getdoorman 1.0.0

package/src/rules/compliance/education.js

@@ -0,0 +1,322 @@
+function isSourceFile(f) { return ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs', '.py', '.rb', '.go', '.java', '.cs', '.php'].some(e => f.endsWith(e)); }
+
+const educationPattern = /(?:student|grade|transcript|enrollment|gpa|course|classroom|school|university|campus|academic|diploma|semester)/i;
+const studentDataPattern = /(?:student[_\-.]?(?:id|name|record|data|info|email|grade|score|gpa|address)|grade[_\-.]?(?:book|report|point|average)|transcript|enrollment|academic[_\-.]?record)/i;
+
+function hasEducationContext(files) {
+  return [...files.entries()].some(([f, c]) => isSourceFile(f) && educationPattern.test(c));
+}
+
+const rules = [
+  {
+    id: 'COMP-FERPA-001',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Student Records Without Access Controls',
+    check({ files }) {
+      const findings = [];
+      if (!hasEducationContext(files)) return findings;
+      for (const [filepath, content] of files.entries()) {
+        if (!isSourceFile(filepath)) continue;
+        if (!studentDataPattern.test(content)) continue;
+        const lines = content.split('\n');
+        const hasAuth = /(?:auth|authenticate|authorize|requireAuth|isAuthenticated|checkPermission|middleware.*auth|@login_required|@requires_auth|protect|guard)/i.test(content);
+        for (let i = 0; i < lines.length; i++) {
+          if (studentDataPattern.test(lines[i]) && /(?:get|fetch|find|query|select|read|endpoint|route|api|handler)/i.test(lines[i])) {
+            if (!hasAuth) {
+              findings.push({
+                ruleId: 'COMP-FERPA-001', category: 'compliance', severity: 'high',
+                title: 'Student records endpoint without access controls',
+                description: 'FERPA requires that access to student education records be restricted to authorized individuals. Ensure authentication and authorization are enforced on all student data endpoints.',
+                file: filepath, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-FERPA-002',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Education Records Shared Without Consent',
+    check({ files }) {
+      const findings = [];
+      if (!hasEducationContext(files)) return findings;
+      const thirdPartyPattern = /(?:sendgrid|twilio|mailchimp|slack|webhook|third[_\-]?party|external[_\-]?api|partner[_\-]?api|vendor|analytics\.track|mixpanel|segment|amplitude)/i;
+      const consentPattern = /(?:consent|ferpa[_\-]?consent|parental[_\-]?consent|disclosure[_\-]?agreement|authorized[_\-]?disclosure|opt[_\-]?in)/i;
+      for (const [filepath, content] of files.entries()) {
+        if (!isSourceFile(filepath)) continue;
+        if (!studentDataPattern.test(content)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (thirdPartyPattern.test(lines[i]) && studentDataPattern.test(content)) {
+            const contextBlock = lines.slice(Math.max(0, i - 15), Math.min(lines.length, i + 15)).join('\n');
+            if (!consentPattern.test(contextBlock)) {
+              findings.push({
+                ruleId: 'COMP-FERPA-002', category: 'compliance', severity: 'high',
+                title: 'Student data shared with third-party without consent verification',
+                description: 'FERPA prohibits disclosure of education records to third parties without prior written consent from the student or parent. Verify consent before sharing student data externally.',
+                file: filepath, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-FERPA-003',
+    category: 'compliance',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Directory Information Without Opt-Out',
+    check({ files }) {
+      const findings = [];
+      if (!hasEducationContext(files)) return findings;
+      const directoryInfoPattern = /(?:directory[_\-]?info|student[_\-]?(?:name|address|phone|email|photo|dob|birth)|public[_\-]?(?:directory|listing|profile))/i;
+      const optOutPattern = /(?:opt[_\-]?out|suppress|exclude|do[_\-]?not[_\-]?share|withhold|directory[_\-]?restriction)/i;
+      for (const [filepath, content] of files.entries()) {
+        if (!isSourceFile(filepath)) continue;
+        if (!directoryInfoPattern.test(content)) continue;
+        if (!educationPattern.test(content)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (directoryInfoPattern.test(lines[i]) && /(?:public|expose|share|display|list|show)/i.test(lines[i])) {
+            if (!optOutPattern.test(content)) {
+              findings.push({
+                ruleId: 'COMP-FERPA-003', category: 'compliance', severity: 'medium',
+                title: 'Student directory information exposed without opt-out mechanism',
+                description: 'FERPA allows institutions to disclose directory information only if students have been given the opportunity to opt out. Implement an opt-out mechanism before exposing directory data.',
