npm - smart-review - Versions diffs - 1.0.1 → 1.0.2 - Mend

smart-review 1.0.1 → 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

package/README.en-US.md +580 -0
package/README.md +93 -54
package/bin/install.js +192 -55
package/bin/review.js +42 -47
package/index.js +0 -1
package/lib/ai-client-pool.js +63 -25
package/lib/ai-client.js +262 -415
package/lib/config-loader.js +35 -7
package/lib/default-config.js +33 -24
package/lib/reviewer.js +267 -97
package/lib/segmented-analyzer.js +102 -126
package/lib/utils/git-diff-parser.js +9 -8
package/lib/utils/i18n.js +986 -0
package/package.json +2 -10
package/templates/rules/en-US/best-practices.js +111 -0
package/templates/rules/en-US/performance.js +123 -0
package/templates/rules/en-US/security.js +311 -0
package/templates/rules/zh-CN/best-practices.js +111 -0
package/templates/rules/zh-CN/performance.js +123 -0
package/templates/rules/zh-CN/security.js +311 -0
package/templates/smart-review.json +2 -1

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "smart-review",
-  "version": "1.0.1",
+  "version": "1.0.2",
   "description": "AI智能代码审查工具，支持静态规则和AI分析",
   "type": "module",
   "main": "index.js",
@@ -16,16 +16,8 @@
     "debug": "node --inspect ./bin/review.js --files test/src/test-file.js"
   },
   "keywords": ["code-review", "ai", "git-hook", "security"],
-  "author": "vlinr",
+  "author": "",
   "license": "MIT",
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/vlinr/smart-review.git"
-  },
-  "homepage": "https://github.com/vlinr/smart-review#readme",
-  "bugs": {
-    "url": "https://github.com/vlinr/smart-review/issues"
-  },
   "dependencies": {
     "chalk": "^5.3.0",
     "glob": "^10.3.10",

package/templates/rules/en-US/best-practices.js ADDED Viewed

@@ -0,0 +1,111 @@
+// Best practices rules (en-US)
+export default [
+  {
+    id: 'BP001',
+    name: 'Debug code',
+    pattern: 'console\\.log|print\\(|alert\\(',
+    risk: 'low',
+    message: 'Debug code found; remove before committing',
+    suggestion: 'Use a logging system instead of console.log',
+    flags: 'gi'
+  },
+  {
+    id: 'BP002',
+    name: 'Magic numbers',
+    pattern: '\\b(?<!\\.) (?!(?:0|1|10|12|24|30|60|100|200|201|300|400|401|403|404|500|503|1000|3000|5000|8080|9000)\\b) \\d{3,}(?!\\.\\d)\\b'.replace(/\s+/g, ''),
+    risk: 'low',
+    message: 'Magic numbers detected; define them as constants',
+    suggestion: 'Define numbers as meaningful constants',
+    flags: 'g'
+  },
+  {
+    id: 'BP003',
+    name: 'Empty catch block',
+    pattern: 'catch\\s*\\([^)]*\\)\\s*\\{\\s*\\}',
+    risk: 'medium',
+    message: 'Empty catch may hide errors and cause unpredictable behavior',
+    suggestion: 'Log or take remedial actions instead of swallowing exceptions',
+    flags: 'gi'
+  },
+  {
+    id: 'BP004',
+    name: 'Ignore TypeScript type checking',
+    pattern: '\\/\\/\\s*@ts-ignore',
+    risk: 'medium',
+    message: 'Detected @ts-ignore; may conceal type errors',
+    suggestion: 'Fix type issues or use precise type definitions',
+    flags: 'gi'
+  },
+  {
+    id: 'BP005',
+    name: 'Use of any type',
+    pattern: ':\\s*any\\b',
+    risk: 'medium',
+    message: 'Using any weakens type safety guarantees',
