getdoorman 1.0.0

package/src/rules/bugs/silent-failures.js

@@ -0,0 +1,261 @@
+// Bug detection: Silent failure patterns — empty catch blocks, swallowed errors, silent data loss
+const JS_EXT = ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'];
+const PY_EXT = ['.py'];
+const ALL_EXT = [...JS_EXT, ...PY_EXT, '.go', '.java', '.cs', '.rb', '.php', '.rs', '.swift', '.dart'];
+function isJS(f) { return JS_EXT.some(e => f.endsWith(e)); }
+function isPy(f) { return PY_EXT.some(e => f.endsWith(e)); }
+function isSource(f) { return ALL_EXT.some(e => f.endsWith(e)); }
+
+const rules = [
+  // BUG-SILENT-001: Empty catch block (JS/TS)
+  {
+    id: 'BUG-SILENT-001',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Empty catch block silently swallows errors',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          // Match catch with empty body or body containing only a comment
+          if (/\bcatch\s*(?:\([^)]*\))?\s*\{\s*\}/.test(line)) {
+            findings.push({
+              ruleId: 'BUG-SILENT-001', category: 'bugs', severity: 'medium',
+              title: 'Empty catch block — errors are silently swallowed',
+              description: 'This catch block discards all errors. At minimum, log the error: catch (e) { console.error(e); }. Silent failures make debugging extremely difficult.',
+              file: fp, line: i + 1,
+              fix: null,
+            });
+            continue;
+          }
+          // Multi-line: catch { \n // comment \n }
+          if (/\bcatch\s*(?:\([^)]*\))?\s*\{\s*$/.test(line)) {
+            const bodyLines = [];
+            for (let j = i + 1; j < Math.min(lines.length, i + 5); j++) {
+              const bodyLine = lines[j].trim();
+              if (bodyLine === '}') {
+                // Check if body was empty or only comments
+                const onlyComments = bodyLines.every(l => !l || l.startsWith('//') || l.startsWith('*') || l.startsWith('/*'));
+                if (onlyComments) {
+                  findings.push({
+                    ruleId: 'BUG-SILENT-001', category: 'bugs', severity: 'medium',
+                    title: 'Empty catch block — errors are silently swallowed',
+                    description: 'This catch block discards all errors (only has comments). At minimum, log the error: catch (e) { console.error(e); }.',
+                    file: fp, line: i + 1,
+                    fix: null,
+                  });
+                }
+                break;
+              }
+              bodyLines.push(bodyLine);
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // BUG-SILENT-002: Catch returns null/undefined without logging (JS/TS)
+  {
+    id: 'BUG-SILENT-002',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Catch block returns fallback without logging the error',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          // Match: catch (optional param) { return null/undefined/false/[]/{}; }
+          const catchMatch = line.match(/\bcatch\s*(?:\(([^)]*)\))?\s*\{\s*$/);
+          if (!catchMatch) continue;
+
+          const errVar = catchMatch[1]?.trim();
+          const bodyLines = [];
+          let closingLine = -1;
+          for (let j = i + 1; j < Math.min(lines.length, i + 6); j++) {
+            if (lines[j].trim() === '}') { closingLine = j; break; }
+            bodyLines.push(lines[j].trim());
+          }
+          if (closingLine === -1) continue;
+
+          const body = bodyLines.join(' ');
+          // Return a fallback value without referencing the error
+          if (/return\s+(null|undefined|false|\[\]|\{\}|''|""|0|-1)\s*;?/.test(body)) {
+            // If the error variable is referenced (logged, rethrown, etc.), it's fine
+            if (errVar && body.includes(errVar)) continue;
+            // If there's any console/log call, it's fine
+            if (/console\.|log\(|logger\.|warn\(/.test(body)) continue;
+
+            findings.push({
+              ruleId: 'BUG-SILENT-002', category: 'bugs', severity: 'medium',
+              title: 'Catch block returns fallback without logging the error',
+              description: 'This catch block returns a default value but silently discards the error. Add logging: catch (e) { console.error(e); return null; }. Silent data loss makes bugs invisible.',
+              file: fp, line: i + 1,
+              fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // BUG-SILENT-003: Python bare except with pass
+  {
+    id: 'BUG-SILENT-003',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'except/pass silently swallows all errors',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isPy(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // except (optional type): followed by pass on next line
+          if (/^\s*except\s*(?:\w+(?:\s+as\s+\w+)?)?\s*:\s*$/.test(lines[i])) {
