires at least 6 decimal digits.
11
+
12
+ **Incorrect (low entropy OTPs):**
13
+
14
+ ```go
15
+ // 4 digits = ~13 bits entropy
16
+ otp := fmt.Sprintf("%04d", rand.Intn(10000))
17
+ ```
18
+
19
+ **Correct (high entropy OTPs via crypto/rand):**
20
+
21
+ ```go
22
+ import (
23
+ "crypto/rand"
24
+ "math/big"
25
+ )
26
+
27
+ // 6-digit numeric OTP (≈20 bits entropy)
28
+ func GenerateOTP() string {
29
+ max := big.NewInt(1000000)
30
+ n, _ := rand.Int(rand.Reader, max)
31
+ return fmt.Sprintf("%06d", n)
32
+ }
33
+
34
+ // 8-digit for higher security (≈26 bits)
35
+ func GenerateStrongOTP() string {
36
+ max := big.NewInt(100000000)
37
+ n, _ := rand.Int(rand.Reader, max)
38
+ return fmt.Sprintf("%08d", n)
39
+ }
40
+ ```
41
+
42
+ **OTP requirements:**
43
+ - Must use `crypto/rand` (CSPRNG).
44
+ - Minimum 6 digits (20 bits).
45
+ - Short expiration (5-10 minutes).
46
+ - Rate limit verification attempts.
47
+
48
+ **Tools:** Manual Review, Unit Test
package/skill-assets/sunlint-code-quality/rules/go/S053-generic-error-messages.md ADDED
@@ -0,0 +1,51 @@
1
+ ---
2
+ title: Return Generic Error Messages
3
+ impact: HIGH
4
+ impactDescription: prevents information disclosure
5
+ tags: error-messages, information-disclosure, security
6
+ ---
7
+
8
+ ## Return Generic Error Messages
9
+
10
+ Detailed error messages can help attackers understand your system's internals. Return generic messages to end-users.
11
+
12
+ **Incorrect (detailed errors to user):**
13
+
14
+ ```go
15
+ func Handler(w http.ResponseWriter, r *http.Request) {
16
+ err := db.QueryRow("...").Scan(&id)
17
+ if err != nil {
18
+ // Exposes database details!
19
+ http.Error(w, err.Error(), 500)
20
+ return
21
+ }
22
+ }
23
+
24
+ // User enumeration
25
+ if userNotFound {
26
+ http.Error(w, "User john@example.com dose not exist", 404)
27
+ }
28
+ ```
29
+
30
+ **Correct (generic errors with internal logging):**
31
+
32
+ ```go
33
+ func Handler(w http.ResponseWriter, r *http.Request) {
34
+ err := db.QueryRow("...").Scan(&id)
35
+ if err != nil {
36
+ // Log internally
37
+ slog.Error("query failed", "error", err, "request_id", r.Header.Get("X-Request-Id"))
38
+
39
+ // Return generic message
40
+ http.Error(w, "An internal error occurred", 500)
41
+ return
42
+ }
43
+ }
44
+
45
+ // Same message for "user not found" and "wrong password"
46
+ if !userExists || !passwordMatches {
47
+ http.Error(w, "Invalid credentials", 401)
48
+ }
49
+ ```
50
+
51
+ **Tools:** Global Error Middleware, `slog`
package/skill-assets/sunlint-code-quality/rules/go/S054-no-default-admin.md ADDED
@@ -0,0 +1,43 @@
1
+ ---
2
+ title: Avoid Default Admin/Root Accounts
3
+ impact: HIGH
4
+ impactDescription: prevents easy initial access by attackers
5
+ tags: admin, default-accounts, credentials, security
6
+ ---
7
+
8
+ ## Avoid Default Admin/Root Accounts
9
+
10
+ Default accounts with known credentials (e.g., admin/admin) are the first thing attackers check.
