eslint-plugin-secure-coding 2.3.4 → 3.0.0

package/CHANGELOG.md

@@ -5,6 +5,56 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [4.0.0] - 2025-12-31
+
+### ⚠️ BREAKING CHANGES
+
+Removed 12 rules that now have dedicated, specialized plugins with enhanced functionality.
+
+#### Removed Rules (use dedicated plugins instead)
+
+| Removed Rule                             | Replacement Plugin               | Replacement Rule(s)                                 |
+| ---------------------------------------- | -------------------------------- | --------------------------------------------------- |
+| `no-sql-injection`                       | `eslint-plugin-pg`               | `pg/no-unsafe-query`                                |
+| `database-injection`                     | `eslint-plugin-pg`               | `pg/no-unsafe-query`                                |
+| `no-insecure-jwt`                        | `eslint-plugin-jwt`              | 13 dedicated JWT rules                              |
+| `no-weak-crypto`                         | `eslint-plugin-crypto`           | `crypto/no-weak-hash-algorithm`                     |
+| `no-timing-attack`                       | `eslint-plugin-crypto`           | `crypto/no-timing-unsafe-compare`                   |
+| `no-insufficient-random`                 | `eslint-plugin-crypto`           | `crypto/no-math-random-crypto`                      |
+| `no-document-cookie`                     | `eslint-plugin-browser-security` | `browser-security/no-sensitive-cookie-js`           |
+| `no-unsanitized-html`                    | `eslint-plugin-browser-security` | `browser-security/no-innerhtml`                     |
+| `no-postmessage-origin-wildcard`         | `eslint-plugin-browser-security` | `browser-security/no-postmessage-wildcard-origin`   |
+| `no-insecure-cookie-settings`            | `eslint-plugin-browser-security` | `browser-security/require-cookie-secure-attrs`      |
+| `no-insufficient-postmessage-validation` | `eslint-plugin-browser-security` | `browser-security/require-postmessage-origin-check` |
+| `no-unencrypted-local-storage`           | `eslint-plugin-browser-security` | `browser-security/no-sensitive-localstorage`        |
+| `no-credentials-in-storage-api`          | `eslint-plugin-browser-security` | `browser-security/no-sensitive-localstorage`        |
+
+### Migration Guide
+
+Install the specialized plugins for the functionality you need:
+
+```bash
+# For PostgreSQL/SQL security
+npm install --save-dev eslint-plugin-pg
+
+# For JWT security
+npm install --save-dev eslint-plugin-jwt
+
+# For cryptography security
+npm install --save-dev eslint-plugin-crypto
+
+# For browser/client-side security
+npm install --save-dev eslint-plugin-browser-security
+```
+
+### Why This Change?
+
+Specialized plugins provide:
+
+- **More rules**: 13 JWT rules vs 1, 24 crypto rules vs 3
+- **Better detection**: Domain-specific AST patterns
+- **Focused maintenance**: Faster updates for each security domain
+
 ## [3.0.2] - 2025-12-20
 
 ### Performance
@@ -18,7 +68,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [3.0.1] - 2025-12-20
 
-### Fixed
+### Fixed444
 
 - **detect-object-injection**: Reduced false positives by detecting validation patterns:
   - `includes()` checks in enclosing if-blocks

package/README.md

@@ -6,18 +6,19 @@
 [![npm downloads](https://img.shields.io/npm/dm/eslint-plugin-secure-coding.svg)](https://www.npmjs.com/package/eslint-plugin-secure-coding)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 [![codecov](https://codecov.io/gh/ofri-peretz/eslint/graph/badge.svg?component=secure_coding)](https://app.codecov.io/gh/ofri-peretz/eslint/components?components%5B0%5D=secure_coding)
+[![Dec 2025](https://img.shields.io/badge/Dec_2025-blue?logo=rocket&logoColor=white)](https://github.com/ofri-peretz/eslint)
 
 > **A complete security standard:** This plugin provides **full mitigation** for both **OWASP Top 10 Web (2021)** AND **OWASP Mobile Top 10 (2024)**.  
-> With **78 active rules** (+ 11 deprecated) mapped to CWE and CVSS, it transforms your linter into an enterprise-grade security auditor that AI assistants can understand and fix.
+> With **75 active rules** mapped to CWE and CVSS, it transforms your linter into an enterprise-grade security auditor that AI assistants can understand and fix.
 
 > [!NOTE]
-> **v3.0.0**: 11 rules have been deprecated in favor of dedicated plugins with better coverage. See [Related ESLint Plugins](#-related-eslint-plugins) for migration guidance.
+> **v3.0.0**: 14 legacy rules have been **removed** and migrated to dedicated plugins with better coverage. See [Related ESLint Plugins](#-related-eslint-plugins) for migration guidance.
 
