@sun-asterisk/sunlint 1.3.6 → 1.3.7

package/CHANGELOG.md

@@ -2,7 +2,44 @@
 
 ---
 
-## 🔧 **v1.3.6 - C067 False Positive Reduction (September 8, 2025)**
+## � **v1.3.7 - File Count Reporting & Performance Fixes (September 11, 2025)**
+
+**Release Date**: September 11, 2025  
+**Type**: Bug Fix & Enhancement  
+**Branch**: `fix.sunlint.report`
+
+### 🐛 **Critical Bug Fixes**
+- **FIXED**: File count reporting accuracy in summary
+  - **Issue**: Summary showed incorrect file counts when performance filtering applied
+  - **Before**: `Files loaded: 1322` but summary `Files: 1000` (misleading)  
+  - **After**: Summary accurately reflects files actually analyzed
+- **FIXED**: File count multiplication in batch processing
+  - **Issue**: Multiple batches incorrectly accumulated file counts  
+  - **Before**: 1322 files → reported as 3000 files in batched analysis
+  - **After**: Consistent file count regardless of batch strategy
+
+### ⚡ **Performance Enhancements**
+- **ENHANCED**: `--max-files=-1` unlimited file processing
+  - **Issue**: `-1` flag was ignored, still limited to 1000 files
+  - **Solution**: Proper unlimited file processing support
+  - **Usage**: `sunlint --max-files=-1` now analyzes all files without limits
+
+### 🎯 **Rule Improvements**
+- **ENHANCED**: S057 UTC Logging rule precision (100% accuracy)
+  - Fixed false positive detection for `pino.stdTimeFunctions.isoTime`
+  - Added timezone indicator support: `'Z'`, `"Z"`, `+00:00`, `.l'Z'`
+  - Enhanced config variable tracing for complex logging setups
+  - Cleaned up test fixtures and moved to proper location
+
+### 📊 **Validation Results**
+- **File Processing**: `--max-files=-1` → 1322 files analyzed ✅
+- **Limited Analysis**: `--max-files=500` → 500 files analyzed ✅  
+- **Batch Analysis**: Multi-rule analysis maintains accurate counts ✅
+- **S057 Precision**: 0 false positives on real projects ✅
+
+---
+
+## �🔧 **v1.3.6 - C067 False Positive Reduction (September 8, 2025)**
 
 **Release Date**: September 8, 2025  
 **Type**: Bug Fix & Improvement

package/config/rules/enhanced-rules-registry.json

@@ -1107,28 +1107,36 @@
       "tags": ["security", "rest", "content-type"]
     },
     "S057": {
-      "name": "UTC Logging",
-      "description": "Enforce UTC usage in time formatting and logging",
+      "name": "Log with UTC Timestamps",
+      "description": "Ensure all logs use synchronized UTC time with ISO 8601/RFC3339 format to avoid timezone discrepancies across systems",
       "category": "security",
       "severity": "warning",
       "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s057",
+      "analyzer": "./rules/security/S057_utc_logging/analyzer.js",
+      "config": "./rules/security/S057_utc_logging/config.json",
       "version": "1.0.0",
       "status": "stable",
-      "tags": ["security", "logging", "timezone"]
+      "tags": ["security", "logging", "timezone", "utc"],
+      "engineMappings": {
+        "eslint": ["custom/typescript_s057"],
+        "heuristic": ["./rules/security/S057_utc_logging/analyzer.js"]
+      }
     },
     "S058": {
-      "name": "No SSRF",
-      "description": "Detect SSRF vulnerabilities via unvalidated user-controlled URLs",
+      "name": "No SSRF (Server-Side Request Forgery)",
+      "description": "Prevent SSRF attacks by validating URLs from user input before making HTTP requests",
       "category": "security",
       "severity": "error",
       "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s058",
+      "analyzer": "./rules/security/S058_no_ssrf/analyzer.js",
+      "config": "./rules/security/S058_no_ssrf/config.json",
       "version": "1.0.0",
       "status": "stable",
-      "tags": ["security", "ssrf", "url-validation"]
+      "tags": ["security", "ssrf", "url-validation", "http-requests"],
+      "engineMappings": {
+        "heuristic": ["./rules/security/S058_no_ssrf/analyzer.js"],
+        "eslint": ["custom/typescript_s058"]
+      }
     },
     "C002": {
       "id": "C002",
@@ -1400,6 +1408,29 @@
         "accuracy": {}
       }
     },
+    "C073": {
+      "id": "C073",
+      "name": "Validate Required Configuration on Startup",
+      "description": "C073 - Validate mandatory configuration at startup and fail fast on invalid/missing values",
+      "category": "configuration",
+      "severity": "error",
+      "languages": ["typescript", "javascript", "java", "go"],
+      "version": "1.0.0",
+      "status": "stable",
+      "tags": ["configuration", "validation", "startup", "fail-fast"],
+      "engineMappings": {
+        "heuristic": ["rules/common/C073_validate_required_config_on_startup/analyzer.js"],
+        "semantic": ["rules/common/C073_validate_required_config_on_startup/symbol-based-analyzer.js"]
+      },
+      "strategy": {
+        "preferred": "semantic",
+        "fallbacks": ["heuristic"],
+        "accuracy": {
+          "semantic": 0.9,
+          "heuristic": 0.7
+        }
+      }
+    },
     "C075": {
       "id": "C075",
       "name": "Rule C075",
@@ -1807,6 +1838,7 @@
         "C048",
         "C052",
         "C072",
+        "C073",
         "C075",
         "T002",
         "T003",