11
+
12
+ **Incorrect (default admin in seed):**
13
+
14
+ ```go
15
+ // Seed script
16
+ db.Exec("INSERT INTO users (email, password, role) VALUES ('admin@example.com', 'admin123', 'admin')")
17
+ ```
18
+
19
+ **Correct (secure initial setup):**
20
+
21
+ ```go
22
+ // 1. Setup wizard on first run
23
+ func SetupHandler(w http.ResponseWriter, r *http.Request) {
24
+ if adminExists() {
25
+ http.Error(w, "Setup already done", 403)
26
+ return
27
+ }
28
+ // Form to create first admin...
29
+ }
30
+
31
+ // 2. Or use environment variables for bootstrap
32
+ func BootstrapAdmin() {
33
+ email := os.Getenv("INITIAL_ADMIN_EMAIL")
34
+ pass := os.Getenv("INITIAL_ADMIN_PASSWORD")
35
+
36
+ if pass == "" || len(pass) < 16 {
37
+ log.Fatal("Secure INITIAL_ADMIN_PASSWORD required")
38
+ }
39
+ createAdmin(email, pass)
40
+ }
41
+ ```
42
+
43
+ **Tools:** Security Audit, Configuration Review
package/skill-assets/sunlint-code-quality/rules/go/S055-content-type-validation.md ADDED
@@ -0,0 +1,52 @@
1
+ ---
2
+ title: Validate Content-Type In REST Services
3
+ impact: MEDIUM
4
+ impactDescription: prevents content-type confusion attacks
5
+ tags: rest, content-type, validation, api, security
6
+ ---
7
+
8
+ ## Validate Content-Type In REST Services
9
+
10
+ Accepting unexpected content types can lead to parsing vulnerabilities or bypass security controls.
11
+
12
+ **Incorrect (accepting any content):**
13
+
14
+ ```go
15
+ func Handler(w http.ResponseWriter, r *http.Request) {
16
+ // No check on Content-Type header
17
+ var data map[string]interface{}
18
+ json.NewDecoder(r.Body).Decode(&data)
19
+ }
20
+ ```
21
+
22
+ **Correct (strict content-type validation):**
23
+
24
+ ```go
25
+ func validateContentType(allowed ...string) func(http.Handler) http.Handler {
26
+ return func(next http.Handler) http.Handler {
27
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
28
+ ct := r.Header.Get("Content-Type")
29
+
30
+ isValid := false
31
+ for _, a := range allowed {
32
+ if strings.Contains(strings.ToLower(ct), strings.ToLower(a)) {
33
+ isValid = true
34
+ break
35
+ }
36
+ }
37
+
38
+ if !isValid {
39
+ http.Error(w, "Unsupported Media Type", http.StatusUnsupportedMediaType)
40
+ return
41
+ }
42
+
43
+ next.ServeHTTP(w, r)
44
+ })
45
+ }
46
+ }
47
+
48
+ // Router usage
49
+ mux.Handle("/api/data", validateContentType("application/json")(http.HandlerFunc(Handler)))
50
+ ```
51
+
52
+ **Tools:** API Gateway, Middleware, OWASP ZAP
package/skill-assets/sunlint-code-quality/rules/go/S056-log-injection.md ADDED
@@ -0,0 +1,40 @@
1
+ ---
2
+ title: Protect Against Log Injection
3
+ impact: HIGH
4
+ impactDescription: prevents log forging and exploitation
5
+ tags: logging, injection, sanitization, security
6
+ ---
7
+
8
+ ## Protect Against Log Injection
9
+
10
+ Log injection allows attackers to forge log entries, hide their tracks, or inject malicious control characters.
