eslint-plugin-secure-coding 2.3.2 → 2.3.3

package/src/rules/no-insecure-jwt/index.js

@@ -1,380 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noInsecureJwt = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-const eslint_devkit_2 = require("@interlace/eslint-devkit");
-const eslint_devkit_3 = require("@interlace/eslint-devkit");
-exports.noInsecureJwt = (0, eslint_devkit_1.createRule)({
-    name: 'no-insecure-jwt',
-    meta: {
-        type: 'problem',
-        deprecated: true,
-        replacedBy: ['@see eslint-plugin-jwt for 13 specialized JWT security rules'],
-        docs: {
-            description: 'Detects insecure JWT operations and missing signature verification',
-        },
-        fixable: 'code',
-        hasSuggestions: true,
-        messages: {
-            insecureJwtAlgorithm: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.SECURITY,
-                issueName: 'Insecure JWT Algorithm',
-                cwe: 'CWE-347',
-                description: 'JWT algorithm confusion vulnerability',
-                severity: 'CRITICAL',
-                fix: 'Use RS256/ES256 and validate algorithm before verification',
-                documentationLink: 'https://tools.ietf.org/html/rfc8725',
-            }),
-            missingSignatureVerification: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.SECURITY,
-                issueName: 'Missing JWT Signature Verification',
-                cwe: 'CWE-347',
-                description: 'JWT parsed without signature verification',
-                severity: 'CRITICAL',
-                fix: 'Use jwt.verify() instead of jwt.decode()',
-                documentationLink: 'https://tools.ietf.org/html/rfc8725',
-            }),
-            weakJwtSecret: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.SECURITY,
-                issueName: 'Weak JWT Secret',
-                cwe: 'CWE-347',
-                description: 'JWT signed with weak/insufficient secret',
-                severity: 'HIGH',
-                fix: 'Use minimum 256-bit secret (32+ characters)',
-                documentationLink: 'https://tools.ietf.org/html/rfc8725',
-            }),
-            jwtWithoutValidation: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.SECURITY,
-                issueName: 'JWT Without Validation',
-                cwe: 'CWE-347',
-                description: 'JWT used without proper validation',
-                severity: 'HIGH',
-                fix: 'Verify JWT signature before trusting payload',
-                documentationLink: 'https://tools.ietf.org/html/rfc8725',
-            }),
-            unsafeJwtParsing: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.SECURITY,
-                issueName: 'Unsafe JWT Parsing',
-                cwe: 'CWE-347',
-                description: 'Unsafe JWT parsing pattern detected',
-                severity: 'MEDIUM',
-                fix: 'Use verified JWT libraries with proper error handling',
-                documentationLink: 'https://tools.ietf.org/html/rfc8725',
-            }),
-            useSecureJwtLibrary: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.INFO,
-                issueName: 'Use Secure JWT Library',
-                description: 'Use jsonwebtoken or jose library',
-                severity: 'LOW',
-                fix: 'npm install jsonwebtoken && use jwt.verify()',
-                documentationLink: 'https://www.npmjs.com/package/jsonwebtoken',
-            }),
-            verifyBeforeTrust: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.INFO,
-                issueName: 'Verify Before Trust',
-                description: 'Always verify JWT signature before using payload',
-                severity: 'LOW',
-                fix: 'jwt.verify(token, secret, callback)',
-                documentationLink: 'https://tools.ietf.org/html/rfc8725',
-            }),
-            strategyUseVerifiedLibrary: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.STRATEGY,
-                issueName: 'Verified Library Strategy',
-                description: 'Use battle-tested JWT libraries',
-                severity: 'LOW',
-                fix: 'Use jsonwebtoken, jose, or jwt libraries',
-                documentationLink: 'https://www.npmjs.com/package/jsonwebtoken',
-            }),
-            strategyValidateAlgorithm: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.STRATEGY,
-                issueName: 'Algorithm Validation Strategy',
-                description: 'Validate algorithms before use',
-                severity: 'LOW',
-                fix: 'Whitelist allowed algorithms: ["RS256", "ES256"]',
-                documentationLink: 'https://tools.ietf.org/html/rfc8725',
-            }),
-            strategyStrongSecrets: (0, eslint_devkit_2.formatLLMMessage)({
-                icon: eslint_devkit_2.MessageIcons.STRATEGY,
