getdoorman 1.0.0

package/src/rules/bugs/js-async-fixable.js

@@ -0,0 +1,223 @@
+// Auto-fixable versions of async bug rules
+const JS_EXT = ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'];
+function isJS(f) { return JS_EXT.some(e => f.endsWith(e)); }
+
+const rules = [
+  {
+    id: 'BUG-FIX-001',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'parseInt without radix — auto-fixable',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const match = lines[i].match(/parseInt\s*\(\s*(\w+)\s*\)/);
+          if (match && !/parseInt\s*\([^,]+,/.test(lines[i])) {
+            findings.push({
+              ruleId: 'BUG-FIX-001', category: 'bugs', severity: 'high',
+              title: 'parseInt() without radix — auto-fixable',
+              file: fp, line: i + 1,
+              fix: { type: 'replace', old: match[0], new: `parseInt(${match[1]}, 10)` },
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-FIX-002',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'isNaN() → Number.isNaN() — auto-fixable',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const match = lines[i].match(/(?<![.\w])isNaN\s*\(([^)]+)\)/);
+          if (match && !lines[i].includes('Number.isNaN')) {
+            findings.push({
+              ruleId: 'BUG-FIX-002', category: 'bugs', severity: 'high',
+              title: 'isNaN() → Number.isNaN() — auto-fixable',
+              file: fp, line: i + 1,
+              fix: { type: 'replace', old: match[0], new: `Number.isNaN(${match[1]})` },
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-FIX-003',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'var in for-loop → let — auto-fixable',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const match = lines[i].match(/for\s*\(\s*var\s+(\w+)/);
+          if (match) {
+            findings.push({
+              ruleId: 'BUG-FIX-003', category: 'bugs', severity: 'high',
+              title: 'var in for-loop → let — auto-fixable',
+              file: fp, line: i + 1,
+              fix: { type: 'replace', old: `for (var ${match[1]}`, new: `for (let ${match[1]}` },
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-FIX-004',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'throw "string" → throw new Error("string") — auto-fixable',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const match = lines[i].match(/throw\s+(['"`])([^'"`]*)\1/);
+          if (match) {
+            findings.push({
+              ruleId: 'BUG-FIX-004', category: 'bugs', severity: 'high',
+              title: 'throw string → throw new Error() — auto-fixable',
+              file: fp, line: i + 1,
+              fix: { type: 'replace', old: match[0], new: `throw new Error(${match[1]}${match[2]}${match[1]})` },
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-FIX-005',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Off-by-one: <= length → < length — auto-fixable',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const match = lines[i].match(/(\w+)\s*<=\s*(\w+)\.length\b/);
+          if (match && /for\s*\(/.test(lines[i])) {
+            findings.push({
+              ruleId: 'BUG-FIX-005', category: 'bugs', severity: 'high',
+              title: 'Off-by-one: <= length → < length — auto-fixable',
+              file: fp, line: i + 1,
+              fix: { type: 'replace', old: `${match[1]} <= ${match[2]}.length`, new: `${match[1]} < ${match[2]}.length` },
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-FIX-006',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Empty catch block → log error — auto-fixable',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        // Match catch(e) {} or catch (e) { }
+        const regex = /catch\s*\(\s*(\w+)\s*\)\s*\{\s*\}/g;
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          findings.push({
+            ruleId: 'BUG-FIX-006', category: 'bugs', severity: 'high',
+            title: 'Empty catch block → log error — auto-fixable',
+            file: fp, line: lineNum,
+            fix: { type: 'replace', old: match[0], new: `catch (${match[1]}) { console.error(${match[1]}); }` },
+          });
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-FIX-007',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'new Promise(async ...) → just use async function — auto-fixable',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/new\s+Promise\s*\(\s*async\b/.test(lines[i])) {
+            findings.push({
+              ruleId: 'BUG-FIX-007', category: 'bugs', severity: 'high',
+              title: 'new Promise(async ...) anti-pattern',
+              description: 'Async errors inside Promise executor are silently swallowed. Remove the Promise wrapper and use async/await directly.',
+              file: fp, line: i + 1,