11
+
12
+ **Incorrect (unsanitized logging):**
13
+
14
+ ```go
15
+ func Handler(w http.ResponseWriter, r *http.Request) {
16
+ user := r.FormValue("user")
17
+ slog.Info("User logged in: " + user)
18
+ // Attacker: "admin\n[ERROR] Payment failed for user: victim"
19
+ }
20
+ ```
21
+
22
+ **Correct (sanitized structured logging):**
23
+
24
+ ```go
25
+ // 1. Use structured logging (automatically handles quotes/escaping in key-value pairs)
26
+ slog.Info("User logged in", "username", sanitizeForLog(user))
27
+
28
+ // 2. Sanitize input
29
+ func sanitizeForLog(input string) string {
30
+ // Replace CRLF/tabs with space
31
+ replacer := strings.NewReplacer("\r", " ", "\n", " ", "\t", " ")
32
+ return replacer.Replace(input)
33
+ }
34
+
35
+ // 3. Recommended: Use JSON logger in production
36
+ logger := slog.New(slog.NewJSONHandler(os.Stdout, nil))
37
+ logger.Info("User logged in", "username", user)
38
+ ```
39
+
40
+ **Tools:** `log/slog`, `zap`, `gosec`
package/skill-assets/sunlint-code-quality/rules/go/S057-synchronized-time.md ADDED
@@ -0,0 +1,40 @@
1
+ ---
2
+ title: Use Synchronized Time (UTC) In Logs
3
+ impact: MEDIUM
4
+ impactDescription: enables accurate incident correlation
5
+ tags: logging, time, utc, synchronization, security
6
+ ---
7
+
8
+ ## Use Synchronized Time (UTC) In Logs
9
+
10
+ Inconsistent timestamps across servers/services make incident investigation difficult. Use UTC and ISO 8601 format.
11
+
12
+ **Incorrect (local time/custom formats):**
13
+
14
+ ```go
15
+ // Local time - depends on server TZ
16
+ log.Printf("Event time: %v", time.Now())
17
+
18
+ // Different formats
19
+ fmt.Println(time.Now().Unix())
20
+ fmt.Println(time.Now().Format("2006-01-02"))
21
+ ```
22
+
23
+ **Correct (UTC, ISO 8601):**
24
+
25
+ ```go
26
+ // Use .UTC() and .Format(time.RFC3339)
27
+ slog.Info("User action",
28
+ "timestamp", time.Now().UTC().Format(time.RFC3339Nano),
29
+ "action", "login",
30
+ )
31
+
32
+ // Output: {"timestamp":"2024-01-15T10:30:00.123456Z", "level":"INFO", "message":"User action", "action":"login"}
33
+ ```
34
+
35
+ **Requirements:**
36
+ - Use UTC timezone externally.
37
+ - Use ISO 8601 (RFC 3339) with nanosecond/millisecond precision.
38
+ - Ensure servers are NTP-synchronized.
39
+
40
+ **Tools:** `time` (Standard Library), `slog`, NTP
package/skill-assets/sunlint-code-quality/rules/go/S058-ssrf-protection.md ADDED
@@ -0,0 +1,70 @@
1
+ ---
2
+ title: Protect Against SSRF Attacks
3
+ impact: MEDIUM
4
+ impactDescription: prevents internal network access from user input
5
+ tags: ssrf, url, network, internal, security
6
+ ---
7
+
8
+ ## Protect Against SSRF Attacks
9
+
10
+ SSRF allows attackers to make requests from your server to internal services, local files, or cloud metadata endpoints.
11
+
12
+ **Incorrect (accepting user URLs without validation):**
13
+
14
+ ```go
15
+ func Handler(w http.ResponseWriter, r *http.Request) {
16
+ url := r.URL.Query().Get("url")
17
+ resp, _ := http.Get(url) // Attacker controls URL!