 ---
 
 ## 💡 What you get
 
-- **Feature-based coverage:** 89 rules grouped by attack surface (injection, crypto, auth, cookies, headers, mobile security, resource limits, platform specifics).
+- **Feature-based coverage:** 75 rules grouped by attack surface (injection, crypto, auth, cookies, headers, mobile security, resource limits, platform specifics).
 - **LLM-optimized & MCP-ready:** Structured 2-line messages with CWE + OWASP + CVSS + concrete fixes so humans _and_ AI auto-fixers stay aligned.
 - **Standards aligned:** OWASP Top 10 Web + Mobile, CWE tagging, CVSS scoring in every finding for compliance mapping.
 - **Tiered presets:** `recommended`, `strict`, `owasp-top-10` for fast policy rollout.
@@ -88,9 +89,9 @@ src/components/Display.tsx
 
 ---
 
-## 🔐 78 Active Security Rules
+## 🔐 75 Active Security Rules
 
-💼 = Set in `recommended` | ⚠️ = Warns in `recommended` | 🔧 = Auto-fixable | 💡 = Suggestions | 🚫 = Deprecated (use dedicated plugin)
+💼 = Set in `recommended` | ⚠️ = Warns in `recommended` | 🔧 = Auto-fixable | 💡 = Suggestions
 
 ### Injection Prevention (11 rules)
 
@@ -282,7 +283,7 @@ npx eslint .
 
 ## 📚 Documentation
 
-- **[Rules Reference](./docs/RULES.md)** - Complete list of all 89 rules with configuration options
+- **[Rules Reference](./docs/RULES.md)** - Complete list of all 75 rules with configuration options
 
 ---
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "eslint-plugin-secure-coding",
-  "version": "2.3.4",
+  "version": "3.0.0",
   "description": "Security-focused ESLint plugin with 89 AI-parseable rules for detecting and preventing vulnerabilities. OWASP Top 10 2021 + Mobile Top 10 2024 coverage, CWE references, and AI-assisted fix guidance.",
   "type": "commonjs",
   "main": "./src/index.js",
@@ -72,15 +72,8 @@
     "@interlace/eslint-devkit": "^1.2.1",
     "tslib": "^2.3.0"
   },
-  "scripts": {
-    "test": "vitest run",
-    "test:watch": "vitest watch",
-    "test:coverage": "vitest run --coverage"
-  },
   "devDependencies": {
     "@typescript-eslint/parser": "^8.46.2",
-    "@typescript-eslint/rule-tester": "^8.46.2",
-    "@vitest/coverage-v8": "^4.0.6",
-    "vitest": "^4.0.6"
+    "@typescript-eslint/rule-tester": "^8.46.2"
   }
 }

package/src/index.d.ts

@@ -29,4 +29,4 @@ export default plugin;
 /**
  * Re-export all types from the types barrel
  */
-export type { NoSqlInjectionOptions, DatabaseInjectionOptions, DetectEvalWithExpressionOptions, DetectChildProcessOptions, NoUnsafeDynamicRequireOptions, NoGraphqlInjectionOptions, NoXxeInjectionOptions, NoXpathInjectionOptions, NoLdapInjectionOptions, NoDirectiveInjectionOptions, NoFormatStringInjectionOptions, DetectNonLiteralFsFilenameOptions, NoZipSlipOptions, NoToctouVulnerabilityOptions, DetectNonLiteralRegexpOptions, NoRedosVulnerableRegexOptions, NoUnsafeRegexConstructionOptions, DetectObjectInjectionOptions, NoUnsafeDeserializationOptions, NoHardcodedCredentialsOptions, NoWeakCryptoOptions, NoInsufficientRandomOptions, NoTimingAttackOptions, NoInsecureComparisonOptions, NoInsecureJwtOptions, NoUnvalidatedUserInputOptions, NoUnsanitizedHtmlOptions, NoUnescapedUrlParameterOptions, NoImproperSanitizationOptions, NoImproperTypeValidationOptions, NoMissingAuthenticationOptions, NoPrivilegeEscalationOptions, NoWeakPasswordRecoveryOptions, NoInsecureCookieSettingsOptions, NoMissingCsrfProtectionOptions, NoDocumentCookieOptions, NoMissingCorsCheckOptions, NoMissingSecurityHeadersOptions, NoInsecureRedirectsOptions, NoUnencryptedTransmissionOptions, NoClickjackingOptions, NoExposedSensitiveDataOptions, NoSensitiveDataExposureOptions, NoBufferOverreadOptions, NoUnlimitedResourceAllocationOptions, NoUncheckedLoopConditionOptions, NoElectronSecurityIssuesOptions, NoInsufficientPostmessageValidationOptions, AllSecurityRulesOptions, } from './types/index';
+export type { DetectEvalWithExpressionOptions, DetectChildProcessOptions, NoUnsafeDynamicRequireOptions, NoGraphqlInjectionOptions, NoXxeInjectionOptions, NoXpathInjectionOptions, NoLdapInjectionOptions, NoDirectiveInjectionOptions, NoFormatStringInjectionOptions, DetectNonLiteralFsFilenameOptions, NoZipSlipOptions, NoToctouVulnerabilityOptions, DetectNonLiteralRegexpOptions, NoRedosVulnerableRegexOptions, NoUnsafeRegexConstructionOptions, DetectObjectInjectionOptions, NoUnsafeDeserializationOptions, NoHardcodedCredentialsOptions, NoInsecureComparisonOptions, NoUnvalidatedUserInputOptions, NoUnescapedUrlParameterOptions, NoImproperSanitizationOptions, NoImproperTypeValidationOptions, NoMissingAuthenticationOptions, NoPrivilegeEscalationOptions, NoWeakPasswordRecoveryOptions, NoMissingCsrfProtectionOptions, NoMissingCorsCheckOptions, NoMissingSecurityHeadersOptions, NoInsecureRedirectsOptions, NoUnencryptedTransmissionOptions, NoClickjackingOptions, NoExposedSensitiveDataOptions, NoSensitiveDataExposureOptions, NoBufferOverreadOptions, NoUnlimitedResourceAllocationOptions, NoUncheckedLoopConditionOptions, NoElectronSecurityIssuesOptions, AllSecurityRulesOptions, } from './types/index';