+              fix: { suggestion: 'Remove the new Promise() wrapper. The async function already returns a Promise.' },
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-FIX-008',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'console.log(err) in catch → console.error — auto-fixable',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        let inCatch = false;
+        let catchVar = null;
+        for (let i = 0; i < lines.length; i++) {
+          const catchMatch = lines[i].match(/\bcatch\s*\(\s*(\w+)\s*\)/);
+          if (catchMatch) { inCatch = true; catchVar = catchMatch[1]; }
+          if (inCatch && catchVar) {
+            const logMatch = lines[i].match(new RegExp(`(console\\.log\\(\\s*${catchVar}\\s*\\))`));
+            if (logMatch) {
+              findings.push({
+                ruleId: 'BUG-FIX-008', category: 'bugs', severity: 'high',
+                title: 'console.log(err) → console.error(err) — auto-fixable',
+                file: fp, line: i + 1,
+                fix: { type: 'replace', old: logMatch[1], new: logMatch[1].replace('console.log', 'console.error') },
+              });
+            }
+          }
+          if (/^\s*\}/.test(lines[i]) && inCatch) inCatch = false;
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;

package/src/rules/bugs/js-async.js

@@ -0,0 +1,211 @@
+// Bug detection: JavaScript async/await and Promise bugs
+const JS_EXT = ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'];
+function isJS(f) { return JS_EXT.some(e => f.endsWith(e)); }
+
+const rules = [
+  {
+    id: 'BUG-ASYNC-001',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'async function inside forEach — callbacks not awaited',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/\.forEach\(\s*async\b/.test(lines[i])) {
+            findings.push({
+              ruleId: 'BUG-ASYNC-001', category: 'bugs', severity: 'high',
+              title: 'async function inside forEach — callbacks not awaited',
+              description: 'forEach does not await async callbacks. Use for...of or Promise.all(arr.map(async ...)) instead.',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-ASYNC-002',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Promise created but not awaited or returned',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          // Detect: functionCall() on its own line where function is likely async
+          if (/^\s+\w+\.\w+\([^)]*\)\s*;?\s*$/.test(line) && !line.includes('await') && !line.includes('return')) {
+            // Check if function name suggests async (save, fetch, send, create, update, delete, write, read)
+            if (/\.(save|fetch|send|create|update|delete|remove|write|read|insert|find|query|execute|upload|download)\s*\(/.test(line)) {
+              // Check if it's inside an async function
+              const contextBefore = lines.slice(Math.max(0, i - 15), i).join('\n');
+              if (/async\s+(?:function|\w+\s*=\s*async|\([^)]*\)\s*=>)/.test(contextBefore)) {
+                findings.push({
+                  ruleId: 'BUG-ASYNC-002', category: 'bugs', severity: 'high',
+                  title: 'Async operation may not be awaited',
+                  description: 'This looks like an async operation (save/fetch/send/etc.) without await. The operation may not complete before the function continues.',
+                  file: fp, line: i + 1, fix: null,
+                });
+              }
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-ASYNC-003',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: '.then() chain without .catch() — unhandled rejection',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/\.then\s*\(/.test(lines[i]) && !lines[i].includes('.catch')) {
+            // Check next few lines for .catch
+            const next5 = lines.slice(i, i + 5).join('\n');
+            if (!next5.includes('.catch') && !next5.includes('try') && !lines[i].includes('return')) {
+              findings.push({
+                ruleId: 'BUG-ASYNC-003', category: 'bugs', severity: 'high',
+                title: 'Promise .then() without .catch() — unhandled rejection',
+                description: 'A rejected promise without .catch() causes an unhandled rejection, which crashes Node.js by default.',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-ASYNC-004',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'await inside a loop — sequential execution, should be parallel',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        let inLoop = 0;
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (/\b(for|while)\s*\(/.test(line)) inLoop++;
+          if (inLoop > 0 && /\bawait\b/.test(line)) {
+            // Check if it's a data-dependent await (skip those)
