@sun-asterisk/sunlint 1.3.6 → 1.3.7

package/rules/common/C073_validate_required_config_on_startup/config.json

@@ -0,0 +1,46 @@
+{
+  "id": "C073",
+  "name": "C073_validate_required_config_on_startup",
+  "category": "configuration",
+  "description": "C073 - Validate mandatory configuration at startup and fail fast on invalid/missing values.",
+  "severity": "error",
+  "enabled": true,
+  "semantic": { "enabled": true, "priority": "high", "fallback": "heuristic" },
+  "patterns": {
+    "include": ["**/*.ts","**/*.tsx","**/*.js","**/*.jsx","**/*.java","**/*.go"],
+    "exclude": ["**/*.test.*","**/*.spec.*","**/__tests__/**","**/fixtures/**","**/examples/**"]
+  },
+  "options": {
+    "configModules": {
+      "typescript": ["src/config/**","**/config/**","**/bootstrap/**","**/main.ts"],
+      "java": ["**/config/**","**/Configuration/**","**/Application.java","**/*Application.java"],
+      "go": ["cmd/**","**/config/**","**/main.go"]
+    },
+    "envAccessors": {
+      "typescript": ["process.env.*"],
+      "java": ["System.getenv(*)","System.getProperty(*)"],
+      "go": ["os.Getenv(*)"]
+    },
+    "schemaDetectors": {
+      "typescript": ["zod","joi","yup","envalid","dotenv-safe","class-validator"],
+      "java": ["@ConfigurationProperties","@Validated","jakarta.validation","hibernate.validator"],
+      "go": ["github.com/kelseyhightower/envconfig","github.com/spf13/viper"]
+    },
+    "failFastSignals": {
+      "typescript": ["throw new Error(*)","process.exit(1)"],
+      "java": ["throw new RuntimeException(*)","SpringApplication.exit(*)","System.exit(1)"],
+      "go": ["log.Fatal(*)","panic(*)","os.Exit(1)"]
+    },
+    "dangerousDefaults": ["|| ''","|| 0","|| 'http://localhost'","?: ''","?: 0"],
+    "thresholds": {
+      "maxEnvReadsOutsideConfig": 3
+    },
+    "policy": {
+      "requireSchemaOrExplicitChecks": true,
+      "requireFailFast": true,
+      "forbidEnvReadsOutsideConfig": true,
+      "flagDangerousDefaults": true,
+      "requireStartupConnectivityChecks": true
+    }
+  }
+}

package/rules/common/C073_validate_required_config_on_startup/symbol-based-analyzer.js

@@ -0,0 +1,370 @@
+const { traverse } = require('@babel/traverse');
+const t = require('@babel/types');
+
+class C073SymbolBasedAnalyzer {
+  constructor(options = {}) {
+    this.options = options;
+    this.configModules = options.configModules || {};
+    this.envAccessors = options.envAccessors || {};
+    this.schemaDetectors = options.schemaDetectors || {};
+    this.failFastSignals = options.failFastSignals || {};
+    this.dangerousDefaults = options.dangerousDefaults || [];
+    this.policy = options.policy || {};
+  }
+
+  analyze(ast, filePath, content) {
+    const analysis = {
+      envAccess: [],
+      schemaValidation: [],
+      failFastMechanisms: [],
+      dangerousDefaults: [],
+      connectivityChecks: [],
+      imports: [],
+      configValidation: false,
+      hasFailFast: false
+    };
+
+    const language = this.detectLanguageFromPath(filePath);
+    
+    // Analyze both config files and service files for different patterns
+    const isConfigFile = this.isConfigOrStartupFile(filePath, language);
+
+    // Traverse AST to collect information
+    traverse(ast, {
+      // Track imports for schema validation libraries
+      ImportDeclaration: (path) => {
+        const source = path.node.source.value;
+        analysis.imports.push(source);
+        
+        // Check for schema validation libraries
+        if (this.isSchemaValidationLibrary(source, language)) {
+          analysis.schemaValidation.push({
+            library: source,
+            line: path.node.loc?.start.line || 1
+          });
+        }
+      },
+
+      // Track environment variable access
+      MemberExpression: (path) => {
+        if (this.isEnvAccess(path.node, language)) {
+          const envProperty = this.getEnvProperty(path.node);
+          analysis.envAccess.push({
+            variable: envProperty,
+            match: `process.env.${envProperty}`,
+            line: path.node.loc?.start.line || 1,
+            hasDefault: this.hasDefaultValue(path.parent)
+          });
+        }
+      },
+
+      // Track call expressions for multiple purposes
+      CallExpression: (path) => {
+        const node = path.node;
+        
+        // Check for require statements
+        if (t.isIdentifier(node.callee, { name: 'require' })) {
+          const source = node.arguments[0]?.value;
+          if (source && this.isSchemaValidationLibrary(source, language)) {
+            analysis.schemaValidation.push({
+              library: source,
+              line: node.loc?.start.line || 1
+            });
+          }
+        }
+
+        // Check for fail-fast calls (process.exit, throw, etc.)