package/src/index.js

@@ -16,8 +16,6 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.configs = exports.plugin = exports.rules = void 0;
 // Security rules - Injection
-const no_sql_injection_1 = require("./rules/no-sql-injection");
-const database_injection_1 = require("./rules/database-injection");
 const detect_eval_with_expression_1 = require("./rules/detect-eval-with-expression");
 const detect_child_process_1 = require("./rules/detect-child-process");
 const no_unsafe_dynamic_require_1 = require("./rules/no-unsafe-dynamic-require");
@@ -40,14 +38,9 @@ const detect_object_injection_1 = require("./rules/detect-object-injection");
 const no_unsafe_deserialization_1 = require("./rules/no-unsafe-deserialization");
 // Security rules - Credentials & Crypto
 const no_hardcoded_credentials_1 = require("./rules/no-hardcoded-credentials");
-const no_weak_crypto_1 = require("./rules/no-weak-crypto");
-const no_insufficient_random_1 = require("./rules/no-insufficient-random");
-const no_timing_attack_1 = require("./rules/no-timing-attack");
 const no_insecure_comparison_1 = require("./rules/no-insecure-comparison");
-const no_insecure_jwt_1 = require("./rules/no-insecure-jwt");
 // Security rules - Input Validation & XSS
 const no_unvalidated_user_input_1 = require("./rules/no-unvalidated-user-input");
-const no_unsanitized_html_1 = require("./rules/no-unsanitized-html");
 const no_unescaped_url_parameter_1 = require("./rules/no-unescaped-url-parameter");
 const no_improper_sanitization_1 = require("./rules/no-improper-sanitization");
 const no_improper_type_validation_1 = require("./rules/no-improper-type-validation");
@@ -56,9 +49,7 @@ const no_missing_authentication_1 = require("./rules/no-missing-authentication")
 const no_privilege_escalation_1 = require("./rules/no-privilege-escalation");
 const no_weak_password_recovery_1 = require("./rules/no-weak-password-recovery");
 // Security rules - Session & Cookies
-const no_insecure_cookie_settings_1 = require("./rules/no-insecure-cookie-settings");
 const no_missing_csrf_protection_1 = require("./rules/no-missing-csrf-protection");
-const no_document_cookie_1 = require("./rules/no-document-cookie");
 // Security rules - Network & Headers
 const no_missing_cors_check_1 = require("./rules/no-missing-cors-check");
 const no_missing_security_headers_1 = require("./rules/no-missing-security-headers");
@@ -75,10 +66,8 @@ const no_unlimited_resource_allocation_1 = require("./rules/no-unlimited-resourc
 const no_unchecked_loop_condition_1 = require("./rules/no-unchecked-loop-condition");
 // Security rules - Platform Specific
 const no_electron_security_issues_1 = require("./rules/no-electron-security-issues");
-const no_insufficient_postmessage_validation_1 = require("./rules/no-insufficient-postmessage-validation");
 // OWASP Mobile Top 10 2023/2024 - Mobile Security Rules (40 rules)
 // M1: Improper Credential Usage (3 rules)
-const no_credentials_in_storage_api_1 = require("./rules/no-credentials-in-storage-api");
 const no_credentials_in_query_params_1 = require("./rules/no-credentials-in-query-params");
 const require_secure_credential_storage_1 = require("./rules/require-secure-credential-storage");
 // M2: Inadequate Supply Chain Security (4 rules)
@@ -97,7 +86,6 @@ const no_unvalidated_deeplinks_1 = require("./rules/no-unvalidated-deeplinks");
 const require_url_validation_1 = require("./rules/require-url-validation");
 const no_arbitrary_file_access_1 = require("./rules/no-arbitrary-file-access");
 const require_mime_type_validation_1 = require("./rules/require-mime-type-validation");
-const no_postmessage_origin_wildcard_1 = require("./rules/no-postmessage-origin-wildcard");
 const require_csp_headers_1 = require("./rules/require-csp-headers");
 // M5: Insecure Communication (7 rules)
 const no_http_urls_1 = require("./rules/no-http-urls");
@@ -121,7 +109,6 @@ const no_exposed_debug_endpoints_1 = require("./rules/no-exposed-debug-endpoints
 const require_secure_defaults_1 = require("./rules/require-secure-defaults");
 const no_permissive_cors_1 = require("./rules/no-permissive-cors");
 // M9: Insecure Data Storage (5 rules)
-const no_unencrypted_local_storage_1 = require("./rules/no-unencrypted-local-storage");
 const no_sensitive_data_in_cache_1 = require("./rules/no-sensitive-data-in-cache");
 const require_storage_encryption_1 = require("./rules/require-storage-encryption");
 const no_data_in_temp_storage_1 = require("./rules/no-data-in-temp-storage");
@@ -131,8 +118,6 @@ const require_secure_deletion_1 = require("./rules/require-secure-deletion");
  */
 exports.rules = {
     // Flat rule names (recommended usage)
-    'no-sql-injection': no_sql_injection_1.noSqlInjection,
-    'database-injection': database_injection_1.databaseInjection,
     'detect-eval-with-expression': detect_eval_with_expression_1.detectEvalWithExpression,
     'detect-child-process': detect_child_process_1.detectChildProcess,