+    suggestion: 'Use concrete types or generics to improve safety',
+    flags: 'gi'
+  },
+  {
+    id: 'BP006',
+    name: 'ESLint rule disabled',
+    pattern: '\\/\\/\\s*eslint-disable',
+    risk: 'medium',
+    message: 'Disabling ESLint may hide code quality issues',
+    suggestion: 'Disable locally only when necessary, and explain the reason',
+    flags: 'gi'
+  },
+  {
+    id: 'BP007',
+    name: 'Debugger statement left',
+    pattern: '\\bdebugger\\b',
+    risk: 'medium',
+    message: 'Debugger statement found; may affect production behavior',
+    suggestion: 'Remove debugger before commit; use logs or assertions',
+    flags: 'gi'
+  },
+  {
+    id: 'BP008',
+    name: 'Overly broad exception catch',
+    pattern: 'catch\\s*\\(\\s*(Exception|Throwable|Error|BaseException)\\s+\\w+\\s*\\)\\s*\\{[^}]*(?!.*(?:log|throw|rethrow))[^}]*\\}',
+    risk: 'medium',
+    message: 'Catching broad exception types without proper handling',
+    suggestion: 'Catch specific types and ensure logging or rethrowing as needed',
+    flags: 'gi'
+  },
+  {
+    id: 'BP009',
+    name: 'Print stack instead of logging',
+    pattern: '\\.printStackTrace\\s*\\(',
+    risk: 'medium',
+    message: 'Direct stack printing may lose context and produce uncontrolled output',
+    suggestion: 'Use structured logging with context information',
+    flags: 'gi'
+  },
+  {
+    id: 'BP010',
+    name: 'Process-level exit call',
+    pattern: 'System\\.exit\\s*\\(',
+    risk: 'high',
+    message: 'System.exit detected; may cause unexpected service termination',
+    suggestion: 'Use graceful shutdown, signal handling, and resource cleanup',
+    flags: 'gi'
+  },
+  {
+    id: 'BP011',
+    name: 'Use root database user',
+    pattern: '(user|username)\\s*=\\s*root\\b',
+    risk: 'medium',
+    message: 'Using root as DB user introduces security and audit risks',
+    suggestion: 'Use a least-privileged application account and separate duties',
+    flags: 'gi'
+  },
+  {
+    id: 'BP012',
+    name: 'Disable CSRF (Spring Security)',
+    pattern: 'csrf\\s*\\(\\)\\.disable\\s*\\(\\)',
+    risk: 'high',
+    message: 'Globally disabling CSRF may cause CSRF vulnerabilities',
+    suggestion: 'Use token/same-origin policies where needed; avoid global disable',
+    flags: 'gi'
+  }
+];

package/templates/rules/en-US/performance.js ADDED Viewed

@@ -0,0 +1,123 @@
+// Performance rules (en-US)
+export default [
+  {
+    id: 'PERF001',
+    name: 'Database queries inside loops',
+    pattern: '(for|while)\\s*\\([^)]*\\)\\s*\\{[^}]*\\b(find|query|select|findOne|findMany|findFirst|findUnique|create|update|delete|save)\\s*\\([^}]*\\}',
+    risk: 'medium',
+    message: 'Executing DB queries in loops may cause N+1 problems',
+    suggestion: 'Use batch queries or preload data',
+    flags: 'gi'
+  },
+  {
+    id: 'PERF002',
+    name: 'Memory leak risk (timers)',
+    pattern: 'setInterval\\s*\\([^)]*\\)|setTimeout\\s*\\([^)]*\\)',
+    risk: 'medium',
+    message: 'Timers without cleanup may cause leaks or lingering tasks',
+    suggestion: 'Call clearInterval/clearTimeout at the proper lifecycle point',
+    flags: 'gi',
+    // To override built-in PERF002, external rule adds cleanup detection; skip if any cleanup exists in file
