{
  "rules": {
    "C002": {
      "id": "C002",
      "name": "Rule C002",
      "description": "Auto-migrated rule C002 from ESLint mapping",
      "category": "general",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript",
        "dart"
      ],
      "version": "1.0.0",
      "status": "migrated",
      "tags": [
        "migrated"
      ],
      "engineMappings": {
        "eslint": [
          "custom/no-duplicate-code"
        ]
      },
      "strategy": {
        "preferred": "regex",
        "fallbacks": [
          "regex"
        ],
        "accuracy": {}
      }
    },
    "C003": {
      "id": "C003",
      "name": "Rule C003",
      "description": "Auto-migrated rule C003 from ESLint mapping",
      "category": "general",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript",
        "dart"
      ],
      "version": "1.0.0",
      "status": "migrated",
      "tags": [
        "migrated"
      ],
      "engineMappings": {
        "eslint": [
          "custom/no-vague-abbreviations"
        ]
      },
      "strategy": {
        "preferred": "regex",
        "fallbacks": [
          "regex"
        ],
        "accuracy": {}
      }
    },
    "C005": {
      "name": "Single Responsibility Principle",
      "description": "Each function should do one thing only",
      "category": "design",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript",
        "dart",
        "kotlin"
      ],
      "analyzer": "./rules/common/C005_single_responsibility/analyzer.js",
      "config": "./rules/common/C005_single_responsibility/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "design",
        "responsibility",
        "maintainability"
      ],
      "engineMappings": {
        "eslint": [
          "max-statements-per-line",
          "complexity"
        ]
      }
    },
    "C006": {
      "name": "Function Naming Convention",
      "description": "Tên hàm phải là động từ/verb-noun pattern",
      "category": "naming",
      "severity": "warning",
      "languages": [
        "typescript",
        "dart",
        "kotlin",
        "javascript"
      ],
      "analyzer": "./rules/C006_function_naming/analyzer.js",
      "config": "./rules/C006_function_naming/config.json",
      "version": "1.0.0",
      "status": "activated",
      "tags": [
        "naming",
        "convention",
        "readability"
      ],
      "engineMappings": {
        "eslint": [
          "func-names",
          "func-name-matching",
          "@typescript-eslint/naming-convention"
        ]
      }
    },
    "C007": {
      "name": "Meaningful Comments",
      "description": "Avoid comments that just describe the code",
      "category": "documentation",
      "severity": "info",
      "languages": [
        "typescript",
        "javascript",
        "dart",
        "kotlin"
      ],
      "analyzer": "./rules/common/C007_meaningful_comments/analyzer.js",
      "config": "./rules/common/C007_meaningful_comments/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "documentation",
        "comments",
        "maintainability"
      ],
      "engineMappings": {
        "eslint": [
          "spaced-comment",
          "no-inline-comments",
          "no-warning-comments"
        ]
      }
    },
    "C008": {
      "name": "Minimize Variable Scope - Declare Near Usage",
      "description": "Variables should be declared as close as possible to where they are first used",
      "category": "code-quality",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript",
        "dart"
      ],
      "analyzer": "rules/common/C008_variable_declaration_locality/analyzer.js",
      "config": "rules/common/C008_variable_declaration_locality/config.json",
      "version": "1.0.0",
      "status": "active",
      "tags": [
        "readability",
        "maintainability",
        "scope",
        "best-practice"
      ],
      "strategy": {
        "preferred": "semantic",
        "fallbacks": [
          "semantic",
          "ast"
        ],
        "accuracy": {
          "semantic": 95,
          "ast": 90
        }
      },
      "engineMappings": {
        "semantic": [
          "rules/common/C008_variable_declaration_locality/analyzer.js"
        ]
      }
    },
    "C010": {
      "name": "Limit Block Nesting",
      "description": "Limit nested blocks (if/for/while/switch) to maximum 3 levels for readability",
      "category": "complexity",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript",
        "dart",
        "kotlin"
      ],
      "analyzer": "./rules/common/C010_limit_block_nesting/analyzer.js",
      "config": "./rules/common/C010_limit_block_nesting/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "complexity",
        "readability",
        "nesting",
        "maintainability"
      ],
      "strategy": {
        "preferred": "ast",
        "fallbacks": [
          "ast",
          "regex"
        ],
        "accuracy": {
          "ast": 95,
          "regex": 75
        }
      }
    },
    "C012": {
      "name": "Command Query Separation",
      "description": "Separate Command and Query operations (CQS principle)",
      "category": "design",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript",
        "dart",
        "kotlin"
      ],
      "analyzer": "./rules/common/C012_command_query_separation/analyzer.js",
      "config": "./rules/common/C012_command_query_separation/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "design",
        "separation",
        "maintainability"
      ],
      "engineMappings": {
        "eslint": [
          "consistent-return",
          "no-void",
          "@typescript-eslint/no-confusing-void-expression"
