@sun-asterisk/sunlint 1.3.7 → 1.3.9

package/CHANGELOG.md

@@ -2,6 +2,69 @@
 
 ---
 
+## 🔧 **v1.3.9 - File Targeting Regression Fix (October 2, 2025)**
+
+**Release Date**: October 2, 2025  
+**Type**: Bug Fix  
+**Branch**: `feature.sunlint.heuristic_rule_c065`
+
+### 🐛 **Critical Bug Fixes**
+- **FIXED**: File targeting regression where user-specified source directories were incorrectly optimized
+  - **Issue**: When using `--input=examples/project-samples/replace-fe/src`, file count dropped from 2.2K to 254 files
+  - **Root Cause**: `optimizeProjectPaths` function incorrectly treated user-specified source directories as project roots
+  - **Solution**: Added source directory detection logic to bypass optimization for `src`, `lib`, `app`, `packages`, `test` directories
+  - **Impact**: Full file coverage restored - all 1507 .tsx files now properly included
+
+### ⚡ **Performance Improvements**
+- **ENHANCED**: File targeting logic with smart source directory detection
+- **OPTIMIZED**: Direct targeting for user-specified source paths
+
+### 📝 **Technical Details**
+- Modified `file-targeting-service.js` `optimizeProjectPaths` function
+- Added `sourceDirectoryNames` array for known source directory patterns
+- Implemented basename checking to detect when users specify source directories directly
+- Maintained backward compatibility with existing project structure detection
+
+---
+
+## 🧪 **v1.3.8 - C065 Rule Enhancement & Advanced Context Analysis (October 1, 2025)**
+
+**Release Date**: October 1, 2025  
+**Type**: Major Enhancement  
+**Branch**: `feature.sunlint.heuristic_rule_c065`
+
+### ✨ **Major Features**
+- **ENHANCED**: C065 "One Behavior per Test" Rule with Advanced Context Analysis
+  - **New**: UI Workflow Detection for legitimate testing patterns
+  - **New**: UI Interaction Loop Detection (fireEvent iterations)
+  - **New**: Smart Control Flow Analysis with UI pattern exclusions
+  - **New**: Assertion context grouping for accurate behavior detection
+- **ENHANCED**: File Targeting System with Smart Test Detection
+  - **Performance**: 98% file reduction (6873 → 112 files) with `--include-tests`
+  - **Accuracy**: Intelligent project targeting and language filter override
+- **ENHANCED**: Debug Output Management
+  - **Clean**: Production-ready output with conditional debug logging
+  - **Detailed**: Comprehensive debug info available with `--verbose` flag
+
+### 🐛 **Critical Bug Fixes**
+- **FIXED**: C065 Rule Registry and Configuration
+  - **Issue**: Rule loading from incorrect `rules/quality/` path
+  - **Solution**: Updated to correct `rules/common/` path with proper categorization
+- **FIXED**: False Positive Control Flow Detection
+  - **Issue**: UI testing loops incorrectly flagged as violations
+  - **Solution**: Pattern recognition for legitimate UI element iteration
+- **FIXED**: Test File Language Filtering
+  - **Issue**: Test files excluded by language patterns
+  - **Solution**: Override exclusions for `--include-tests` flag
+
+### 🎯 **Rule Accuracy Validation**
+- **UI Loops**: `for (const checkbox of listCheckbox) { fireEvent.click(checkbox); }` ✅ No false positive
+- **Button Iteration**: `for (const button of buttons) { fireEvent.click(button); }` ✅ No false positive  
+- **Business Logic**: Complex control flow with if/else statements ❌ Properly flagged
+- **Multiple Behaviors**: Tests with multiple mock setups ❌ Properly flagged
+
+---
+
 ## � **v1.3.7 - File Count Reporting & Performance Fixes (September 11, 2025)**
 
