@sun-asterisk/sunlint 1.3.7 → 1.3.8

package/CHANGELOG.md

@@ -2,6 +2,44 @@
 
 ---
 
+## 🧪 **v1.3.8 - C065 Rule Enhancement & Advanced Context Analysis (October 1, 2025)**
+
+**Release Date**: October 1, 2025  
+**Type**: Major Enhancement  
+**Branch**: `feature.sunlint.heuristic_rule_c065`
+
+### ✨ **Major Features**
+- **ENHANCED**: C065 "One Behavior per Test" Rule with Advanced Context Analysis
+  - **New**: UI Workflow Detection for legitimate testing patterns
+  - **New**: UI Interaction Loop Detection (fireEvent iterations)
+  - **New**: Smart Control Flow Analysis with UI pattern exclusions
+  - **New**: Assertion context grouping for accurate behavior detection
+- **ENHANCED**: File Targeting System with Smart Test Detection
+  - **Performance**: 98% file reduction (6873 → 112 files) with `--include-tests`
+  - **Accuracy**: Intelligent project targeting and language filter override
+- **ENHANCED**: Debug Output Management
+  - **Clean**: Production-ready output with conditional debug logging
+  - **Detailed**: Comprehensive debug info available with `--verbose` flag
+
+### 🐛 **Critical Bug Fixes**
+- **FIXED**: C065 Rule Registry and Configuration
+  - **Issue**: Rule loading from incorrect `rules/quality/` path
+  - **Solution**: Updated to correct `rules/common/` path with proper categorization
+- **FIXED**: False Positive Control Flow Detection
+  - **Issue**: UI testing loops incorrectly flagged as violations
+  - **Solution**: Pattern recognition for legitimate UI element iteration
+- **FIXED**: Test File Language Filtering
+  - **Issue**: Test files excluded by language patterns
+  - **Solution**: Override exclusions for `--include-tests` flag
+
+### 🎯 **Rule Accuracy Validation**
+- **UI Loops**: `for (const checkbox of listCheckbox) { fireEvent.click(checkbox); }` ✅ No false positive
+- **Button Iteration**: `for (const button of buttons) { fireEvent.click(button); }` ✅ No false positive  
+- **Business Logic**: Complex control flow with if/else statements ❌ Properly flagged
+- **Multiple Behaviors**: Tests with multiple mock setups ❌ Properly flagged
+
+---
+
 ## � **v1.3.7 - File Count Reporting & Performance Fixes (September 11, 2025)**
 
 **Release Date**: September 11, 2025  

package/config/defaults/default.json

@@ -3,7 +3,8 @@
     "C006": true,
     "C019": true,
     "C032": true,
-    "C045": true
+    "C045": true,
+    "S054": true
   },
   "categories": ["quality", "security"],
   "integration": {

package/config/rule-analysis-strategies.js

@@ -41,6 +41,26 @@ module.exports = {
       reason: 'JSON injection detection requires AST context analysis',
       methods: ['ast', 'regex'],
       accuracy: { ast: 95, regex: 60 }
+    },
+    'S054': {
+      reason: 'Default account detection in code, SQL, and config files',
+      methods: ['regex', 'ast'],
+      accuracy: { regex: 85, ast: 90 }
+    },
+    'S052': {
+      reason: 'OTP entropy analysis requires hybrid approach for RNG detection and context awareness',
+      methods: ['regex', 'ast'],
+      accuracy: { regex: 80, ast: 90 }
+    },
+    'S051': {
+      reason: 'Password length policy requires multi-signal context detection and cross-file validation',
+      methods: ['regex', 'ast'],
+      accuracy: { regex: 85, ast: 92 }
+    },
+    'C065': {
+      reason: 'Test behavior analysis requires hybrid heuristic + AST context for multiple assertions and control flow detection',
+      methods: ['regex', 'ast'],
+      accuracy: { regex: 85, ast: 92 }
     }
   },
 