+            const nextLine = (lines[i + 1] || '').trim();
+            if (nextLine === 'pass' || nextLine === '...') {
+              findings.push({
+                ruleId: 'BUG-SILENT-003', category: 'bugs', severity: 'high',
+                title: 'except/pass silently swallows all errors',
+                description: 'This except block catches errors and does nothing. At minimum log: except Exception as e: logging.error(e). Silent failures hide bugs.',
+                file: fp, line: i + 1,
+                fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // BUG-SILENT-004: Go error ignored (err = ... without check)
+  {
+    id: 'BUG-SILENT-004',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Go error value ignored — not checked after assignment',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!fp.endsWith('.go')) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          // Pattern: _, err := someFunc() or val, err := someFunc()
+          // Then next line doesn't check err
+          if (/,\s*err\s*:?=/.test(line) || /\berr\s*:?=\s*\w+/.test(line)) {
+            const nextLines = lines.slice(i + 1, Math.min(lines.length, i + 4)).join(' ');
+            if (!nextLines.includes('err') && !nextLines.includes('if err')) {
+              findings.push({
+                ruleId: 'BUG-SILENT-004', category: 'bugs', severity: 'high',
+                title: 'Go error returned but never checked',
+                description: 'Error from function call is assigned but not checked. Always handle errors: if err != nil { return err }.',
+                file: fp, line: i + 1,
+                fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // BUG-SILENT-005: Promise without .catch() or try/catch
+  {
+    id: 'BUG-SILENT-005',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Promise chain without .catch() — unhandled rejection risk',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (line.trim().startsWith('//')) continue;
+          // .then() at end of statement (no .catch after)
+          if (/\.then\s*\(/.test(line) && /[);]\s*$/.test(line) && !line.includes('.catch')) {
+            // Check next line for .catch
+            const nextLine = (lines[i + 1] || '').trim();
+            if (!nextLine.startsWith('.catch') && !nextLine.startsWith('.finally')) {
+              // Check if inside a try block (look back up to 10 lines)
+              let inTry = false;
+              for (let j = Math.max(0, i - 10); j < i; j++) {
+                if (/\btry\s*\{/.test(lines[j])) inTry = true;
+                if (/\bcatch\s*\(/.test(lines[j])) inTry = false;
+              }
+              if (!inTry) {
+                findings.push({
+                  ruleId: 'BUG-SILENT-005', category: 'bugs', severity: 'high',
+                  title: 'Promise .then() without .catch() — unhandled rejection',
+                  description: 'This promise chain has no .catch() handler. Unhandled rejections will crash Node.js. Add .catch(err => ...) or use async/await with try/catch.',
+                  file: fp, line: i + 1,
+                  fix: null,
+                });
+              }
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // BUG-SILENT-006: JSON.parse without try/catch
+  {
+    id: 'BUG-SILENT-006',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'JSON.parse without try/catch — will crash on malformed input',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (line.trim().startsWith('//')) continue;
+          if (!/JSON\.parse\s*\(/.test(line)) continue;
+          // Skip if it's a static/hardcoded JSON string
+          if (/JSON\.parse\s*\(\s*['"`]\s*\{/.test(line)) continue;
+          // Check if we're inside a try block
+          let inTry = false;
+          for (let j = Math.max(0, i - 15); j < i; j++) {
+            if (/\btry\s*\{/.test(lines[j])) inTry = true;
+            if (/\}\s*catch/.test(lines[j])) inTry = false;
+          }
+          if (!inTry) {
+            findings.push({
+              ruleId: 'BUG-SILENT-006', category: 'bugs', severity: 'high',
+              title: 'JSON.parse() without try/catch — crashes on malformed input',
+              description: 'JSON.parse throws SyntaxError on invalid JSON. Wrap in try/catch or use a safe parser. Unhandled parse errors will crash the process.',
+              file: fp, line: i + 1,
+              fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;

package/src/rules/bugs/ts-bugs.js

@@ -0,0 +1,235 @@
+// Bug detection: TypeScript-specific traps and anti-patterns
+const TS_EXT = ['.ts', '.tsx'];
+function isTS(f) { return TS_EXT.some(e => f.endsWith(e)); }
+
+const rules = [
+  {
+    id: 'BUG-TS-001',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'definite',