        ]
      }
    },
    "C013": {
      "name": "No Dead Code",
      "description": "Detect and remove commented-out code, unused variables/functions, and unreachable code",
      "category": "maintainability",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript",
        "dart",
        "kotlin"
      ],
      "analyzer": "./rules/common/C013_no_dead_code/analyzer.js",
      "config": "./rules/common/C013_no_dead_code/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "dead-code",
        "commented-code",
        "unreachable-code",
        "cleanup",
        "maintainability"
      ],
      "strategy": {
        "preferred": "ast",
        "fallbacks": [
          "ast",
          "regex"
        ],
        "accuracy": {
          "ast": 90,
          "regex": 70
        }
      },
      "engineMappings": {
        "eslint": [
          "no-unreachable",
          "no-unused-vars",
          "no-unused-expressions"
        ]
      }
    },
    "C014": {
      "name": "Dependency Injection Pattern",
      "description": "Use Dependency Injection instead of direct instantiation in business logic. Increases testability and reduces coupling.",
      "category": "design",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript",
        "dart"
      ],
      "analyzer": "./rules/common/C014_dependency_injection/analyzer.js",
      "config": "./rules/common/C014_dependency_injection/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "design",
        "dependency-injection",
        "testability",
        "coupling",
        "SOLID"
      ],
      "strategy": {
        "preferred": "ast",
        "fallbacks": [],
        "accuracy": {
          "ast": 95
        },
        "requirements": {
          "ast": {
            "semanticEngine": true,
            "description": "C014 requires symbol-based analysis for accurate dependency injection pattern detection"
          }
        }
      },
      "engineMappings": {
        "eslint": [
          "no-new",
          "no-new-wrappers",
          "@typescript-eslint/no-unnecessary-constructor"
        ]
      }
    },
    "C015": {
      "name": "Domain Language",
      "description": "Use domain language in class/function names",
      "category": "naming",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript",
        "dart",
        "kotlin"
      ],
      "analyzer": "./rules/common/C015_domain_language/analyzer.js",
      "config": "./rules/common/C015_domain_language/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "naming",
        "domain",
        "readability"
      ],
      "engineMappings": {
        "eslint": [
          "@typescript-eslint/naming-convention",
          "camelcase"
        ]
      }
    },
    "C017": {
      "id": "C017",
      "name": "Rule C017",
      "description": "Auto-migrated rule C017 from ESLint mapping",
      "category": "general",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript",
        "dart"
      ],
      "analyzer": "./rules/common/C017_constructor_logic/analyzer.js",
      "config": "./rules/common/C017_constructor_logic/config.json",
      "version": "1.0.0",
      "status": "migrated",
      "tags": [
        "migrated"
      ],
      "engineMappings": {
        "eslint": [
          "custom/limit-constructor-logic"
        ]
      },
      "strategy": {
        "preferred": "semantic",
        "fallbacks": [
          "semantic",
          "ast",
          "regex"
        ],
        "accuracy": {
          "semantic": 95,
          "ast": 85,
          "regex": 70
        }
      }
    },
    "C018": {
      "name": "Do not throw generic errors",
      "description": "Always provide detailed messages and context.",
      "category": "naming",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript",
        "dart",
        "kotlin"
      ],
      "analyzer": "./rules/common/C018_no_throw_generic_error/analyzer.js",
      "config": "./rules/common/C018_no_throw_generic_error/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "naming",
        "domain",
        "readability"
      ],
      "engineMappings": {
        "eslint": [
          "@typescript-eslint/naming-convention",
          "camelcase"
        ]
      }
    },
    "C019": {
      "name": "Log Level Usage",
      "description": "Không sử dụng log mức error cho lỗi không nghiêm trọng",
      "category": "logging",
      "severity": "warning",
      "languages": [
        "typescript",
        "dart",
        "kotlin",
        "javascript"
      ],
      "analyzer": "./rules/common/C019_log_level_usage/analyzer.js",
      "config": "./rules/common/C019_log_level_usage/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "logging",
        "error-handling",
        "severity"
      ],
      "engineMappings": {
        "eslint": [
          "no-console",
          "no-alert",
          "no-debugger"
        ],
        "heuristic": [
          "rules/common/C019_log_level_usage/analyzer.js"
        ]
      }
    },
    "C020": {
      "name": "Unused Imports",
      "description": "Không import các module hoặc symbol không sử dụng",
      "category": "code-quality",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript",
        "dart"
      ],
      "analyzer": "./rules/common/C020_unused_imports/analyzer.js",
      "config": "./rules/common/C020_unused_imports/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "imports",
        "cleanup",
        "unused-code"
      ],
      "engineMappings": {
        "eslint": [
          "no-unused-vars",
          "@typescript-eslint/no-unused-vars"
        ],
        "heuristic": [
          "rules/common/C020_unused_imports/analyzer.js"