package/config/rules/enhanced-rules-registry.json

@@ -736,7 +736,13 @@
       "config": "./rules/security/S025_server_side_validation/config.json",
       "version": "1.0.0",
       "status": "stable",
-      "tags": ["security", "validation", "server-side", "owasp", "input-validation"],
+      "tags": [
+        "security",
+        "validation",
+        "server-side",
+        "owasp",
+        "input-validation"
+      ],
       "strategy": {
         "preferred": "ast",
         "fallbacks": ["ast", "regex"],
@@ -927,40 +933,71 @@
       "tags": ["security", "file-inclusion", "path-traversal"]
     },
     "S037": {
-      "name": "Require Anti Cache Headers",
-      "description": "Require anti-cache headers for sensitive content",
+      "name": "Configure comprehensive cache headers to prevent sensitive data leakage",
+      "description": "Configure comprehensive cache headers (Cache-Control: no-store, no-cache, must-revalidate, Pragma: no-cache, Expires: 0) for sensitive responses to avoid caching sensitive data in browsers or intermediaries.",
       "category": "security",
       "severity": "warning",
       "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s037",
+      "analyzer": "./rules/security/S037_cache_headers/analyzer.js",
+      "config": "./rules/security/S037_cache_headers/config.json",
       "version": "1.0.0",
-      "status": "stable",
-      "tags": ["security", "caching", "headers"]
+      "status": "experimental",
+      "tags": ["security", "caching", "headers", "privacy"],
+      "strategy": {
+        "preferred": "ast",
+        "fallbacks": ["ast", "regex"],
+        "accuracy": { "ast": 90, "regex": 75 }
+      },
+      "engineMappings": {
+        "heuristic": ["rules/security/S037_cache_headers/analyzer.js"]
+      }
     },
     "S038": {
-      "name": "No Version Disclosure",
-      "description": "Prevent version information disclosure",
+      "name": "Do not expose version information in response headers",
+      "description": "Prevent exposure of server version information through response headers (Server, X-Powered-By, X-AspNet-Version, etc.) to reduce information disclosure and potential attack vectors.",
       "category": "security",
       "severity": "warning",
       "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s038",
+      "analyzer": "./rules/security/S038_no_version_headers/analyzer.js",
+      "config": "./rules/security/S038_no_version_headers/config.json",
       "version": "1.0.0",
-      "status": "stable",
-      "tags": ["security", "information-disclosure", "version"]
+      "status": "experimental",
+      "tags": ["security", "information-disclosure", "version", "headers"],
+      "strategy": {
+        "preferred": "ast",
+        "fallbacks": ["ast", "regex"],
+        "accuracy": { "ast": 90, "regex": 75 }
+      },
+      "engineMappings": {
+        "heuristic": ["rules/security/S038_no_version_headers/analyzer.js"]
+      }
     },
     "S039": {
-      "name": "No Session Token in URL",
-      "description": "Prevent session tokens in URL parameters",
+      "name": "Do not pass Session Tokens via URL parameters",
+      "description": "Detects when session tokens, authentication tokens, JWT tokens, or other sensitive authentication data are passed as URL parameters instead of secure headers or request body. URL parameters are logged in web server logs, browser history, and can be exposed in referrer headers.",
       "category": "security",
-      "severity": "error",
+      "severity": "warning",
       "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s039",
+      "analyzer": "./rules/security/S039_no_session_tokens_in_url/analyzer.js",
+      "config": "./rules/security/S039_no_session_tokens_in_url/config.json",
       "version": "1.0.0",
-      "status": "stable",
-      "tags": ["security", "session", "url"]
+      "status": "experimental",
+      "tags": [
+        "security",
+        "session-tokens",
+        "url-parameters",
+        "authentication"
+      ],
+      "strategy": {
+        "preferred": "ast",
+        "fallbacks": ["ast", "regex"],
+        "accuracy": { "ast": 85, "regex": 70 }
+      },
+      "engineMappings": {
+        "heuristic": [
+          "rules/security/S039_no_session_tokens_in_url/analyzer.js"
+        ]
+      }
     },
     "S041": {
       "name": "Require Session Invalidate on Logout",
@@ -1058,6 +1095,36 @@
       "status": "stable",
       "tags": ["security", "password", "recovery"]