     'no-unsafe-dynamic-require': no_unsafe_dynamic_require_1.noUnsafeDynamicRequire,
@@ -151,22 +136,15 @@ exports.rules = {
     'detect-object-injection': detect_object_injection_1.detectObjectInjection,
     'no-unsafe-deserialization': no_unsafe_deserialization_1.noUnsafeDeserialization,
     'no-hardcoded-credentials': no_hardcoded_credentials_1.noHardcodedCredentials,
-    'no-weak-crypto': no_weak_crypto_1.noWeakCrypto,
-    'no-insufficient-random': no_insufficient_random_1.noInsufficientRandom,
-    'no-timing-attack': no_timing_attack_1.noTimingAttack,
     'no-insecure-comparison': no_insecure_comparison_1.noInsecureComparison,
-    'no-insecure-jwt': no_insecure_jwt_1.noInsecureJwt,
     'no-unvalidated-user-input': no_unvalidated_user_input_1.noUnvalidatedUserInput,
-    'no-unsanitized-html': no_unsanitized_html_1.noUnsanitizedHtml,
     'no-unescaped-url-parameter': no_unescaped_url_parameter_1.noUnescapedUrlParameter,
     'no-improper-sanitization': no_improper_sanitization_1.noImproperSanitization,
     'no-improper-type-validation': no_improper_type_validation_1.noImproperTypeValidation,
     'no-missing-authentication': no_missing_authentication_1.noMissingAuthentication,
     'no-privilege-escalation': no_privilege_escalation_1.noPrivilegeEscalation,
     'no-weak-password-recovery': no_weak_password_recovery_1.noWeakPasswordRecovery,
-    'no-insecure-cookie-settings': no_insecure_cookie_settings_1.noInsecureCookieSettings,
     'no-missing-csrf-protection': no_missing_csrf_protection_1.noMissingCsrfProtection,
-    'no-document-cookie': no_document_cookie_1.noDocumentCookie,
     'no-missing-cors-check': no_missing_cors_check_1.noMissingCorsCheck,
     'no-missing-security-headers': no_missing_security_headers_1.noMissingSecurityHeaders,
     'no-insecure-redirects': no_insecure_redirects_1.noInsecureRedirects,
@@ -178,10 +156,8 @@ exports.rules = {
     'no-unlimited-resource-allocation': no_unlimited_resource_allocation_1.noUnlimitedResourceAllocation,
     'no-unchecked-loop-condition': no_unchecked_loop_condition_1.noUncheckedLoopCondition,
     'no-electron-security-issues': no_electron_security_issues_1.noElectronSecurityIssues,
-    'no-insufficient-postmessage-validation': no_insufficient_postmessage_validation_1.noInsufficientPostmessageValidation,
     // OWASP Mobile Top 10 2023/2024 rules (40 rules)
     // M1: Improper Credential Usage (3 rules)
-    'no-credentials-in-storage-api': no_credentials_in_storage_api_1.noCredentialsInStorageApi,
     'no-credentials-in-query-params': no_credentials_in_query_params_1.noCredentialsInQueryParams,
     'require-secure-credential-storage': require_secure_credential_storage_1.requireSecureCredentialStorage,
     // M2: Inadequate Supply Chain Security (4 rules)
@@ -200,7 +176,6 @@ exports.rules = {
     'require-url-validation': require_url_validation_1.requireUrlValidation,
     'no-arbitrary-file-access': no_arbitrary_file_access_1.noArbitraryFileAccess,
     'require-mime-type-validation': require_mime_type_validation_1.requireMimeTypeValidation,
-    'no-postmessage-origin-wildcard': no_postmessage_origin_wildcard_1.noPostmessageOriginWildcard,
     'require-csp-headers': require_csp_headers_1.requireCspHeaders,
     // M5: Insecure Communication (7 rules)
     'no-http-urls': no_http_urls_1.noHttpUrls,
@@ -224,7 +199,6 @@ exports.rules = {
     'require-secure-defaults': require_secure_defaults_1.requireSecureDefaults,
     'no-permissive-cors': no_permissive_cors_1.noPermissiveCors,
     // M9: Insecure Data Storage (5 rules)
-    'no-unencrypted-local-storage': no_unencrypted_local_storage_1.noUnencryptedLocalStorage,
     'no-sensitive-data-in-cache': no_sensitive_data_in_cache_1.noSensitiveDataInCache,
     'require-storage-encryption': require_storage_encryption_1.requireStorageEncryption,
     'no-data-in-temp-storage': no_data_in_temp_storage_1.noDataInTempStorage,
@@ -245,8 +219,6 @@ exports.plugin = {
  */
 const recommendedRules = {
     // Critical - Injection vulnerabilities (OWASP A03)
-    'secure-coding/no-sql-injection': 'error',
-    'secure-coding/database-injection': 'error',
     'secure-coding/detect-eval-with-expression': 'error',
     'secure-coding/detect-child-process': 'error',
     'secure-coding/no-unsafe-dynamic-require': 'error',
@@ -270,14 +242,9 @@ const recommendedRules = {
     'secure-coding/detect-object-injection': 'warn',
     // Critical - Cryptography (OWASP A02)
     'secure-coding/no-hardcoded-credentials': 'error',
-    'secure-coding/no-weak-crypto': 'error',
-    'secure-coding/no-insufficient-random': 'warn',
-    'secure-coding/no-timing-attack': 'error',
     'secure-coding/no-insecure-comparison': 'warn',
-    'secure-coding/no-insecure-jwt': 'error',
     // Critical - XSS vulnerabilities (OWASP A03)
     'secure-coding/no-unvalidated-user-input': 'warn',
-    'secure-coding/no-unsanitized-html': 'error',
