npm - @sun-asterisk/sunlint - Versions diffs - 1.3.8 → 1.3.9 - Mend

@sun-asterisk/sunlint 1.3.8 → 1.3.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -2,6 +2,31 @@
 ---
+## 🔧 **v1.3.9 - File Targeting Regression Fix (October 2, 2025)**
+**Release Date**: October 2, 2025
+**Type**: Bug Fix
+**Branch**: `feature.sunlint.heuristic_rule_c065`
+### 🐛 **Critical Bug Fixes**
+- **FIXED**: File targeting regression where user-specified source directories were incorrectly optimized
+  - **Issue**: When using `--input=examples/project-samples/replace-fe/src`, file count dropped from 2.2K to 254 files
+  - **Root Cause**: `optimizeProjectPaths` function incorrectly treated user-specified source directories as project roots
+  - **Solution**: Added source directory detection logic to bypass optimization for `src`, `lib`, `app`, `packages`, `test` directories
+  - **Impact**: Full file coverage restored - all 1507 .tsx files now properly included
+### ⚡ **Performance Improvements**
+- **ENHANCED**: File targeting logic with smart source directory detection
+- **OPTIMIZED**: Direct targeting for user-specified source paths
+### 📝 **Technical Details**
+- Modified `file-targeting-service.js` `optimizeProjectPaths` function
+- Added `sourceDirectoryNames` array for known source directory patterns
+- Implemented basename checking to detect when users specify source directories directly
+- Maintained backward compatibility with existing project structure detection
+---
 ## 🧪 **v1.3.8 - C065 Rule Enhancement & Advanced Context Analysis (October 1, 2025)**
 **Release Date**: October 1, 2025