 **Release Date**: September 11, 2025  

package/config/defaults/default.json

@@ -3,7 +3,8 @@
     "C006": true,
     "C019": true,
     "C032": true,
-    "C045": true
+    "C045": true,
+    "S054": true
   },
   "categories": ["quality", "security"],
   "integration": {

package/config/rule-analysis-strategies.js

@@ -41,6 +41,26 @@ module.exports = {
       reason: 'JSON injection detection requires AST context analysis',
       methods: ['ast', 'regex'],
       accuracy: { ast: 95, regex: 60 }
+    },
+    'S054': {
+      reason: 'Default account detection in code, SQL, and config files',
+      methods: ['regex', 'ast'],
+      accuracy: { regex: 85, ast: 90 }
+    },
+    'S052': {
+      reason: 'OTP entropy analysis requires hybrid approach for RNG detection and context awareness',
+      methods: ['regex', 'ast'],
+      accuracy: { regex: 80, ast: 90 }
+    },
+    'S051': {
+      reason: 'Password length policy requires multi-signal context detection and cross-file validation',
+      methods: ['regex', 'ast'],
+      accuracy: { regex: 85, ast: 92 }
+    },
+    'C065': {
+      reason: 'Test behavior analysis requires hybrid heuristic + AST context for multiple assertions and control flow detection',
+      methods: ['regex', 'ast'],
+      accuracy: { regex: 85, ast: 92 }
     }
   },
 