     'secure-coding/no-unescaped-url-parameter': 'warn',
     'secure-coding/no-improper-sanitization': 'error',
     'secure-coding/no-improper-type-validation': 'warn',
@@ -286,9 +253,7 @@ const recommendedRules = {
     'secure-coding/no-privilege-escalation': 'warn',
     'secure-coding/no-weak-password-recovery': 'error',
     // High - Session & Cookies
-    'secure-coding/no-insecure-cookie-settings': 'warn',
     'secure-coding/no-missing-csrf-protection': 'warn',
-    'secure-coding/no-document-cookie': 'warn',
     // High - Network & Headers (OWASP A05)
     'secure-coding/no-missing-cors-check': 'warn',
     'secure-coding/no-missing-security-headers': 'warn',
@@ -305,9 +270,7 @@ const recommendedRules = {
     'secure-coding/no-unchecked-loop-condition': 'error',
     // Medium - Platform specific
     'secure-coding/no-electron-security-issues': 'error',
-    'secure-coding/no-insufficient-postmessage-validation': 'error',
     // Mobile & General Security (OWASP Mobile)
-    'secure-coding/no-credentials-in-storage-api': 'error',
     'secure-coding/no-credentials-in-query-params': 'error',
     'secure-coding/no-http-urls': 'error',
     'secure-coding/require-https-only': 'error',
@@ -316,7 +279,6 @@ const recommendedRules = {
     'secure-coding/no-hardcoded-session-tokens': 'error',
     'secure-coding/detect-mixed-content': 'error',
     'secure-coding/no-unvalidated-deeplinks': 'error',
-    'secure-coding/no-postmessage-origin-wildcard': 'error',
     'secure-coding/no-insecure-websocket': 'error',
     'secure-coding/detect-suspicious-dependencies': 'warn',
 };
@@ -362,21 +324,15 @@ exports.configs = {
             'secure-coding/no-insecure-redirects': 'error',
             // A02:2021 – Cryptographic Failures
             'secure-coding/no-hardcoded-credentials': 'error',
-            'secure-coding/no-weak-crypto': 'error',
-            'secure-coding/no-insufficient-random': 'error',
-            'secure-coding/no-insecure-jwt': 'error',
             'secure-coding/no-unencrypted-transmission': 'error',
             'secure-coding/no-sensitive-data-exposure': 'error',
             // A03:2021 – Injection
-            'secure-coding/no-sql-injection': 'error',
-            'secure-coding/database-injection': 'error',
             'secure-coding/detect-eval-with-expression': 'error',
             'secure-coding/detect-child-process': 'error',
             'secure-coding/no-graphql-injection': 'error',
             'secure-coding/no-xxe-injection': 'error',
             'secure-coding/no-xpath-injection': 'error',
             'secure-coding/no-ldap-injection': 'error',
-            'secure-coding/no-unsanitized-html': 'error',
             'secure-coding/no-unescaped-url-parameter': 'error',
             // A04:2021 – Insecure Design
             'secure-coding/no-weak-password-recovery': 'error',
@@ -384,11 +340,9 @@ exports.configs = {
             // A05:2021 – Security Misconfiguration
             'secure-coding/no-missing-security-headers': 'error',
             'secure-coding/no-missing-cors-check': 'error',
-            'secure-coding/no-insecure-cookie-settings': 'error',
             'secure-coding/no-clickjacking': 'error',
             'secure-coding/no-electron-security-issues': 'error',
             // A07:2021 – Identification and Authentication Failures
-            'secure-coding/no-timing-attack': 'error',
             'secure-coding/no-insecure-comparison': 'error',
             'secure-coding/no-missing-csrf-protection': 'error',
             // A08:2021 – Software and Data Integrity Failures
@@ -407,7 +361,6 @@ exports.configs = {
         },
         rules: {
             // M1: Improper Credential Usage
-            'secure-coding/no-credentials-in-storage-api': 'error',
             'secure-coding/no-credentials-in-query-params': 'error',
             'secure-coding/require-secure-credential-storage': 'error',
             'secure-coding/no-hardcoded-credentials': 'error',
@@ -427,7 +380,6 @@ exports.configs = {
             'secure-coding/require-url-validation': 'error',
             'secure-coding/no-arbitrary-file-access': 'error',
             'secure-coding/require-mime-type-validation': 'error',
-            'secure-coding/no-postmessage-origin-wildcard': 'error',
             'secure-coding/require-csp-headers': 'error',
             // M5: Insecure Communication
             'secure-coding/no-http-urls': 'error',
@@ -451,7 +403,6 @@ exports.configs = {
             'secure-coding/require-secure-defaults': 'error',
             'secure-coding/no-permissive-cors': 'error',
             // M9: Insecure Data Storage
-            'secure-coding/no-unencrypted-local-storage': 'error',
             'secure-coding/no-sensitive-data-in-cache': 'error',
             'secure-coding/require-storage-encryption': 'error',
             'secure-coding/no-data-in-temp-storage': 'error',