+    requiresAbsent: ['clearInterval\\s*\\(', 'clearTimeout\\s*\\(']
+  },
+  {
+    id: 'PERF003',
+    name: 'Synchronous file I/O blocking',
+    pattern: 'fs\\.(readFileSync|writeFileSync|appendFileSync|existsSync|statSync|readdirSync)\\s*\\(',
+    risk: 'high',
+    message: 'Sync file I/O may block the event loop and hurt throughput',
+    suggestion: 'Prefer async I/O or queued processing; avoid blocking the main thread',
+    flags: 'gi'
+  },
+  {
+    id: 'PERF004',
+    name: 'Network requests inside loops',
+    pattern: 'for\\s*\\([^)]*\\)\\s*\\{[^}]*\\b(fetch|axios\\.(get|post|put|delete)|requests\\.(get|post|put|delete)|http\\.get)\\b[^}]*\\}',
+    risk: 'high',
+    message: 'Requests inside loops can cause cascading latency and congestion',
+    suggestion: 'Merge requests, control concurrency, or batch to reduce round-trips',
+    flags: 'gi'
+  },
+  {
+    id: 'PERF005',
+    name: 'JSON serialization inside loops',
+    pattern: 'for\\s*\\([^)]*\\)\\s*\\{[^}]*JSON\\.stringify[^}]*\\}',
+    risk: 'medium',
+    message: 'Frequent serialization in loops causes excessive CPU overhead',
+    suggestion: 'Move serialization out of the loop or cache/batch it',
+    flags: 'gi'
+  },
+  {
+    id: 'PERF006',
+    name: 'Regex compilation inside loops',
+    pattern: 'for\\s*\\([^)]*\\)\\s*\\{[^}]*new\\s+RegExp\\s*\\([^}]*\\}',
+    risk: 'medium',
+    message: 'Repeated regex compilation adds unnecessary overhead',
+    suggestion: 'Precompile or constantize regexes; avoid creating them in loops',
+    flags: 'gi'
+  },
+  {
+    id: 'PERF007',
+    name: 'Busy-wait loops',
+    pattern: '(while\\s*\\(\\s*true\\s*\\)|for\\s*\\(\\s*;\\s*;\\s*\\))\\s*\\{[^}]*(?!.*(?:sleep|wait|await|setTimeout|setInterval|yield|break|return))[^}]*\\}',
+    risk: 'high',
+    message: 'Possible busy-wait detected; can spike CPU and waste resources',
+    suggestion: 'Use event-driven or blocking waits; avoid empty loops',
+    flags: 'gi'
+  },
+  {
+    id: 'PERF008',
+    name: 'Layout thrashing in loops',
+    pattern: 'for\\s*\\([^)]*\\)\\s*\\{[^}]*(offsetWidth|offsetHeight|getBoundingClientRect)[^}]*\\}',
+    risk: 'high',
+    message: 'Reading layout in loops triggers frequent reflow/repaint',
+    suggestion: 'Batch DOM reads/writes; reduce synchronous layout queries',
+    flags: 'gi'
+  },
+  {
+    id: 'PERF009',
+    name: 'Blocking sleep',
+    pattern: '(Thread\\.sleep\\s*\\(|time\\.sleep\\s*\\()',
+    risk: 'medium',
+    message: 'Blocking waits reduce throughput and responsiveness',
+    suggestion: 'Use async waits or rate-limiting/queues; avoid blocking',
+    flags: 'gi'
+  },
+  {
+    id: 'PERF010',
+    name: 'Unbounded thread pool',
+    pattern: 'Executors\\.newCachedThreadPool\\s*\\(',
+    risk: 'high',
+    message: 'Unbounded pools can explode thread count and exhaust resources',
+    suggestion: 'Use bounded pools with sane maximums and queue lengths',
+    flags: 'gi'
+  },
+  {
+    id: 'PERF011',
+    name: 'String concatenation inside loops',
+    pattern: '(for|while)\\s*\\([^)]*\\)\\s*\\{[^}]*\\b\\w+\\s*\\+=\\s*[\'"`]',
+    risk: 'medium',
+    message: 'Frequent concatenation in loops consumes CPU and memory',
