@sun-asterisk/sunlint 1.3.6 → 1.3.8

package/CHANGELOG.md

@@ -2,7 +2,82 @@
 
 ---
 
-## 🔧 **v1.3.6 - C067 False Positive Reduction (September 8, 2025)**
+## 🧪 **v1.3.8 - C065 Rule Enhancement & Advanced Context Analysis (October 1, 2025)**
+
+**Release Date**: October 1, 2025  
+**Type**: Major Enhancement  
+**Branch**: `feature.sunlint.heuristic_rule_c065`
+
+### ✨ **Major Features**
+- **ENHANCED**: C065 "One Behavior per Test" Rule with Advanced Context Analysis
+  - **New**: UI Workflow Detection for legitimate testing patterns
+  - **New**: UI Interaction Loop Detection (fireEvent iterations)
+  - **New**: Smart Control Flow Analysis with UI pattern exclusions
+  - **New**: Assertion context grouping for accurate behavior detection
+- **ENHANCED**: File Targeting System with Smart Test Detection
+  - **Performance**: 98% file reduction (6873 → 112 files) with `--include-tests`
+  - **Accuracy**: Intelligent project targeting and language filter override
+- **ENHANCED**: Debug Output Management
+  - **Clean**: Production-ready output with conditional debug logging
+  - **Detailed**: Comprehensive debug info available with `--verbose` flag
+
+### 🐛 **Critical Bug Fixes**
+- **FIXED**: C065 Rule Registry and Configuration
+  - **Issue**: Rule loading from incorrect `rules/quality/` path
+  - **Solution**: Updated to correct `rules/common/` path with proper categorization
+- **FIXED**: False Positive Control Flow Detection
+  - **Issue**: UI testing loops incorrectly flagged as violations
+  - **Solution**: Pattern recognition for legitimate UI element iteration
+- **FIXED**: Test File Language Filtering
+  - **Issue**: Test files excluded by language patterns
+  - **Solution**: Override exclusions for `--include-tests` flag
+
+### 🎯 **Rule Accuracy Validation**
+- **UI Loops**: `for (const checkbox of listCheckbox) { fireEvent.click(checkbox); }` ✅ No false positive
+- **Button Iteration**: `for (const button of buttons) { fireEvent.click(button); }` ✅ No false positive  
+- **Business Logic**: Complex control flow with if/else statements ❌ Properly flagged
+- **Multiple Behaviors**: Tests with multiple mock setups ❌ Properly flagged
+
+---
+
+## � **v1.3.7 - File Count Reporting & Performance Fixes (September 11, 2025)**
+
+**Release Date**: September 11, 2025  
+**Type**: Bug Fix & Enhancement  
+**Branch**: `fix.sunlint.report`
+
+### 🐛 **Critical Bug Fixes**
+- **FIXED**: File count reporting accuracy in summary
+  - **Issue**: Summary showed incorrect file counts when performance filtering applied
+  - **Before**: `Files loaded: 1322` but summary `Files: 1000` (misleading)  
+  - **After**: Summary accurately reflects files actually analyzed
+- **FIXED**: File count multiplication in batch processing
+  - **Issue**: Multiple batches incorrectly accumulated file counts  
+  - **Before**: 1322 files → reported as 3000 files in batched analysis
+  - **After**: Consistent file count regardless of batch strategy
+
+### ⚡ **Performance Enhancements**
+- **ENHANCED**: `--max-files=-1` unlimited file processing
+  - **Issue**: `-1` flag was ignored, still limited to 1000 files
+  - **Solution**: Proper unlimited file processing support
+  - **Usage**: `sunlint --max-files=-1` now analyzes all files without limits
+
+### 🎯 **Rule Improvements**
+- **ENHANCED**: S057 UTC Logging rule precision (100% accuracy)
+  - Fixed false positive detection for `pino.stdTimeFunctions.isoTime`
+  - Added timezone indicator support: `'Z'`, `"Z"`, `+00:00`, `.l'Z'`
+  - Enhanced config variable tracing for complex logging setups
+  - Cleaned up test fixtures and moved to proper location
+
+### 📊 **Validation Results**
+- **File Processing**: `--max-files=-1` → 1322 files analyzed ✅
+- **Limited Analysis**: `--max-files=500` → 500 files analyzed ✅  
+- **Batch Analysis**: Multi-rule analysis maintains accurate counts ✅
+- **S057 Precision**: 0 false positives on real projects ✅
+
+---
+
+## �🔧 **v1.3.6 - C067 False Positive Reduction (September 8, 2025)**
 