-                issueName: 'Strong Secrets Strategy',
-                description: 'Use cryptographically strong secrets',
-                severity: 'LOW',
-                fix: 'Generate 256-bit secrets: crypto.randomBytes(32)',
-                documentationLink: 'https://nodejs.org/api/crypto.html',
-            })
-        },
-        schema: [
-            {
-                type: 'object',
-                properties: {
-                    allowedInsecureAlgorithms: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: [],
-                    },
-                    minSecretLength: {
-                        type: 'number',
-                        minimum: 16,
-                        default: 32,
-                    },
-                    trustedJwtLibraries: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: ['jsonwebtoken', 'jose', 'jwt'],
-                    },
-                    trustedSanitizers: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: [],
-                        description: 'Additional function names to consider as JWT validators',
-                    },
-                    trustedAnnotations: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: [],
-                        description: 'Additional JSDoc annotations to consider as safe markers',
-                    },
-                    strictMode: {
-                        type: 'boolean',
-                        default: false,
-                        description: 'Disable all false positive detection (strict mode)',
-                    },
-                },
-                additionalProperties: false,
-            },
-        ],
-    },
-    defaultOptions: [
-        {
-            allowedInsecureAlgorithms: [],
-            minSecretLength: 32,
-            trustedJwtLibraries: ['jsonwebtoken', 'jose', 'jwt'],
-            trustedSanitizers: [],
-            trustedAnnotations: [],
-            strictMode: false,
-        },
-    ],
-    create(context) {
-        const options = context.options[0] || {};
-        const { minSecretLength = 32, trustedJwtLibraries = ['jsonwebtoken', 'jose', 'jwt'], trustedSanitizers = [], trustedAnnotations = [], strictMode = false, } = options;
-        const sourceCode = context.sourceCode || context.sourceCode;
-        const filename = context.filename || context.getFilename();
-        // Create safety checker for false positive detection
-        const safetyChecker = (0, eslint_devkit_3.createSafetyChecker)({
-            trustedSanitizers,
-            trustedAnnotations,
-            trustedOrmPatterns: [],
-            strictMode,
-        });
-        /**
-         * Check if secret/key is weak
-         */
-        const isWeakSecret = (secretNode) => {
-            if (secretNode.type === 'Literal' && typeof secretNode.value === 'string') {
-                return secretNode.value.length < minSecretLength;
-            }
-            return false; // Can't determine strength of non-literal secrets
-        };
-        /**
-         * Check if JWT operation has signature verification
-         */
-        const hasSignatureVerification = (jwtCall) => {
-            // Check if it's jwt.verify() call
-            if (jwtCall.callee.type === 'MemberExpression' &&
-                jwtCall.callee.property.type === 'Identifier' &&
-                jwtCall.callee.property.name === 'verify') {
-                return true;
-            }
-            // Check for @verified annotation
-            return (0, eslint_devkit_3.hasSafeAnnotation)(jwtCall, context, trustedAnnotations);
-        };
-        /**
-         * Check if this is a trusted JWT library call
-         */
-        const isTrustedJwtLibrary = (node) => {
-            // Check if callee is a member expression (library.method)
-            if (node.callee.type !== 'MemberExpression') {
-                return false;
-            }
-            // Check if the object is a JWT library
-            const object = node.callee.object;
-            if (object.type === 'Identifier') {
-                return trustedJwtLibraries.includes(object.name.toLowerCase());
-            }
-            return false;
-        };
-        /**
-         * Extract JWT-related information from a call
-         */
-        const extractJwtInfo = (node) => {
-            const sourceText = sourceCode.getText(node);
-            // Check for algorithm specification
-            const hasAlgorithmSpec = /\b(algorithms?|alg)\s*:/i.test(sourceText);
-            // Check for insecure patterns
-            const hasNoneAlgorithm = /\b(alg|algorithms?)\s*:\s*(\[\s*)?['"`]\s*none\s*['"`]/i.test(sourceText);
-            const hasEmptyAlgorithms = /\b(alg|algorithms?)\s*:\s*\[\s*\]/i.test(sourceText);
-            const weakAlgorithms = ['HS256', 'HS384', 'HS512']; // Define weak algorithms
-            const hasWeakAlgorithm = weakAlgorithms.some(alg => {