+    suggestion: 'Use StringBuilder/collect in lists then join, or batch strategies',
+    flags: 'gi'
+  },
+  {
+    id: 'PERF012',
+    name: 'Create DB connections in loops',
+    pattern: 'for\\s*\\([^)]*\\)\\s*\\{[^}]*\\b(getConnection|openConnection|new\\s+SqlConnection|mysql_connect|pg_connect|MongoClient\\s*\\()\\b',
+    risk: 'high',
+    message: 'Repeatedly creating DB connections causes severe performance issues',
+    suggestion: 'Use connection pools and reuse; acquire connections outside loops',
+    flags: 'gi'
+  },
+  {
+    id: 'PERF013',
+    name: 'HTTP requests without timeout (Python)',
+    pattern: 'requests\\.(get|post|put|delete)\\s*\\(',
+    risk: 'medium',
+    message: 'Requests without timeout can hang resources and reduce throughput',
+    suggestion: 'Set reasonable timeout; control retries and circuit breaking',
+    flags: 'gi',
+    requiresAbsent: ['timeout\\s*=']
+  }
+];

package/templates/rules/en-US/security.js ADDED Viewed

@@ -0,0 +1,311 @@
+// Security rules (en-US)
+export default [
+  {
+    id: 'SEC001',
+    name: 'Hard-coded password detection',
+    pattern: '(password|pwd|pass)\\s*[=:]\\s*[\'\"][^\'\\\"]{6,}[\'\\\"]',
+    risk: 'high',
+    message: 'Hard-coded password or secret detected',
+    suggestion: 'Use environment variables or a secure secret manager',
+    flags: 'gi',
+    excludePatterns: ['//.*', '/\\*[\\s\\S]*?\\*/', '(example|test|demo|placeholder|xxx|123|abc|password|secret)']
+  },
+  {
+    id: 'SEC002',
+    name: 'SQL injection risk',
+    pattern: '(execute|query)\\s*\\(\\s*[fF]?[\'\"][^\']*\\+.*[\'\"]',
+    risk: 'critical',
+    message: 'String-concatenated SQL detected; injection risk',
+    suggestion: 'Use parameterized queries or the ORM’s safe APIs',
+    flags: 'gi'
+  },
+  {
+    id: 'SEC003',
+    name: 'XSS risk',
+    pattern: 'innerHTML\\s*=|document\\.write\\s*\\(',
+    risk: 'high',
+    message: 'Direct HTML manipulation detected; possible XSS',
+    suggestion: 'Use textContent or safe DOM APIs',
+    flags: 'gi'
+  },
+  {
+    id: 'SEC004',
+    name: 'Command injection risk',
+    pattern: '(exec|spawn|execSync)\\s*\\([^\\)]*(req\\.|request\\.|params\\.|query\\.|input|user|\\+.*(?:req|input|user|params)|\\$\\{.*(?:req|input|user|params))',
+    risk: 'critical',
+    message: 'Command execution with possible user input detected',
+    suggestion: 'Avoid constructing commands from user input; validate strictly',
+    flags: 'gi'
+  }
+,
+  {
+    id: 'SEC005',
+    name: 'Path traversal risk',
+    pattern: '(fs\\.(readFile|writeFile|appendFile|mkdir|rmdir|unlink)|open|fopen|FileInputStream|Files\\.newInputStream)\\s*\\([^\\)]*(\\.\\.\/|\\+|\\$\\{)',
+    risk: 'high',
+    message: 'Potential path traversal or unvalidated file path usage',
+    suggestion: 'Normalize and whitelist paths; never concatenate untrusted input',
+    flags: 'gi'
+  },
+  {
+    id: 'SEC006',
+    name: 'Disable SSL certificate verification',
+    pattern: 'requests\\.(get|post|put|delete)\\s*\\([^\\)]*verify\\s*=\\s*False',
+    risk: 'high',
+    message: 'HTTP request with certificate verification disabled detected',
+    suggestion: 'Enable verification and use trusted CAs; avoid MITM attacks',
+    flags: 'gi'