        ]
      }
    },
    "C021": {
      "name": "Import Organization",
      "description": "Tổ chức và sắp xếp imports theo nhóm và thứ tự alphabet",
      "category": "code-quality",
      "severity": "info",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "./rules/common/C021_import_organization/analyzer.js",
      "config": "./rules/common/C021_import_organization/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "imports",
        "organization",
        "readability"
      ],
      "engineMappings": {
        "eslint": [
          "import/order",
          "sort-imports"
        ],
        "heuristic": [
          "rules/common/C021_import_organization/analyzer.js"
        ]
      }
    },
    "C023": {
      "name": "Do not declare duplicate variable",
      "description": "Do not declare duplicate variable names in the same scope",
      "category": "naming",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript",
        "dart",
        "kotlin"
      ],
      "analyzer": "./rules/common/C023_no_duplicate_variable/analyzer.js",
      "config": "./rules/common/C023_no_duplicate_variable/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "naming",
        "domain",
        "readability"
      ],
      "engineMappings": {
        "eslint": [
          "@typescript-eslint/naming-convention",
          "camelcase"
        ]
      }
    },
    "C024": {
      "name": "Do not scatter hardcoded constants throughout the logic",
      "description": "The rule prevents scattering hardcoded constants throughout the logic. Instead, constants should be defined in a single place to improve maintainability and readability.",
      "category": "naming",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript",
        "dart",
        "kotlin"
      ],
      "analyzer": "./rules/common/C024_no_scatter_hardcoded_constants/analyzer.js",
      "config": "./rules/common/C024_no_scatter_hardcoded_constants/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "naming",
        "domain",
        "readability"
      ],
      "engineMappings": {
        "eslint": [
          "@typescript-eslint/naming-convention",
          "camelcase"
        ]
      }
    },
    "C029": {
      "name": "Catch Block Error Logging",
      "description": "Mọi catch block phải log nguyên nhân lỗi đầy đủ",
      "category": "error-handling",
      "severity": "error",
      "languages": [
        "typescript",
        "dart",
        "kotlin",
        "javascript"
      ],
      "analyzer": "./rules/C029_catch_block_logging/analyzer.js",
      "config": "./rules/C029_catch_block_logging/config.json",
      "version": "1.0.0",
      "status": "activated",
      "tags": [
        "error-handling",
        "logging",
        "debugging",
        "monitoring"
      ]
    },
    "C030": {
      "id": "C030",
      "name": "Rule C030",
      "description": "Auto-migrated rule C030 from ESLint mapping",
      "category": "general",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript"
      ],
      "version": "1.0.0",
      "status": "migrated",
      "tags": [
        "migrated"
      ],
      "engineMappings": {
        "eslint": [
          "custom/use-custom-error-classes"
        ]
      },
      "strategy": {
        "preferred": "regex",
        "fallbacks": [
          "regex"
        ],
        "accuracy": {}
      }
    },
    "C031": {
      "name": "Validation Logic Separation",
      "description": "Logic kiểm tra dữ liệu (validate) phải nằm riêng biệt",
      "category": "validation",
      "severity": "error",
      "languages": [
        "typescript",
        "dart",
        "kotlin",
        "javascript"
      ],
      "analyzer": "./rules/C031_validation_separation/analyzer.js",
      "config": "./rules/C031_validation_separation/config.json",
      "version": "1.0.0",
      "status": "experimental",
      "tags": [
        "validation",
        "separation",
        "architecture"
      ],
      "engineMappings": {
        "eslint": [
          "no-implicit-coercion",
          "eqeqeq",
          "@typescript-eslint/strict-boolean-expressions"
        ]
      }
    },
    "C032": {
      "name": "No External APIs in Constructors",
      "description": "Don't call external APIs in constructors or static blocks",
      "category": "design",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript",
        "dart",
        "kotlin"
      ],
      "analyzer": "./rules/common/C032_no_constructor_api/analyzer.js",
      "config": "./rules/common/C032_no_constructor_api/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "design",
        "constructor",
        "initialization"
      ],
      "engineMappings": {
        "eslint": [
          "no-new",
          "@typescript-eslint/no-floating-promises",
          "no-constructor-return"
        ]
      }
    },
    "C033": {
      "name": "Separate Processing Logic and Data Queries",
      "description": "Separate processing logic and data queries in service layer",
      "category": "architecture",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript",
        "dart",
        "kotlin"
      ],
      "analyzer": "./rules/common/C033_separate_logic_data/analyzer.js",
      "config": "./rules/common/C033_separate_logic_data/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "architecture",
        "separation",
        "service"
      ],
      "engineMappings": {
        "eslint": [
          "prefer-const",
          "no-var",
          "@typescript-eslint/prefer-readonly"
        ]
      }
    },
    "C034": {
      "name": "Limit Direct Access to Global State",