package/config/rules/enhanced-rules-registry.json CHANGED Viewed

@@ -660,16 +660,51 @@
       "tags": ["security", "email", "injection"]
     },
     "S020": {
-      "name": "No Eval Dynamic Execution",
-      "description": "Prevent eval and dynamic code execution",
+      "name": "Avoid using eval() or executing dynamic code",
+      "description": "Avoid using eval() or executing dynamic code as it can lead to code injection vulnerabilities and compromise application security.",
       "category": "security",
       "severity": "error",
       "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s020",
+      "analyzer": "./rules/security/S020_no_eval_dynamic_code/analyzer.js",
+      "config": "./rules/security/S020_no_eval_dynamic_code/config.json",
       "version": "1.0.0",
-      "status": "stable",
-      "tags": ["security", "eval", "dynamic-execution"]
+      "status": "experimental",
+      "tags": ["security", "eval", "dynamic-execution", "code-injection"],
+      "strategy": {
+        "preferred": "ast",
+        "fallbacks": ["ast", "regex"],
+        "accuracy": { "ast": 95, "regex": 85 }
+      },
+      "engineMappings": {
+        "heuristic": ["rules/security/S020_no_eval_dynamic_code/analyzer.js"]
+      }
+    },
+    "S030": {
+      "name": "Disable directory browsing and protect sensitive metadata files",
+      "description": "Disable directory browsing and protect sensitive metadata files (.git/, .env, config files, etc.) to prevent information disclosure and potential security vulnerabilities.",
+      "category": "security",
+      "severity": "error",
+      "languages": ["typescript", "javascript"],
+      "analyzer": "./rules/security/S030_directory_browsing_protection/analyzer.js",
+      "config": "./rules/security/S030_directory_browsing_protection/config.json",
+      "version": "1.0.0",
+      "status": "experimental",
+      "tags": [
+        "security",
+        "directory-browsing",
+        "information-disclosure",
+        "metadata-protection"
+      ],
+      "strategy": {
+        "preferred": "ast",
+        "fallbacks": ["ast", "regex"],
+        "accuracy": { "ast": 90, "regex": 75 }
+      },
+      "engineMappings": {
+        "heuristic": [
+          "rules/security/S030_directory_browsing_protection/analyzer.js"
+        ]
+      }
     },
     "S022": {
       "name": "Output Encoding Required",
@@ -791,18 +826,6 @@
       "status": "stable",
       "tags": ["security", "csrf", "protection"]
     },
-    "S030": {
-      "name": "No Directory Browsing",
-      "description": "Prevent directory browsing vulnerabilities",
-      "category": "security",
-      "severity": "error",
-      "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s030",
-      "version": "1.0.0",
-      "status": "stable",
-      "tags": ["security", "directory-browsing", "information-disclosure"]
-    },
     "S031": {
       "name": "Set Secure flag for Session Cookies",
       "description": "Set Secure flag for Session Cookies to protect via HTTPS. This ensures cookies are only transmitted over secure connections, preventing interception.",
@@ -1141,7 +1164,7 @@
       "name": "Password length policy enforcement (12-64 chars recommended, reject >128)",
       "description": "Enforce strong password length policies with multi-signal detection. Prevent weak validators, missing limits, and FE/BE mismatches.",
       "category": "security",
-      "severity": "error",
+      "severity": "error",
       "languages": ["typescript", "javascript"],
       "analyzer": "./rules/security/S051_password_length_policy/analyzer.js",
       "config": "./rules/security/S051_password_length_policy/config.json",
@@ -1151,7 +1174,9 @@
       "tags": ["security", "password", "validation", "length", "policy"],
       "engineMappings": {
         "eslint": ["custom/typescript_s051"],
-        "heuristic": ["./rules/security/S051_password_length_policy/analyzer.js"]
+        "heuristic": [
+          "./rules/security/S051_password_length_policy/analyzer.js"
+        ]
       }
     },
     "C065": {
@@ -1191,13 +1216,27 @@
       "description": "Prevent use of default or shared accounts. Enforce per-user identities, initial password change, and disabling well-known built-ins.",
       "category": "security",
       "severity": "error",
-      "languages": ["typescript", "javascript", "sql", "terraform", "yaml", "dockerfile", "all"],
+      "languages": [
+        "typescript",
+        "javascript",
+        "sql",
+        "terraform",
+        "yaml",
+        "dockerfile",
+        "all"
+      ],
       "analyzer": "./rules/security/S054_no_default_accounts/analyzer.js",
       "config": "./rules/security/S054_no_default_accounts/config.json",
       "eslintRule": "custom/typescript_s054",
       "version": "1.0.0",
       "status": "stable",
-      "tags": ["security", "accounts", "default", "authentication", "authorization"],
+      "tags": [
+        "security",
+        "accounts",
+        "default",
+        "authentication",
+        "authorization"
+      ],
       "engines": {
         "eslint": ["custom/typescript_s054"],
         "heuristic": ["./rules/security/S054_no_default_accounts/analyzer.js"]

package/core/file-targeting-service.js CHANGED Viewed

@@ -163,6 +163,21 @@ class FileTargetingService {
     for (const inputPath of inputPaths) {
       // If targeting entire project directory, try to find source/test subdirectories
       if (fs.existsSync(inputPath) && fs.statSync(inputPath).isDirectory()) {
+        const absoluteInputPath = path.resolve(inputPath);
+        const inputDirName = path.basename(absoluteInputPath);
+        // If user already specified a source directory (src, lib, app, packages, test, etc.),
+        // don't try to optimize further - use it as is
+        const sourceDirectoryNames = ['src', 'lib', 'app', 'packages', 'test', 'tests', '__tests__', 'spec', 'specs'];
+        if (sourceDirectoryNames.includes(inputDirName)) {
+          if (cliOptions.verbose) {
+            console.log(chalk.blue(`🎯 Direct targeting: Using specified source directory ${inputDirName}`));
+          }
+          optimizedPaths.push(inputPath);
+          continue;
+        }
+        // Only optimize if this appears to be a project root directory
         const projectOptimization = this.findProjectSourceDirs(inputPath, cliOptions);
         if (projectOptimization.length > 0) {
           if (cliOptions.verbose) {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@sun-asterisk/sunlint",
-  "version": "1.3.8",
+  "version": "1.3.9",
   "description": "☀️ SunLint - Multi-language static analysis tool for code quality and security | Sun* Engineering Standards",
   "main": "cli.js",
   "bin": {