+  },
+  {
+    id: 'SEC007',
+    name: 'Weak cryptographic algorithm',
+    pattern: 'crypto\\.(createHash|createCipheriv)\\s*\\(\\s*[\'\"](md5|sha1)[\'\"\\)]|MessageDigest\\.getInstance\\(\\s*[\'\"](MD5|SHA-1)[\'\"\\)]',
+    risk: 'high',
+    message: 'Detected use of weak algorithms such as MD5/SHA-1',
+    suggestion: 'Use stronger algorithms: SHA-256/512, Argon2, bcrypt, scrypt',
+    flags: 'gi'
+  },
+  {
+    id: 'SEC008',
+    name: 'Hard-coded secret/Token',
+    pattern: '\\b(api[_-]?key|secret|token)\\b\\s*[:=]\\s*[\'\"][A-Za-z0-9_\\-\\/\\+=]{16,}[\'\"]',
+    risk: 'high',
+    message: 'Hard-coded secret or access token detected',
+    suggestion: 'Store secrets in a manager or environment variables',
+    flags: 'gi'
+  },
+  {
+    id: 'SEC009',
+    name: 'Unsafe deserialization',
+    pattern: 'pickle\\.loads\\s*\\(|yaml\\.load\\s*\\(|ObjectInputStream\\.readObject\\s*\\(|unserialize\\s*\\(',
+    risk: 'critical',
+    message: 'Potentially unsafe deserialization detected',
+    suggestion: 'Use safe methods (e.g., yaml.safe_load); never deserialize untrusted data',
+    flags: 'gi'
+  },
+  {
+    id: 'SEC010',
+    name: 'SSRF risk',
+    pattern: '(requests\\.(get|post|put|delete)|http\\.get|fetch|urlopen)\\s*\\([^\\)]*(req\\.|request\\.|params\\.|query\\.|input|user|\\+.*req|\\+.*input|\\$\\{.*req|\\$\\{.*input)',
+    risk: 'high',
+    message: 'User-controlled URL request detected; SSRF risk',
+    suggestion: 'Whitelist external URLs; prohibit access to internal addresses',
+    flags: 'gi'
+  },
+  {
+    id: 'SEC011',
+    name: 'NoSQL injection risk',
+    pattern: '(db|collection)\\.[a-zA-Z]+\\s*\\([^\\)]*\\+[^\\)]*\\)',
+    risk: 'high',
+    message: 'Possible NoSQL injection (dynamically concatenated conditions)',
+    suggestion: 'Use parameterized queries or safe builders; avoid concatenation',
+    flags: 'gi'
+  },
+  {
+    id: 'SEC012',
+    name: 'Open redirect',
+    pattern: '(res\\.redirect|response\\.sendRedirect)\\s*\\([^\\)]*(\\+|\\$\\{)',
+    risk: 'high',
+    message: 'User-controlled redirection detected; open-redirect risk',
+    suggestion: 'Whitelist target URLs or fix them to safe destinations',
+    flags: 'gi'
+  },
+  {
+    id: 'SEC013',
+    name: 'System command execution (Python)',
+    pattern: '(os\\.system|subprocess\\.(Popen|call|run))\\s*\\(',
+    risk: 'critical',
+    message: 'System command execution detected; injection risk if user input involved',
+    suggestion: 'Avoid direct system calls; use safe libraries or strict whitelists',
+    flags: 'gi'
+  },
+  {
+    id: 'SEC014',
+    name: 'Insecure randomness',
+    pattern: '(Math\\.random\\(|random\\.random\\(|new\\s+Random\\s*\\().*(?:token|key|secret|password|salt|nonce|session|auth|uuid)',
+    risk: 'medium',
+    message: 'Non-cryptographic RNG used in security-sensitive contexts',
+    suggestion: 'Use cryptographically secure RNGs (crypto.randomBytes, secrets.SystemRandom)',
+    flags: 'gi'
+  },
+  {
+    id: 'SEC015',
+    name: 'Dangerous eval/Function usage',
+    pattern: '\\beval\\s*\\(|new\\s+Function\\s*\\(',
+    risk: 'high',
+    message: 'Dynamic execution that may lead to code injection',
+    suggestion: 'Avoid eval/Function; use safe parsing/mapping logic',
