@sun-asterisk/sunlint 1.3.5 → 1.3.7

package/CHANGELOG.md

@@ -2,6 +2,73 @@
 
 ---
 
+## � **v1.3.7 - File Count Reporting & Performance Fixes (September 11, 2025)**
+
+**Release Date**: September 11, 2025  
+**Type**: Bug Fix & Enhancement  
+**Branch**: `fix.sunlint.report`
+
+### 🐛 **Critical Bug Fixes**
+- **FIXED**: File count reporting accuracy in summary
+  - **Issue**: Summary showed incorrect file counts when performance filtering applied
+  - **Before**: `Files loaded: 1322` but summary `Files: 1000` (misleading)  
+  - **After**: Summary accurately reflects files actually analyzed
+- **FIXED**: File count multiplication in batch processing
+  - **Issue**: Multiple batches incorrectly accumulated file counts  
+  - **Before**: 1322 files → reported as 3000 files in batched analysis
+  - **After**: Consistent file count regardless of batch strategy
+
+### ⚡ **Performance Enhancements**
+- **ENHANCED**: `--max-files=-1` unlimited file processing
+  - **Issue**: `-1` flag was ignored, still limited to 1000 files
+  - **Solution**: Proper unlimited file processing support
+  - **Usage**: `sunlint --max-files=-1` now analyzes all files without limits
+
+### 🎯 **Rule Improvements**
+- **ENHANCED**: S057 UTC Logging rule precision (100% accuracy)
+  - Fixed false positive detection for `pino.stdTimeFunctions.isoTime`
+  - Added timezone indicator support: `'Z'`, `"Z"`, `+00:00`, `.l'Z'`
+  - Enhanced config variable tracing for complex logging setups
+  - Cleaned up test fixtures and moved to proper location
+
+### 📊 **Validation Results**
+- **File Processing**: `--max-files=-1` → 1322 files analyzed ✅
+- **Limited Analysis**: `--max-files=500` → 500 files analyzed ✅  
+- **Batch Analysis**: Multi-rule analysis maintains accurate counts ✅
+- **S057 Precision**: 0 false positives on real projects ✅
+
+---
+
+## �🔧 **v1.3.6 - C067 False Positive Reduction (September 8, 2025)**
+
+**Release Date**: September 8, 2025  
+**Type**: Bug Fix & Improvement
+
+### 🐛 **Bug Fixes**
+- **FIXED**: C067 "no hardcoded config" rule - Massive false positive reduction
+  - **replace-fe**: From 296 → 2 violations (-99.3%)
+  - **replace-be**: From 171 → 3 violations (-98.2%) 
+  - **jmb-app-be**: From 121 → 5 violations (-95.9%)
+  - **mdx-cycle-hack**: From 8 → 6 violations (-25%)
+
+### 🔧 **Technical Improvements**
+- **ENHANCED**: C067 analyzer logic improvements
+  - Skip dummy/test files and entity files completely
+  - Exclude field mapping objects and ORM configurations
+  - Skip database constraint names (primaryKeyConstraintName, etc.)
+  - Focus only on truly environment-dependent configurations
+  - Exclude business logic constants and UI field mappings
+- **IMPROVED**: Rule precision - Only flag real environment config issues
+  - API endpoints, AWS service URLs, application keys
+  - Credential values and connection strings
+  - Environment-dependent timeouts and ports
+
+### 📊 **Performance**
+- **OPTIMIZED**: Reduced analysis noise by 95%+ on large projects
+- **ENHANCED**: Better developer experience with fewer false alarms
+
+---
+
 ## 🔧 **v1.3.5 - Preset System Refactor (September 8, 2025)**
 
 **Release Date**: September 8, 2025  

package/config/rule-analysis-strategies.js

@@ -61,6 +61,11 @@ module.exports = {
       methods: ['regex'],
       accuracy: { regex: 90 }
     },
+    'C070': {
+      reason: 'Real-time dependencies detection via timer/sleep patterns',
+      methods: ['regex'],
+      accuracy: { regex: 95 }
+    },
     'S001': {
       reason: 'Security patterns are often string-based',
       methods: ['regex', 'ast'],