-                const regex = new RegExp(`['"\`]${alg}['"\`]`, 'i');
-                return regex.test(sourceText);
-            });
-            return {
-                sourceText,
-                hasAlgorithmSpec,
-                hasNoneAlgorithm: hasNoneAlgorithm || hasEmptyAlgorithms,
-                hasWeakAlgorithm,
-                isDecodeCall: /\bdecode\b/i.test(sourceText),
-                isVerifyCall: /\bverify\b/i.test(sourceText),
-            };
-        };
-        /**
-         * Locate the algorithms option node for precise error highlighting
-         */
-        const getAlgorithmsNode = (call) => {
-            const optionsArg = call.arguments[2];
-            if (optionsArg && optionsArg.type === 'ObjectExpression') {
-                const algorithmsProp = optionsArg.properties.find((prop) => prop.type === 'Property' &&
-                    prop.key.type === 'Identifier' &&
-                    (prop.key.name === 'algorithms' || prop.key.name === 'alg'));
-                if (algorithmsProp) {
-                    return algorithmsProp.value;
-                }
-                return optionsArg;
-            }
-            return null;
-        };
-        /**
-         * Check if this looks like a JWT operation (verify/decode/sign)
-         */
-        const looksLikeJwtOperation = (node) => {
-            if (node.callee.type !== 'MemberExpression') {
-                return false;
-            }
-            const property = node.callee.property;
-            if (property.type !== 'Identifier') {
-                return false;
-            }
-            // Check for JWT-related method names
-            const jwtMethods = ['verify', 'decode', 'sign', 'encode'];
-            return jwtMethods.includes(property.name);
-        };
-        return {
-            // Check JWT library method calls
-            CallExpression(node) {
-                // Check both trusted libraries AND generic JWT-like operations
-                const isTrusted = isTrustedJwtLibrary(node);
-                const looksLikeJwt = looksLikeJwtOperation(node);
-                if (!isTrusted && !looksLikeJwt) {
-                    return;
-                }
-                const jwtInfo = extractJwtInfo(node);
-                // CRITICAL: Algorithm confusion attack (alg: "none" or algorithms: [])
-                if (jwtInfo.hasNoneAlgorithm) {
-                    const algorithmsNode = getAlgorithmsNode(node);
-                    context.report({
-                        node: algorithmsNode ?? node,
-                        messageId: 'insecureJwtAlgorithm',
-                        data: {
-                            filePath: filename,
-                            line: String(node.loc?.start.line ?? 0),
-                        },
-                    });
-                    return;
-                }
-                // HIGH: Weak algorithm without proper key validation
-                if (jwtInfo.hasWeakAlgorithm && node.arguments.length >= 2) {
-                    const secretArg = node.arguments[1];
-                    if (isWeakSecret(secretArg)) {
-                        context.report({
-                            node: secretArg,
-                            messageId: 'weakJwtSecret',
-                            data: {
-                                filePath: filename,
-                                line: String(node.loc?.start.line ?? 0),
-                            },
-                        });
-                        return;
-                    }
-                }
-                // CRITICAL: Using jwt.decode() instead of jwt.verify()
-                if (jwtInfo.isDecodeCall && !jwtInfo.isVerifyCall) {
-                    // FALSE POSITIVE REDUCTION: Skip if annotated as safe
-                    if (safetyChecker.isSafe(node, context)) {
-                        return;
-                    }
-                    context.report({
-                        node,
-                        messageId: 'missingSignatureVerification',
-                        data: {
-                            filePath: filename,
-                            line: String(node.loc?.start.line ?? 0),
-                        },
-                        suggest: [
-                            {
-                                messageId: 'verifyBeforeTrust',
-                                fix: () => null // Could be complex to auto-fix
-                            },
-                        ],
-                    });
-                }
-            },
-            // Check for JWT-related variable declarations and assignments
-            VariableDeclarator(node) {
-                if (!node.init || node.init.type !== 'CallExpression') {
-                    return;
-                }
-                const initCall = node.init;
-                if (!isTrustedJwtLibrary(initCall) && !looksLikeJwtOperation(initCall)) {