+    title: 'Type assertion used to bypass type safety (as any)',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isTS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/\bas\s+any\b/.test(lines[i])) {
+            findings.push({
+              ruleId: 'BUG-TS-001', category: 'bugs', severity: 'high',
+              title: '"as any" bypasses type safety — defeats purpose of TypeScript',
+              description: 'AI generators use "as any" to silence errors instead of fixing types. This hides real bugs at compile time.',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-TS-002',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Non-null assertion operator (!) on potentially null value',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isTS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // variable!.property or variable!.method() — non-null assertion
+          if (/\w+!\.\w+/.test(lines[i]) && !/\/\//.test(lines[i].split('!.')[0])) {
+            // Skip common safe patterns
+            if (/document\.getElementById|querySelector/.test(lines[i])) continue;
+            findings.push({
+              ruleId: 'BUG-TS-002', category: 'bugs', severity: 'high',
+              title: 'Non-null assertion (!) — will throw if value is actually null',
+              description: 'The ! operator tells TypeScript to trust you, but the value can still be null at runtime. Use optional chaining (?.) or null checks instead.',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-TS-003',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'definite',
+    title: '@ts-ignore suppressing type error',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isTS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/@ts-ignore|@ts-nocheck/.test(lines[i])) {
+            findings.push({
+              ruleId: 'BUG-TS-003', category: 'bugs', severity: 'medium',
+              title: `${lines[i].includes('@ts-nocheck') ? '@ts-nocheck disables ALL type checking' : '@ts-ignore hides a type error'}`,
+              description: 'AI generators add @ts-ignore to bypass errors instead of fixing them. Use @ts-expect-error with a comment explaining why, or fix the type.',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-TS-004',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Enum used where union type is better',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isTS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // Numeric enum (not string enum)
+          if (/^\s*(?:export\s+)?enum\s+\w+\s*\{/.test(lines[i])) {
+            let block = '';
+            for (let j = i; j < Math.min(i + 15, lines.length); j++) {
+              block += lines[j] + '\n';
+              if (lines[j].includes('}')) break;
+            }
+            // If it's a simple enum without computed values, a union type is safer
+            const members = block.match(/\w+\s*[,}]/g) || [];
+            const hasValues = /=\s*['"`]/.test(block);
+            if (!hasValues && members.length <= 8) {
+              findings.push({
+                ruleId: 'BUG-TS-004', category: 'bugs', severity: 'medium',
+                title: 'Numeric enum generates runtime code — prefer union type',
+                description: 'Numeric enums produce JavaScript objects. String unions (type Status = "active" | "inactive") are simpler, tree-shakeable, and don\'t have the reverse-mapping footgun.',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-TS-005',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Optional chaining with function call may silently return undefined',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isTS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // Chaining on optional call result: obj?.method().property
+          if (/\w+\?\.\w+\(\)\./.test(lines[i]) && !/\?\.\w+\(\)\?\./.test(lines[i])) {
+            findings.push({
+              ruleId: 'BUG-TS-005', category: 'bugs', severity: 'high',
+              title: 'Optional chain on method call but not on result — crashes if method returns undefined',
+              description: 'obj?.method().prop will crash if obj is null (optional chaining stops) but also if method() returns undefined (.prop throws). Use obj?.method()?.prop.',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-TS-006',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Type assertion instead of type guard',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isTS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // (variable as SpecificType).method() — unsafe assertion before method call
+          if (/\(\w+\s+as\s+\w+\)\.\w+/.test(lines[i]) && !/as\s+(string|number|boolean|any|unknown)/.test(lines[i])) {
+            findings.push({
+              ruleId: 'BUG-TS-006', category: 'bugs', severity: 'medium',