+            if (!/await.*(?:previous|result|last|acc)/i.test(line)) {
+              findings.push({
+                ruleId: 'BUG-ASYNC-004', category: 'bugs', severity: 'high',
+                title: 'await inside loop — runs sequentially instead of in parallel',
+                description: 'Each iteration waits for the previous one to complete. Use Promise.all() with .map() for parallel execution.',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+          if (/\}\s*$/.test(line) && inLoop > 0) inLoop--;
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-ASYNC-005',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Promise.all without error handling — one rejection loses all results',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/Promise\.all\s*\(/.test(lines[i])) {
+            const context = lines.slice(Math.max(0, i - 2), Math.min(lines.length, i + 5)).join('\n');
+            if (!context.includes('catch') && !context.includes('try') && !context.includes('allSettled')) {
+              findings.push({
+                ruleId: 'BUG-ASYNC-005', category: 'bugs', severity: 'high',
+                title: 'Promise.all without error handling — one rejection loses all results',
+                description: 'If any promise rejects, Promise.all rejects immediately and other results are lost. Use Promise.allSettled() or wrap with try/catch.',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-ASYNC-006',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'new Promise with async executor — errors may be swallowed',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/new\s+Promise\s*\(\s*async\b/.test(lines[i])) {
+            findings.push({
+              ruleId: 'BUG-ASYNC-006', category: 'bugs', severity: 'medium',
+              title: 'new Promise with async executor — thrown errors are silently swallowed',
+              description: 'An async function as Promise executor can throw errors that are not caught by the Promise. Just use an async function directly.',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-ASYNC-007',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Floating promise in event handler — errors silently ignored',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (/\.on\(\s*['"]/.test(line) || /addEventListener\s*\(/.test(line)) {
+            // Check if handler is async but event doesn't await
+            const next10 = lines.slice(i, i + 10).join('\n');
+            if (/async\s*(?:\(|function)/.test(next10) && !next10.includes('.catch') && !next10.includes('try')) {
+              findings.push({
+                ruleId: 'BUG-ASYNC-007', category: 'bugs', severity: 'high',
+                title: 'Async event handler without error handling',
+                description: 'Event emitters do not catch async errors. Wrap the handler body in try/catch or the error will be silently lost.',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;

package/src/rules/bugs/js-closure-scope.js

@@ -0,0 +1,182 @@
+// Bug detection: JavaScript closure and scope bugs
+const JS_EXT = ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'];
+function isJS(f) { return JS_EXT.some(e => f.endsWith(e)); }
+
+const rules = [
+  {
+    id: 'BUG-SCOPE-001',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'var in loop with closure — all closures share same variable',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/for\s*\(\s*var\s+/.test(lines[i])) {
+            // Check if there's a closure in the loop body
+            const body = lines.slice(i, Math.min(lines.length, i + 15)).join('\n');
+            if (/(?:setTimeout|setInterval|addEventListener|\.on\(|function\s*\(|=>\s*\{)/.test(body)) {
+              findings.push({
+                ruleId: 'BUG-SCOPE-001', category: 'bugs', severity: 'high',
+                title: 'var in for-loop with closure — all callbacks share same variable',
+                description: 'var is function-scoped, so all closures in this loop capture the same variable. By the time callbacks run, the loop variable has its final value. Use let instead.',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-SCOPE-002',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'this context lost in callback — use arrow function or .bind()',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          // Detect: setTimeout(function() { this.x }) or .on('event', function() { this.x })
+          if (/(?:setTimeout|setInterval|\.on|addEventListener)\s*\(\s*function\b/.test(line)) {
+            const body = lines.slice(i, Math.min(lines.length, i + 10)).join('\n');
+            if (/\bthis\./.test(body) && !body.includes('.bind(this)')) {
+              findings.push({