package/src/types/index.d.ts

@@ -5,16 +5,13 @@
  *
  * Usage:
  * ```typescript
- * import type { NoSqlInjectionOptions } from 'eslint-plugin-secure-coding/types';
+ * import type { NoHardcodedCredentialsOptions } from 'eslint-plugin-secure-coding/types';
  *
- * const config: NoSqlInjectionOptions = {
- *   allowDynamicTableNames: false,
- *   strategy: 'parameterize',
+ * const config: NoHardcodedCredentialsOptions = {
+ *   ignorePatterns: ['test/*'],
  * };
  * ```
  */
-import type { Options as NoSqlInjectionOptions } from '../rules/no-sql-injection';
-import type { Options as DatabaseInjectionOptions } from '../rules/database-injection';
 import type { Options as DetectEvalWithExpressionOptions } from '../rules/detect-eval-with-expression';
 import type { Options as DetectChildProcessOptions } from '../rules/detect-child-process';
 import type { Options as NoUnsafeDynamicRequireOptions } from '../rules/no-unsafe-dynamic-require';
@@ -33,22 +30,15 @@ import type { Options as NoUnsafeRegexConstructionOptions } from '../rules/no-un
 import type { Options as DetectObjectInjectionOptions } from '../rules/detect-object-injection';
 import type { Options as NoUnsafeDeserializationOptions } from '../rules/no-unsafe-deserialization';
 import type { Options as NoHardcodedCredentialsOptions } from '../rules/no-hardcoded-credentials';
-import type { Options as NoWeakCryptoOptions } from '../rules/no-weak-crypto';
-import type { Options as NoInsufficientRandomOptions } from '../rules/no-insufficient-random';
-import type { Options as NoTimingAttackOptions } from '../rules/no-timing-attack';
 import type { Options as NoInsecureComparisonOptions } from '../rules/no-insecure-comparison';
-import type { Options as NoInsecureJwtOptions } from '../rules/no-insecure-jwt';
 import type { Options as NoUnvalidatedUserInputOptions } from '../rules/no-unvalidated-user-input';
-import type { Options as NoUnsanitizedHtmlOptions } from '../rules/no-unsanitized-html';
 import type { Options as NoUnescapedUrlParameterOptions } from '../rules/no-unescaped-url-parameter';
 import type { Options as NoImproperSanitizationOptions } from '../rules/no-improper-sanitization';
 import type { Options as NoImproperTypeValidationOptions } from '../rules/no-improper-type-validation';
 import type { Options as NoMissingAuthenticationOptions } from '../rules/no-missing-authentication';
 import type { Options as NoPrivilegeEscalationOptions } from '../rules/no-privilege-escalation';
 import type { Options as NoWeakPasswordRecoveryOptions } from '../rules/no-weak-password-recovery';
-import type { Options as NoInsecureCookieSettingsOptions } from '../rules/no-insecure-cookie-settings';
 import type { Options as NoMissingCsrfProtectionOptions } from '../rules/no-missing-csrf-protection';
-import type { Options as NoDocumentCookieOptions } from '../rules/no-document-cookie';
 import type { Options as NoMissingCorsCheckOptions } from '../rules/no-missing-cors-check';
 import type { Options as NoMissingSecurityHeadersOptions } from '../rules/no-missing-security-headers';
 import type { Options as NoInsecureRedirectsOptions } from '../rules/no-insecure-redirects';
@@ -60,8 +50,7 @@ import type { Options as NoBufferOverreadOptions } from '../rules/no-buffer-over
 import type { Options as NoUnlimitedResourceAllocationOptions } from '../rules/no-unlimited-resource-allocation';
 import type { Options as NoUncheckedLoopConditionOptions } from '../rules/no-unchecked-loop-condition';
 import type { Options as NoElectronSecurityIssuesOptions } from '../rules/no-electron-security-issues';
-import type { Options as NoInsufficientPostmessageValidationOptions } from '../rules/no-insufficient-postmessage-validation';
-export type { NoSqlInjectionOptions, DatabaseInjectionOptions, DetectEvalWithExpressionOptions, DetectChildProcessOptions, NoUnsafeDynamicRequireOptions, NoGraphqlInjectionOptions, NoXxeInjectionOptions, NoXpathInjectionOptions, NoLdapInjectionOptions, NoDirectiveInjectionOptions, NoFormatStringInjectionOptions, DetectNonLiteralFsFilenameOptions, NoZipSlipOptions, NoToctouVulnerabilityOptions, DetectNonLiteralRegexpOptions, NoRedosVulnerableRegexOptions, NoUnsafeRegexConstructionOptions, DetectObjectInjectionOptions, NoUnsafeDeserializationOptions, NoHardcodedCredentialsOptions, NoWeakCryptoOptions, NoInsufficientRandomOptions, NoTimingAttackOptions, NoInsecureComparisonOptions, NoInsecureJwtOptions, NoUnvalidatedUserInputOptions, NoUnsanitizedHtmlOptions, NoUnescapedUrlParameterOptions, NoImproperSanitizationOptions, NoImproperTypeValidationOptions, NoMissingAuthenticationOptions, NoPrivilegeEscalationOptions, NoWeakPasswordRecoveryOptions, NoInsecureCookieSettingsOptions, NoMissingCsrfProtectionOptions, NoDocumentCookieOptions, NoMissingCorsCheckOptions, NoMissingSecurityHeadersOptions, NoInsecureRedirectsOptions, NoUnencryptedTransmissionOptions, NoClickjackingOptions, NoExposedSensitiveDataOptions, NoSensitiveDataExposureOptions, NoBufferOverreadOptions, NoUnlimitedResourceAllocationOptions, NoUncheckedLoopConditionOptions, NoElectronSecurityIssuesOptions, NoInsufficientPostmessageValidationOptions, };