18
+ io.Copy(w, resp.Body)
19
+ }
20
+ // Attacker: ?url=http://169.254.169.254/latest/meta-data/
21
+ ```
22
+
23
+ **Correct (URL validation and IP blocking):**
24
+
25
+ ```go
26
+ import (
27
+ "net"
28
+ "net/url"
29
+ )
30
+
31
+ var allowedHosts = []string{"api.example.com", "cdn.example.com"}
32
+
33
+ func SafeFetch(userURL string) (*http.Response, error) {
34
+ parsed, err := url.Parse(userURL)
35
+ if err != nil {
36
+ return nil, err
37
+ }
38
+
39
+ // 1. Protocol whitelist
40
+ if parsed.Scheme != "http" && parsed.Scheme != "https" {
41
+ return nil, errors.New("protocol not allowed")
42
+ }
43
+
44
+ // 2. Host whitelist
45
+ isAllowed := false
46
+ for _, h := range allowedHosts {
47
+ if parsed.Hostname() == h {
48
+ isAllowed = true
49
+ break
50
+ }
51
+ }
52
+
53
+ // 3. Resolve IP and block internal ranges
54
+ ips, _ := net.LookupIP(parsed.Hostname())
55
+ for _, ip := range ips {
56
+ if ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() {
57
+ return nil, errors.New("internal IP blocked")
58
+ }
59
+ }
60
+
61
+ client := &http.Client{
62
+ CheckRedirect: func(req *http.Request, via []*http.Request) error {
63
+ return http.ErrUseLastResponse // Disable redirects
64
+ },
65
+ }
66
+ return client.Get(userURL)
67
+ }
68
+ ```
69
+
70
+ **Tools:** `net/url`, `net.LookupIP`, `gosec` (G107)
package/skill-assets/sunlint-code-quality/rules/java/C006-verb-noun-functions.md ADDED
@@ -0,0 +1,36 @@
1
+ ---
2
+ title: Function Names Verb-Noun Pattern
3
+ impact: MEDIUM
4
+ impactDescription: improves code readability and maintainability
5
+ tags: readability, naming, best-practice, java
6
+ ---
7
+
8
+ ## Function Names Verb-Noun Pattern
9
+
10
+ Method names should clearly state what they do. Following a `verbNoun` pattern (camelCase) makes the code more intuitive and easier to scan.
11
+
12
+ **Incorrect (vague or reverse naming):**
13
+
14
+ ```java
15
+ public void userData(User user) { ... }
16
+ public List<User> usersGet() { ... }
17
+ public void process() { ... }
18
+ ```
19
+
20
+ **Correct (verb-noun naming):**
21
+
22
+ ```java
23
+ public void saveUser(User user) { ... }
24
+ public List<User> getAllUsers() { ... }
25
+ public void processPayment() { ... }
26
+ public boolean isValidEmail(String email) { ... }
27
+ ```
28
+
29
+ **Common Verbs:**
30
+ - `get` / `find`: Retrieve data.
31
+ - `save` / `create` / `update`: Modify data.
32
+ - `is` / `has`: Boolean checks.
33
+ - `validate`: Check constraints.
34
+ - `calculate`: Perform computations.
35
+
36
+ **Tools:** Checkstyle, IntelliJ Inspections, Manual Review
package/skill-assets/sunlint-code-quality/rules/java/C013-no-dead-code.md ADDED
@@ -0,0 +1,175 @@
1
+ ---
2
+ title: Do Not Commit Dead Code
3
+ impact: MEDIUM
4
+ impactDescription: reduces codebase clutter and potential for bugs
5
+ tags: readability, clean-code, maintainability, java
6
+ ---
7
+
8
+ ## Do Not Commit Dead Code
9
+
10
+ Dead code (commented-out code, unused methods, unreachable branches) increases technical debt and makes the codebase harder to maintain and understand.
11
+
12
+ **Incorrect (commented code or unreachable blocks):**
13
+
14
+ ```java
15
+ public void calculate() {
16
+ int x = 10;
17
+ // int y = 20; // DEAD CODE
18
+ // if (x > 5) { ... } // DEAD CODE
19
+ System.out.println(x);
20
+ }
21
+ ```
22
+
23
+ **Correct (clean code):**
24
+
25
+ ```java
26
+ public void calculate() {
27
+ int x = 10;
28
+ System.out.println(x);
29
+ }
30
+ ```
31
+
32
+ **Tools:** IntelliJ Inspections, PMD, SonarQube (S1144), Checkstyle
33
+ ---
34
+ title: Use Dependency Injection
35
+ impact: HIGH
36
+ impactDescription: improves testability and decouples components
37
+ tags: dependency-injection, spring, testing, java
38
+ ---
39
+
40
+ ## Use Dependency Injection
41
+
42
+ Hardcoding dependencies (using `new`) makes components tightly coupled and difficult to test. Dependency Injection (DI) allows the framework to manage object lifecycles and permits easy mocking during unit tests.