+    flags: 'gi'
+  },
+  {
+    id: 'SEC016',
+    name: 'Prototype pollution',
+    pattern: '(?:__proto__|constructor|prototype)\\s*[:=]',
+    risk: 'high',
+    message: 'Direct assignment to object prototypes; may cause pollution',
+    suggestion: 'Avoid merging untrusted data into prototypes; use safe merging',
+    flags: 'gi'
+  },
+  {
+    id: 'SEC017',
+    name: 'Java string-concatenated SQL execution',
+    pattern: 'Statement\\s*\\.\\s*(execute|executeQuery|executeUpdate)\\s*\\([^\\)]*(\\+|%s)',
+    risk: 'critical',
+    message: 'SQL execution built via string concatenation detected',
+    suggestion: 'Use PreparedStatement with placeholders',
+    flags: 'gi'
+  },
+  {
+    id: 'SEC018',
+    name: 'jQuery.html causing XSS risk',
+    pattern: '\\$\\([^\\)]*\\)\\.html\\s*\\(',
+    risk: 'high',
+    message: 'Direct HTML injection detected; possible XSS',
+    suggestion: 'Use text() or trusted templating with escaping',
+    flags: 'gi'
+  },
+  {
+    id: 'SEC019',
+    name: 'Overly permissive file mode (777)',
+    pattern: 'chmod\\s*\\([^\\)]*777',
+    risk: 'high',
+    message: 'Setting wide-open file permissions detected',
+    suggestion: 'Apply least privilege; avoid 777 and similar modes',
+    flags: 'gi'
+  },
+  {
+    id: 'SEC020',
+    name: 'System command execution (multi-language)',
+    pattern: '(system\\s*\\(|passthru\\s*\\(|shell_exec\\s*\\(|Process\\.Start\\s*\\()',
+    risk: 'critical',
+    message: 'System command execution detected; injection risk with user input',
+    suggestion: 'Avoid shell commands; use safe libraries and whitelist parameters',
+    flags: 'gi'
+  },
+  {
+    id: 'SEC021',
+    name: 'Disable TLS verification (Node)',
+    pattern: '(rejectUnauthorized\\s*:\\s*false|process\\.env\\.NODE_TLS_REJECT_UNAUTHORIZED\\s*=\\s*[\'\"]0[\'\"])',
+    risk: 'high',
+    message: 'TLS certificate verification disabled detected',
+    suggestion: 'Enable verification and use trusted CA to avoid MITM',
+    flags: 'gi'
+  },
+  {
+    id: 'SEC022',
+    name: 'CORS allows any origin',
+    pattern: '(Access-Control-Allow-Origin\\s*:\\s*\\*|cors\\s*\\(\\s*\\{[^}]*origin\\s*:\\s*[\'\"\\*\'\"])',
+    risk: 'medium',
+    message: 'CORS allows "*"; may lead to cross-origin data leaks',
+    suggestion: 'Only allow trusted origins; use tokens and fine-grained policy',
+    flags: 'gi'
+  },
+  {
+    id: 'SEC023',
+    name: 'LDAP injection risk',
+    pattern: '((DirContext|InitialDirContext|LdapContext)\\.[a-zA-Z]+\\s*\\([^)]*(\\+|\\$\\{))|(ldap3\\.Connection\\.search\\s*\\([^)]*(\\+|\\$\\{))',
+    risk: 'high',
+    message: 'String-concatenated LDAP filters detected',
+    suggestion: 'Build filters safely and bind parameters; avoid concatenation',
+    flags: 'gi'
+  },
+  {
+    id: 'SEC024',
+    name: 'XXE (XML External Entity) risk',
+    pattern: '(xml\\.etree\\.ElementTree\\.(parse|fromstring)|xml\\.dom\\.minidom\\.(parse|parseString)|DocumentBuilderFactory\\.newInstance\\s*\\(|SAXParserFactory\\.newInstance\\s*\\(|simplexml_load_string\\s*\\(|DOMDocument::loadXML\\s*\\()',
+    risk: 'high',
+    message: 'XML parsing with external entities not disabled',