+export type { DetectEvalWithExpressionOptions, DetectChildProcessOptions, NoUnsafeDynamicRequireOptions, NoGraphqlInjectionOptions, NoXxeInjectionOptions, NoXpathInjectionOptions, NoLdapInjectionOptions, NoDirectiveInjectionOptions, NoFormatStringInjectionOptions, DetectNonLiteralFsFilenameOptions, NoZipSlipOptions, NoToctouVulnerabilityOptions, DetectNonLiteralRegexpOptions, NoRedosVulnerableRegexOptions, NoUnsafeRegexConstructionOptions, DetectObjectInjectionOptions, NoUnsafeDeserializationOptions, NoHardcodedCredentialsOptions, NoInsecureComparisonOptions, NoUnvalidatedUserInputOptions, NoUnescapedUrlParameterOptions, NoImproperSanitizationOptions, NoImproperTypeValidationOptions, NoMissingAuthenticationOptions, NoPrivilegeEscalationOptions, NoWeakPasswordRecoveryOptions, NoMissingCsrfProtectionOptions, NoMissingCorsCheckOptions, NoMissingSecurityHeadersOptions, NoInsecureRedirectsOptions, NoUnencryptedTransmissionOptions, NoClickjackingOptions, NoExposedSensitiveDataOptions, NoSensitiveDataExposureOptions, NoBufferOverreadOptions, NoUnlimitedResourceAllocationOptions, NoUncheckedLoopConditionOptions, NoElectronSecurityIssuesOptions, };
 /**
  * Combined type for all security rule options
  * Useful for creating unified configuration objects
@@ -69,10 +58,6 @@ export type { NoSqlInjectionOptions, DatabaseInjectionOptions, DetectEvalWithExp
  * @example
  * ```typescript
  * const config: AllSecurityRulesOptions = {
- *   'no-sql-injection': {
- *     allowDynamicTableNames: false,
- *     strategy: 'parameterize',
- *   },
  *   'no-hardcoded-credentials': {
  *     ignorePatterns: ['test/*'],
  *   },
@@ -80,8 +65,6 @@ export type { NoSqlInjectionOptions, DatabaseInjectionOptions, DetectEvalWithExp
  * ```
  */
 export type AllSecurityRulesOptions = {
-    'no-sql-injection'?: NoSqlInjectionOptions;
-    'database-injection'?: DatabaseInjectionOptions;
     'detect-eval-with-expression'?: DetectEvalWithExpressionOptions;
     'detect-child-process'?: DetectChildProcessOptions;
     'no-unsafe-dynamic-require'?: NoUnsafeDynamicRequireOptions;
@@ -100,22 +83,15 @@ export type AllSecurityRulesOptions = {
     'detect-object-injection'?: DetectObjectInjectionOptions;
     'no-unsafe-deserialization'?: NoUnsafeDeserializationOptions;
     'no-hardcoded-credentials'?: NoHardcodedCredentialsOptions;
-    'no-weak-crypto'?: NoWeakCryptoOptions;
-    'no-insufficient-random'?: NoInsufficientRandomOptions;
-    'no-timing-attack'?: NoTimingAttackOptions;
     'no-insecure-comparison'?: NoInsecureComparisonOptions;
-    'no-insecure-jwt'?: NoInsecureJwtOptions;
     'no-unvalidated-user-input'?: NoUnvalidatedUserInputOptions;
-    'no-unsanitized-html'?: NoUnsanitizedHtmlOptions;
     'no-unescaped-url-parameter'?: NoUnescapedUrlParameterOptions;
     'no-improper-sanitization'?: NoImproperSanitizationOptions;
     'no-improper-type-validation'?: NoImproperTypeValidationOptions;
     'no-missing-authentication'?: NoMissingAuthenticationOptions;
     'no-privilege-escalation'?: NoPrivilegeEscalationOptions;
     'no-weak-password-recovery'?: NoWeakPasswordRecoveryOptions;
-    'no-insecure-cookie-settings'?: NoInsecureCookieSettingsOptions;
     'no-missing-csrf-protection'?: NoMissingCsrfProtectionOptions;
-    'no-document-cookie'?: NoDocumentCookieOptions;
     'no-missing-cors-check'?: NoMissingCorsCheckOptions;
     'no-missing-security-headers'?: NoMissingSecurityHeadersOptions;
     'no-insecure-redirects'?: NoInsecureRedirectsOptions;
@@ -127,5 +103,4 @@ export type AllSecurityRulesOptions = {
     'no-unlimited-resource-allocation'?: NoUnlimitedResourceAllocationOptions;
     'no-unchecked-loop-condition'?: NoUncheckedLoopConditionOptions;
     'no-electron-security-issues'?: NoElectronSecurityIssuesOptions;
-    'no-insufficient-postmessage-validation'?: NoInsufficientPostmessageValidationOptions;
 };