package/rules/security/S020_no_eval_dynamic_code/README.md ADDED Viewed

@@ -0,0 +1,136 @@
+# S020 - Avoid using eval() or executing dynamic code
+## Overview
+This rule detects and prevents the use of `eval()` and other dynamic code execution mechanisms that can lead to security vulnerabilities, particularly code injection attacks.
+## Why This Rule Matters
+Dynamic code execution through `eval()` and similar functions poses significant security risks:
+1. **Code Injection Vulnerabilities**: Untrusted input can be executed as code
+2. **Performance Issues**: Dynamic code execution is slower than static code
+3. **Debugging Difficulties**: Dynamic code is harder to debug and analyze
+4. **Security Auditing**: Static analysis tools cannot analyze dynamically generated code
+## What This Rule Detects
+### ❌ Dangerous Functions
+- `eval()` - Direct code execution
+- `new Function()` - Function constructor with string
+- `setTimeout(string)` - Timer with string code
+- `setInterval(string)` - Interval with string code
+- `execScript()` - Legacy IE function
+- `setImmediate(string)` - Immediate execution with string
+### ❌ Global Access Patterns
+- `window.eval()`
+- `global.eval()`
+- `globalThis.eval()`
+- `self.eval()`
+### ❌ Suspicious Variable Patterns
+Variables containing dynamic code indicators:
+- Variables named with `code`, `script`, `expression`, `formula`, `template`, `eval`
+## Examples
+### ❌ Violations
+```javascript
+// Direct eval usage
+eval("console.log('Hello')"); // ERROR
+// Function constructor
+const fn = new Function("return 1 + 1"); // ERROR
+// setTimeout with string
+setTimeout("console.log('test')", 1000); // WARNING
+// Global eval access
+window.eval("alert('test')"); // ERROR
+// Dynamic code variables
+const userCode = req.body.code;
+eval(userCode); // ERROR - code injection risk
+```
+### ✅ Safe Alternatives
+```javascript
+// Instead of eval(), use proper parsing and validation
+const result = JSON.parse(jsonString);
+// Instead of Function constructor, use proper function definitions
+function add(a, b) {
+  return a + b;
+}
+// Instead of setTimeout with string, use function reference
+setTimeout(() => console.log("test"), 1000);
+// Instead of dynamic code execution, use configuration objects
+const actions = {
+  add: (a, b) => a + b,
+  multiply: (a, b) => a * b,
+};
+const result = actions[operation](x, y);
+// For template engines, use safe templating libraries
+const template = handlebars.compile(templateString);
+const result = template(data);
+```
+## Configuration
+The rule can be configured in `config.json`:
+```json
+{
+  "validation": {
+    "dangerousFunctions": ["eval", "Function", "setTimeout", "setInterval"],
+    "dangerousPatterns": ["new Function", "window.eval", "global.eval"],
+    "dynamicCodeIndicators": ["code", "script", "expression", "formula"]
+  }
+}
+```
+## Security Best Practices
+1. **Input Validation**: Always validate and sanitize user input
+2. **Use Safe Alternatives**: Prefer configuration objects over dynamic code
+3. **Template Engines**: Use established, secure template libraries
+4. **Content Security Policy**: Implement CSP headers to prevent code injection
+5. **Code Review**: Carefully review any dynamic code patterns
+## Related Rules
+- **S023**: JSON Injection Protection
+- **S025**: Server-side Validation
+- **S056**: Log Injection Protection
+## Severity Levels
+- **ERROR**: Direct `eval()`, `Function()` constructor, global eval access
+- **WARNING**: `setTimeout`/`setInterval` with strings, suspicious variable patterns
+## Framework-Specific Notes
+### Node.js
+- Be especially careful with `vm` module usage
+- Avoid `child_process.exec()` with user input
+### Browser
+- Consider Content Security Policy to prevent eval
+- Be cautious with `innerHTML` and similar DOM manipulation
+### React/Vue
+- Avoid `dangerouslySetInnerHTML` with user content
+- Use proper event handlers instead of inline scripts