 **Release Date**: September 8, 2025  
 **Type**: Bug Fix & Improvement

package/config/defaults/default.json

@@ -3,7 +3,8 @@
     "C006": true,
     "C019": true,
     "C032": true,
-    "C045": true
+    "C045": true,
+    "S054": true
   },
   "categories": ["quality", "security"],
   "integration": {

package/config/rule-analysis-strategies.js

@@ -41,6 +41,26 @@ module.exports = {
       reason: 'JSON injection detection requires AST context analysis',
       methods: ['ast', 'regex'],
       accuracy: { ast: 95, regex: 60 }
+    },
+    'S054': {
+      reason: 'Default account detection in code, SQL, and config files',
+      methods: ['regex', 'ast'],
+      accuracy: { regex: 85, ast: 90 }
+    },
+    'S052': {
+      reason: 'OTP entropy analysis requires hybrid approach for RNG detection and context awareness',
+      methods: ['regex', 'ast'],
+      accuracy: { regex: 80, ast: 90 }
+    },
+    'S051': {
+      reason: 'Password length policy requires multi-signal context detection and cross-file validation',
+      methods: ['regex', 'ast'],
+      accuracy: { regex: 85, ast: 92 }
+    },
+    'C065': {
+      reason: 'Test behavior analysis requires hybrid heuristic + AST context for multiple assertions and control flow detection',
+      methods: ['regex', 'ast'],
+      accuracy: { regex: 85, ast: 92 }
     }
   },
 