package/src/types/index.js

@@ -6,11 +6,10 @@
  *
  * Usage:
  * ```typescript
- * import type { NoSqlInjectionOptions } from 'eslint-plugin-secure-coding/types';
+ * import type { NoHardcodedCredentialsOptions } from 'eslint-plugin-secure-coding/types';
  *
- * const config: NoSqlInjectionOptions = {
- *   allowDynamicTableNames: false,
- *   strategy: 'parameterize',
+ * const config: NoHardcodedCredentialsOptions = {
+ *   ignorePatterns: ['test/*'],
  * };
  * ```
  */

package/src/rules/database-injection/index.d.ts

@@ -1,13 +0,0 @@
-export interface Options {
-    /** Detect NoSQL injection patterns. Default: true */
-    detectNoSQL?: boolean;
-    /** Detect ORM-specific vulnerabilities. Default: true */
-    detectORMs?: boolean;
-    /** Trusted data sources that bypass detection */
-    trustedSources?: string[];
-    /** Show framework-specific recommendations. Default: true */
-    frameworkHints?: boolean;
-    /** Strategy for fixing injection: 'parameterize', 'orm', 'sanitize', 'auto' */
-    strategy?: 'parameterize' | 'orm' | 'sanitize' | 'auto';
-}
-export declare const databaseInjection: ESLintUtils.RuleModule<MessageIds, Options, unknown, ESLintUtils.RuleListener>;