package/rules/security/S020_no_eval_dynamic_code/analyzer.js ADDED Viewed

@@ -0,0 +1,263 @@
+/**
+ * S020 Main Analyzer - Avoid using eval() or executing dynamic code
+ * Primary: Symbol-based analysis (when available)
+ * Fallback: Regex-based for all other cases
+ * Command: node cli.js --rule=S020 --input=examples/rule-test-fixtures/rules/S020_no_eval_dynamic_code --engine=heuristic
+ */
+const S020SymbolBasedAnalyzer = require("./symbol-based-analyzer.js");
+const S020RegexBasedAnalyzer = require("./regex-based-analyzer.js");
+class S020Analyzer {
+  constructor(options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(`🔧 [S020] Constructor called with options:`, !!options);
+      console.log(
+        `🔧 [S020] Options type:`,
+        typeof options,
+        Object.keys(options || {})
+      );
+    }
+    this.ruleId = "S020";
+    this.ruleName = "Avoid using eval() or executing dynamic code";
+    this.description =
+      "Avoid using eval() or executing dynamic code as it can lead to code injection vulnerabilities and compromise application security.";
+    this.semanticEngine = options.semanticEngine || null;
+    this.verbose = options.verbose || false;
+    this.config = {
+      useSymbolBased: true,
+      fallbackToRegex: true,
+      regexBasedOnly: false,
+      prioritizeSymbolic: true, // Prefer symbol-based when available
+      fallbackToSymbol: true, // Allow symbol analysis even without semantic engine
+    };
+    try {
+      this.symbolAnalyzer = new S020SymbolBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG)
+        console.log(`🔧 [S020] Symbol analyzer created successfully`);
+    } catch (error) {
+      console.error(`🔧 [S020] Error creating symbol analyzer:`, error);
+    }
+    try {
+      this.regexAnalyzer = new S020RegexBasedAnalyzer(this.semanticEngine);
+      if (process.env.SUNLINT_DEBUG)
+        console.log(`🔧 [S020] Regex analyzer created successfully`);
+    } catch (error) {
+      console.error(`🔧 [S020] Error creating regex analyzer:`, error);
+    }
+  }
+  async initialize(semanticEngine) {
+    this.semanticEngine = semanticEngine;
+    if (process.env.SUNLINT_DEBUG)
+      console.log(`🔧 [S020] Main analyzer initializing...`);
+    if (this.symbolAnalyzer)
+      await this.symbolAnalyzer.initialize?.(semanticEngine);
+    if (this.regexAnalyzer)
+      await this.regexAnalyzer.initialize?.(semanticEngine);
+    if (this.regexAnalyzer) this.regexAnalyzer.cleanup?.();
+    if (process.env.SUNLINT_DEBUG)
+      console.log(`🔧 [S020] Main analyzer initialized successfully`);
+  }
+  analyzeSingle(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG)
+      console.log(`🔍 [S020] analyzeSingle() called for: ${filePath}`);
+    return this.analyze([filePath], "typescript", options);
+  }
+  async analyze(files, language, options = {}) {
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(
+        `🔧 [S020] analyze() method called with ${files.length} files, language: ${language}`
+      );
+    }
+    const violations = [];
+    for (const filePath of files) {
+      try {
+        if (process.env.SUNLINT_DEBUG)
+          console.log(`🔧 [S020] Processing file: ${filePath}`);
+        const fileViolations = await this.analyzeFile(filePath, options);
+        violations.push(...fileViolations);
+        if (process.env.SUNLINT_DEBUG)
+          console.log(
+            `🔧 [S020] File ${filePath}: Found ${fileViolations.length} violations`
+          );
+      } catch (error) {
+        console.warn(
+          `⚠ [S020] Analysis failed for ${filePath}:`,
+          error.message
+        );
+      }
+    }
+    if (process.env.SUNLINT_DEBUG)
+      console.log(`🔧 [S020] Total violations found: ${violations.length}`);
+    return violations;
+  }
+  async analyzeFile(filePath, options = {}) {
+    if (process.env.SUNLINT_DEBUG)
+      console.log(`🔍 [S020] analyzeFile() called for: ${filePath}`);
+    const violationMap = new Map();
+    // Try symbol-based analysis first when semantic engine is available OR when explicitly enabled
+    if (process.env.SUNLINT_DEBUG) {
+      console.log(
+        `🔧 [S020] Symbol check: useSymbolBased=${
+          this.config.useSymbolBased
+        }, semanticEngine=${!!this.semanticEngine}, project=${!!this
+          .semanticEngine?.project}, initialized=${!!this.semanticEngine
+          ?.initialized}`
+      );
+    }
+    const canUseSymbol =
+      this.config.useSymbolBased &&
+      ((this.semanticEngine?.project && this.semanticEngine?.initialized) ||
+        (!this.semanticEngine && this.config.fallbackToSymbol !== false));
+    if (canUseSymbol) {
+      try {
+        if (process.env.SUNLINT_DEBUG)
+          console.log(`🔧 [S020] Trying symbol-based analysis...`);