43
+
44
+ **Incorrect (tight coupling):**
45
+
46
+ ```java
47
+ public class UserService {
48
+ private final UserRepository repo = new UserRepository(); // VULNERABLE to tight coupling
49
+
50
+ public void save(User user) {
51
+ repo.save(user);
52
+ }
53
+ }
54
+ ```
55
+
56
+ **Correct (constructor injection):**
57
+
58
+ ```java
59
+ @Service
60
+ public class UserService {
61
+ private final UserRepository repo;
62
+
63
+ // SECURE: Dependency is injected via constructor
64
+ public UserService(UserRepository repo) {
65
+ this.repo = repo;
66
+ }
67
+
68
+ public void save(User user) {
69
+ repo.save(user);
70
+ }
71
+ }
72
+ ```
73
+
74
+ **Tools:** Spring Framework, Dagger, Guice, SonarQube (S3306)
75
+ ---
76
+ title: No Business Logic In Constructors
77
+ impact: MEDIUM
78
+ impactDescription: prevents side effects during object instantiation and improves testability
79
+ tags: clean-code, best-practice, java
80
+ ---
81
+
82
+ ## No Business Logic In Constructors
83
+
84
+ Constructors should only be used for initialized fields. Performing business logic (database calls, network requests) inside a constructor makes the object hard to test and can lead to unexpected side effects during initialization.
85
+
86
+ **Incorrect (logic in constructor):**
87
+
88
+ ```java
89
+ public class OrderService {
90
+ public OrderService() {
91
+ // VULNERABLE: Side effects during new OrderService()
92
+ loadConfiguration();
93
+ connectToDatabase();
94
+ }
95
+ }
96
+ ```
97
+
98
+ **Correct (separate initialization):**
99
+
100
+ ```java
101
+ public class OrderService {
102
+ public OrderService() {
103
+ // Only simple field assignments
104
+ }
105
+
106
+ @PostConstruct
107
+ public void init() {
108
+ // Business logic or heavy setup here
109
+ }
110
+ }
111
+ ```
112
+
113
+ **Tools:** Manual Review, SonarQube (S1699)
114
+ ---
115
+ title: Do Not Throw Generic Errors
116
+ impact: MEDIUM
117
+ impactDescription: makes error handling difficult for the caller
118
+ tags: error-handling, exceptions, java
119
+ ---
120
+
121
+ ## Do Not Throw Generic Errors
122
+
123
+ Throwing `Exception` or `RuntimeException` provides no context to the caller. Always throw specific, meaningful exceptions.
124
+
125
+ **Incorrect (generic throws):**
126
+
127
+ ```java
128
+ public void findUser(String id) throws Exception {
129
+ if (id == null) throw new Exception("ID missing");
130
+ }
131
+ ```
132
+
133
+ **Correct (specific throws):**
134
+
135
+ ```java
136
+ public void findUser(String id) {
137
+ if (id == null) throw new IllegalArgumentException("User ID cannot be null");
138
+ }
139
+ ```
140
+
141
+ **Tools:** SonarQube (S2221), Manual Review
142
+ ---
143
+ title: Do Not Use Error Log Level For Non-Critical Issues
144
+ impact: MEDIUM
145
+ impactDescription: prevents log noise and ensures relevant alerts
146
+ tags: logging, best-practice, java
147
+ ---
148
+
149
+ ## Do Not Use Error Log Level For Non-Critical Issues
150
+
151
+ The `ERROR` level should be reserved for issues that require immediate developer attention. For expected failures (like invalid user input), use `WARN` or `INFO`.