package/config/rules/enhanced-rules-registry.json

@@ -736,7 +736,13 @@
       "config": "./rules/security/S025_server_side_validation/config.json",
       "version": "1.0.0",
       "status": "stable",
-      "tags": ["security", "validation", "server-side", "owasp", "input-validation"],
+      "tags": [
+        "security",
+        "validation",
+        "server-side",
+        "owasp",
+        "input-validation"
+      ],
       "strategy": {
         "preferred": "ast",
         "fallbacks": ["ast", "regex"],
@@ -927,40 +933,71 @@
       "tags": ["security", "file-inclusion", "path-traversal"]
     },
     "S037": {
-      "name": "Require Anti Cache Headers",
-      "description": "Require anti-cache headers for sensitive content",
+      "name": "Configure comprehensive cache headers to prevent sensitive data leakage",
+      "description": "Configure comprehensive cache headers (Cache-Control: no-store, no-cache, must-revalidate, Pragma: no-cache, Expires: 0) for sensitive responses to avoid caching sensitive data in browsers or intermediaries.",
       "category": "security",
       "severity": "warning",
       "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s037",
+      "analyzer": "./rules/security/S037_cache_headers/analyzer.js",
+      "config": "./rules/security/S037_cache_headers/config.json",
       "version": "1.0.0",
-      "status": "stable",
-      "tags": ["security", "caching", "headers"]
+      "status": "experimental",
+      "tags": ["security", "caching", "headers", "privacy"],
+      "strategy": {
+        "preferred": "ast",
+        "fallbacks": ["ast", "regex"],
+        "accuracy": { "ast": 90, "regex": 75 }
+      },
+      "engineMappings": {
+        "heuristic": ["rules/security/S037_cache_headers/analyzer.js"]
+      }
     },
     "S038": {
-      "name": "No Version Disclosure",
-      "description": "Prevent version information disclosure",
+      "name": "Do not expose version information in response headers",
+      "description": "Prevent exposure of server version information through response headers (Server, X-Powered-By, X-AspNet-Version, etc.) to reduce information disclosure and potential attack vectors.",
       "category": "security",
       "severity": "warning",
       "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s038",
+      "analyzer": "./rules/security/S038_no_version_headers/analyzer.js",
+      "config": "./rules/security/S038_no_version_headers/config.json",
       "version": "1.0.0",
-      "status": "stable",
-      "tags": ["security", "information-disclosure", "version"]
+      "status": "experimental",
+      "tags": ["security", "information-disclosure", "version", "headers"],
+      "strategy": {
+        "preferred": "ast",
+        "fallbacks": ["ast", "regex"],
+        "accuracy": { "ast": 90, "regex": 75 }
+      },
+      "engineMappings": {
+        "heuristic": ["rules/security/S038_no_version_headers/analyzer.js"]
+      }
     },
     "S039": {
-      "name": "No Session Token in URL",
-      "description": "Prevent session tokens in URL parameters",
+      "name": "Do not pass Session Tokens via URL parameters",
+      "description": "Detects when session tokens, authentication tokens, JWT tokens, or other sensitive authentication data are passed as URL parameters instead of secure headers or request body. URL parameters are logged in web server logs, browser history, and can be exposed in referrer headers.",
       "category": "security",
-      "severity": "error",
+      "severity": "warning",
       "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s039",
+      "analyzer": "./rules/security/S039_no_session_tokens_in_url/analyzer.js",
+      "config": "./rules/security/S039_no_session_tokens_in_url/config.json",
       "version": "1.0.0",
-      "status": "stable",
-      "tags": ["security", "session", "url"]
+      "status": "experimental",
+      "tags": [
+        "security",
+        "session-tokens",
+        "url-parameters",
+        "authentication"
+      ],
+      "strategy": {
+        "preferred": "ast",
+        "fallbacks": ["ast", "regex"],
+        "accuracy": { "ast": 85, "regex": 70 }
+      },
+      "engineMappings": {
+        "heuristic": [
+          "rules/security/S039_no_session_tokens_in_url/analyzer.js"
+        ]
+      }
     },
     "S041": {
       "name": "Require Session Invalidate on Logout",
@@ -1058,6 +1095,36 @@
       "status": "stable",
       "tags": ["security", "password", "recovery"]
     },
+    "S049": {
+      "name": "Authentication tokens should have short validity periods",
+      "description": "Authentication tokens (JWT, session tokens, etc.) should have appropriately short validity periods to minimize the risk of token compromise. Long-lived tokens increase the attack surface and potential impact of token theft.",
+      "category": "security",
+      "severity": "error",
+      "languages": ["typescript", "javascript"],
+      "analyzer": "./rules/security/S049_short_validity_tokens/analyzer.js",
+      "config": "./rules/security/S049_short_validity_tokens/config.json",
+      "version": "1.0.0",
+      "status": "stable",
+      "tags": [
+        "security",