+        let sourceFile = null;
+        if (this.semanticEngine?.project) {
+          sourceFile = this.semanticEngine.project.getSourceFile(filePath);
+          if (process.env.SUNLINT_DEBUG) {
+            console.log(
+              `🔧 [S020] Checked existing semantic engine project: sourceFile=${!!sourceFile}`
+            );
+          }
+        }
+        if (!sourceFile) {
+          // Create a minimal ts-morph project for this analysis
+          if (process.env.SUNLINT_DEBUG)
+            console.log(
+              `🔧 [S020] Creating temporary ts-morph project for: ${filePath}`
+            );
+          try {
+            const fs = require("fs");
+            const path = require("path");
+            const { Project } = require("ts-morph");
+            // Check if file exists and read content
+            if (!fs.existsSync(filePath)) {
+              throw new Error(`File not found: ${filePath}`);
+            }
+            const fileContent = fs.readFileSync(filePath, "utf8");
+            const fileName = path.basename(filePath);
+            const tempProject = new Project({
+              useInMemoryFileSystem: true,
+              compilerOptions: {
+                allowJs: true,
+                allowSyntheticDefaultImports: true,
+              },
+            });
+            // Add file content to in-memory project
+            sourceFile = tempProject.createSourceFile(fileName, fileContent);
+            if (process.env.SUNLINT_DEBUG)
+              console.log(
+                `🔧 [S020] Temporary project created successfully with file: ${fileName}`
+              );
+          } catch (projectError) {
+            if (process.env.SUNLINT_DEBUG)
+              console.log(
+                `🔧 [S020] Failed to create temporary project:`,
+                projectError.message
+              );
+            throw projectError;
+          }
+        }
+        if (sourceFile) {
+          const symbolViolations = await this.symbolAnalyzer.analyze(
+            sourceFile,
+            filePath
+          );
+          symbolViolations.forEach((v) => {
+            const key = `${v.line}:${v.column}:${v.message}`;
+            if (!violationMap.has(key)) violationMap.set(key, v);
+          });
+          if (process.env.SUNLINT_DEBUG)
+            console.log(
+              `🔧 [S020] Symbol analysis completed: ${symbolViolations.length} violations`
+            );
+          // If symbol-based found violations AND prioritizeSymbolic is true, skip regex
+          // But still run regex if symbol-based didn't find any violations
+          if (this.config.prioritizeSymbolic && symbolViolations.length > 0) {
+            const finalViolations = Array.from(violationMap.values()).map(
+              (v) => ({
+                ...v,
+                filePath,
+                file: filePath,
+              })
+            );
+            if (process.env.SUNLINT_DEBUG)
+              console.log(
+                `🔧 [S020] Symbol-based analysis prioritized: ${finalViolations.length} violations`
+              );
+            return finalViolations;
+          }
+        } else {
+          if (process.env.SUNLINT_DEBUG)
+            console.log(
+              `🔧 [S020] No source file found, skipping symbol analysis`
+            );
+        }
+      } catch (error) {
+        console.warn(`⚠ [S020] Symbol analysis failed:`, error.message);
+      }
+    }
+    // Fallback to regex-based analysis
+    if (this.config.fallbackToRegex || this.config.regexBasedOnly) {
+      try {
+        if (process.env.SUNLINT_DEBUG)
+          console.log(`🔧 [S020] Trying regex-based analysis...`);
+        const regexViolations = await this.regexAnalyzer.analyze(filePath);
+        regexViolations.forEach((v) => {
+          const key = `${v.line}:${v.column}:${v.message}`;
+          if (!violationMap.has(key)) violationMap.set(key, v);
+        });
+        if (process.env.SUNLINT_DEBUG)
+          console.log(
+            `🔧 [S020] Regex analysis completed: ${regexViolations.length} violations`
+          );
+      } catch (error) {
+        console.warn(`⚠ [S020] Regex analysis failed:`, error.message);
+      }
+    }
+    const finalViolations = Array.from(violationMap.values()).map((v) => ({
+      ...v,
+      filePath,
+      file: filePath,
+    }));
+    if (process.env.SUNLINT_DEBUG)
+      console.log(
+        `🔧 [S020] File analysis completed: ${finalViolations.length} unique violations`
+      );
+    return finalViolations;
+  }
+  cleanup() {
+    if (this.symbolAnalyzer?.cleanup) this.symbolAnalyzer.cleanup();
+    if (this.regexAnalyzer?.cleanup) this.regexAnalyzer.cleanup();
+  }
+}
+module.exports = S020Analyzer;