      "description": "Limit direct access to global state in domain logic",
      "category": "architecture",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript",
        "dart",
        "kotlin"
      ],
      "analyzer": "./rules/common/C034_limit_global_state/analyzer.js",
      "config": "./rules/common/C034_limit_global_state/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "architecture",
        "global-state",
        "design"
      ],
      "engineMappings": {
        "eslint": [
          "no-global-assign",
          "no-implicit-globals",
          "@typescript-eslint/no-namespace"
        ]
      }
    },
    "C035": {
      "name": "Log all relevant context when handling errors",
      "description": "When handling errors, the full related information must be logged, using structured logging with context",
      "category": "error-handling",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript",
        "dart",
        "kotlin"
      ],
      "analyzer": "./rules/common/C035_error_logging_context/analyzer.js",
      "config": "./rules/common/C035_error_logging_context/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "logging",
        "error-handling",
        "observability",
        "debugging"
      ],
      "engineMappings": {
        "eslint": [
          "no-empty-catch",
          "@typescript-eslint/no-unused-vars"
        ]
      }
    },
    "C037": {
      "name": "Standard Response Objects",
      "description": "API handlers should return standard response objects (not raw strings)",
      "category": "api",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript",
        "dart",
        "kotlin"
      ],
      "analyzer": "./rules/common/C037_standard_response/analyzer.js",
      "config": "./rules/common/C037_standard_response/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "api",
        "response",
        "standardization"
      ],
      "engineMappings": {
        "eslint": [
          "consistent-return",
          "@typescript-eslint/explicit-function-return-type",
          "@typescript-eslint/explicit-module-boundary-types"
        ]
      }
    },
    "C038": {
      "name": "No File Loading Order Dependency",
      "description": "Avoid logic depending on file/module loading order",
      "category": "architecture",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript",
        "dart",
        "kotlin"
      ],
      "analyzer": "./rules/common/C038_no_loading_order/analyzer.js",
      "config": "./rules/common/C038_no_loading_order/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "architecture",
        "loading",
        "dependency"
      ],
      "engineMappings": {
        "eslint": [
          "import/no-dynamic-require",
          "import/order",
          "@typescript-eslint/no-var-requires"
        ]
      }
    },
    "C040": {
      "name": "Centralized Validation Logic",
      "description": "Don't scatter validation logic across multiple classes",
      "category": "validation",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript",
        "dart",
        "kotlin"
      ],
      "analyzer": "./rules/common/C040_centralized_validation/analyzer.js",
      "config": "./rules/common/C040_centralized_validation/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "validation",
        "centralization",
        "architecture"
      ],
      "engineMappings": {
        "eslint": [
          "no-duplicate-imports",
          "import/no-duplicates",
          "@typescript-eslint/no-duplicate-imports"
        ]
      }
    },
    "C041": {
      "name": "Do not hardcode or push sensitive information (token, API key, secret, URL) into the repo",
      "description": "Protect sensitive application data, avoid security risks, and comply with security standards. Exposing sensitive information can lead to serious security and privacy issues.",
      "category": "security",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript",
        "dart",
        "kotlin"
      ],
      "analyzer": "./rules/common/C041_no_sensitive_hardcode/analyzer.js",
      "config": "./rules/common/C041_no_sensitive_hardcode/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "naming",
        "domain",
        "readability"
      ],
      "engineMappings": {
        "eslint": [
          "@typescript-eslint/naming-convention",
          "camelcase"
        ]
      }
    },
    "C042": {
      "id": "C042",
      "name": "Rule C042",
      "description": "Auto-migrated rule C042 from ESLint mapping",
      "category": "general",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript"
      ],
      "version": "1.0.0",
      "status": "migrated",
      "tags": [
        "migrated"
      ],
      "engineMappings": {
        "eslint": [
          "custom/boolean-name-prefix"
        ]
      },
      "strategy": {
        "preferred": "regex",
        "fallbacks": [
          "regex"
        ],
        "accuracy": {}
      }
    },
    "C043": {
      "name": "No Console Or Print",
      "description": "Do not use console.log or print in production code",
      "category": "logging",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript",
        "dart"
      ],
      "analyzer": "./rules/common/C043_no_console_or_print/analyzer.js",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "logging",
        "production",
        "debugging",
        "console"
      ],
      "strategy": {
        "preferred": "regex",
        "fallbacks": [
          "regex"
        ],
        "accuracy": {
          "regex": 90
        }
      }
    },
    "C047": {
      "id": "C047",
      "name": "Rule C047",
      "description": "Auto-migrated rule C047 from ESLint mapping",