     },
+    "S049": {
+      "name": "Authentication tokens should have short validity periods",
+      "description": "Authentication tokens (JWT, session tokens, etc.) should have appropriately short validity periods to minimize the risk of token compromise. Long-lived tokens increase the attack surface and potential impact of token theft.",
+      "category": "security",
+      "severity": "error",
+      "languages": ["typescript", "javascript"],
+      "analyzer": "./rules/security/S049_short_validity_tokens/analyzer.js",
+      "config": "./rules/security/S049_short_validity_tokens/config.json",
+      "version": "1.0.0",
+      "status": "stable",
+      "tags": [
+        "security",
+        "authentication",
+        "tokens",
+        "jwt",
+        "session",
+        "owasp"
+      ],
+      "strategy": {
+        "preferred": "ast",
+        "fallbacks": ["ast", "regex"],
+        "accuracy": {
+          "ast": 90,
+          "regex": 75
+        }
+      },
+      "engineMappings": {
+        "heuristic": ["rules/security/S049_short_validity_tokens/analyzer.js"]
+      }
+    },
     "S050": {
       "name": "Session Token Weak Hash",
       "description": "Prevent weak hashing for session tokens",
@@ -1070,29 +1137,71 @@
       "status": "stable",
       "tags": ["security", "session", "hashing"]
     },
+    "S051": {
+      "name": "Password length policy enforcement (12-64 chars recommended, reject >128)",
+      "description": "Enforce strong password length policies with multi-signal detection. Prevent weak validators, missing limits, and FE/BE mismatches.",
+      "category": "security",
+      "severity": "error", 
+      "languages": ["typescript", "javascript"],
+      "analyzer": "./rules/security/S051_password_length_policy/analyzer.js",
+      "config": "./rules/security/S051_password_length_policy/config.json",
+      "eslintRule": "custom/typescript_s051",
+      "version": "1.0.0",
+      "status": "stable",
+      "tags": ["security", "password", "validation", "length", "policy"],
+      "engineMappings": {
+        "eslint": ["custom/typescript_s051"],
+        "heuristic": ["./rules/security/S051_password_length_policy/analyzer.js"]
+      }
+    },
+    "C065": {
+      "name": "One Behavior per Test (AAA Pattern)",
+      "description": "Enforce single behavior testing - each test should verify exactly one action/behavior with clear Arrange-Act-Assert structure",
+      "category": "common",
+      "severity": "warning", 
+      "languages": ["typescript", "javascript", "java", "csharp", "swift", "kotlin", "python"],
+      "analyzer": "./rules/common/C065_one_behavior_per_test/analyzer.js",
+      "config": "./rules/common/C065_one_behavior_per_test/config.json",
+      "version": "1.0.0",
+      "status": "stable",
+      "tags": ["testing", "aaa", "behavior", "maintainability", "clarity"],
+      "engineMappings": {
+        "heuristic": ["./rules/common/C065_one_behavior_per_test/analyzer.js"]
+      }
+    },
     "S052": {
-      "name": "Secure Random Authentication Code",
-      "description": "Require secure random number generation for authentication codes",
+      "name": "OTP must have ≥20-bit entropy (≥6 digits) and use CSPRNG",
+      "description": "Prevent guessable OTP by enforcing CSPRNG and minimal entropy. Ban non-crypto RNG and too-short codes.",
       "category": "security",
       "severity": "error",
       "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
+      "analyzer": "./rules/security/S052_weak_otp_entropy/analyzer.js",
+      "config": "./rules/security/S052_weak_otp_entropy/config.json",
       "eslintRule": "custom/typescript_s052",
       "version": "1.0.0",
       "status": "stable",
-      "tags": ["security", "random", "authentication"]
+      "tags": ["security", "otp", "entropy", "csprng"],
+      "engines": {
+        "eslint": ["custom/typescript_s052"],
+        "heuristic": ["./rules/security/S052_weak_otp_entropy/analyzer.js"]
+      }
     },
     "S054": {
-      "name": "Verification Default Account",
-      "description": "Verify and secure default accounts",
+      "name": "Disallow Default/Built-in Accounts (admin/root/sa/...)",
+      "description": "Prevent use of default or shared accounts. Enforce per-user identities, initial password change, and disabling well-known built-ins.",
       "category": "security",
       "severity": "error",
-      "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