+                ruleId: 'BUG-SCOPE-002', category: 'bugs', severity: 'high',
+                title: 'this context lost in callback — function() rebinds this',
+                description: 'Regular function() expressions get their own "this". Use an arrow function () => {} to preserve the outer this context.',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-SCOPE-003',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Variable declared but never used',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const match = lines[i].match(/^\s*(?:const|let|var)\s+(\w+)\s*=\s*.+;?\s*$/);
+          if (match) {
+            const varName = match[1];
+            if (varName === '_' || varName.startsWith('_')) continue;
+            if (varName.length < 2) continue;
+            // Count occurrences in the rest of the file
+            const rest = lines.slice(i + 1).join('\n');
+            const regex = new RegExp('\\b' + varName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&') + '\\b');
+            if (!regex.test(rest)) {
+              findings.push({
+                ruleId: 'BUG-SCOPE-003', category: 'bugs', severity: 'high',
+                title: `Variable "${varName}" is declared but never used`,
+                description: 'Unused variables indicate dead code or a missing reference. Remove it or use it.',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-SCOPE-004',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Implicit global — assignment to undeclared variable',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        if (content.includes('"use strict"') || content.includes("'use strict'") || fp.endsWith('.mjs') || fp.endsWith('.ts') || fp.endsWith('.tsx')) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i].trim();
+          // Simple heuristic: assignment at start of line without var/let/const/this/module/exports
+          const m = line.match(/^(\w+)\s*=\s*(?!==)/);
+          if (m && !/^(var|let|const|if|else|for|while|return|throw|this|module|exports|self|window|global|process|require|import|export|class|function|async|switch|case|default|break|continue|new|delete|typeof|void|yield|true|false|null|undefined)\b/.test(m[1])) {
+            // Check if it's declared elsewhere in file
+            const name = m[1];
+            const declPattern = new RegExp('(?:var|let|const|function)\\s+' + name + '\\b');
+            const paramPattern = new RegExp('[({,]\\s*' + name + '\\s*[,})]');
+            if (!declPattern.test(content) && !paramPattern.test(content)) {
+              findings.push({
+                ruleId: 'BUG-SCOPE-004', category: 'bugs', severity: 'high',
+                title: `Implicit global variable "${name}"`,
+                description: 'Assigning to an undeclared variable creates a global. This causes hard-to-track bugs and breaks in strict mode. Add let/const.',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-SCOPE-005',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Variable shadows outer scope — same name in nested scope',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        // Track scope depth and declarations per depth
+        const scopeStack = [new Set()]; // stack of sets, each set = vars declared at that depth
+        const topDecl = new Map(); // name -> line of top-level declaration
+        let depth = 0;
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          // Track brace depth for scope
+          const opens = (line.match(/\{/g) || []).length;
+          const closes = (line.match(/\}/g) || []).length;
+
+          const match = line.match(/^\s*(?:const|let|var)\s+(\w+)\b/);
+          if (match) {
+            const name = match[1];
+            // Skip very common short names and common loop/callback vars
+            if (name.length < 4 || /^(err|key|val|res|req|ctx|idx|str|obj|arr|tmp|buf|msg|ret|acc|cur|pre|ref|row|col|src|dst|len|ptr|sum|max|min|map|set|log|doc|dom|div|img|btn|url|api|arg|cmd|cfg|env|app|pkg|lib|mod|opt|out|ext|fmt|num|pos|end|top)$/.test(name)) continue;
+            // Check if same name exists in an outer scope
+            if (depth === 0) {
+              topDecl.set(name, i + 1);
+            } else if (topDecl.has(name)) {
+              findings.push({
+                ruleId: 'BUG-SCOPE-005', category: 'bugs', severity: 'medium',
+                title: `Variable "${name}" shadows declaration on line ${topDecl.get(name)}`,
+                description: 'Re-declaring a variable with the same name in a nested scope hides the outer one, making bugs hard to spot. Rename one of them.',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+
+          depth += opens - closes;
+          if (depth < 0) depth = 0;
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;