package/config/rules/enhanced-rules-registry.json

@@ -660,16 +660,51 @@
       "tags": ["security", "email", "injection"]
     },
     "S020": {
-      "name": "No Eval Dynamic Execution",
-      "description": "Prevent eval and dynamic code execution",
+      "name": "Avoid using eval() or executing dynamic code",
+      "description": "Avoid using eval() or executing dynamic code as it can lead to code injection vulnerabilities and compromise application security.",
       "category": "security",
       "severity": "error",
       "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s020",
+      "analyzer": "./rules/security/S020_no_eval_dynamic_code/analyzer.js",
+      "config": "./rules/security/S020_no_eval_dynamic_code/config.json",
       "version": "1.0.0",
-      "status": "stable",
-      "tags": ["security", "eval", "dynamic-execution"]
+      "status": "experimental",
+      "tags": ["security", "eval", "dynamic-execution", "code-injection"],
+      "strategy": {
+        "preferred": "ast",
+        "fallbacks": ["ast", "regex"],
+        "accuracy": { "ast": 95, "regex": 85 }
+      },
+      "engineMappings": {
+        "heuristic": ["rules/security/S020_no_eval_dynamic_code/analyzer.js"]
+      }
+    },
+    "S030": {
+      "name": "Disable directory browsing and protect sensitive metadata files",
+      "description": "Disable directory browsing and protect sensitive metadata files (.git/, .env, config files, etc.) to prevent information disclosure and potential security vulnerabilities.",
+      "category": "security",
+      "severity": "error",
+      "languages": ["typescript", "javascript"],
+      "analyzer": "./rules/security/S030_directory_browsing_protection/analyzer.js",
+      "config": "./rules/security/S030_directory_browsing_protection/config.json",
+      "version": "1.0.0",
+      "status": "experimental",
+      "tags": [
+        "security",
+        "directory-browsing",
+        "information-disclosure",
+        "metadata-protection"
+      ],
+      "strategy": {
+        "preferred": "ast",
+        "fallbacks": ["ast", "regex"],
+        "accuracy": { "ast": 90, "regex": 75 }
+      },
+      "engineMappings": {
+        "heuristic": [
+          "rules/security/S030_directory_browsing_protection/analyzer.js"
+        ]
+      }
     },
     "S022": {
       "name": "Output Encoding Required",
@@ -736,7 +771,13 @@
       "config": "./rules/security/S025_server_side_validation/config.json",
       "version": "1.0.0",
       "status": "stable",
-      "tags": ["security", "validation", "server-side", "owasp", "input-validation"],
+      "tags": [
+        "security",
+        "validation",
+        "server-side",
+        "owasp",
+        "input-validation"
+      ],
       "strategy": {
         "preferred": "ast",
         "fallbacks": ["ast", "regex"],
@@ -785,18 +826,6 @@
       "status": "stable",
       "tags": ["security", "csrf", "protection"]
     },
-    "S030": {
-      "name": "No Directory Browsing",
-      "description": "Prevent directory browsing vulnerabilities",
-      "category": "security",
-      "severity": "error",
-      "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s030",
-      "version": "1.0.0",
-      "status": "stable",
-      "tags": ["security", "directory-browsing", "information-disclosure"]
-    },
     "S031": {
       "name": "Set Secure flag for Session Cookies",
       "description": "Set Secure flag for Session Cookies to protect via HTTPS. This ensures cookies are only transmitted over secure connections, preventing interception.",
@@ -927,40 +956,71 @@
       "tags": ["security", "file-inclusion", "path-traversal"]
     },
     "S037": {
-      "name": "Require Anti Cache Headers",
-      "description": "Require anti-cache headers for sensitive content",
+      "name": "Configure comprehensive cache headers to prevent sensitive data leakage",
+      "description": "Configure comprehensive cache headers (Cache-Control: no-store, no-cache, must-revalidate, Pragma: no-cache, Expires: 0) for sensitive responses to avoid caching sensitive data in browsers or intermediaries.",
       "category": "security",
       "severity": "warning",
       "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s037",
+      "analyzer": "./rules/security/S037_cache_headers/analyzer.js",
+      "config": "./rules/security/S037_cache_headers/config.json",
       "version": "1.0.0",
-      "status": "stable",
-      "tags": ["security", "caching", "headers"]
+      "status": "experimental",
+      "tags": ["security", "caching", "headers", "privacy"],
+      "strategy": {
+        "preferred": "ast",
+        "fallbacks": ["ast", "regex"],
+        "accuracy": { "ast": 90, "regex": 75 }
+      },
+      "engineMappings": {
+        "heuristic": ["rules/security/S037_cache_headers/analyzer.js"]
+      }
     },
     "S038": {
-      "name": "No Version Disclosure",
-      "description": "Prevent version information disclosure",
+      "name": "Do not expose version information in response headers",
+      "description": "Prevent exposure of server version information through response headers (Server, X-Powered-By, X-AspNet-Version, etc.) to reduce information disclosure and potential attack vectors.",
       "category": "security",
       "severity": "warning",
       "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s038",
+      "analyzer": "./rules/security/S038_no_version_headers/analyzer.js",
+      "config": "./rules/security/S038_no_version_headers/config.json",
       "version": "1.0.0",