+        if (this.isFailFastCall(node, language)) {
+          analysis.failFastMechanisms.push({
+            type: this.getFailFastType(node),
+            line: node.loc?.start.line || 1
+          });
+        }
+
+        // Check for connectivity patterns (ping, connect, health check)
+        if (this.isConnectivityCheck(node)) {
+          analysis.connectivityChecks.push({
+            method: this.getConnectivityMethod(node),
+            line: node.loc?.start.line || 1
+          });
+        }
+      },
+
+      // Track dangerous default patterns
+      LogicalExpression: (path) => {
+        if (this.isDangerousDefault(path.node)) {
+          analysis.dangerousDefaults.push({
+            operator: path.node.operator,
+            pattern: this.getDangerousDefaultPattern(path.node),
+            line: path.node.loc?.start.line || 1
+          });
+        }
+      },
+
+      // Track conditional expressions with dangerous defaults
+      ConditionalExpression: (path) => {
+        if (this.isDangerousConditionalDefault(path.node)) {
+          analysis.dangerousDefaults.push({
+            type: 'conditional',
+            pattern: this.getDangerousDefaultPattern(path.node),
+            line: path.node.loc?.start.line || 1
+          });
+        }
+      },
+
+      // Check for validation patterns
+      IfStatement: (path) => {
+        if (this.isConfigValidation(path.node, analysis.envAccess)) {
+          analysis.configValidation = true;
+        }
+      },
+
+      // Check for throw statements with configuration errors
+      ThrowStatement: (path) => {
+        if (this.isConfigRelatedError(path.node)) {
+          analysis.failFastMechanisms.push({
+            type: 'throw',
+            line: path.node.loc?.start.line || 1
+          });
+        }
+      }
+    });
+
+    return analysis;
+  }
+
+  detectLanguageFromPath(filePath) {
+    const ext = filePath.split('.').pop()?.toLowerCase();
+    if (['ts', 'tsx', 'js', 'jsx'].includes(ext)) return 'typescript';
+    if (['java'].includes(ext)) return 'java';
+    if (['go'].includes(ext)) return 'go';
+    return null;
+  }
+
+  isConfigOrStartupFile(filePath, language) {
+    const configPatterns = this.configModules[language] || [];
+    return configPatterns.some(pattern => {
+      const globPattern = pattern.replace(/\*\*/g, '.*').replace(/\*/g, '[^/]*');
+      const regex = new RegExp(globPattern.replace(/\//g, '\\/'));
+      return regex.test(filePath);
+    });
+  }
+
+  isSchemaValidationLibrary(source, language) {
+    const libraries = this.schemaDetectors[language] || [];
+    return libraries.some(lib => source.includes(lib));
+  }
+
+  isEnvAccess(node, language) {
+    if (language === 'typescript') {
+      // process.env.VARIABLE
+      return (
+        t.isMemberExpression(node) &&
+        t.isMemberExpression(node.object) &&
+        t.isIdentifier(node.object.object, { name: 'process' }) &&
+        t.isIdentifier(node.object.property, { name: 'env' })
+      );
+    }
+    return false;
+  }
+
+  getEnvProperty(node) {
+    if (t.isIdentifier(node.property)) {
+      return node.property.name;
+    }
+    if (t.isStringLiteral(node.property)) {
+      return node.property.value;
+    }
+    return 'unknown';
+  }
+
+  hasDefaultValue(parent) {
+    return (
+      t.isLogicalExpression(parent) ||
+      t.isConditionalExpression(parent) ||
+      (t.isAssignmentExpression(parent) && parent.right)
+    );
+  }
+
+  isFailFastCall(node, language) {
+    if (language === 'typescript') {
+      // process.exit(1)
+      if (
+        t.isMemberExpression(node.callee) &&
+        t.isIdentifier(node.callee.object, { name: 'process' }) &&
+        t.isIdentifier(node.callee.property, { name: 'exit' })
+      ) {
+        return true;
+      }
+    }
+    return false;
+  }
+
+  getFailFastType(node) {
+    if (t.isMemberExpression(node.callee)) {
+      if (t.isIdentifier(node.callee.property, { name: 'exit' })) {
+        return 'process.exit';
+      }
+    }
+    if (t.isThrowStatement(node)) {
+      return 'throw';
+    }
+    return 'unknown';
+  }
+
+  isConnectivityCheck(node) {
+    if (!t.isCallExpression(node)) return false;
+    
+    // Check for common connectivity patterns
+    const patterns = [
+      'ping', 'connect', 'healthCheck', 'testConnection',
+      'validateConnection', 'checkHealth', 'authenticate'
+    ];
+    
+    if (t.isMemberExpression(node.callee)) {