+        "authentication",
+        "tokens",
+        "jwt",
+        "session",
+        "owasp"
+      ],
+      "strategy": {
+        "preferred": "ast",
+        "fallbacks": ["ast", "regex"],
+        "accuracy": {
+          "ast": 90,
+          "regex": 75
+        }
+      },
+      "engineMappings": {
+        "heuristic": ["rules/security/S049_short_validity_tokens/analyzer.js"]
+      }
+    },
     "S050": {
       "name": "Session Token Weak Hash",
       "description": "Prevent weak hashing for session tokens",
@@ -1070,29 +1137,71 @@
       "status": "stable",
       "tags": ["security", "session", "hashing"]
     },
+    "S051": {
+      "name": "Password length policy enforcement (12-64 chars recommended, reject >128)",
+      "description": "Enforce strong password length policies with multi-signal detection. Prevent weak validators, missing limits, and FE/BE mismatches.",
+      "category": "security",
+      "severity": "error", 
+      "languages": ["typescript", "javascript"],
+      "analyzer": "./rules/security/S051_password_length_policy/analyzer.js",
+      "config": "./rules/security/S051_password_length_policy/config.json",
+      "eslintRule": "custom/typescript_s051",
+      "version": "1.0.0",
+      "status": "stable",
+      "tags": ["security", "password", "validation", "length", "policy"],
+      "engineMappings": {
+        "eslint": ["custom/typescript_s051"],
+        "heuristic": ["./rules/security/S051_password_length_policy/analyzer.js"]
+      }
+    },
+    "C065": {
+      "name": "One Behavior per Test (AAA Pattern)",
+      "description": "Enforce single behavior testing - each test should verify exactly one action/behavior with clear Arrange-Act-Assert structure",
+      "category": "common",
+      "severity": "warning", 
+      "languages": ["typescript", "javascript", "java", "csharp", "swift", "kotlin", "python"],
+      "analyzer": "./rules/common/C065_one_behavior_per_test/analyzer.js",
+      "config": "./rules/common/C065_one_behavior_per_test/config.json",
+      "version": "1.0.0",
+      "status": "stable",
+      "tags": ["testing", "aaa", "behavior", "maintainability", "clarity"],
+      "engineMappings": {
+        "heuristic": ["./rules/common/C065_one_behavior_per_test/analyzer.js"]
+      }
+    },
     "S052": {
-      "name": "Secure Random Authentication Code",
-      "description": "Require secure random number generation for authentication codes",
+      "name": "OTP must have ≥20-bit entropy (≥6 digits) and use CSPRNG",
+      "description": "Prevent guessable OTP by enforcing CSPRNG and minimal entropy. Ban non-crypto RNG and too-short codes.",
       "category": "security",
       "severity": "error",
       "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
+      "analyzer": "./rules/security/S052_weak_otp_entropy/analyzer.js",
+      "config": "./rules/security/S052_weak_otp_entropy/config.json",
       "eslintRule": "custom/typescript_s052",
       "version": "1.0.0",
       "status": "stable",
-      "tags": ["security", "random", "authentication"]
+      "tags": ["security", "otp", "entropy", "csprng"],
+      "engines": {
+        "eslint": ["custom/typescript_s052"],
+        "heuristic": ["./rules/security/S052_weak_otp_entropy/analyzer.js"]
+      }
     },
     "S054": {
-      "name": "Verification Default Account",
-      "description": "Verify and secure default accounts",
+      "name": "Disallow Default/Built-in Accounts (admin/root/sa/...)",
+      "description": "Prevent use of default or shared accounts. Enforce per-user identities, initial password change, and disabling well-known built-ins.",
       "category": "security",
       "severity": "error",
-      "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
+      "languages": ["typescript", "javascript", "sql", "terraform", "yaml", "dockerfile", "all"],
+      "analyzer": "./rules/security/S054_no_default_accounts/analyzer.js",
+      "config": "./rules/security/S054_no_default_accounts/config.json",
       "eslintRule": "custom/typescript_s054",
       "version": "1.0.0",
       "status": "stable",
-      "tags": ["security", "accounts", "default"]
+      "tags": ["security", "accounts", "default", "authentication", "authorization"],
+      "engines": {
+        "eslint": ["custom/typescript_s054"],
+        "heuristic": ["./rules/security/S054_no_default_accounts/analyzer.js"]
+      }
     },
     "S055": {
       "name": "REST Content-Type Verification",
@@ -1106,29 +1215,62 @@
       "status": "stable",
       "tags": ["security", "rest", "content-type"]
     },
+    "S056": {
+      "name": "Protect against Log Injection attacks",
+      "description": "Protect against Log Injection attacks. Log injection occurs when user-controlled data is written to log files without proper sanitization, potentially allowing attackers to manipulate log entries, inject malicious content, or exploit log processing systems.",
+      "category": "security",
+      "severity": "error",
+      "languages": ["typescript", "javascript"],
+      "analyzer": "./rules/security/S056_log_injection_protection/analyzer.js",
+      "config": "./rules/security/S056_log_injection_protection/config.json",