package/rules/security/S020_no_eval_dynamic_code/config.json ADDED Viewed

@@ -0,0 +1,54 @@
+{
+  "id": "S020",
+  "name": "Avoid using eval() or executing dynamic code",
+  "category": "security",
+  "description": "S020 - Avoid using eval() or executing dynamic code as it can lead to code injection vulnerabilities and compromise application security.",
+  "severity": "error",
+  "enabled": true,
+  "semantic": {
+    "enabled": true,
+    "priority": "high",
+    "fallback": "heuristic"
+  },
+  "patterns": {
+    "include": ["**/*.js", "**/*.ts", "**/*.jsx", "**/*.tsx"],
+    "exclude": [
+      "**/*.test.js",
+      "**/*.test.ts",
+      "**/*.spec.js",
+      "**/*.spec.ts",
+      "**/node_modules/**",
+      "**/dist/**",
+      "**/build/**"
+    ]
+  },
+  "analysis": {
+    "approach": "symbol-based-primary",
+    "fallback": "regex-based",
+    "depth": 2,
+    "timeout": 5000
+  },
+  "validation": {
+    "dangerousFunctions": [
+      "eval",
+      "Function",
+      "setTimeout",
+      "setInterval",
+      "execScript",
+      "setImmediate"
+    ],
+    "dangerousPatterns": [
+      "new Function",
+      "window.eval",
+      "global.eval",
+      "globalThis.eval"
+    ],
+    "dynamicCodeIndicators": [
+      "code",
+      "script",
+      "expression",
+      "formula",
+      "template"
+    ]
+  }
+}