-      "status": "stable",
-      "tags": ["security", "information-disclosure", "version"]
+      "status": "experimental",
+      "tags": ["security", "information-disclosure", "version", "headers"],
+      "strategy": {
+        "preferred": "ast",
+        "fallbacks": ["ast", "regex"],
+        "accuracy": { "ast": 90, "regex": 75 }
+      },
+      "engineMappings": {
+        "heuristic": ["rules/security/S038_no_version_headers/analyzer.js"]
+      }
     },
     "S039": {
-      "name": "No Session Token in URL",
-      "description": "Prevent session tokens in URL parameters",
+      "name": "Do not pass Session Tokens via URL parameters",
+      "description": "Detects when session tokens, authentication tokens, JWT tokens, or other sensitive authentication data are passed as URL parameters instead of secure headers or request body. URL parameters are logged in web server logs, browser history, and can be exposed in referrer headers.",
       "category": "security",
-      "severity": "error",
+      "severity": "warning",
       "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s039",
+      "analyzer": "./rules/security/S039_no_session_tokens_in_url/analyzer.js",
+      "config": "./rules/security/S039_no_session_tokens_in_url/config.json",
       "version": "1.0.0",
-      "status": "stable",
-      "tags": ["security", "session", "url"]
+      "status": "experimental",
+      "tags": [
+        "security",
+        "session-tokens",
+        "url-parameters",
+        "authentication"
+      ],
+      "strategy": {
+        "preferred": "ast",
+        "fallbacks": ["ast", "regex"],
+        "accuracy": { "ast": 85, "regex": 70 }
+      },
+      "engineMappings": {
+        "heuristic": [
+          "rules/security/S039_no_session_tokens_in_url/analyzer.js"
+        ]
+      }
     },
     "S041": {
       "name": "Require Session Invalidate on Logout",
@@ -1058,6 +1118,36 @@
       "status": "stable",
       "tags": ["security", "password", "recovery"]
     },
+    "S049": {
+      "name": "Authentication tokens should have short validity periods",
+      "description": "Authentication tokens (JWT, session tokens, etc.) should have appropriately short validity periods to minimize the risk of token compromise. Long-lived tokens increase the attack surface and potential impact of token theft.",
+      "category": "security",
+      "severity": "error",
+      "languages": ["typescript", "javascript"],
+      "analyzer": "./rules/security/S049_short_validity_tokens/analyzer.js",
+      "config": "./rules/security/S049_short_validity_tokens/config.json",
+      "version": "1.0.0",
+      "status": "stable",
+      "tags": [
+        "security",
+        "authentication",
+        "tokens",
+        "jwt",
+        "session",
+        "owasp"
+      ],
+      "strategy": {
+        "preferred": "ast",
+        "fallbacks": ["ast", "regex"],
+        "accuracy": {
+          "ast": 90,
+          "regex": 75
+        }
+      },
+      "engineMappings": {
+        "heuristic": ["rules/security/S049_short_validity_tokens/analyzer.js"]
+      }
+    },
     "S050": {
       "name": "Session Token Weak Hash",
       "description": "Prevent weak hashing for session tokens",
@@ -1070,29 +1160,87 @@
       "status": "stable",
       "tags": ["security", "session", "hashing"]
     },
+    "S051": {
+      "name": "Password length policy enforcement (12-64 chars recommended, reject >128)",
+      "description": "Enforce strong password length policies with multi-signal detection. Prevent weak validators, missing limits, and FE/BE mismatches.",
+      "category": "security",
+      "severity": "error",
+      "languages": ["typescript", "javascript"],
+      "analyzer": "./rules/security/S051_password_length_policy/analyzer.js",
+      "config": "./rules/security/S051_password_length_policy/config.json",
+      "eslintRule": "custom/typescript_s051",
+      "version": "1.0.0",
+      "status": "stable",
+      "tags": ["security", "password", "validation", "length", "policy"],
+      "engineMappings": {
+        "eslint": ["custom/typescript_s051"],
+        "heuristic": [
+          "./rules/security/S051_password_length_policy/analyzer.js"
+        ]
+      }
+    },
+    "C065": {
+      "name": "One Behavior per Test (AAA Pattern)",
+      "description": "Enforce single behavior testing - each test should verify exactly one action/behavior with clear Arrange-Act-Assert structure",
+      "category": "common",
+      "severity": "warning", 
+      "languages": ["typescript", "javascript", "java", "csharp", "swift", "kotlin", "python"],
+      "analyzer": "./rules/common/C065_one_behavior_per_test/analyzer.js",
+      "config": "./rules/common/C065_one_behavior_per_test/config.json",
+      "version": "1.0.0",
+      "status": "stable",
+      "tags": ["testing", "aaa", "behavior", "maintainability", "clarity"],
+      "engineMappings": {
+        "heuristic": ["./rules/common/C065_one_behavior_per_test/analyzer.js"]
+      }
+    },
     "S052": {
-      "name": "Secure Random Authentication Code",
-      "description": "Require secure random number generation for authentication codes",
+      "name": "OTP must have ≥20-bit entropy (≥6 digits) and use CSPRNG",
+      "description": "Prevent guessable OTP by enforcing CSPRNG and minimal entropy. Ban non-crypto RNG and too-short codes.",
       "category": "security",
       "severity": "error",
       "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
+      "analyzer": "./rules/security/S052_weak_otp_entropy/analyzer.js",