-                    return;
-                }
-                const jwtInfo = extractJwtInfo(initCall);
-                // Variable assigned with unverified JWT data
-                if (jwtInfo.isDecodeCall && !jwtInfo.isVerifyCall) {
-                    /* c8 ignore start -- safetyChecker requires JSDoc annotations not testable via RuleTester */
-                    if (safetyChecker.isSafe(initCall, context)) {
-                        return;
-                    }
-                    /* c8 ignore stop */
-                    context.report({
-                        node,
-                        messageId: 'jwtWithoutValidation',
-                        data: {
-                            filePath: filename,
-                            line: String(node.loc?.start.line ?? 0),
-                        },
-                    });
-                }
-            },
-            // Check for JWT token usage without verification
-            Literal(node) {
-                if (typeof node.value !== 'string') {
-                    return;
-                }
-                const value = node.value;
-                // Look for JWT patterns in strings
-                if (value.includes('eyJ') && value.split('.').length === 3) { // JWT structure
-                    // Check if this JWT is used unsafely
-                    let current = node;
-                    let isVerified = false;
-                    // Walk up to find if this is within a verified JWT operation
-                    while (current && !isVerified) {
-                        if (current.type === 'CallExpression' && hasSignatureVerification(current)) {
-                            isVerified = true;
-                            break;
-                        }
-                        current = current.parent;
-                    }
-                    if (!isVerified && !safetyChecker.isSafe(node, context)) {
-                        context.report({
-                            node,
-                            messageId: 'unsafeJwtParsing',
-                            data: {
-                                filePath: filename,
-                                line: String(node.loc?.start.line ?? 0),
-                            },
-                        });
-                    }
-                }
-            }
-        };
-    },
-});

package/src/rules/no-insecure-redirects/index.d.ts

@@ -1,7 +0,0 @@
-export interface Options {
-    /** Ignore in test files. Default: true */
-    ignoreInTests?: boolean;
-    /** Allowed redirect domains. Default: [] */
-    allowedDomains?: string[];
-}
-export declare const noInsecureRedirects: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-insecure-redirects/index.js

@@ -1,216 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noInsecureRedirects = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-const eslint_devkit_2 = require("@interlace/eslint-devkit");
-/**
- * Check if redirect URL is validated
- */
-function isRedirectValidated(node, sourceCode) {
-    const callText = sourceCode.getText(node);
-    // Check if URL is from user input (req.query, req.body, req.params)
-    const userInputPattern = /\b(req\.(query|body|params)|window\.location|document\.location)\b/;
-    if (!userInputPattern.test(callText)) {
-        // Not from user input, assume safe
-        return true;
-    }
-    // Look for validation patterns in the surrounding code
-    // This is a simplified static analysis - in practice, would need data flow analysis
-    const program = sourceCode.ast;
-    const nodeStart = node.loc?.start;
-    const nodeEnd = node.loc?.end;
-    /* c8 ignore start -- Guard clause: loc is always present in RuleTester */
-    if (!nodeStart || !nodeEnd || !program) {
-        return false;
-    }
-    /* c8 ignore stop */
-    // Check for validation function calls before this redirect
-    const validationPatterns = [
-        /\b(validateUrl|validateRedirect|isValidUrl|isSafeUrl)\s*\(/,
-        /\b(whitelist|allowedDomains|permittedUrls)\s*\./,
-        /\b(url\.hostname|url\.host)\s*===/,
-        /\ballowedDomains\.includes\s*\(/,
-        /\bstartsWith\s*\(\s*['"]/,
-        /\bendsWith\s*\(\s*['"]/,
-        /\bindexOf\s*\(\s*['"]/,
-        /\bmatch\s*\(\s*\//,
-    ];
-    // Look for validation in the same function scope
-    let current = node;
-    let depth = 0;
-    const maxDepth = 20;
-    while (current && depth < maxDepth) {
-        // Check siblings before this node
-        const parent = current.parent;
-        if (!parent)
-            break;
-        if (parent.type === 'BlockStatement') {
-            const body = parent.body;
-            const currentIndex = body.indexOf(current);
-            // Check previous statements in the same block
-            for (let i = currentIndex - 1; i >= 0 && i >= currentIndex - 5; i--) {