+      "languages": ["typescript", "javascript", "sql", "terraform", "yaml", "dockerfile", "all"],
+      "analyzer": "./rules/security/S054_no_default_accounts/analyzer.js",
+      "config": "./rules/security/S054_no_default_accounts/config.json",
       "eslintRule": "custom/typescript_s054",
       "version": "1.0.0",
       "status": "stable",
-      "tags": ["security", "accounts", "default"]
+      "tags": ["security", "accounts", "default", "authentication", "authorization"],
+      "engines": {
+        "eslint": ["custom/typescript_s054"],
+        "heuristic": ["./rules/security/S054_no_default_accounts/analyzer.js"]
+      }
     },
     "S055": {
       "name": "REST Content-Type Verification",
@@ -1106,6 +1215,31 @@
       "status": "stable",
       "tags": ["security", "rest", "content-type"]
     },
+    "S056": {
+      "name": "Protect against Log Injection attacks",
+      "description": "Protect against Log Injection attacks. Log injection occurs when user-controlled data is written to log files without proper sanitization, potentially allowing attackers to manipulate log entries, inject malicious content, or exploit log processing systems.",
+      "category": "security",
+      "severity": "error",
+      "languages": ["typescript", "javascript"],
+      "analyzer": "./rules/security/S056_log_injection_protection/analyzer.js",
+      "config": "./rules/security/S056_log_injection_protection/config.json",
+      "version": "1.0.0",
+      "status": "stable",
+      "tags": ["security", "logging", "injection", "owasp", "crlf"],
+      "strategy": {
+        "preferred": "ast",
+        "fallbacks": ["ast", "regex"],
+        "accuracy": {
+          "ast": 95,
+          "regex": 85
+        }
+      },
+      "engineMappings": {
+        "heuristic": [
+          "rules/security/S056_log_injection_protection/analyzer.js"
+        ]
+      }
+    },
     "S057": {
       "name": "Log with UTC Timestamps",
       "description": "Ensure all logs use synchronized UTC time with ISO 8601/RFC3339 format to avoid timezone discrepancies across systems",
@@ -1353,7 +1487,13 @@
       "config": "./rules/common/C067_no_hardcoded_config/config.json",
       "version": "1.0.0",
       "status": "stable",
-      "tags": ["configuration", "hardcode", "environment", "maintainability", "security"],
+      "tags": [
+        "configuration",
+        "hardcode",
+        "environment",
+        "maintainability",
+        "security"
+      ],
       "strategy": {
         "preferred": "ast",
         "fallbacks": ["ast"],
@@ -1375,7 +1515,13 @@
       "config": "../rules/common/C070_no_real_time_tests/config.json",
       "version": "1.0.0",
       "status": "stable",
-      "tags": ["testing", "flaky-tests", "timing", "fake-timers", "reliability"],
+      "tags": [
+        "testing",
+        "flaky-tests",
+        "timing",
+        "fake-timers",
+        "reliability"
+      ],
       "strategy": {
         "preferred": "ast",
         "fallbacks": ["regex"],
@@ -1385,7 +1531,9 @@
         }
       },
       "engineMappings": {
-        "heuristic": ["../rules/common/C070_no_real_time_tests/regex-analyzer.js"]
+        "heuristic": [
+          "../rules/common/C070_no_real_time_tests/regex-analyzer.js"
+        ]
       }
     },
     "C072": {
@@ -1419,8 +1567,12 @@
       "status": "stable",
       "tags": ["configuration", "validation", "startup", "fail-fast"],
       "engineMappings": {
-        "heuristic": ["rules/common/C073_validate_required_config_on_startup/analyzer.js"],
-        "semantic": ["rules/common/C073_validate_required_config_on_startup/symbol-based-analyzer.js"]
+        "heuristic": [
+          "rules/common/C073_validate_required_config_on_startup/analyzer.js"
+        ],
+        "semantic": [
+          "rules/common/C073_validate_required_config_on_startup/symbol-based-analyzer.js"
+        ]
       },
       "strategy": {
         "preferred": "semantic",
@@ -1837,6 +1989,7 @@
         "C047",
         "C048",
         "C052",
+        "C065",
         "C072",
         "C073",
         "C075",
@@ -1906,9 +2059,11 @@
         "S047",
         "S048",
         "S050",
+        "S051",
         "S052",
         "S054",
         "S055",
+        "S056",
         "S057",
         "S058"
       ],
@@ -2003,7 +2158,7 @@
     "lastUpdated": "2025-08-25",
     "totalRules": 98,
     "qualityRules": 33,
-    "securityRules": 50,
+    "securityRules": 51,
     "stableRules": 45,
     "experimentalRules": 1,
     "supportedLanguages": 4,