152
+
153
+ **Incorrect (error for everything):**
154
+
155
+ ```java
156
+ if (user == null) {
157
+ log.error("User not found: {}", id); // Should be WARN or INFO
158
+ }
159
+ ```
160
+
161
+ **Correct (appropriate log levels):**
162
+
163
+ ```java
164
+ if (user == null) {
165
+ log.warn("Attempt to access non-existent user: {}", id);
166
+ }
167
+
168
+ try {
169
+ db.save(data);
170
+ } catch (SQLException e) {
171
+ log.error("Critical database failure", e); // TRUE ERROR
172
+ }
173
+ ```
174
+
175
+ **Tools:** Manual Review
package/skill-assets/sunlint-code-quality/rules/java/C014-dependency-injection.md ADDED
@@ -0,0 +1,42 @@
1
+ ---
2
+ title: Use Dependency Injection
3
+ impact: HIGH
4
+ impactDescription: improves testability and decouples components
5
+ tags: dependency-injection, spring, testing, java
6
+ ---
7
+
8
+ ## Use Dependency Injection
9
+
10
+ Hardcoding dependencies (using `new`) makes components tightly coupled and difficult to test. Dependency Injection (DI) allows the framework to manage object lifecycles and permits easy mocking during unit tests.
11
+
12
+ **Incorrect (tight coupling):**
13
+
14
+ ```java
15
+ public class UserService {
16
+ private final UserRepository repo = new UserRepository(); // VULNERABLE to tight coupling
17
+
18
+ public void save(User user) {
19
+ repo.save(user);
20
+ }
21
+ }
22
+ ```
23
+
24
+ **Correct (constructor injection):**
25
+
26
+ ```java
27
+ @Service
28
+ public class UserService {
29
+ private final UserRepository repo;
30
+
31
+ // SECURE: Dependency is injected via constructor
32
+ public UserService(UserRepository repo) {
33
+ this.repo = repo;
34
+ }
35
+
36
+ public void save(User user) {
37
+ repo.save(user);
38
+ }
39
+ }
40
+ ```
41
+
42
+ **Tools:** Spring Framework, Dagger, Guice, SonarQube (S3306)
package/skill-assets/sunlint-code-quality/rules/java/C017-no-constructor-logic.md ADDED
@@ -0,0 +1,39 @@
1
+ ---
2
+ title: No Business Logic In Constructors
3
+ impact: MEDIUM
4
+ impactDescription: prevents side effects during object instantiation and improves testability
5
+ tags: clean-code, best-practice, java
6
+ ---
7
+
8
+ ## No Business Logic In Constructors
9
+
10
+ Constructors should only be used for initialized fields. Performing business logic (database calls, network requests) inside a constructor makes the object hard to test and can lead to unexpected side effects during initialization.
11
+
12
+ **Incorrect (logic in constructor):**
13
+
14
+ ```java
15
+ public class OrderService {
16
+ public OrderService() {
17
+ // VULNERABLE: Side effects during new OrderService()
18
+ loadConfiguration();
19
+ connectToDatabase();
20
+ }
21
+ }
22
+ ```
23
+
24
+ **Correct (separate initialization):**
25
+
26
+ ```java
27
+ public class OrderService {
28
+ public OrderService() {
29
+ // Only simple field assignments
30
+ }
31
+
32
+ @PostConstruct
33
+ public void init() {
34
+ // Business logic or heavy setup here
35
+ }
36
+ }
37
+ ```
38
+
39
+ **Tools:** Manual Review, SonarQube (S1699)
package/skill-assets/sunlint-code-quality/rules/java/C018-generic-errors.md ADDED
@@ -0,0 +1,28 @@
1
+ ---
2
+ title: Do Not Throw Generic Errors
3
+ impact: MEDIUM
4
+ impactDescription: makes error handling difficult for the caller
5
+ tags: error-handling, exceptions, java
6
+ ---
7
+
8
+ ## Do Not Throw Generic Errors
9
+
10
+ Throwing `Exception` or `RuntimeException` provides no context to the caller. Always throw specific, meaningful exceptions.
11
+
12
+ **Incorrect (generic throws):**
13
+
14
+ ```java
15
+ public void findUser(String id) throws Exception {
16
+ if (id == null) throw new Exception("ID missing");
17
+ }
18
+ ```
19
+
20
+ **Correct (specific throws):**
21
+
22
+ ```java
23
+ public void findUser(String id) {
24
+ if (id == null) throw new IllegalArgumentException("User ID cannot be null");
25
+ }
26
+ ```
27
+
28
+ **Tools:** SonarQube (S2221), Manual Review