+      "config": "./rules/security/S052_weak_otp_entropy/config.json",
       "eslintRule": "custom/typescript_s052",
       "version": "1.0.0",
       "status": "stable",
-      "tags": ["security", "random", "authentication"]
+      "tags": ["security", "otp", "entropy", "csprng"],
+      "engines": {
+        "eslint": ["custom/typescript_s052"],
+        "heuristic": ["./rules/security/S052_weak_otp_entropy/analyzer.js"]
+      }
     },
     "S054": {
-      "name": "Verification Default Account",
-      "description": "Verify and secure default accounts",
+      "name": "Disallow Default/Built-in Accounts (admin/root/sa/...)",
+      "description": "Prevent use of default or shared accounts. Enforce per-user identities, initial password change, and disabling well-known built-ins.",
       "category": "security",
       "severity": "error",
-      "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
+      "languages": [
+        "typescript",
+        "javascript",
+        "sql",
+        "terraform",
+        "yaml",
+        "dockerfile",
+        "all"
+      ],
+      "analyzer": "./rules/security/S054_no_default_accounts/analyzer.js",
+      "config": "./rules/security/S054_no_default_accounts/config.json",
       "eslintRule": "custom/typescript_s054",
       "version": "1.0.0",
       "status": "stable",
-      "tags": ["security", "accounts", "default"]
+      "tags": [
+        "security",
+        "accounts",
+        "default",
+        "authentication",
+        "authorization"
+      ],
+      "engines": {
+        "eslint": ["custom/typescript_s054"],
+        "heuristic": ["./rules/security/S054_no_default_accounts/analyzer.js"]
+      }
     },
     "S055": {
       "name": "REST Content-Type Verification",
@@ -1106,6 +1254,31 @@
       "status": "stable",
       "tags": ["security", "rest", "content-type"]
     },
+    "S056": {
+      "name": "Protect against Log Injection attacks",
+      "description": "Protect against Log Injection attacks. Log injection occurs when user-controlled data is written to log files without proper sanitization, potentially allowing attackers to manipulate log entries, inject malicious content, or exploit log processing systems.",
+      "category": "security",
+      "severity": "error",
+      "languages": ["typescript", "javascript"],
+      "analyzer": "./rules/security/S056_log_injection_protection/analyzer.js",
+      "config": "./rules/security/S056_log_injection_protection/config.json",
+      "version": "1.0.0",
+      "status": "stable",
+      "tags": ["security", "logging", "injection", "owasp", "crlf"],
+      "strategy": {
+        "preferred": "ast",
+        "fallbacks": ["ast", "regex"],
+        "accuracy": {
+          "ast": 95,
+          "regex": 85
+        }
+      },
+      "engineMappings": {
+        "heuristic": [
+          "rules/security/S056_log_injection_protection/analyzer.js"
+        ]
+      }
+    },
     "S057": {
       "name": "Log with UTC Timestamps",
       "description": "Ensure all logs use synchronized UTC time with ISO 8601/RFC3339 format to avoid timezone discrepancies across systems",
@@ -1353,7 +1526,13 @@
       "config": "./rules/common/C067_no_hardcoded_config/config.json",
       "version": "1.0.0",
       "status": "stable",
-      "tags": ["configuration", "hardcode", "environment", "maintainability", "security"],
+      "tags": [
+        "configuration",
+        "hardcode",
+        "environment",
+        "maintainability",
+        "security"
+      ],
       "strategy": {
         "preferred": "ast",
         "fallbacks": ["ast"],
@@ -1375,7 +1554,13 @@
       "config": "../rules/common/C070_no_real_time_tests/config.json",
       "version": "1.0.0",
       "status": "stable",
-      "tags": ["testing", "flaky-tests", "timing", "fake-timers", "reliability"],
+      "tags": [
+        "testing",
+        "flaky-tests",
+        "timing",
+        "fake-timers",
+        "reliability"
+      ],
       "strategy": {
         "preferred": "ast",
         "fallbacks": ["regex"],
@@ -1385,7 +1570,9 @@
         }
       },
       "engineMappings": {
-        "heuristic": ["../rules/common/C070_no_real_time_tests/regex-analyzer.js"]
+        "heuristic": [
+          "../rules/common/C070_no_real_time_tests/regex-analyzer.js"
+        ]
       }
     },
     "C072": {
@@ -1419,8 +1606,12 @@
       "status": "stable",
       "tags": ["configuration", "validation", "startup", "fail-fast"],
       "engineMappings": {
-        "heuristic": ["rules/common/C073_validate_required_config_on_startup/analyzer.js"],
-        "semantic": ["rules/common/C073_validate_required_config_on_startup/symbol-based-analyzer.js"]
+        "heuristic": [
+          "rules/common/C073_validate_required_config_on_startup/analyzer.js"
+        ],
+        "semantic": [
+          "rules/common/C073_validate_required_config_on_startup/symbol-based-analyzer.js"
+        ]
       },
       "strategy": {
         "preferred": "semantic",
@@ -1837,6 +2028,7 @@
         "C047",
         "C048",
         "C052",
+        "C065",
         "C072",
         "C073",
         "C075",
@@ -1906,9 +2098,11 @@
         "S047",
         "S048",
         "S050",
+        "S051",
         "S052",
         "S054",
         "S055",
+        "S056",
         "S057",
         "S058"
       ],
@@ -2003,7 +2197,7 @@
     "lastUpdated": "2025-08-25",
     "totalRules": 98,
     "qualityRules": 33,
-    "securityRules": 50,
+    "securityRules": 51,
     "stableRules": 45,
     "experimentalRules": 1,
     "supportedLanguages": 4,