+      "version": "1.0.0",
+      "status": "stable",
+      "tags": ["security", "logging", "injection", "owasp", "crlf"],
+      "strategy": {
+        "preferred": "ast",
+        "fallbacks": ["ast", "regex"],
+        "accuracy": {
+          "ast": 95,
+          "regex": 85
+        }
+      },
+      "engineMappings": {
+        "heuristic": [
+          "rules/security/S056_log_injection_protection/analyzer.js"
+        ]
+      }
+    },
     "S057": {
-      "name": "UTC Logging",
-      "description": "Enforce UTC usage in time formatting and logging",
+      "name": "Log with UTC Timestamps",
+      "description": "Ensure all logs use synchronized UTC time with ISO 8601/RFC3339 format to avoid timezone discrepancies across systems",
       "category": "security",
       "severity": "warning",
       "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s057",
+      "analyzer": "./rules/security/S057_utc_logging/analyzer.js",
+      "config": "./rules/security/S057_utc_logging/config.json",
       "version": "1.0.0",
       "status": "stable",
-      "tags": ["security", "logging", "timezone"]
+      "tags": ["security", "logging", "timezone", "utc"],
+      "engineMappings": {
+        "eslint": ["custom/typescript_s057"],
+        "heuristic": ["./rules/security/S057_utc_logging/analyzer.js"]
+      }
     },
     "S058": {
-      "name": "No SSRF",
-      "description": "Detect SSRF vulnerabilities via unvalidated user-controlled URLs",
+      "name": "No SSRF (Server-Side Request Forgery)",
+      "description": "Prevent SSRF attacks by validating URLs from user input before making HTTP requests",
       "category": "security",
       "severity": "error",
       "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s058",
+      "analyzer": "./rules/security/S058_no_ssrf/analyzer.js",
+      "config": "./rules/security/S058_no_ssrf/config.json",
       "version": "1.0.0",
       "status": "stable",
-      "tags": ["security", "ssrf", "url-validation"]
+      "tags": ["security", "ssrf", "url-validation", "http-requests"],
+      "engineMappings": {
+        "heuristic": ["./rules/security/S058_no_ssrf/analyzer.js"],
+        "eslint": ["custom/typescript_s058"]
+      }
     },
     "C002": {
       "id": "C002",
@@ -1345,7 +1487,13 @@
       "config": "./rules/common/C067_no_hardcoded_config/config.json",
       "version": "1.0.0",
       "status": "stable",
-      "tags": ["configuration", "hardcode", "environment", "maintainability", "security"],
+      "tags": [
+        "configuration",
+        "hardcode",
+        "environment",
+        "maintainability",
+        "security"
+      ],
       "strategy": {
         "preferred": "ast",
         "fallbacks": ["ast"],
@@ -1367,7 +1515,13 @@
       "config": "../rules/common/C070_no_real_time_tests/config.json",
       "version": "1.0.0",
       "status": "stable",
-      "tags": ["testing", "flaky-tests", "timing", "fake-timers", "reliability"],
+      "tags": [
+        "testing",
+        "flaky-tests",
+        "timing",
+        "fake-timers",
+        "reliability"
+      ],
       "strategy": {
         "preferred": "ast",
         "fallbacks": ["regex"],
@@ -1377,7 +1531,9 @@
         }
       },
       "engineMappings": {
-        "heuristic": ["../rules/common/C070_no_real_time_tests/regex-analyzer.js"]
+        "heuristic": [
+          "../rules/common/C070_no_real_time_tests/regex-analyzer.js"
+        ]
       }
     },
     "C072": {
@@ -1400,6 +1556,33 @@
         "accuracy": {}
       }
     },
+    "C073": {
+      "id": "C073",
+      "name": "Validate Required Configuration on Startup",
+      "description": "C073 - Validate mandatory configuration at startup and fail fast on invalid/missing values",
+      "category": "configuration",
+      "severity": "error",
+      "languages": ["typescript", "javascript", "java", "go"],
+      "version": "1.0.0",
+      "status": "stable",
+      "tags": ["configuration", "validation", "startup", "fail-fast"],
+      "engineMappings": {
+        "heuristic": [
+          "rules/common/C073_validate_required_config_on_startup/analyzer.js"
+        ],
+        "semantic": [
+          "rules/common/C073_validate_required_config_on_startup/symbol-based-analyzer.js"
+        ]
+      },
+      "strategy": {
+        "preferred": "semantic",
+        "fallbacks": ["heuristic"],
+        "accuracy": {
+          "semantic": 0.9,
+          "heuristic": 0.7
+        }
+      }
+    },
     "C075": {
       "id": "C075",
       "name": "Rule C075",
@@ -1806,7 +1989,9 @@
         "C047",
         "C048",
         "C052",
+        "C065",
         "C072",
+        "C073",
         "C075",
         "T002",
         "T003",
@@ -1874,9 +2059,11 @@
         "S047",
         "S048",
         "S050",
+        "S051",
         "S052",
         "S054",
         "S055",
+        "S056",
         "S057",
         "S058"
       ],
@@ -1971,7 +2158,7 @@
     "lastUpdated": "2025-08-25",
     "totalRules": 98,
     "qualityRules": 33,
-    "securityRules": 50,
+    "securityRules": 51,
     "stableRules": 45,
     "experimentalRules": 1,
     "supportedLanguages": 4,