+    suggestion: 'Disable external entities or use safe libraries (e.g., defusedxml)',
+    flags: 'gi'
+  },
+  {
+    id: 'SEC025',
+    name: 'Java HostnameVerifier always returns true',
+    pattern: 'new\\s+HostnameVerifier\\s*\\(\\)\\s*\\{[\\s\\S]*?return\\s+true;[\\s\\S]*?\\}',
+    risk: 'high',
+    message: 'Hostname verification bypass detected for HTTPS',
+    suggestion: 'Implement strict hostname verification to avoid permissive behavior',
+    flags: 'gi'
+  },
+  {
+    id: 'SEC026',
+    name: 'Node ignore certificate errors',
+    pattern: 'process\\.env\\.NODE_TLS_REJECT_UNAUTHORIZED\\s*=\\s*[\'\"]0[\'\"]',
+    risk: 'critical',
+    message: 'Global env disables certificate errors detected',
+    suggestion: 'Remove the setting and use valid certs or isolate in test env',
+    flags: 'gi'
+  },
+  {
+    id: 'SEC027',
+    name: 'Credentials in connection string',
+    pattern: '(mongodb|mysql|postgres|redis)://[^@]+:[^@]+@',
+    risk: 'high',
+    message: 'Username/password hard-coded in connection string detected',
+    suggestion: 'Use env variables or secure credential storage; avoid plaintext in code',
+    flags: 'gi'
+  },
+  {
+    id: 'SEC028',
+    name: 'Sensitive data in logs',
+    pattern: '(logger\\.(info|debug|warn|error)|console\\.log|print\\()\\s*[^\\)]*(\\b(password|secret|token|api[_\\-]?key)\\s*[=:,]|\\$\\{.*\\b(password|secret|token|api[_\\-]?key)\\b)',
+    risk: 'medium',
+    message: 'Sensitive information logged',
+    suggestion: 'Mask sensitive fields or avoid logging them altogether',
+    flags: 'gi'
+  },
+  {
+    id: 'SEC029',
+    name: 'Mass Assignment (Rails/Laravel)',
+    pattern: '(permit!\\s*\\(|update\\s*\\(\\s*params\\[|::create\\s*\\(\\s*\\$request->all\\s*\\)|->fill\\s*\\(\\s*\\$request->all\\s*\\))',
+    risk: 'high',
+    message: 'Possible mass assignment risk; no whitelist validation',
+    suggestion: 'Enable strong parameters/whitelist; only allow safe fields',
+    flags: 'gi'
+  },
+  {
+    id: 'SEC030',
+    name: 'Disable TLS verification (Go)',
+    pattern: 'InsecureSkipVerify\\s*:\\s*true',
+    risk: 'high',
+    message: 'TLS certificate verification disabled in Go detected',
+    suggestion: 'Enable verification and use trusted CA; avoid MITM attacks',
+    flags: 'gi'
+  },
+  {
+    id: 'SEC031',
+    name: 'Disable certificate validation (C#)',
+    pattern: 'ServicePointManager\\.ServerCertificateValidationCallback',
+    risk: 'high',
+    message: 'Overriding global certificate validation; may accept any certificate',
+    suggestion: 'Remove the override and use proper validation mechanisms',
+    flags: 'gi'
+  },
+  {
+    id: 'SEC032',
+    name: 'EF Core raw SQL concatenation',
+    pattern: 'FromSqlRaw\\s*\\([^\\)]*(\\+|\\$\\{)',
+    risk: 'critical',
+    message: 'Using FromSqlRaw with string concatenation detected',
+    suggestion: 'Use FromSqlInterpolated or parameterized queries to avoid injection',
+    flags: 'gi'
+  },
+  {
+    id: 'SEC033',
+    name: 'Go system command execution',
+    pattern: 'exec\\.Command\\s*\\(',
+    risk: 'high',
+    message: 'System command execution in Go; injection risk if user input involved',
+    suggestion: 'Avoid shell -c and concatenation; whitelist parameters and exec paths',