+              title: 'Type assertion before property access — use type guard instead',
+              description: 'Type assertions lie to the compiler. If the type is wrong at runtime, you get a crash. Use a type guard (if ("prop" in obj)) for safety.',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-TS-007',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Promise<void> return type hiding errors',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isTS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // async function that returns void but does important work
+          if (/async\s+\w+\s*\([^)]*\)\s*:\s*Promise<void>/.test(lines[i])) {
+            let block = '';
+            for (let j = i; j < Math.min(i + 20, lines.length); j++) {
+              block += lines[j] + '\n';
+            }
+            // Contains save/create/update/delete operations
+            if (/\.(save|create|update|delete|insert|remove|send|write|post|put)\s*\(/.test(block)) {
+              if (!/try\s*\{/.test(block)) {
+                findings.push({
+                  ruleId: 'BUG-TS-007', category: 'bugs', severity: 'high',
+                  title: 'async function with side effects returns void — callers can\'t know if it failed',
+                  description: 'Returning void from async functions that do important work hides failures. Return a result type or throw on error.',
+                  file: fp, line: i + 1, fix: null,
+                });
+              }
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-TS-008',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Record/object type with string index allows any key',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isTS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // Record<string, any> or { [key: string]: any }
+          if (/Record\s*<\s*string\s*,\s*any\s*>/.test(lines[i]) || /\[\s*\w+\s*:\s*string\s*\]\s*:\s*any/.test(lines[i])) {
+            findings.push({
+              ruleId: 'BUG-TS-008', category: 'bugs', severity: 'medium',
+              title: 'Record<string, any> provides no type safety',
+              description: 'This type accepts any key and any value. Use specific key unions and value types, or at least Record<string, unknown>.',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;

package/src/rules/bugs/unused-vars.js

@@ -0,0 +1,65 @@
+// Bug detection: Unused destructured variables
+const JS_EXT = ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'];
+function isJS(f) { return JS_EXT.some(e => f.endsWith(e)); }
+
+const rules = [
+  // BUG-UNUSED-001: Destructured variable never used
+  {
+    id: 'BUG-UNUSED-001',
+    category: 'bugs',
+    severity: 'low',
+    confidence: 'suggestion',
+    title: 'Destructured variable appears unused — possible typo',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (line.trim().startsWith('//')) continue;
+          // Match: const { a, b, c } = expr  or  const [ a, b, c ] = expr
+          const objDestructure = line.match(/(?:const|let|var)\s+\{\s*([^}]+)\}\s*=/);
+          const arrDestructure = line.match(/(?:const|let|var)\s+\[\s*([^\]]+)\]\s*=/);
+          const match = objDestructure || arrDestructure;
+          if (!match) continue;
+
+          // Extract variable names
+          const names = match[1]
+            .split(',')
+            .map(part => {
+              const p = part.trim();
+              // Handle { key: alias } — the alias is the binding
+              if (p.includes(':')) {
+                return p.split(':')[1].trim().split(/[\s=]/)[0].trim();
+              }
+              // Handle { key = default } — key is the binding
+              return p.split('=')[0].trim();
+            })
+            .filter(n => n && /^\w+$/.test(n) && n !== '...');
+
+          // Check rest of file for each name
+          const restOfFile = content.slice(content.indexOf(line) + line.length);
+          for (const name of names) {
+            // Skip common intentionally unused patterns
+            if (name.startsWith('_')) continue;
+            // Check if name appears in the rest of the file (as word boundary)
+            const re = new RegExp(`\\b${name}\\b`);
+            if (!re.test(restOfFile)) {
+              findings.push({
+                ruleId: 'BUG-UNUSED-001', category: 'bugs', severity: 'low',
+                title: `Destructured variable "${name}" is never used — possible typo`,
+                description: `"${name}" is declared via destructuring but never referenced. This could be a typo or a variable that should be removed. Prefix with _ to mark as intentionally unused.`,
+                file: fp, line: i + 1,
+                fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;