+                file: filepath, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-FERPA-004',
+    category: 'compliance',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'No Parental Access Mechanism',
+    check({ files }) {
+      const findings = [];
+      if (!hasEducationContext(files)) return findings;
+      const parentAccessPattern = /(?:parent[_\-]?(?:access|portal|login|view|dashboard)|guardian[_\-]?(?:access|portal|login)|family[_\-]?(?:access|portal)|parental[_\-]?(?:rights|access))/i;
+      const hasParentAccess = [...files.entries()].some(([f, c]) => isSourceFile(f) && parentAccessPattern.test(c));
+      if (!hasParentAccess) {
+        const hasStudentRecords = [...files.entries()].some(([f, c]) =>
+          isSourceFile(f) && studentDataPattern.test(c) && /(?:endpoint|route|api|handler|controller)/i.test(c)
+        );
+        if (hasStudentRecords) {
+          findings.push({
+            ruleId: 'COMP-FERPA-004', category: 'compliance', severity: 'medium',
+            title: 'No parental access mechanism for student records',
+            description: 'FERPA grants parents the right to inspect and review their child\'s education records. Provide a mechanism for parents/guardians to access student records.',
+            fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-FERPA-005',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Student Data in Analytics Without De-identification',
+    check({ files }) {
+      const findings = [];
+      if (!hasEducationContext(files)) return findings;
+      const analyticsPattern = /(?:analytics|tracking|telemetry|metrics|mixpanel|segment|amplitude|google[_\-]?analytics|gtag|datadog|newrelic)/i;
+      const deidentifyPattern = /(?:de[_\-]?identify|anonymize|pseudonymize|hash|redact|mask|strip[_\-]?pii|remove[_\-]?pii|aggregate)/i;
+      for (const [filepath, content] of files.entries()) {
+        if (!isSourceFile(filepath)) continue;
+        if (!analyticsPattern.test(content)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (analyticsPattern.test(lines[i]) && studentDataPattern.test(content)) {
+            const contextBlock = lines.slice(Math.max(0, i - 10), Math.min(lines.length, i + 10)).join('\n');
+            if (studentDataPattern.test(contextBlock) && !deidentifyPattern.test(contextBlock)) {
+              findings.push({
+                ruleId: 'COMP-FERPA-005', category: 'compliance', severity: 'high',
+                title: 'Student PII sent to analytics without de-identification',
+                description: 'FERPA requires that student data used for analytics or research be de-identified. Remove or anonymize student PII before sending to analytics services.',
+                file: filepath, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-FERPA-006',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Education Records Without Audit Trail',
+    check({ files }) {
+      const findings = [];
+      if (!hasEducationContext(files)) return findings;
+      const auditPattern = /(?:audit[_\-]?(?:log|trail|record|entry)|access[_\-]?log|log[_\-]?access|track[_\-]?access|record[_\-]?access|logAccess|auditLog)/i;
+      const hasAudit = [...files.entries()].some(([f, c]) => isSourceFile(f) && auditPattern.test(c));
+      if (!hasAudit) {
+        for (const [filepath, content] of files.entries()) {
+          if (!isSourceFile(filepath)) continue;
+          if (!studentDataPattern.test(content)) continue;
+          if (/(?:get|read|update|delete|modify|access)/i.test(content) && studentDataPattern.test(content)) {
+            findings.push({
+              ruleId: 'COMP-FERPA-006', category: 'compliance', severity: 'high',
+              title: 'Student record access without audit trail',
+              description: 'FERPA requires institutions to maintain a record of each request for access to and disclosure of education records. Implement audit logging for all student record access.',
+              file: filepath, fix: null,
+            });
+            break;
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-FERPA-007',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Third-Party Access Without Agreement',
+    check({ files }) {
+      const findings = [];
+      if (!hasEducationContext(files)) return findings;
+      const thirdPartyPattern = /(?:vendor|partner|contractor|third[_\-]?party|external[_\-]?(?:service|api|provider)|outsource)/i;
+      const agreementPattern = /(?:agreement|contract|dpa|data[_\-]?processing|mou|memorandum|terms[_\-]?of[_\-]?service|ferpa[_\-]?compliant|school[_\-]?official)/i;
+      for (const [filepath, content] of files.entries()) {
+        if (!isSourceFile(filepath)) continue;