      "category": "general",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript"
      ],
      "version": "1.0.0",
      "status": "migrated",
      "tags": [
        "migrated"
      ],
      "engineMappings": {
        "eslint": [
          "custom/no-duplicate-retry-logic"
        ]
      },
      "strategy": {
        "preferred": "regex",
        "fallbacks": [
          "regex"
        ],
        "accuracy": {}
      }
    },
    "C048": {
      "name": "Do not bypass architectural layers (controller/service/repository)",
      "description": "Maintain a clear layered architecture, ensuring logic and data flow are well-structured and maintainable.",
      "category": "naming",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript",
        "dart",
        "kotlin"
      ],
      "analyzer": "./rules/common/C048_no_bypass_architectural_layers/analyzer.js",
      "config": "./rules/common/C048_no_bypass_architectural_layers/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "naming",
        "domain",
        "readability"
      ],
      "engineMappings": {
        "eslint": [
          "@typescript-eslint/naming-convention",
          "camelcase"
        ]
      }
    },
    "C052": {
      "name": "Parsing or data transformation logic must be separated from controllers",
      "description": "Enforce separation of concerns — controllers should only handle requests and delegate processing, improving testability, maintainability, and reuse.",
      "category": "naming",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript",
        "dart",
        "kotlin"
      ],
      "analyzer": "./rules/common/C052_parsing_or_data_transformation/analyzer.js",
      "config": "./rules/common/C052_parsing_or_data_transformation/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "naming",
        "domain",
        "readability"
      ],
      "engineMappings": {
        "eslint": [
          "@typescript-eslint/naming-convention",
          "camelcase"
        ]
      }
    },
    "C060": {
      "name": "Do not override superclass methods and ignore critical logic",
      "description": "Preserve important behavior or lifecycle logic defined in the superclass to ensure correctness and prevent silent errors.",
      "category": "logging",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript",
        "dart"
      ],
      "analyzer": "./rules/common/C060_no_override_superclass/analyzer.js",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "logging",
        "production",
        "debugging",
        "console"
      ],
      "strategy": {
        "preferred": "regex",
        "fallbacks": [
          "regex"
        ],
        "accuracy": {
          "regex": 90
        }
      }
    },
    "C065": {
      "name": "One Behavior per Test (AAA Pattern)",
      "description": "Enforce single behavior testing - each test should verify exactly one action/behavior with clear Arrange-Act-Assert structure",
      "category": "common",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript",
        "java",
        "csharp",
        "swift",
        "kotlin",
        "python"
      ],
      "analyzer": "./rules/common/C065_one_behavior_per_test/analyzer.js",
      "config": "./rules/common/C065_one_behavior_per_test/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "testing",
        "aaa",
        "behavior",
        "maintainability",
        "clarity"
      ],
      "engineMappings": {
        "heuristic": [
          "./rules/common/C065_one_behavior_per_test/analyzer.js"
        ]
      }
    },
    "C067": {
      "name": "No Hardcoded Configuration",
      "description": "Improve configurability, reduce risk when changing environments, and make configuration management flexible and maintainable.",
      "category": "configuration",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript",
        "dart",
        "kotlin"
      ],
      "analyzer": "./rules/common/C067_no_hardcoded_config/analyzer.js",
      "config": "./rules/common/C067_no_hardcoded_config/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "configuration",
        "hardcode",
        "environment",
        "maintainability",
        "security"
      ],
      "strategy": {
        "preferred": "ast",
        "fallbacks": [
          "ast"
        ],
        "accuracy": {
          "ast": 90
        }
      },
      "engineMappings": {
        "heuristic": [
          "rules/common/C067_no_hardcoded_config/analyzer.js"
        ]
      }
    },
    "C070": {
      "name": "No Real Time Tests",
      "description": "Tests should not depend on real time delays or sleeps. Use fake timers, clock injection, or condition-based waits to improve test reliability and speed.",
      "category": "testing",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "../rules/common/C070_no_real_time_tests/regex-analyzer.js",
      "config": "../rules/common/C070_no_real_time_tests/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "testing",
        "flaky-tests",
        "timing",
        "fake-timers",
        "reliability"
      ],
      "strategy": {
        "preferred": "ast",
        "fallbacks": [
          "regex"
        ],
        "accuracy": {
          "ast": 95,
          "regex": 88
        }
      },
      "engineMappings": {
        "heuristic": [
          "../rules/common/C070_no_real_time_tests/regex-analyzer.js"
        ]
      }
    },
    "C072": {
      "id": "C072",
      "name": "Single Test Behavior",
      "description": "Each test should assert only one behavior",
      "category": "testing",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript"
      ],