package/core/analysis-orchestrator.js

@@ -264,7 +264,7 @@ class AnalysisOrchestrator {
       }
 
       // Merge results and add performance metrics
-      const mergedResults = this.mergeEngineResults(results, options);
+      const mergedResults = this.mergeEngineResults(results, options, optimizedFiles.length);
       mergedResults.performance = performanceMetrics;
       
       return mergedResults;
@@ -523,7 +523,7 @@ class AnalysisOrchestrator {
    * @param {Object} options - Analysis options
    * @returns {Object} Merged results
    */
-  mergeEngineResults(engineResults, options) {
+  mergeEngineResults(engineResults, options, actualFilesCount = 0) {
     const mergedResults = {
       results: [],
       summary: {
@@ -568,15 +568,19 @@ class AnalysisOrchestrator {
       // Accumulate engine statistics across batches
       mergedResults.summary.engines[engineName].rules.push(...(engineResult.rules || []));
       mergedResults.summary.engines[engineName].violations += violationCount;
-      mergedResults.summary.engines[engineName].files += engineResult.filesAnalyzed || 0;
+      // Don't accumulate filesAnalyzed for each batch - use actual unique file count
+      if (!mergedResults.summary.engines[engineName].filesSet) {
+        mergedResults.summary.engines[engineName].files = actualFilesCount;
+        mergedResults.summary.engines[engineName].filesSet = true;
+      }
       mergedResults.summary.engines[engineName].batches += 1;
       
       mergedResults.summary.totalViolations += violationCount;
-      mergedResults.summary.totalFiles += engineResult.filesAnalyzed || 0;
     }
 
-    // Update unique engine count
+    // Update unique engine count and correct total files count
     mergedResults.summary.totalEngines = uniqueEngines.size;
+    mergedResults.summary.totalFiles = actualFilesCount;
 
     return mergedResults;
   }

package/core/performance-optimizer.js

@@ -26,6 +26,12 @@ class PerformanceOptimizer {
       ...DEFAULT_PERFORMANCE,
       ...config
     };
+    
+    // Override maxTotalFiles if provided in config
+    if (config.maxFiles !== undefined) {
+      this.fileSizeLimits.maxTotalFiles = config.maxFiles;
+    }
+    
     this.initialized = true;
   }
 
@@ -106,8 +112,8 @@ class PerformanceOptimizer {
           break;
         }
         
-        // Check file count limit
-        if (filtered.length >= this.fileSizeLimits.maxTotalFiles) {
+        // Check file count limit (skip if unlimited -1)
+        if (this.fileSizeLimits.maxTotalFiles > 0 && filtered.length >= this.fileSizeLimits.maxTotalFiles) {
           if (this.config.verbose) {
             console.log(`⚠️ Reached file count limit: ${this.fileSizeLimits.maxTotalFiles} files`);
           }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sun-asterisk/sunlint",
-  "version": "1.3.6",
+  "version": "1.3.7",
   "description": "☀️ SunLint - Multi-language static analysis tool for code quality and security | Sun* Engineering Standards",
   "main": "cli.js",
   "bin": {