+        if (!studentDataPattern.test(content)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (thirdPartyPattern.test(lines[i]) && studentDataPattern.test(content)) {
+            const contextBlock = lines.slice(Math.max(0, i - 10), Math.min(lines.length, i + 10)).join('\n');
+            if (!agreementPattern.test(contextBlock) && !agreementPattern.test(content)) {
+              findings.push({
+                ruleId: 'COMP-FERPA-007', category: 'compliance', severity: 'high',
+                title: 'Student data shared with vendor without agreement reference',
+                description: 'FERPA requires written agreements with third parties accessing student records, defining the purpose, data scope, and security requirements. Reference a data processing agreement in vendor integrations.',
+                file: filepath, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-FERPA-008',
+    category: 'compliance',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Student Data Retained Beyond Enrollment',
+    check({ files }) {
+      const findings = [];
+      if (!hasEducationContext(files)) return findings;
+      const retentionPattern = /(?:retention|cleanup|purge|archive|expir|ttl|delete[_\-]?old|data[_\-]?lifecycle|auto[_\-]?delete|scheduled[_\-]?deletion)/i;
+      const hasRetention = [...files.entries()].some(([f, c]) => isSourceFile(f) && retentionPattern.test(c) && studentDataPattern.test(c));
+      if (!hasRetention) {
+        const hasStudentStorage = [...files.entries()].some(([f, c]) =>
+          isSourceFile(f) && studentDataPattern.test(c) && /(?:save|store|insert|create|persist|database|collection|table)/i.test(c)
+        );
+        if (hasStudentStorage) {
+          findings.push({
+            ruleId: 'COMP-FERPA-008', category: 'compliance', severity: 'medium',
+            title: 'No retention/cleanup policy for student data',
+            description: 'FERPA best practices require institutions to define retention periods for student data and securely dispose of records no longer needed. Implement a data retention and cleanup policy.',
+            fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-FERPA-009',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Grade/Transcript Data Without Encryption',
+    check({ files }) {
+      const findings = [];
+      if (!hasEducationContext(files)) return findings;
+      const academicDataPattern = /(?:grade|transcript|gpa|academic[_\-]?record|report[_\-]?card|score|assessment[_\-]?result)/i;
+      const encryptionPattern = /(?:encrypt|cipher|aes|crypto|tls|ssl|https|bcrypt|argon|scrypt|hash(?:ed)?|kms|vault)/i;
+      for (const [filepath, content] of files.entries()) {
+        if (!isSourceFile(filepath)) continue;
+        if (!academicDataPattern.test(content)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (academicDataPattern.test(lines[i]) && /(?:store|save|send|transmit|write|insert|post|put)/i.test(lines[i])) {
+            const contextBlock = lines.slice(Math.max(0, i - 10), Math.min(lines.length, i + 10)).join('\n');
+            if (!encryptionPattern.test(contextBlock) && !encryptionPattern.test(content)) {
+              findings.push({
+                ruleId: 'COMP-FERPA-009', category: 'compliance', severity: 'high',
+                title: 'Academic records stored/transmitted without encryption',
+                description: 'FERPA requires reasonable safeguards for education records. Grade and transcript data should be encrypted both at rest and in transit to prevent unauthorized access.',
+                file: filepath, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-FERPA-010',
+    category: 'compliance',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Missing FERPA Notification Reference',
+    check({ files }) {
+      const findings = [];
+      if (!hasEducationContext(files)) return findings;
+      const notificationPattern = /(?:ferpa[_\-]?noti(?:ce|fication)|annual[_\-]?noti(?:ce|fication)|rights[_\-]?noti(?:ce|fication)|ferpa[_\-]?disclosure|family[_\-]?educational[_\-]?rights)/i;
+      const hasNotification = [...files.entries()].some(([f, c]) => notificationPattern.test(c));
+      if (!hasNotification) {
+        const hasStudentApp = [...files.entries()].some(([f, c]) =>
+          isSourceFile(f) && studentDataPattern.test(c) && /(?:endpoint|route|api|handler|controller|app|server)/i.test(c)
+        );
+        if (hasStudentApp) {
+          findings.push({
+            ruleId: 'COMP-FERPA-010', category: 'compliance', severity: 'medium',
+            title: 'Education application without FERPA notification reference',
+            description: 'FERPA requires institutions to provide annual notification to students and parents regarding their rights under FERPA. Include a reference to FERPA rights notification in your education application.',
+            fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;