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "testing",
        "unit-test",
        "single-behavior"
      ],
      "engineMappings": {
        "eslint": [
          "custom/c072-one-assert-per-test"
        ],
        "heuristic": [
          "rules/common/C072_single_test_behavior/analyzer.js"
        ]
      },
      "strategy": {
        "preferred": "regex",
        "fallbacks": [
          "regex"
        ],
        "accuracy": {}
      }
    },
    "C073": {
      "id": "C073",
      "name": "Validate Required Configuration on Startup",
      "description": "C073 - Validate mandatory configuration at startup and fail fast on invalid/missing values",
      "category": "configuration",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript",
        "java",
        "go"
      ],
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "configuration",
        "validation",
        "startup",
        "fail-fast"
      ],
      "engineMappings": {
        "heuristic": [
          "rules/common/C073_validate_required_config_on_startup/analyzer.js"
        ],
        "semantic": [
          "rules/common/C073_validate_required_config_on_startup/symbol-based-analyzer.js"
        ]
      },
      "strategy": {
        "preferred": "semantic",
        "fallbacks": [
          "heuristic"
        ],
        "accuracy": {
          "semantic": 0.9,
          "heuristic": 0.7
        }
      }
    },
    "C075": {
      "id": "C075",
      "name": "Rule C075",
      "description": "Auto-migrated rule C075 from ESLint mapping",
      "category": "general",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript"
      ],
      "version": "1.0.0",
      "status": "migrated",
      "tags": [
        "migrated"
      ],
      "engineMappings": {
        "eslint": [
          "custom/explicit-function-return-types"
        ]
      },
      "strategy": {
        "preferred": "regex",
        "fallbacks": [
          "regex"
        ],
        "accuracy": {}
      }
    },
    "C076": {
      "id": "C076",
      "name": "Explicit Function Argument Types",
      "description": "All public functions must declare explicit types for arguments",
      "category": "type-safety",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript"
      ],
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "type-safety",
        "public-api",
        "explicit-types"
      ],
      "engineMappings": {
        "heuristic": [
          "rules/common/C076_explicit_function_types/semantic-analyzer.js"
        ]
      },
      "strategy": {
        "preferred": "symbol",
        "fallbacks": [
          "symbol"
        ],
        "accuracy": {}
      }
    },
    "R001": {
      "id": "R001",
      "name": "Rule R001",
      "description": "Auto-migrated rule R001 from ESLint mapping",
      "category": "react",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript"
      ],
      "version": "1.0.0",
      "status": "migrated",
      "tags": [
        "migrated"
      ],
      "engineMappings": {
        "eslint": [
          "react/no-this-in-sfc",
          "no-param-reassign",
          "react/function-component-definition",
          "react/forbid-component-props"
        ]
      },
      "strategy": {
        "preferred": "regex",
        "fallbacks": [
          "regex"
        ],
        "accuracy": {}
      }
    },
    "R002": {
      "id": "R002",
      "name": "Rule R002",
      "description": "Auto-migrated rule R002 from ESLint mapping",
      "category": "react",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript"
      ],
      "version": "1.0.0",
      "status": "migrated",
      "tags": [
        "migrated"
      ],
      "engineMappings": {
        "eslint": [
          "react-hooks/rules-of-hooks",
          "react-hooks/exhaustive-deps",
          "react/no-did-mount-set-state",
          "react/no-did-update-set-state"
        ]
      },
      "strategy": {
        "preferred": "regex",
        "fallbacks": [
          "regex"
        ],
        "accuracy": {}
      }
    },
    "R003": {
      "id": "R003",
      "name": "Rule R003",
      "description": "Auto-migrated rule R003 from ESLint mapping",
      "category": "react",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript"
      ],
      "version": "1.0.0",
      "status": "migrated",
      "tags": [
        "migrated"
      ],
      "engineMappings": {
        "eslint": [
          "react/no-direct-mutation-state",
          "react/jsx-no-constructed-context-values",
          "react/forbid-dom-props"
        ]
      },
      "strategy": {
        "preferred": "regex",
        "fallbacks": [
          "regex"
        ],
        "accuracy": {}
      }
    },
    "R004": {
      "id": "R004",
      "name": "Rule R004",
      "description": "Auto-migrated rule R004 from ESLint mapping",
      "category": "react",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript"
      ],
      "version": "1.0.0",
      "status": "migrated",
      "tags": [
        "migrated"
      ],
      "engineMappings": {
        "eslint": [
          "no-param-reassign",
          "react/forbid-foreign-prop-types"
        ]
      },
      "strategy": {
        "preferred": "regex",
        "fallbacks": [
          "regex"
        ],
        "accuracy": {}
      }
    },
    "R005": {
      "id": "R005",
      "name": "Rule R005",
      "description": "Auto-migrated rule R005 from ESLint mapping",
      "category": "react",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript"
      ],
      "version": "1.0.0",
      "status": "migrated",
      "tags": [
        "migrated"
      ],
      "engineMappings": {