package/rules/common/C073_validate_required_config_on_startup/README.md

@@ -0,0 +1,110 @@
+# C073 - Validate Required Configuration on Startup
+
+## Mục tiêu
+Tránh lỗi runtime không rõ nguyên nhân do thiếu hoặc sai cấu hình. Đảm bảo ứng dụng dừng sớm (fail fast) nếu thiếu cấu hình quan trọng.
+
+## Mô tả
+Rule này kiểm tra việc validate cấu hình bắt buộc ngay khi ứng dụng khởi động và yêu cầu hệ thống fail fast nếu có vấn đề với cấu hình.
+
+## Các điều kiện kiểm tra
+
+### 1. Schema Validation hoặc Explicit Checks
+- Tất cả cấu hình bắt buộc phải được validate bằng schema libraries (zod, joi, yup, etc.) hoặc explicit checks
+- Không được truy cập `process.env` mà không có validation
+
+### 2. Fail Fast Behavior
+- Khi phát hiện cấu hình thiếu hoặc không hợp lệ, ứng dụng phải dừng ngay lập tức
+- Sử dụng `process.exit(1)`, `throw Error`, hoặc tương tự
+
+### 3. Centralized Configuration
+- Hạn chế việc truy cập environment variables rải rác trong code
+- Tập trung xử lý cấu hình trong các module chuyên dụng
+
+### 4. No Dangerous Defaults
+- Không sử dụng default values nguy hiểm như empty string, localhost URLs
+- Flag các pattern như `|| ''`, `|| 0`, `|| 'http://localhost'`
+
+### 5. Startup Connectivity Checks
+- Với database hoặc external services, cần có connectivity check khi startup
+- Test kết nối trước khi application bắt đầu phục vụ requests
+
+## Ví dụ
+
+### ❌ Không đúng
+```typescript
+// Không có validation, dangerous defaults
+const config = {
+  apiKey: process.env.API_KEY || 'default-key',
+  dbUrl: process.env.DATABASE_URL || '',
+  port: process.env.PORT || 3000
+};
+
+function startServer() {
+  const server = createServer();
+  server.listen(config.port); // Có thể fail runtime nếu config sai
+}
+```
+
+### ✅ Đúng
+```typescript
+import { z } from 'zod';
+
+const configSchema = z.object({
+  API_KEY: z.string().min(1, 'API_KEY is required'),
+  DATABASE_URL: z.string().url('DATABASE_URL must be valid URL'),
+  PORT: z.string().transform(val => parseInt(val, 10))
+});
+
+function validateConfig() {
+  try {
+    return configSchema.parse(process.env);
+  } catch (error) {
+    console.error('Configuration validation failed:', error.message);
+    process.exit(1); // Fail fast
+  }
+}
+
+export const config = validateConfig();
+
+async function checkDatabaseConnection() {
+  try {
+    const connection = await connectToDatabase(config.DATABASE_URL);
+    await connection.ping();
+  } catch (error) {
+    console.error('Database connection failed:', error.message);
+    process.exit(1); // Fail fast on connectivity issues
+  }
+}
+```
+
+## Cấu hình
+
+### Schema Validation Libraries
+- **TypeScript/JavaScript**: zod, joi, yup, envalid, dotenv-safe, class-validator
+- **Java**: @ConfigurationProperties, @Validated, jakarta.validation, hibernate.validator  
+- **Go**: envconfig, viper
+
+### Fail Fast Mechanisms
+- **TypeScript/JavaScript**: `throw new Error()`, `process.exit(1)`
+- **Java**: `throw new RuntimeException()`, `SpringApplication.exit()`, `System.exit(1)`
+- **Go**: `log.Fatal()`, `panic()`, `os.Exit(1)`
+
+### Policy Options
+- `requireSchemaOrExplicitChecks`: Bắt buộc có validation
+- `requireFailFast`: Bắt buộc có fail fast mechanism
+- `forbidEnvReadsOutsideConfig`: Hạn chế env access ngoài config modules
+- `flagDangerousDefaults`: Cảnh báo về dangerous default values
+- `requireStartupConnectivityChecks`: Yêu cầu connectivity check
+
+## Mức độ nghiêm trọng
+**Error** - Rule này có thể ngăn chặn các lỗi runtime nghiêm trọng và khó debug.
+
+## Ngôn ngữ hỗ trợ
+- TypeScript/JavaScript
+- Java  
+- Go
+
+## Tham khảo
+- [Fail Fast Principle](https://en.wikipedia.org/wiki/Fail-fast)
+- [Configuration Validation Best Practices](https://12factor.net/config)
+- [Schema Validation Libraries](https://github.com/colinhacks/zod)