+    flags: 'gi'
+  },
+  {
+    id: 'SEC034',
+    name: 'Insecure randomness (Go)',
+    pattern: 'math\/rand|\\brand\\.(Int|Intn|Float|Read)\\b',
+    risk: 'medium',
+    message: 'Using math/rand for randomness; not cryptographically secure',
+    suggestion: 'Use crypto/rand or secure RNG libraries for tokens and keys',
+    flags: 'gi'
+  }
+];

package/templates/rules/zh-CN/best-practices.js ADDED Viewed

@@ -0,0 +1,111 @@
+// 最佳实践规则
+export default [
+  {
+    id: 'BP001',
+    name: '调试代码',
+    pattern: 'console\\.log|print\\(|alert\\(',
+    risk: 'low',
+    message: '发现调试代码，建议在提交前移除',
+    suggestion: '使用日志系统替代console.log',
+    flags: 'gi'
+  },
+  {
+    id: 'BP002',
+    name: '魔法数字',
+    pattern: '\\b(?<!\\.)(?!(?:0|1|10|12|24|30|60|100|200|201|300|400|401|403|404|500|503|1000|3000|5000|8080|9000)\\b)\\d{3,}(?!\\.\\d)\\b',
+    risk: 'low',
+    message: '检测到魔法数字，建议使用常量定义',
+    suggestion: '将数字定义为有意义的常量',
+    flags: 'g'
+  },
+  {
+    id: 'BP003',
+    name: '空的异常捕获块',
+    pattern: 'catch\s*\([^)]*\)\s*\{\s*\}',
+    risk: 'medium',
+    message: '检测到空的catch块，可能隐藏错误并导致不可预期行为',
+    suggestion: '记录日志或采取补救措施，避免吞掉异常',
+    flags: 'gi'
+  },
+  {
+    id: 'BP004',
+    name: '忽略TypeScript类型检查',
+    pattern: '\\/\\/\\s*@ts-ignore',
+    risk: 'medium',
+    message: '检测到@ts-ignore，可能掩盖类型错误',
+    suggestion: '修复类型问题或使用更精确的类型定义',
+    flags: 'gi'
+  },
+  {
+    id: 'BP005',
+    name: '使用any类型',
+    pattern: ':\\s*any\\b',
+    risk: 'medium',
+    message: '检测到any类型，可能削弱类型系统保护',
+    suggestion: '使用具体类型或泛型替代any，提高类型安全',
+    flags: 'gi'
+  },
+  {
+    id: 'BP006',
+    name: '禁用ESLint规则',
+    pattern: '\\/\\/\\s*eslint-disable',
+    risk: 'medium',
+    message: '检测到禁用ESLint，可能隐藏代码质量问题',
+    suggestion: '只在必要范围局部禁用，并给出明确原因',
+    flags: 'gi'
+  },
+  {
+    id: 'BP007',
+    name: '调试断点未移除',
+    pattern: '\\bdebugger\\b',
+    risk: 'medium',
+    message: '检测到调试断点，可能影响线上行为',
+    suggestion: '在提交前移除debugger并使用日志或断言',
+    flags: 'gi'
+  },
+  {
+    id: 'BP008',
+    name: '过于宽泛的异常捕获',
+    pattern: 'catch\\s*\\(\\s*(Exception|Throwable|Error|BaseException)\\s+\\w+\\s*\\)\\s*\\{[^}]*(?!.*(?:log|throw|rethrow))[^}]*\\}',
+    risk: 'medium',
+    message: '捕获过于宽泛的异常类型且未进行适当处理',
+    suggestion: '捕获具体的异常类型，并确保进行适当的日志记录或重新抛出',
+    flags: 'gi'
+  },
+  {
+    id: 'BP009',
+    name: '打印堆栈而非日志记录',
+    pattern: '\\.printStackTrace\\s*\\(',
+    risk: 'medium',
+    message: '检测到直接打印堆栈跟踪，可能导致信息丢失与不可控输出',
+    suggestion: '使用结构化日志记录错误，并附带上下文信息',
+    flags: 'gi'
+  },
+  {
+    id: 'BP010',
+    name: '进程级退出调用',
+    pattern: 'System\\.exit\\s*\\(',
+    risk: 'high',
+    message: '检测到System.exit，可能导致服务非预期中断',
+    suggestion: '使用受控的停止流程（优雅关闭）、信号处理与资源回收',
+    flags: 'gi'
+  },
+  {
+    id: 'BP011',
+    name: '使用root数据库用户',
+    pattern: '(user|username)\\s*=\\s*root\\b',
+    risk: 'medium',
+    message: '检测到使用root作为数据库用户，存在安全与审计风险',
+    suggestion: '使用最小权限的应用专用账户，分离权限与职责',
+    flags: 'gi'
+  },
+  {
+    id: 'BP012',
+    name: '禁用CSRF（Spring Security）',
+    pattern: 'csrf\\s*\\(\\)\\.disable\\s*\\(\\)',
+    risk: 'high',
+    message: '检测到全局禁用CSRF保护，可能导致跨站请求伪造风险',
+    suggestion: '在必要的API上采用令牌/同源策略，避免全局关闭',
+    flags: 'gi'
+  }
+];