package/core/file-targeting-service.js

@@ -16,7 +16,7 @@ class FileTargetingService {
 
   /**
    * Get target files based on enhanced configuration
-   * ENHANCED: Uses metadata for intelligent file targeting
+   * ENHANCED: Uses metadata for intelligent file targeting with smart project-level optimization
    */
   async getTargetFiles(inputPaths, config, cliOptions = {}) {
     try {
@@ -32,11 +32,14 @@ class FileTargetingService {
       
       let allFiles = [];
       
+      // Smart project-level optimization
+      const optimizedPaths = this.optimizeProjectPaths(inputPaths, cliOptions);
+      
       // Use enhanced targeting based on metadata
       if (metadata?.shouldBypassProjectDiscovery) {
-        allFiles = await this.collectTargetedFiles(inputPaths, config, cliOptions);
+        allFiles = await this.collectTargetedFiles(optimizedPaths, config, cliOptions);
       } else {
-        allFiles = await this.collectProjectFiles(inputPaths, config, cliOptions);
+        allFiles = await this.collectProjectFiles(optimizedPaths, config, cliOptions);
       }
 
       // Apply filtering logic
@@ -150,13 +153,69 @@ class FileTargetingService {
     return allFiles;
   }
 
+    /**
+   * Optimize project paths to focus on source and test directories
+   * Prevents unnecessary scanning of entire project when smart targeting is possible
+   */
+  optimizeProjectPaths(inputPaths, cliOptions = {}) {
+    const optimizedPaths = [];
+    
+    for (const inputPath of inputPaths) {
+      // If targeting entire project directory, try to find source/test subdirectories
+      if (fs.existsSync(inputPath) && fs.statSync(inputPath).isDirectory()) {
+        const projectOptimization = this.findProjectSourceDirs(inputPath, cliOptions);
+        if (projectOptimization.length > 0) {
+          if (cliOptions.verbose) {
+            console.log(chalk.blue(`🎯 Smart targeting: Found ${projectOptimization.length} source directories in ${path.basename(inputPath)}`));
+          }
+          optimizedPaths.push(...projectOptimization);
+        } else {
+          optimizedPaths.push(inputPath);
+        }
+      } else {
+        optimizedPaths.push(inputPath);
+      }
+    }
+    
+    return optimizedPaths;
+  }
+
+  /**
+   * Find source directories in project to avoid scanning entire project
+   */
+  findProjectSourceDirs(projectPath, cliOptions = {}) {
+    const sourceDirs = [];
+    const candidateDirs = ['src', 'lib', 'app', 'packages'];
+    const testDirs = ['test', 'tests', '__tests__', 'spec', 'specs'];
+    
+    // Always include test directories if --include-tests flag is used
+    const dirsToCheck = cliOptions.includeTests ? [...candidateDirs, ...testDirs] : candidateDirs;
+    
+    for (const dir of dirsToCheck) {
+      const dirPath = path.join(projectPath, dir);
+      if (fs.existsSync(dirPath) && fs.statSync(dirPath).isDirectory()) {
+        sourceDirs.push(dirPath);