        "eslint": [
          "react/jsx-no-bind"
        ]
      },
      "strategy": {
        "preferred": "regex",
        "fallbacks": [
          "regex"
        ],
        "accuracy": {}
      }
    },
    "R006": {
      "id": "R006",
      "name": "Rule R006",
      "description": "Auto-migrated rule R006 from ESLint mapping",
      "category": "react",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript"
      ],
      "version": "1.0.0",
      "status": "migrated",
      "tags": [
        "migrated"
      ],
      "engineMappings": {
        "eslint": [
          "react/jsx-pascal-case",
          "react/jsx-uses-react",
          "react/jsx-uses-vars"
        ]
      },
      "strategy": {
        "preferred": "regex",
        "fallbacks": [
          "regex"
        ],
        "accuracy": {}
      }
    },
    "R007": {
      "id": "R007",
      "name": "Rule R007",
      "description": "Auto-migrated rule R007 from ESLint mapping",
      "category": "react",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript"
      ],
      "version": "1.0.0",
      "status": "migrated",
      "tags": [
        "migrated"
      ],
      "engineMappings": {
        "eslint": [
          "react-hooks/rules-of-hooks"
        ]
      },
      "strategy": {
        "preferred": "regex",
        "fallbacks": [
          "regex"
        ],
        "accuracy": {}
      }
    },
    "R008": {
      "id": "R008",
      "name": "Rule R008",
      "description": "Auto-migrated rule R008 from ESLint mapping",
      "category": "react",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript"
      ],
      "version": "1.0.0",
      "status": "migrated",
      "tags": [
        "migrated"
      ],
      "engineMappings": {
        "eslint": [
          "react-hooks/rules-of-hooks"
        ]
      },
      "strategy": {
        "preferred": "regex",
        "fallbacks": [
          "regex"
        ],
        "accuracy": {}
      }
    },
    "R009": {
      "id": "R009",
      "name": "Rule R009",
      "description": "Auto-migrated rule R009 from ESLint mapping",
      "category": "react",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript"
      ],
      "version": "1.0.0",
      "status": "migrated",
      "tags": [
        "migrated"
      ],
      "engineMappings": {
        "eslint": [
          "react-hooks/rules-of-hooks"
        ]
      },
      "strategy": {
        "preferred": "regex",
        "fallbacks": [
          "regex"
        ],
        "accuracy": {}
      }
    },
    "S001": {
      "name": "Fail Securely",
      "description": "Verify that if there is an error in access control, the system fails securely",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "eslint",
      "eslintRule": "custom/typescript_s001",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "access-control",
        "fail-safe"
      ],
      "strategy": {
        "preferred": "regex",
        "fallbacks": [
          "regex",
          "ast"
        ],
        "accuracy": {
          "regex": 85,
          "ast": 90
        }
      },
      "analyzerPath": "rules/security/S001_backend_auth_communications"
    },
    "S002": {
      "name": "IDOR Check",
      "description": "Insecure Direct Object Reference prevention",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "eslint",
      "eslintRule": "custom/typescript_s002",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "idor",
        "access-control"
      ],
      "analyzerPath": "rules/security/S002_os_command_injection"
    },
    "S003": {
      "name": "Open Redirect Protection",
      "description": "URL redirects must validate against an allow list to prevent open redirect vulnerabilities",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript",
        "dart"
      ],
      "analyzer": "./rules/security/S003_open_redirect_protection/index.js",
      "config": "./rules/security/S003_open_redirect_protection/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "owasp",
        "injection",
        "open-redirect",
        "phishing",
        "url-validation"
      ],
      "strategy": {
        "preferred": "heuristic",
        "fallbacks": [
          "heuristic"
        ],
        "accuracy": {
          "heuristic": 95
        }
      },
      "engineMappings": {
        "heuristic": [
          "rules/security/S003_open_redirect_protection/index.js"
        ]
      },
      "metadata": {
        "owaspCategory": "A03:2021 - Injection",
        "cweId": "CWE-601",
        "frameworks": [
          "Express",
          "NestJS",
          "Next.js",
          "Nuxt.js",
          "Spring Boot"
        ],
        "detectionPatterns": 28,
        "testCases": 118
      }
    },
    "S004": {
      "name": "Sensitive Data Logging Protection",
      "description": "Prevent logging of sensitive information like passwords, tokens, and payment data without proper redaction",
      "category": "security",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript",
        "dart"
      ],
      "analyzer": "./rules/security/S004_sensitive_data_logging/analyzer.js",
      "config": "./rules/security/S004_sensitive_data_logging/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "owasp",
        "logging",
        "sensitive-data",
        "pii",
        "credentials",
        "data-exposure"
      ],
      "strategy": {
        "preferred": "heuristic",
        "fallbacks": [
          "heuristic"
        ],
        "accuracy": {
          "heuristic": 90
        }
      },
      "engineMappings": {
        "heuristic": [
          "rules/security/S004_sensitive_data_logging/analyzer.js"
        ]
      },