-                const stmt = body[i];
-                const stmtText = sourceCode.getText(stmt);
-                if (validationPatterns.some(pattern => pattern.test(stmtText))) {
-                    return true; // Found validation
-                }
-            }
-        }
-        current = parent;
-        depth++;
-    }
-    // No validation found
-    return false;
-}
-exports.noInsecureRedirects = (0, eslint_devkit_2.createRule)({
-    name: 'no-insecure-redirects',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Detects open redirect vulnerabilities',
-        },
-        hasSuggestions: true,
-        messages: {
-            insecureRedirect: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'Open redirect',
-                cwe: 'CWE-601',
-                description: 'Unvalidated redirect detected - user-controlled URL',
-                severity: 'HIGH',
-                fix: 'Whitelist allowed domains or validate redirect target',
-                documentationLink: 'https://owasp.org/www-community/vulnerabilities/Unvalidated_Redirects_and_Forwards',
-            }),
-            whitelistDomains: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Whitelist Domains',
-                description: 'Whitelist allowed redirect domains',
-                severity: 'LOW',
-                fix: 'if (allowedDomains.includes(url.hostname)) redirect(url)',
-                documentationLink: 'https://owasp.org/www-community/vulnerabilities/Unvalidated_Redirects_and_Forwards',
-            }),
-            validateRedirect: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Validate Redirect',
-                description: 'Validate redirect URL before use',
-                severity: 'LOW',
-                fix: 'validateRedirectUrl(userInput) before redirect',
-                documentationLink: 'https://owasp.org/www-community/vulnerabilities/Unvalidated_Redirects_and_Forwards',
-            }),
-            useRelativeUrl: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Use Relative URL',
-                description: 'Use relative URLs for internal redirects',
-                severity: 'LOW',
-                fix: 'redirect("/internal/path") instead of absolute URLs',
-                documentationLink: 'https://owasp.org/www-community/vulnerabilities/Unvalidated_Redirects_and_Forwards',
-            }),
-        },
-        schema: [
-            {
-                type: 'object',
-                properties: {
-                    ignoreInTests: {
-                        type: 'boolean',
-                        default: true,
-                    },
-                    allowedDomains: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: [],
-                    },
-                },
-                additionalProperties: false,
-            },
-        ],
-    },
-    defaultOptions: [
-        {
-            ignoreInTests: true,
-            allowedDomains: [],
-        },
-    ],
-    create(context, [options = {}]) {
-        const { ignoreInTests = true } = options || {};
-        const filename = context.getFilename();
-        const isTestFile = ignoreInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
-        if (isTestFile) {
-            return {};
-        }
-        const sourceCode = context.sourceCode || context.sourceCode;
-        /**
-         * Check redirect calls and assignments
-         */
-        function checkCallExpression(node) {
-            // Check for res.redirect, window.location, etc.
-            if (node.callee.type === 'MemberExpression' &&
-                node.callee.property.type === 'Identifier') {
-                const methodName = node.callee.property.name;
-                if (['redirect', 'replace', 'assign'].includes(methodName)) {
-                    // Check if redirect URL is validated
-                    if (!isRedirectValidated(node, sourceCode)) {
-                        context.report({
-                            node,
-                            messageId: 'insecureRedirect',
-                            suggest: [
-                                {
-                                    messageId: 'whitelistDomains',
-                                    fix: () => null,
-                                },
-                                {
-                                    messageId: 'validateRedirect',
-                                    fix: () => null,
-                                },
-                                {
-                                    messageId: 'useRelativeUrl',
-                                    fix: () => null,
-                                },
-                            ],
-                        });
-                    }
-                }
-            }
-        }
-        /**
-         * Check assignment expressions like window.location.href = ...