package/config/rules/enhanced-rules-registry.json

@@ -1107,28 +1107,36 @@
       "tags": ["security", "rest", "content-type"]
     },
     "S057": {
-      "name": "UTC Logging",
-      "description": "Enforce UTC usage in time formatting and logging",
+      "name": "Log with UTC Timestamps",
+      "description": "Ensure all logs use synchronized UTC time with ISO 8601/RFC3339 format to avoid timezone discrepancies across systems",
       "category": "security",
       "severity": "warning",
       "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s057",
+      "analyzer": "./rules/security/S057_utc_logging/analyzer.js",
+      "config": "./rules/security/S057_utc_logging/config.json",
       "version": "1.0.0",
       "status": "stable",
-      "tags": ["security", "logging", "timezone"]
+      "tags": ["security", "logging", "timezone", "utc"],
+      "engineMappings": {
+        "eslint": ["custom/typescript_s057"],
+        "heuristic": ["./rules/security/S057_utc_logging/analyzer.js"]
+      }
     },
     "S058": {
-      "name": "No SSRF",
-      "description": "Detect SSRF vulnerabilities via unvalidated user-controlled URLs",
+      "name": "No SSRF (Server-Side Request Forgery)",
+      "description": "Prevent SSRF attacks by validating URLs from user input before making HTTP requests",
       "category": "security",
       "severity": "error",
       "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s058",
+      "analyzer": "./rules/security/S058_no_ssrf/analyzer.js",
+      "config": "./rules/security/S058_no_ssrf/config.json",
       "version": "1.0.0",
       "status": "stable",
-      "tags": ["security", "ssrf", "url-validation"]
+      "tags": ["security", "ssrf", "url-validation", "http-requests"],
+      "engineMappings": {
+        "heuristic": ["./rules/security/S058_no_ssrf/analyzer.js"],
+        "eslint": ["custom/typescript_s058"]
+      }
     },
     "C002": {
       "id": "C002",
@@ -1357,6 +1365,29 @@
         "heuristic": ["rules/common/C067_no_hardcoded_config/analyzer.js"]
       }
     },
+    "C070": {
+      "name": "No Real Time Tests",
+      "description": "Tests should not depend on real time delays or sleeps. Use fake timers, clock injection, or condition-based waits to improve test reliability and speed.",
+      "category": "testing",
+      "severity": "error",
+      "languages": ["typescript", "javascript"],
+      "analyzer": "../rules/common/C070_no_real_time_tests/regex-analyzer.js",
+      "config": "../rules/common/C070_no_real_time_tests/config.json",
+      "version": "1.0.0",
+      "status": "stable",
+      "tags": ["testing", "flaky-tests", "timing", "fake-timers", "reliability"],
+      "strategy": {
+        "preferred": "ast",
+        "fallbacks": ["regex"],
+        "accuracy": {
+          "ast": 95,
+          "regex": 88
+        }
+      },
+      "engineMappings": {
+        "heuristic": ["../rules/common/C070_no_real_time_tests/regex-analyzer.js"]
+      }
+    },
     "C072": {
       "id": "C072",
       "name": "Single Test Behavior",
@@ -1377,6 +1408,29 @@
         "accuracy": {}
       }
     },
+    "C073": {
+      "id": "C073",
+      "name": "Validate Required Configuration on Startup",
+      "description": "C073 - Validate mandatory configuration at startup and fail fast on invalid/missing values",
+      "category": "configuration",
+      "severity": "error",
+      "languages": ["typescript", "javascript", "java", "go"],
+      "version": "1.0.0",
+      "status": "stable",
+      "tags": ["configuration", "validation", "startup", "fail-fast"],
+      "engineMappings": {
+        "heuristic": ["rules/common/C073_validate_required_config_on_startup/analyzer.js"],
+        "semantic": ["rules/common/C073_validate_required_config_on_startup/symbol-based-analyzer.js"]
+      },
+      "strategy": {
+        "preferred": "semantic",
+        "fallbacks": ["heuristic"],
+        "accuracy": {
+          "semantic": 0.9,
+          "heuristic": 0.7
+        }
+      }
+    },
     "C075": {
       "id": "C075",
       "name": "Rule C075",
@@ -1784,6 +1838,7 @@
         "C048",
         "C052",
         "C072",
+        "C073",
         "C075",
         "T002",
         "T003",

package/core/analysis-orchestrator.js

@@ -264,7 +264,7 @@ class AnalysisOrchestrator {
       }
 
       // Merge results and add performance metrics
-      const mergedResults = this.mergeEngineResults(results, options);
+      const mergedResults = this.mergeEngineResults(results, options, optimizedFiles.length);
       mergedResults.performance = performanceMetrics;
       
