@sun-asterisk/sunlint 1.3.4 → 1.3.5

package/config/rules/enhanced-rules-registry.json

@@ -703,17 +703,51 @@
         }
       }
     },
+    "S024": {
+      "name": "Protect against XPath Injection and XML External Entity (XXE)",
+      "description": "Protect against XPath Injection and XML External Entity (XXE) attacks. XPath injection occurs when user input is used to construct XPath queries without proper sanitization. XXE attacks exploit XML parsers that process external entities, potentially leading to data disclosure, server-side request forgery, or denial of service.",
+      "category": "security",
+      "severity": "error",
+      "languages": ["typescript", "javascript"],
+      "analyzer": "./rules/security/S024_xpath_xxe_protection/analyzer.js",
+      "config": "./rules/security/S024_xpath_xxe_protection/config.json",
+      "version": "1.0.0",
+      "status": "stable",
+      "tags": ["security", "xpath", "xxe", "xml", "injection", "owasp"],
+      "strategy": {
+        "preferred": "ast",
+        "fallbacks": ["ast", "regex"],
+        "accuracy": {
+          "ast": 95,
+          "regex": 85
+        }
+      },
+      "engineMappings": {
+        "heuristic": ["rules/security/S024_xpath_xxe_protection/analyzer.js"]
+      }
+    },
     "S025": {
-      "name": "Server Side Input Validation",
-      "description": "Require server-side input validation",
+      "name": "Always validate client-side data on the server",
+      "description": "Ensure all client-side data is validated on the server. Client-side validation is not sufficient for security as it can be bypassed by attackers. Server-side validation is mandatory for data integrity and security.",
       "category": "security",
       "severity": "error",
       "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s025",
+      "analyzer": "./rules/security/S025_server_side_validation/analyzer.js",
+      "config": "./rules/security/S025_server_side_validation/config.json",
       "version": "1.0.0",
       "status": "stable",
-      "tags": ["security", "validation", "server-side"]
+      "tags": ["security", "validation", "server-side", "owasp", "input-validation"],
+      "strategy": {
+        "preferred": "ast",
+        "fallbacks": ["ast", "regex"],
+        "accuracy": {
+          "ast": 95,
+          "regex": 85
+        }
+      },
+      "engineMappings": {
+        "heuristic": ["rules/security/S025_server_side_validation/analyzer.js"]
+      }
     },
     "S026": {
       "name": "JSON Schema Validation",
@@ -1301,6 +1335,28 @@
         "eslint": ["@typescript-eslint/naming-convention", "camelcase"]
       }
     },
+    "C067": {
+      "name": "No Hardcoded Configuration",
+      "description": "Improve configurability, reduce risk when changing environments, and make configuration management flexible and maintainable.",
+      "category": "configuration",
+      "severity": "warning",
+      "languages": ["typescript", "javascript", "dart", "kotlin"],
+      "analyzer": "./rules/common/C067_no_hardcoded_config/analyzer.js",
+      "config": "./rules/common/C067_no_hardcoded_config/config.json",
+      "version": "1.0.0",
+      "status": "stable",
+      "tags": ["configuration", "hardcode", "environment", "maintainability", "security"],
+      "strategy": {
+        "preferred": "ast",
+        "fallbacks": ["ast"],
+        "accuracy": {
+          "ast": 90
+        }
+      },
+      "engineMappings": {
+        "heuristic": ["rules/common/C067_no_hardcoded_config/analyzer.js"]
+      }
+    },
     "C072": {
       "id": "C072",
       "name": "Single Test Behavior",
@@ -1771,6 +1827,7 @@
         "S020",
         "S022",
         "S023",
+        "S024",
         "S025",
         "S026",
         "S027",
@@ -1889,9 +1946,9 @@
   "metadata": {
     "version": "1.1.7",
     "lastUpdated": "2025-08-25",
-    "totalRules": 97,
+    "totalRules": 98,
     "qualityRules": 33,
-    "securityRules": 49,
+    "securityRules": 50,
     "stableRules": 45,
     "experimentalRules": 1,
     "supportedLanguages": 4,

package/core/config-preset-resolver.js

@@ -10,9 +10,14 @@ class ConfigPresetResolver {
   constructor() {
     this.presetMap = {
       '@sun/sunlint/recommended': 'config/presets/recommended.json',
-      '@sun/sunlint/strict': 'config/presets/strict.json',
+      '@sun/sunlint/security': 'config/presets/security.json',
+      '@sun/sunlint/quality': 'config/presets/quality.json',
       '@sun/sunlint/beginner': 'config/presets/beginner.json',
-      '@sun/sunlint/ci': 'config/presets/ci.json'
+      '@sun/sunlint/ci': 'config/presets/ci.json',
+      '@sun/sunlint/strict': 'config/presets/strict.json',
+      '@sun/sunlint/maintainability': 'config/presets/maintainability.json',
+      '@sun/sunlint/performance': 'config/presets/performance.json',
+      '@sun/sunlint/all': 'config/presets/all.json'
     };
   }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sun-asterisk/sunlint",
-  "version": "1.3.4",
+  "version": "1.3.5",
   "description": "☀️ SunLint - Multi-language static analysis tool for code quality and security | Sun* Engineering Standards",
   "main": "cli.js",
   "bin": {