-         */
-        function checkAssignmentExpression(node) {
-            // Check for window.location.href assignments
-            if (node.left.type === 'MemberExpression' &&
-                node.left.object.type === 'MemberExpression' &&
-                node.left.object.object.type === 'Identifier' &&
-                node.left.object.object.name === 'window' &&
-                node.left.object.property.type === 'Identifier' &&
-                node.left.object.property.name === 'location' &&
-                node.left.property.type === 'Identifier' &&
-                ['href', 'replace', 'assign'].includes(node.left.property.name)) {
-                // Check if assignment value comes from user input
-                const rightText = sourceCode.getText(node.right);
-                const userInputPattern = /\b(req\.(query|body|params)|window\.location|document\.location)\b/;
-                if (userInputPattern.test(rightText)) {
-                    context.report({
-                        node,
-                        messageId: 'insecureRedirect',
-                        suggest: [
-                            {
-                                messageId: 'whitelistDomains',
-                                fix: () => null,
-                            },
-                            {
-                                messageId: 'validateRedirect',
-                                fix: () => null,
-                            },
-                            {
-                                messageId: 'useRelativeUrl',
-                                fix: () => null,
-                            },
-                        ],
-                    });
-                }
-            }
-        }
-        return {
-            CallExpression: checkCallExpression,
-            AssignmentExpression: checkAssignmentExpression,
-        };
-    },
-});

package/src/rules/no-insecure-websocket/index.d.ts

@@ -1,6 +0,0 @@
-/**
- * @fileoverview Require secure WebSocket connections (wss://)
- */
-export interface Options {
-}
-export declare const noInsecureWebsocket: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;

package/src/rules/no-insecure-websocket/index.js

@@ -1,61 +0,0 @@
-"use strict";
-/**
- * @fileoverview Require secure WebSocket connections (wss://)
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noInsecureWebsocket = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-exports.noInsecureWebsocket = (0, eslint_devkit_1.createRule)({
-    name: 'no-insecure-websocket',
-    meta: {
-        type: 'problem',
-        docs: {
-            description: 'Require secure WebSocket connections (wss://)',
-        },
-        messages: {
-            violationDetected: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'Insecure WebSocket',
-                cwe: 'CWE-319',
-                description: 'Insecure WebSocket connection (ws://) - data transmitted in clear text',
-                severity: 'HIGH',
-                fix: 'Use wss:// instead of ws:// for secure WebSocket connections',
-                documentationLink: 'https://cwe.mitre.org/data/definitions/319.html',
-            })
-        },
-        schema: [],
-    },
-    defaultOptions: [],
-    create(context) {
-        function report(node) {
-            context.report({ node, messageId: 'violationDetected' });
-        }
-        return {
-            NewExpression(node) {
-                // Check for new WebSocket('ws://...')
-                if (node.callee.type === 'Identifier' && node.callee.name === 'WebSocket') {
-                    const urlArg = node.arguments[0];
-                    // Check literal string
-                    if (urlArg && urlArg.type === 'Literal' &&
-                        typeof urlArg.value === 'string' &&
-                        urlArg.value.startsWith('ws://')) {
-                        report(node);
-                    }
-                    // Check template literal
-                    if (urlArg && urlArg.type === 'TemplateLiteral') {
-                        const text = context.sourceCode.getText(urlArg);
-                        if (text.includes('ws://')) {
-                            report(node);
-                        }
-                    }
-                }
-            },
-            Literal(node) {
-                // Check for ws:// URLs in string literals
-                if (typeof node.value === 'string' && node.value.startsWith('ws://')) {
-                    report(node);
-                }
-            },
-        };
-    },
-});