+      }
+    }
+    
+    return sourceDirs;
+  }
+
   /**
    * Check if directory should be skipped
+   * Enhanced with more comprehensive ignore patterns
+   * Enhanced with more comprehensive ignore patterns
    */
   shouldSkipDirectory(dirName) {
     const skipDirs = [
       'node_modules', '.git', 'dist', 'build', 'coverage', 
-      '.next', '.nuxt', 'vendor', 'target', 'generated'
+      '.next', '.nuxt', 'vendor', 'target', 'generated',
+      '.vscode', '.id',
+      '.vscode', '.idea', '.husky', '.github', '.yarn',
+      'out', 'public', 'static', 'assets', 'tmp', 'temp',
+      'cache', '.cache', 'logs', 'logea', '.husky', '.github', '.yarn',
+      'out', 'public', 'static', 'assets', 'tmp', 'temp',
+      'cache', '.cache', 'logs', 'log'
     ];
     return skipDirs.includes(dirName);
   }
@@ -278,10 +337,27 @@ class FileTargetingService {
           if (debug) console.log(`🔍 [DEBUG] After include patterns ${langConfig.include}: ${langFiles.length} files`);
         }
 
-        // Apply language-specific exclude patterns
+        // Apply language-specific exclude patterns (but respect --include-tests for test files)
         if (langConfig.exclude && langConfig.exclude.length > 0) {
-          langFiles = this.applyExcludePatterns(langFiles, langConfig.exclude, debug);
-          if (debug) console.log(`🔍 [DEBUG] After exclude patterns ${langConfig.exclude}: ${langFiles.length} files`);
+          // Skip test-related exclude patterns if --include-tests is enabled
+          let effectiveExcludes = langConfig.exclude;
+          if (cliOptions.includeTests === true) {
+            // Remove test-related patterns completely
+            effectiveExcludes = langConfig.exclude.filter(pattern => {
+              const isTestPattern = pattern.includes('.test.') || pattern.includes('.spec.') || 
+                                    pattern.includes('/test/') || pattern.includes('/tests/') || 
+                                    pattern.includes('/__tests__/');
+              return !isTestPattern;
+            });
+            if (debug) console.log(`🔍 [DEBUG] --include-tests enabled, filtered excludes: ${effectiveExcludes}`);
+          }
+          
+          if (effectiveExcludes.length > 0) {
+            langFiles = this.applyExcludePatterns(langFiles, effectiveExcludes, debug);
+            if (debug) console.log(`🔍 [DEBUG] After exclude patterns ${effectiveExcludes}: ${langFiles.length} files`);
+          } else {
+            if (debug) console.log(`🔍 [DEBUG] All exclude patterns filtered out by --include-tests`);
+          }
         }
 
         languageFiles.push(...langFiles);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sun-asterisk/sunlint",
-  "version": "1.3.7",
+  "version": "1.3.8",
   "description": "☀️ SunLint - Multi-language static analysis tool for code quality and security | Sun* Engineering Standards",
   "main": "cli.js",
   "bin": {