+      const methodName = node.callee.property?.name;
+      return patterns.includes(methodName);
+    }
+    
+    if (t.isIdentifier(node.callee)) {
+      return patterns.includes(node.callee.name);
+    }
+    
+    return false;
+  }
+
+  getConnectivityMethod(node) {
+    if (t.isMemberExpression(node.callee)) {
+      return node.callee.property?.name || 'unknown';
+    }
+    if (t.isIdentifier(node.callee)) {
+      return node.callee.name;
+    }
+    return 'unknown';
+  }
+
+  isDangerousDefault(node) {
+    if (!t.isLogicalExpression(node, { operator: '||' })) {
+      return false;
+    }
+    
+    const rightValue = this.getDefaultValue(node.right);
+    const dangerousPatterns = [
+      "''", '""', '0', 'null', 'undefined',
+      "'localhost'", "'http://localhost'", "'dev'", "'development'"
+    ];
+    
+    return dangerousPatterns.includes(rightValue);
+  }
+
+  isDangerousConditionalDefault(node) {
+    if (!t.isConditionalExpression(node)) return false;
+    
+    const consequent = this.getDefaultValue(node.consequent);
+    const alternate = this.getDefaultValue(node.alternate);
+    
+    const dangerousPatterns = [
+      "''", '""', '0', 'null', 'undefined',
+      "'localhost'", "'http://localhost'", "'dev'", "'development'"
+    ];
+    
+    return dangerousPatterns.includes(consequent) || dangerousPatterns.includes(alternate);
+  }
+
+  getDangerousDefaultPattern(node) {
+    if (t.isLogicalExpression(node)) {
+      return this.getDefaultValue(node.right);
+    }
+    if (t.isConditionalExpression(node)) {
+      const consequent = this.getDefaultValue(node.consequent);
+      const alternate = this.getDefaultValue(node.alternate);
+      return `${consequent} ? ${alternate}`;
+    }
+    return 'unknown';
+  }
+
+  getDefaultValue(node) {
+    if (t.isStringLiteral(node)) {
+      return `'${node.value}'`;
+    }
+    if (t.isNumericLiteral(node)) {
+      return node.value.toString();
+    }
+    if (t.isNullLiteral(node)) {
+      return 'null';
+    }
+    if (t.isIdentifier(node, { name: 'undefined' })) {
+      return 'undefined';
+    }
+    return 'unknown';
+  }
+
+  isConfigValidation(node, envAccess) {
+    // Simple heuristic: if an if statement contains a check for environment variables
+    // and has a throw or process.exit in the consequent, it's likely validation
+    if (t.isIfStatement(node)) {
+      const test = node.test;
+      const consequent = node.consequent;
+      
+      // Check if test involves environment variables
+      const involvesEnv = this.containsEnvAccess(test);
+      
+      // Check if consequent has fail-fast behavior
+      const hasFailFast = this.containsFailFast(consequent);
+      
+      return involvesEnv && hasFailFast;
+    }
+    
+    return false;
+  }
+
+  containsEnvAccess(node) {
+    // Simple traversal to check if node contains process.env access
+    let hasEnvAccess = false;
+    
+    traverse(node, {
+      MemberExpression: (path) => {
+        if (this.isEnvAccess(path.node, 'typescript')) {
+          hasEnvAccess = true;
+          path.stop();
+        }
+      }
+    }, null, {});
+    
+    return hasEnvAccess;
+  }
+
+  containsFailFast(node) {
+    // Check if node contains fail-fast patterns
+    let hasFailFast = false;
+    
+    traverse(node, {
+      CallExpression: (path) => {
+        if (this.isFailFastCall(path.node, 'typescript')) {
+          hasFailFast = true;
+          path.stop();
+        }
+      },
+      ThrowStatement: () => {
+        hasFailFast = true;
+      }
+    }, null, {});
+    
+    return hasFailFast;
+  }
+
+  isConfigRelatedError(node) {
+    // Check if the error message is configuration-related
+    if (t.isThrowStatement(node) && t.isNewExpression(node.argument)) {
+      const args = node.argument.arguments;
+      if (args.length > 0 && t.isStringLiteral(args[0])) {
+        const message = args[0].value.toLowerCase();
+        const configKeywords = ['config', 'environment', 'env', 'missing', 'required', 'invalid'];
+        return configKeywords.some(keyword => message.includes(keyword));
+      }
+    }
+    return false;
+  }
+}
+
+module.exports = C073SymbolBasedAnalyzer;

package/rules/security/S057_utc_logging/README.md

@@ -0,0 +1,152 @@
+# S057 - Log with UTC Timestamps
+
+## Overview
+Enforce UTC usage in logging and time formatting to ensure consistency across systems and avoid timezone-related issues in log analysis.
