smart-review 1.0.2 → 1.0.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/bin/install.js +418 -416
- package/lib/default-config.js +16 -15
- package/lib/reviewer.js +22 -0
- package/lib/utils/i18n.js +2 -8
- package/package.json +1 -1
- package/templates/rules/en-US/best-practices.js +24 -12
- package/templates/rules/en-US/performance.js +24 -11
- package/templates/rules/en-US/security.js +67 -33
- package/templates/rules/zh-CN/best-practices.js +24 -12
- package/templates/rules/zh-CN/performance.js +24 -11
- package/templates/rules/zh-CN/security.js +67 -33
- package/templates/smart-review.json +3 -1
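--- a/package/templates/rules/en-US/security.js
+++ b/package/templates/rules/en-US/security.js
@@ -8,6 +8,7 @@ export default [
 message: 'Hard-coded password or secret detected',
 suggestion: 'Use environment variables or a secure secret manager',
 flags: 'gi',
+extensions: ['.js', '.ts', '.py', '.java', '.php', '.rb', '.cs'],
 excludePatterns: ['//.*', '/\\*[\\s\\S]*?\\*/', '(example|test|demo|placeholder|xxx|123|abc|password|secret)']
 },
 {
@@ -17,7 +18,8 @@ export default [
 risk: 'critical',
 message: 'String-concatenated SQL detected; injection risk',
 suggestion: 'Use parameterized queries or the ORM’s safe APIs',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.js', '.ts', '.py', '.java', '.php', '.rb', '.cs']
 },
 {
 id: 'SEC003',
@@ -26,7 +28,8 @@ export default [
 risk: 'high',
 message: 'Direct HTML manipulation detected; possible XSS',
 suggestion: 'Use textContent or safe DOM APIs',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.js', '.ts']
 },
 {
 id: 'SEC004',
@@ -35,7 +38,8 @@ export default [
 risk: 'critical',
 message: 'Command execution with possible user input detected',
 suggestion: 'Avoid constructing commands from user input; validate strictly',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.js', '.ts']
 }
 ,
 {
@@ -45,7 +49,8 @@ export default [
 risk: 'high',
 message: 'Potential path traversal or unvalidated file path usage',
 suggestion: 'Normalize and whitelist paths; never concatenate untrusted input',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.js', '.ts', '.java', '.php', '.py']
 },
 {
 id: 'SEC006',
@@ -54,7 +59,8 @@ export default [
 risk: 'high',
 message: 'HTTP request with certificate verification disabled detected',
 suggestion: 'Enable verification and use trusted CAs; avoid MITM attacks',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.py']
 },
 {
 id: 'SEC007',
@@ -63,7 +69,8 @@ export default [
 risk: 'high',
 message: 'Detected use of weak algorithms such as MD5/SHA-1',
 suggestion: 'Use stronger algorithms: SHA-256/512, Argon2, bcrypt, scrypt',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.js', '.ts', '.java']
 },
 {
 id: 'SEC008',
@@ -72,7 +79,8 @@ export default [
 risk: 'high',
 message: 'Hard-coded secret or access token detected',
 suggestion: 'Store secrets in a manager or environment variables',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.js', '.ts', '.py', '.java', '.php', '.rb', '.cs']
 },
 {
 id: 'SEC009',
@@ -81,7 +89,8 @@ export default [
 risk: 'critical',
 message: 'Potentially unsafe deserialization detected',
 suggestion: 'Use safe methods (e.g., yaml.safe_load); never deserialize untrusted data',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.py', '.java', '.php']
 },
 {
 id: 'SEC010',
@@ -90,7 +99,8 @@ export default [
 risk: 'high',
 message: 'User-controlled URL request detected; SSRF risk',
 suggestion: 'Whitelist external URLs; prohibit access to internal addresses',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.js', '.ts', '.py']
 },
 {
 id: 'SEC011',
@@ -99,7 +109,8 @@ export default [
 risk: 'high',
 message: 'Possible NoSQL injection (dynamically concatenated conditions)',
 suggestion: 'Use parameterized queries or safe builders; avoid concatenation',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.js', '.ts', '.py', '.rb', '.php']
 },
 {
 id: 'SEC012',
@@ -108,7 +119,8 @@ export default [
 risk: 'high',
 message: 'User-controlled redirection detected; open-redirect risk',
 suggestion: 'Whitelist target URLs or fix them to safe destinations',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.js', '.ts', '.java']
 },
 {
 id: 'SEC013',
@@ -117,7 +129,8 @@ export default [
 risk: 'critical',
 message: 'System command execution detected; injection risk if user input involved',
 suggestion: 'Avoid direct system calls; use safe libraries or strict whitelists',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.py']
 },
 {
 id: 'SEC014',
@@ -126,7 +139,8 @@ export default [
 risk: 'medium',
 message: 'Non-cryptographic RNG used in security-sensitive contexts',
 suggestion: 'Use cryptographically secure RNGs (crypto.randomBytes, secrets.SystemRandom)',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.js', '.ts', '.py', '.java']
 },
 {
 id: 'SEC015',
@@ -135,7 +149,8 @@ export default [
 risk: 'high',
 message: 'Dynamic execution that may lead to code injection',
 suggestion: 'Avoid eval/Function; use safe parsing/mapping logic',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.js', '.ts']
 },
 {
 id: 'SEC016',
@@ -144,7 +159,8 @@ export default [
 risk: 'high',
 message: 'Direct assignment to object prototypes; may cause pollution',
 suggestion: 'Avoid merging untrusted data into prototypes; use safe merging',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.js', '.ts']
 },
 {
 id: 'SEC017',
@@ -153,7 +169,8 @@ export default [
 risk: 'critical',
 message: 'SQL execution built via string concatenation detected',
 suggestion: 'Use PreparedStatement with placeholders',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.java']
 },
 {
 id: 'SEC018',
@@ -162,7 +179,8 @@ export default [
 risk: 'high',
 message: 'Direct HTML injection detected; possible XSS',
 suggestion: 'Use text() or trusted templating with escaping',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.js']
 },
 {
 id: 'SEC019',
@@ -171,7 +189,8 @@ export default [
 risk: 'high',
 message: 'Setting wide-open file permissions detected',
 suggestion: 'Apply least privilege; avoid 777 and similar modes',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.php']
 },
 {
 id: 'SEC020',
@@ -180,7 +199,8 @@ export default [
 risk: 'critical',
 message: 'System command execution detected; injection risk with user input',
 suggestion: 'Avoid shell commands; use safe libraries and whitelist parameters',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.php', '.cs']
 },
 {
 id: 'SEC021',
@@ -189,7 +209,8 @@ export default [
 risk: 'high',
 message: 'TLS certificate verification disabled detected',
 suggestion: 'Enable verification and use trusted CA to avoid MITM',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.js', '.ts']
 },
 {
 id: 'SEC022',
@@ -198,7 +219,8 @@ export default [
 risk: 'medium',
 message: 'CORS allows "*"; may lead to cross-origin data leaks',
 suggestion: 'Only allow trusted origins; use tokens and fine-grained policy',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.js', '.ts']
 },
 {
 id: 'SEC023',
@@ -207,7 +229,8 @@ export default [
 risk: 'high',
 message: 'String-concatenated LDAP filters detected',
 suggestion: 'Build filters safely and bind parameters; avoid concatenation',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.java', '.py']
 },
 {
 id: 'SEC024',
@@ -216,7 +239,8 @@ export default [
 risk: 'high',
 message: 'XML parsing with external entities not disabled',
 suggestion: 'Disable external entities or use safe libraries (e.g., defusedxml)',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.py', '.java', '.php']
 },
 {
 id: 'SEC025',
@@ -225,7 +249,8 @@ export default [
 risk: 'high',
 message: 'Hostname verification bypass detected for HTTPS',
 suggestion: 'Implement strict hostname verification to avoid permissive behavior',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.java']
 },
 {
 id: 'SEC026',
@@ -234,7 +259,8 @@ export default [
 risk: 'critical',
 message: 'Global env disables certificate errors detected',
 suggestion: 'Remove the setting and use valid certs or isolate in test env',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.js', '.ts']
 },
 {
 id: 'SEC027',
@@ -243,7 +269,8 @@ export default [
 risk: 'high',
 message: 'Username/password hard-coded in connection string detected',
 suggestion: 'Use env variables or secure credential storage; avoid plaintext in code',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.js', '.ts', '.py', '.java', '.php', '.rb', '.cs']
 },
 {
 id: 'SEC028',
@@ -252,7 +279,8 @@ export default [
 risk: 'medium',
 message: 'Sensitive information logged',
 suggestion: 'Mask sensitive fields or avoid logging them altogether',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.js', '.ts', '.py', '.java', '.php', '.rb']
 },
 {
 id: 'SEC029',
@@ -261,7 +289,8 @@ export default [
 risk: 'high',
 message: 'Possible mass assignment risk; no whitelist validation',
 suggestion: 'Enable strong parameters/whitelist; only allow safe fields',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.rb', '.php']
 },
 {
 id: 'SEC030',
@@ -270,7 +299,8 @@ export default [
 risk: 'high',
 message: 'TLS certificate verification disabled in Go detected',
 suggestion: 'Enable verification and use trusted CA; avoid MITM attacks',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.go']
 },
 {
 id: 'SEC031',
@@ -279,7 +309,8 @@ export default [
 risk: 'high',
 message: 'Overriding global certificate validation; may accept any certificate',
 suggestion: 'Remove the override and use proper validation mechanisms',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.cs']
 },
 {
 id: 'SEC032',
@@ -288,7 +319,8 @@ export default [
 risk: 'critical',
 message: 'Using FromSqlRaw with string concatenation detected',
 suggestion: 'Use FromSqlInterpolated or parameterized queries to avoid injection',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.cs']
 },
 {
 id: 'SEC033',
@@ -297,7 +329,8 @@ export default [
 risk: 'high',
 message: 'System command execution in Go; injection risk if user input involved',
 suggestion: 'Avoid shell -c and concatenation; whitelist parameters and exec paths',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.go']
 },
 {
 id: 'SEC034',
@@ -306,6 +339,7 @@ export default [
 risk: 'medium',
 message: 'Using math/rand for randomness; not cryptographically secure',
 suggestion: 'Use crypto/rand or secure RNG libraries for tokens and keys',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.go']
 }
 ];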
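Review bot: The `extensions` lists added to the three secret-detection rules SEC001, SEC008 and SEC027 (`['.js', '.ts', '.py', '.java', '.php', '.rb', '.cs']`) omit `.go`, although this same file treats Go as a scanned language in SEC030, SEC033 and SEC034 (`extensions: ['.go']`), so a hard-coded credential in a `.go` file is now skipped; SEC028 (sensitive logging) has the same omission. Assuming `extensions` restricts which files a rule runs on, which is how the per-language rules here use it, these lists also keep the secrets rules away from `.env`, `.yml`/`.yaml`, `.json`, `.properties` and `.xml`, the files where hard-coded credentials are most often committed, so I would add `.go` and those config extensions or leave `extensions` off the secrets rules altogether. Separately, SEC001's unchanged `excludePatterns` entry `'(example|test|demo|placeholder|xxx|123|abc|password|secret)'` suppresses any match whose text contains `password` or `secret`, which looks like most of what a hard-coded-password rule should report; this should be confirmed against how reviewer.js applies `excludePatterns` before the rule is trusted. The `export default [` array that encloses these objects starts before the first hunk.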
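--- a/package/templates/rules/zh-CN/best-practices.js
+++ b/package/templates/rules/zh-CN/best-practices.js
@@ -7,7 +7,8 @@ export default [
 risk: 'low',
 message: '发现调试代码,建议在提交前移除',
 suggestion: '使用日志系统替代console.log',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.js', '.ts', '.py', '.php', '.rb']
 },
 {
 id: 'BP002',
@@ -16,7 +17,8 @@ export default [
 risk: 'low',
 message: '检测到魔法数字,建议使用常量定义',
 suggestion: '将数字定义为有意义的常量',
-flags: 'g'
+flags: 'g',
+extensions: ['.js', '.ts', '.java', '.cs', '.php', '.py', '.rb', '.go']
 },
 {
 id: 'BP003',
@@ -25,7 +27,8 @@ export default [
 risk: 'medium',
 message: '检测到空的catch块,可能隐藏错误并导致不可预期行为',
 suggestion: '记录日志或采取补救措施,避免吞掉异常',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.js', '.ts', '.java', '.cs', '.php']
 },
 {
 id: 'BP004',
@@ -34,7 +37,8 @@ export default [
 risk: 'medium',
 message: '检测到@ts-ignore,可能掩盖类型错误',
 suggestion: '修复类型问题或使用更精确的类型定义',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.ts']
 },
 {
 id: 'BP005',
@@ -43,7 +47,8 @@ export default [
 risk: 'medium',
 message: '检测到any类型,可能削弱类型系统保护',
 suggestion: '使用具体类型或泛型替代any,提高类型安全',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.ts']
 },
 {
 id: 'BP006',
@@ -52,7 +57,8 @@ export default [
 risk: 'medium',
 message: '检测到禁用ESLint,可能隐藏代码质量问题',
 suggestion: '只在必要范围局部禁用,并给出明确原因',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.js', '.ts']
 },
 {
 id: 'BP007',
@@ -61,7 +67,8 @@ export default [
 risk: 'medium',
 message: '检测到调试断点,可能影响线上行为',
 suggestion: '在提交前移除debugger并使用日志或断言',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.js', '.ts']
 },
 {
 id: 'BP008',
@@ -70,7 +77,8 @@ export default [
 risk: 'medium',
 message: '捕获过于宽泛的异常类型且未进行适当处理',
 suggestion: '捕获具体的异常类型,并确保进行适当的日志记录或重新抛出',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.js', '.ts', '.java', '.cs', '.php']
 },
 {
 id: 'BP009',
@@ -79,7 +87,8 @@ export default [
 risk: 'medium',
 message: '检测到直接打印堆栈跟踪,可能导致信息丢失与不可控输出',
 suggestion: '使用结构化日志记录错误,并附带上下文信息',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.java']
 },
 {
 id: 'BP010',
@@ -88,7 +97,8 @@ export default [
 risk: 'high',
 message: '检测到System.exit,可能导致服务非预期中断',
 suggestion: '使用受控的停止流程(优雅关闭)、信号处理与资源回收',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.java']
 },
 {
 id: 'BP011',
@@ -97,7 +107,8 @@ export default [
 risk: 'medium',
 message: '检测到使用root作为数据库用户,存在安全与审计风险',
 suggestion: '使用最小权限的应用专用账户,分离权限与职责',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.js', '.ts', '.java', '.cs', '.php', '.py', '.rb', '.go']
 },
 {
 id: 'BP012',
@@ -106,6 +117,7 @@ export default [
 risk: 'high',
 message: '检测到全局禁用CSRF保护,可能导致跨站请求伪造风险',
 suggestion: '在必要的API上采用令牌/同源策略,避免全局关闭',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.java']
 }
 ];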
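Review bot: BP004 and BP005 now carry `extensions: ['.ts']`, so if the extension check is an exact suffix match, `@ts-ignore` and `any` in `.tsx` files are no longer reported at all; the same bare `.js`/`.ts` pattern on BP006 and BP007 likewise misses `.tsx`, `.jsx`, `.mjs` and `.cjs`. I would write `extensions: ['.ts', '.tsx']` on BP004/BP005 and `['.js', '.jsx', '.mjs', '.cjs', '.ts', '.tsx']` on the JavaScript rules, or have reviewer.js match on a normalised language rather than a literal suffix. BP012's message is framework-neutral (a globally disabled CSRF protection), yet its new `extensions: ['.java']` means the same misconfiguration in a Python, Ruby, PHP or Node application is never reported; if the pattern only recognises one Java framework, a one-line comment on the rule naming that API would justify the restriction, and if the pattern is generic the list should also include `.py`, `.rb`, `.php`, `.js` and `.ts`. The `export default [` array that encloses these objects starts before the first hunk.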
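--- a/package/templates/rules/zh-CN/performance.js
+++ b/package/templates/rules/zh-CN/performance.js
@@ -7,7 +7,8 @@ export default [
 risk: 'medium',
 message: '在循环内执行数据库查询,可能导致N+1查询问题',
 suggestion: '使用批量查询或预加载数据',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.js', '.ts', '.java', '.py', '.php', '.rb', '.cs', '.go']
 },
 {
 id: 'PERF002',
@@ -17,6 +18,7 @@ export default [
 message: '发现定时器使用,若未清理可能导致内存泄漏或残留任务',
 suggestion: '确保在适当生命周期调用 clearInterval/clearTimeout 进行清理',
 flags: 'gi',
+extensions: ['.js', '.ts'],
 // 为了覆盖内置 PERF002,外部规则增加清理检测,若文件中存在任一清理则跳过此规则
 requiresAbsent: ['clearInterval\\s*\\(', 'clearTimeout\\s*\\(']
 },
@@ -27,7 +29,8 @@ export default [
 risk: 'high',
 message: '检测到同步文件IO,可能阻塞事件循环并影响吞吐',
 suggestion: '优先使用异步IO或队列化处理,避免阻塞主线程',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.js', '.ts']
 },
 {
 id: 'PERF004',
@@ -36,7 +39,8 @@ export default [
 risk: 'high',
 message: '检测到循环内执行网络请求,可能导致级联延迟与拥塞',
 suggestion: '合并请求、并发控制或批量处理,减少往返次数',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.js', '.ts', '.py']
 },
 {
 id: 'PERF005',
@@ -45,7 +49,8 @@ export default [
 risk: 'medium',
 message: '循环内频繁序列化可能导致CPU开销过大',
 suggestion: '将序列化移到循环外或进行缓存/批量处理',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.js', '.ts']
 },
 {
 id: 'PERF006',
@@ -54,7 +59,8 @@ export default [
 risk: 'medium',
 message: '循环内重复编译正则会增加不必要的开销',
 suggestion: '将正则常量化或预编译,避免在循环中创建',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.js', '.ts']
 },
 {
 id: 'PERF007',
@@ -63,7 +69,8 @@ export default [
 risk: 'high',
 message: '检测到可能的忙等待循环,可能导致CPU飙升与资源浪费',
 suggestion: '使用事件驱动或阻塞等待机制,避免空循环',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.js', '.ts', '.java', '.cs', '.php', '.rb']
 },
 {
 id: 'PERF008',
@@ -72,7 +79,8 @@ export default [
 risk: 'high',
 message: '循环内读取布局信息会触发频繁回流/重绘',
 suggestion: '合并DOM读写、使用批处理、减少同步布局查询',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.js', '.ts']
 },
 {
 id: 'PERF009',
@@ -81,7 +89,8 @@ export default [
 risk: 'medium',
 message: '检测到阻塞等待调用,可能降低服务吞吐和响应',
 suggestion: '改用异步等待或限流/队列机制,避免阻塞主线程',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.java', '.py']
 },
 {
 id: 'PERF010',
@@ -90,7 +99,8 @@ export default [
 risk: 'high',
 message: '检测到无界线程池,可能导致线程爆炸与资源枯竭',
 suggestion: '使用有界线程池并设置合理最大值与队列长度',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.java']
 },
 {
 id: 'PERF011',
@@ -99,7 +109,8 @@ export default [
 risk: 'medium',
 message: '循环内频繁字符串拼接会造成较大CPU与内存开销',
 suggestion: '使用StringBuilder/列表收集再join,或其他批量化策略',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.js', '.ts', '.java', '.cs', '.py', '.rb']
 },
 {
 id: 'PERF012',
@@ -108,7 +119,8 @@ export default [
 risk: 'high',
 message: '循环内反复创建数据库连接会导致严重性能问题',
 suggestion: '使用连接池与复用策略,在循环外预先获取连接',
-flags: 'gi'
+flags: 'gi',
+extensions: ['.js', '.ts', '.java', '.cs', '.php']
 },
 {
 id: 'PERF013',
@@ -118,6 +130,7 @@ export default [
 message: '网络请求未设置超时会造成资源悬挂与吞吐下降',
 suggestion: '设置合理的timeout参数,并对重试与熔断进行控制',
 flags: 'gi',
+extensions: ['.py'],
 requiresAbsent: ['timeout\\s*=']
 }
 ];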
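Review bot: PERF013 gains `extensions: ['.py']` with no comment explaining why a rule whose message is generic ("network request without a timeout") now runs only on Python files, while PERF002, the other rule in this file with a `requiresAbsent` clause, documents its mechanism in a comment. By the file-wide skip that the PERF002 comment describes, PERF013's `requiresAbsent: ['timeout\s*=']` also silences every untimed request in a file as soon as any `timeout =` assignment appears in it, so a comment stating both the targeted API and that file-wide behaviour belongs on PERF013, something like `// 仅针对 Python 请求调用;文件内任意 timeout= 即整文件跳过本规则` once the pattern confirms which calls it matches. PERF008 is a DOM rule (layout reads inside loops) but is limited to `['.js', '.ts']`, which under exact suffix matching excludes `.jsx`, `.tsx` and `.vue`, the files where most DOM code lives; `['.js', '.jsx', '.ts', '.tsx', '.vue']` would be the safer list, and the same `.jsx`/`.tsx` gap applies to PERF003, PERF005 and PERF006. The `export default [` array that encloses these rules starts before the first hunk.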