package/core/analysis-orchestrator.js

@@ -264,7 +264,7 @@ class AnalysisOrchestrator {
       }
 
       // Merge results and add performance metrics
-      const mergedResults = this.mergeEngineResults(results, options);
+      const mergedResults = this.mergeEngineResults(results, options, optimizedFiles.length);
       mergedResults.performance = performanceMetrics;
       
       return mergedResults;
@@ -523,7 +523,7 @@ class AnalysisOrchestrator {
    * @param {Object} options - Analysis options
    * @returns {Object} Merged results
    */
-  mergeEngineResults(engineResults, options) {
+  mergeEngineResults(engineResults, options, actualFilesCount = 0) {
     const mergedResults = {
       results: [],
       summary: {
@@ -568,15 +568,19 @@ class AnalysisOrchestrator {
       // Accumulate engine statistics across batches
       mergedResults.summary.engines[engineName].rules.push(...(engineResult.rules || []));
       mergedResults.summary.engines[engineName].violations += violationCount;
-      mergedResults.summary.engines[engineName].files += engineResult.filesAnalyzed || 0;
+      // Don't accumulate filesAnalyzed for each batch - use actual unique file count
+      if (!mergedResults.summary.engines[engineName].filesSet) {
+        mergedResults.summary.engines[engineName].files = actualFilesCount;
+        mergedResults.summary.engines[engineName].filesSet = true;
+      }
       mergedResults.summary.engines[engineName].batches += 1;
       
       mergedResults.summary.totalViolations += violationCount;
-      mergedResults.summary.totalFiles += engineResult.filesAnalyzed || 0;
     }
 
-    // Update unique engine count
+    // Update unique engine count and correct total files count
     mergedResults.summary.totalEngines = uniqueEngines.size;
+    mergedResults.summary.totalFiles = actualFilesCount;
 
     return mergedResults;
   }