package/rules/common/C067_no_hardcoded_config/analyzer.js

@@ -0,0 +1,95 @@
+// rules/common/C067_no_hardcoded_config/analyzer.js
+const C067SymbolBasedAnalyzer = require('./symbol-based-analyzer.js');
+
+class C067Analyzer {
+  constructor(semanticEngine = null) {
+    this.ruleId = 'C067';
+    this.ruleName = 'No Hardcoded Configuration';
+    this.description = 'Improve configurability, reduce risk when changing environments, and make configuration management flexible and maintainable.';
+    this.semanticEngine = semanticEngine;
+    this.verbose = false;
+    
+    // Use symbol-based only for accuracy
+    this.symbolAnalyzer = new C067SymbolBasedAnalyzer(semanticEngine);
+  }
+
+  async initialize(semanticEngine = null) {
+    if (semanticEngine) {
+      this.semanticEngine = semanticEngine;
+    }
+    this.verbose = semanticEngine?.verbose || false;
+    await this.symbolAnalyzer.initialize(semanticEngine);
+  }
+
+  // Main analyze method required by heuristic engine
+  async analyze(files, language, options = {}) {
+    const violations = [];
+    
+    for (const filePath of files) {
+      if (options.verbose) {
+        console.log(`[DEBUG] 🎯 C067: Analyzing ${filePath.split('/').pop()}`);
+      }
+      
+      try {
+        const fileViolations = await this.analyzeFileBasic(filePath, options);
+        violations.push(...fileViolations);
+      } catch (error) {
+        console.warn(`C067: Skipping ${filePath}: ${error.message}`);
+      }
+    }
+    
+    return violations;
+  }
+
+  async analyzeFileBasic(filePath, options = {}) {
+    try {
+      // Try semantic engine first, fallback to standalone ts-morph
+      if (this.semanticEngine?.isSymbolEngineReady?.() && this.semanticEngine.project) {
+        if (this.verbose) {
+          console.log(`[DEBUG] 🎯 C067: Using semantic engine for ${filePath.split('/').pop()}`);
+        }
+        
+        const violations = await this.symbolAnalyzer.analyzeFileBasic(filePath, options);
+        
+        if (this.verbose) {
+          console.log(`[DEBUG] 🎯 C067: Symbol-based analysis found ${violations.length} violations`);
+        }
+
+        return violations;
+      } else {
+        // Fallback to standalone analysis
+        if (this.verbose) {
+          console.log(`[DEBUG] 🎯 C067: Using standalone analysis for ${filePath.split('/').pop()}`);
+        }
+        
+        const violations = await this.symbolAnalyzer.analyzeFileStandalone(filePath, options);
+        
+        if (this.verbose) {
+          console.log(`[DEBUG] 🎯 C067: Standalone analysis found ${violations.length} violations`);
+        }
+
+        return violations;
+      }
+    } catch (error) {
+      if (this.verbose) {
+        console.error(`[DEBUG] ❌ C067: Analysis failed: ${error.message}`);
+      }
+      throw new Error(`C067 analysis failed: ${error.message}`);
+    }
+  }
+
+  async analyzeFiles(files, options = {}) {
+    const allViolations = [];
+    for (const filePath of files) {
+      try {
+        const violations = await this.analyzeFileBasic(filePath, options);
+        allViolations.push(...violations);
+      } catch (error) {
+        console.warn(`C067: Skipping ${filePath}: ${error.message}`);
+      }
+    }
+    return allViolations;
+  }
+}
+
+module.exports = C067Analyzer;

package/rules/common/C067_no_hardcoded_config/config.json

@@ -0,0 +1,81 @@
+{
+  "maxConfigValues": 50,
+  "excludePatterns": [
+    "**/*.test.js",
+    "**/*.spec.js",
+    "**/*.test.ts",
+    "**/*.spec.ts",
+    "**/config/**",
+    "**/constants/**",
+    "**/*.config.js",
+    "**/*.config.ts",
+    "**/.env*"
+  ],
+  "includePatterns": [
+    "**/*.js",
+    "**/*.ts",
+    "**/*.jsx",
+    "**/*.tsx"
+  ],
+  "allowedDomains": [
+    "localhost",
+    "127.0.0.1",
+    "0.0.0.0",
+    "example.com",
+    "test.com",
+    "dummy.com"
+  ],
+  "allowedPorts": [
+    3000,
+    8080,
+    5000,
+    4200,
+    3001
+  ],
+  "commonConstants": [
+    100, 200, 300, 400, 500,
+    1000, 2000, 3000, 5000,
+    8080, 3000, 4200
+  ],
+  "credentialKeywords": [
+    "password",
+    "secret",
+    "key",
+    "token",
+    "auth",
+    "credential",
+    "apikey",
+    "api_key"
+  ],
+  "configKeywords": [
+    "timeout",
+    "interval",
+    "delay",
+    "duration",
+    "limit",
+    "max",
+    "min",
+    "size",
+    "count",
+    "port",
+    "url",
+    "endpoint",
+    "host",
+    "retry",
+    "batch"
+  ],
+  "allowedUIValues": [
+    "password",
+    "text",
+    "email",
+    "username",
+    "input",
+    "field",
+    "ok",
+    "cancel",
+    "yes",
+    "no",
+    "true",
+    "false"
+  ]
+}