+
+## Rule Details
+
+This rule enforces:
+- **UTC Timestamps Only**: All logged timestamps must use UTC format
+- **ISO 8601/RFC3339 Standard**: Prefer standardized time formats
+- **No Local Time**: Prevent usage of local time in logs
+- **Framework Configuration**: Ensure logging frameworks are configured for UTC
+
+## ❌ Incorrect Examples
+
+```javascript
+// Using local time
+console.log('Event at:', new Date().toString());
+console.log('Timestamp:', new Date().toLocaleString());
+
+// Non-UTC moment.js
+const moment = require('moment');
+logger.info(`Event time: ${moment().format()}`);
+
+// Local DateTime patterns
+logger.error(`Error at ${DateTime.now()}`);
+logger.warn(`Time: ${LocalDateTime.now()}`);
+
+// Framework without UTC config
+const winston = require('winston');
+const logger = winston.createLogger({
+  level: 'info',
+  format: winston.format.json(),
+  // Missing UTC timezone configuration
+});
+```
+
+## ✅ Correct Examples
+
+```javascript
+// Using UTC ISO format
+console.log('Event at:', new Date().toISOString());
+logger.info(`Event time: ${new Date().toISOString()}`);
+
+// UTC moment.js
+const moment = require('moment');
+logger.info(`Event time: ${moment.utc().format()}`);
+
+// UTC DateTime patterns
+logger.error(`Error at ${Instant.now()}`);
+logger.warn(`Time: ${OffsetDateTime.now(ZoneOffset.UTC)}`);
+
+// Proper framework configuration
+const winston = require('winston');
+const logger = winston.createLogger({
+  level: 'info',
+  format: winston.format.combine(
+    winston.format.timestamp({ format: 'YYYY-MM-DD HH:mm:ss' }),
+    winston.format.timezone('UTC'),
+    winston.format.json()
+  )
+});
+```
+
+## Configuration Options
+
+### disallowedDatePatterns
+Patterns that create timezone-dependent timestamps:
+- `new Date().toString()`
+- `new Date().toLocaleString()`
+- `DateTime.now()`
+- `LocalDateTime.now()`
+- `moment().format()`
+
+### allowedUtcPatterns
+UTC-safe timestamp patterns:
+- `toISOString()`
+- `Instant.now()`
+- `moment.utc()`
+- `dayjs.utc()`
+- `OffsetDateTime.now(ZoneOffset.UTC)`
+
+### logFrameworks
+Supported logging frameworks for configuration checking:
+- Winston
+- Pino
+- Bunyan
+- Log4js
+- Console methods
+
+## Benefits
+
+1. **Consistent Logs**: All timestamps in the same timezone
+2. **Global Compatibility**: Works across multiple regions/servers
+3. **Easy Analysis**: No timezone conversion needed for log correlation
+4. **Audit Compliance**: Standardized timestamps for security auditing
+5. **Debugging**: Simplified troubleshooting across distributed systems
+
+## Security Implications
+
+- **Audit Trail**: Consistent timestamps critical for security incident investigation
+- **Compliance**: Many security standards require UTC logging
+- **Forensics**: Timezone consistency essential for timeline reconstruction
+- **Correlation**: Multi-system log correlation requires synchronized time
+
+## Related Rules
+
+- **C019**: Log Level Usage - Proper log severity levels
+- **S056**: Sensitive Data Logging - Avoid logging sensitive information
+- **S058**: SSRF Protection - Related to secure logging practices
+
+## Implementation Notes
+
+### NTP Synchronization
+While this rule focuses on timestamp format, ensure your systems use NTP for time synchronization:
+
+```bash
+# Check NTP status
+timedatectl status
+
+# Enable NTP sync
+sudo timedatectl set-ntp true
+```
+
+### Docker Configuration
+For containerized applications:
+
+```dockerfile
+# Set timezone to UTC
+ENV TZ=UTC
+RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
+```
+
+### Database Considerations
+Ensure database timestamps also use UTC:
+
+```sql
+-- PostgreSQL
+SET timezone = 'UTC';
+
+-- MySQL
+SET time_zone = '+00:00';
+```
+
+## False Positives
+
+This rule may flag legitimate use cases in:
+- Test files (can be exempted via configuration)
+- Display/UI code (where local time is appropriate)
+- Time calculation utilities (where local time is intentional)
+
+Configure exemptions in the rule configuration as needed.