       return mergedResults;
@@ -523,7 +523,7 @@ class AnalysisOrchestrator {
    * @param {Object} options - Analysis options
    * @returns {Object} Merged results
    */
-  mergeEngineResults(engineResults, options) {
+  mergeEngineResults(engineResults, options, actualFilesCount = 0) {
     const mergedResults = {
       results: [],
       summary: {
@@ -568,15 +568,19 @@ class AnalysisOrchestrator {
       // Accumulate engine statistics across batches
       mergedResults.summary.engines[engineName].rules.push(...(engineResult.rules || []));
       mergedResults.summary.engines[engineName].violations += violationCount;
-      mergedResults.summary.engines[engineName].files += engineResult.filesAnalyzed || 0;
+      // Don't accumulate filesAnalyzed for each batch - use actual unique file count
+      if (!mergedResults.summary.engines[engineName].filesSet) {
+        mergedResults.summary.engines[engineName].files = actualFilesCount;
+        mergedResults.summary.engines[engineName].filesSet = true;
+      }
       mergedResults.summary.engines[engineName].batches += 1;
       
       mergedResults.summary.totalViolations += violationCount;
-      mergedResults.summary.totalFiles += engineResult.filesAnalyzed || 0;
     }
 
-    // Update unique engine count
+    // Update unique engine count and correct total files count
     mergedResults.summary.totalEngines = uniqueEngines.size;
+    mergedResults.summary.totalFiles = actualFilesCount;
 
     return mergedResults;
   }

package/core/performance-optimizer.js

@@ -26,6 +26,12 @@ class PerformanceOptimizer {
       ...DEFAULT_PERFORMANCE,
       ...config
     };
+    
+    // Override maxTotalFiles if provided in config
+    if (config.maxFiles !== undefined) {
+      this.fileSizeLimits.maxTotalFiles = config.maxFiles;
+    }
+    
     this.initialized = true;
   }
 
@@ -106,8 +112,8 @@ class PerformanceOptimizer {
           break;
         }
         
-        // Check file count limit
-        if (filtered.length >= this.fileSizeLimits.maxTotalFiles) {
+        // Check file count limit (skip if unlimited -1)
+        if (this.fileSizeLimits.maxTotalFiles > 0 && filtered.length >= this.fileSizeLimits.maxTotalFiles) {
           if (this.config.verbose) {
             console.log(`⚠️ Reached file count limit: ${this.fileSizeLimits.maxTotalFiles} files`);
           }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sun-asterisk/sunlint",
-  "version": "1.3.5",
+  "version": "1.3.7",
   "description": "☀️ SunLint - Multi-language static analysis tool for code quality and security | Sun* Engineering Standards",
   "main": "cli.js",
   "bin": {

package/rules/common/C067_no_hardcoded_config/symbol-based-analyzer.js

@@ -246,7 +246,7 @@ class C067SymbolBasedAnalyzer {
   }
 
   isConfigOrTestFile(filePath) {
-    // Skip config files themselves and test files (NOT dummy files used in production)
+    // Skip config files themselves and test files, including dummy/test data files
     const fileName = filePath.toLowerCase();
     const configPatterns = [
       /config\.(ts|js|json)$/,
@@ -264,9 +264,12 @@ class C067SymbolBasedAnalyzer {
       /\/test\//,
       /\/tests\//,
       /\.stories\.(ts|tsx|js|jsx)$/,
-      /\.mock\.(ts|tsx|js|jsx)$/
-      // NOTE: Deliberately NOT including /dummy/ because dummy files 
-      // in production code often contain hardcoded config that should be flagged
+      /\.mock\.(ts|tsx|js|jsx)$/,
+      /\/dummy\//,                    // Skip dummy data files
+      /dummy\.(ts|js)$/,              // Skip dummy files
+      /test-fixtures\//,              // Skip test fixture files
+      /\.fixture\.(ts|js)$/,          // Skip fixture files
+      /entity\.(ts|js)$/              // Skip entity/ORM files (contain DB constraints)
     ];
     
     return configPatterns.some(pattern => pattern.test(fileName)) ||
@@ -451,66 +454,97 @@ class C067SymbolBasedAnalyzer {
     const propertyName = nameNode.getText();
     const position = sourceFile.getLineAndColumnAtPos(node.getStart());
     
-    // Skip field mapping objects
+    // Skip ALL field mapping objects and ORM/database entity configurations
     const ancestorObj = node.getParent();
     if (ancestorObj && Node.isObjectLiteralExpression(ancestorObj)) {
       const objParent = ancestorObj.getParent();
       if (objParent && Node.isVariableDeclaration(objParent)) {
         const varName = objParent.getName();
-        if (/mapping|map|field|column|decode/i.test(varName)) {
-          return null; // Skip field mapping objects
+        // Skip field mappings, database schemas, etc.
+        if (/mapping|map|field|column|decode|schema|entity|constraint|table/i.test(varName)) {
+          return null;
         }
       }
+      
+      // Check if this looks like a table column definition or field mapping
+      const objText = ancestorObj.getText();
+      if (/primaryKeyConstraintName|foreignKeyConstraintName|key.*may contain/i.test(objText)) {
+        return null; // Skip database constraint definitions
+      }
     }
     
-    // Skip common business logic properties that aren't environment-dependent
+    // Skip properties that are clearly field mappings or business data
     const businessLogicProperties = [
-      'endpoint', 'path', 'route',     // API routing
-      'limit', 'pageSize', 'batchSize', // Pagination (usually business logic)
-      'retry', 'retries', 'maxRetries', // Retry logic (usually business logic)
-      'count', 'max', 'min'             // Common limits
+      // Field mappings
+      'key', 'field', 'dataKey', 'valueKey', 'labelKey', 'sortKey',
+      // Business logic
+      'endpoint', 'path', 'route', 'method',
+      'limit', 'pageSize', 'batchSize', 'maxResults',
+      'retry', 'retries', 'maxRetries', 'attempts',
+      'count', 'max', 'min', 'size', 'length',
+      // UI properties
+      'className', 'style', 'disabled', 'readonly',
+      // Database/ORM
+      'primaryKeyConstraintName', 'foreignKeyConstraintName', 'constraintName',
+      'tableName', 'columnName', 'schemaName'
     ];
     
     const lowerPropertyName = propertyName.toLowerCase();
     if (businessLogicProperties.some(prop => lowerPropertyName.includes(prop))) {
-      // Only flag if it's clearly environment-dependent
-      let value = null;
-      if (valueNode.getKind() === SyntaxKind.StringLiteral) {
-        value = valueNode.getLiteralValue();
-        // Only flag URLs or clearly environment-dependent strings
-        if (!this.configPatterns.urls.regex.test(value) || !this.isEnvironmentDependentUrl(value)) {
-          return null;
-        }
-      } else if (valueNode.getKind() === SyntaxKind.NumericLiteral) {
-        value = valueNode.getLiteralValue();
-        const parentContext = this.getParentContext(node);
-        // Only flag if it's clearly environment-dependent (like ports, large timeouts)
-        if (!this.configPatterns.environmentNumbers.isEnvironmentDependent(value, parentContext)) {
-          return null;
-        }
-      }
+      return null; // Skip these completely
     }
     
-    // Check if property name suggests environment-dependent configuration
-    if (this.isEnvironmentDependentProperty(propertyName)) {
-      let value = null;
+    // Only check for CLEARLY environment-dependent properties
+    const trulyEnvironmentDependentProps = [
+      'baseurl', 'baseURL', 'host', 'hostname', 'server', 'endpoint', 
+      'apikey', 'api_key', 'secret_key', 'client_secret',
+      'database', 'connectionstring', 'dbhost', 'dbport',
+      'port', 'timeout', // Only when they have suspicious values
+      'bucket', 'region', // Cloud-specific
+      'clientid', 'tenantid' // OAuth-specific
+    ];
+    
+    if (!trulyEnvironmentDependentProps.some(prop => lowerPropertyName.includes(prop))) {
+      return null; // Not clearly environment-dependent
+    }
+    
+    let value = null;
+    let configType = null;
+    
+    if (valueNode.getKind() === SyntaxKind.StringLiteral) {
+      value = valueNode.getLiteralValue();
       
-      if (valueNode.getKind() === SyntaxKind.StringLiteral) {
-        value = valueNode.getLiteralValue();
-      } else if (valueNode.getKind() === SyntaxKind.NumericLiteral) {
-        value = valueNode.getLiteralValue();
+      // Only flag URLs or clearly sensitive values
+      if (this.configPatterns.urls.regex.test(value) && this.isEnvironmentDependentUrl(value)) {
+        configType = 'url';
+      } else if (this.isRealCredential(value, propertyName)) {
+        configType = 'credential';
+      } else {
+        return null; // Skip other string values
       }
+    } else if (valueNode.getKind() === SyntaxKind.NumericLiteral) {
+      value = valueNode.getLiteralValue();
+      const parentContext = this.getParentContext(node);
       
-      if (value !== null && this.looksLikeEnvironmentConfig(propertyName, value)) {
-        return {
-          type: 'property_config',
-          value: value,
-          line: position.line,
-          column: position.column,
-          node: node,
-          propertyName: propertyName
-        };
+      // Only flag numbers that are clearly environment-dependent
+      if (this.configPatterns.environmentNumbers.isEnvironmentDependent(value, parentContext)) {
+        configType = 'environment_config';
+      } else {
+        return null;
       }
+    } else {
+      return null; // Skip other value types
+    }
+    
+    if (configType) {
+      return {
+        type: configType,
+        value: value,
+        line: position.line,
+        column: position.column,
+        node: node,
+        propertyName: propertyName
+      };
     }
     
     return null;