      "metadata": {
        "owaspCategory": "A09:2021 - Security Logging and Monitoring Failures",
        "cweId": "CWE-532",
        "frameworks": [
          "Express",
          "NestJS",
          "Next.js",
          "Nuxt.js",
          "Spring Boot",
          "Winston",
          "Pino",
          "Bunyan"
        ],
        "detectionPatterns": 90,
        "testCases": 45
      }
    },
    "S005": {
      "name": "No Origin Header Authentication",
      "description": "Do not use Origin header for authentication/access control",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "./rules/security/S005_no_origin_auth/analyzer.js",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "authentication",
        "headers"
      ],
      "strategy": {
        "preferred": "ast",
        "fallbacks": [
          "ast",
          "regex"
        ],
        "accuracy": {
          "ast": 95,
          "regex": 85
        }
      },
      "engineMappings": {
        "eslint": [
          "custom/typescript_s005"
        ]
      }
    },
    "S006": {
      "name": "No Plaintext Recovery/Activation Codes",
      "description": "Do not send recovery or activation codes in plaintext",
      "category": "security",
      "severity": "error",
      "languages": [
        "All languages"
      ],
      "analyzer": "./rules/security/S006_no_plaintext_recovery_codes/analyzer.js",
      "config": "./rules/security/S006_no_plaintext_recovery_codes/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "owasp",
        "cryptographic-failures",
        "authentication"
      ],
      "strategy": {
        "preferred": "regex",
        "fallback": "heuristic"
      },
      "engineMappings": {
        "heuristic": "S006_no_plaintext_recovery_codes"
      }
    },
    "S007": {
      "name": "No Plaintext OTP",
      "description": "One-Time Passwords must not be stored in plaintext",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript",
        "dart",
        "kotlin",
        "java",
        "python",
        "go",
        "swift"
      ],
      "analyzer": "./rules/security/S007_no_plaintext_otp/analyzer.js",
      "config": "./rules/security/S007_no_plaintext_otp/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "otp",
        "encryption",
        "owasp",
        "cryptographic-failures",
        "authentication"
      ],
      "strategy": {
        "preferred": "heuristic",
        "fallbacks": [
          "heuristic",
          "regex"
        ],
        "accuracy": {
          "heuristic": 90,
          "regex": 75
        }
      },
      "engineMappings": {
        "heuristic": "S007_no_plaintext_otp"
      }
    },
    "S008": {
      "name": "Crypto Agility",
      "description": "Ensure cryptographic agility and algorithm flexibility",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "eslint",
      "eslintRule": "custom/typescript_s008",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "cryptography",
        "agility"
      ],
      "analyzerPath": "rules/security/S008_svg_content_validation"
    },
    "S009": {
      "name": "No Insecure Crypto",
      "description": "Prevent usage of insecure cryptographic methods",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "eslint",
      "eslintRule": "custom/typescript_s009",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "cryptography",
        "insecure"
      ]
    },
    "S010": {
      "name": "No Insecure Random in Sensitive Context",
      "description": "Prevent insecure random generator usage in sensitive contexts",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "eslint",
      "eslintRule": "custom/typescript_s010",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "random",
        "sensitive"
      ]
    },
    "S011": {
      "name": "No Insecure UUID",
      "description": "UUID must be version 4 and use CSPRNG",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "eslint",
      "eslintRule": "custom/typescript_s011",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "uuid",
        "random"
      ]
    },
    "S012": {
      "name": "Hardcoded Secrets Protection",
      "description": "Detects hardcoded secrets, API keys, passwords, tokens, and credentials in source code to prevent accidental exposure through version control",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "./rules/security/S012_hardcoded_secrets/analyzer.js",
      "config": "./rules/security/S012_hardcoded_secrets/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "owasp",
        "secrets",
        "credentials",
        "cryptographic-failures",
        "hardcoded-secrets",
        "api-keys",
        "passwords",
        "tokens"
      ],
      "strategy": {
        "preferred": "heuristic",
        "fallbacks": [
          "heuristic"
        ],
        "accuracy": {
          "heuristic": 92
        }
      },
      "engineMappings": {
        "heuristic": [
          "rules/security/S012_hardcoded_secrets/analyzer.js"
        ]
      },
      "metadata": {
        "owaspCategory": "A02:2021 - Cryptographic Failures",
        "cweId": "CWE-798",
        "frameworks": [
          "Node.js",
          "Express",
          "NestJS",
          "Next.js",
          "React",
          "Vue",
          "Angular"
        ],
        "secretTypes": [
          "API Keys",
          "Passwords",
          "Access Tokens",
          "Private Keys",
          "JWT Secrets",
          "Database Credentials",
          "OAuth Secrets",
          "AWS Keys",
          "GitHub Tokens",
          "Slack Tokens"
        ],
        "detectionPatterns": 50,
        "testCases": 30
      }
    },
    "S013": {
      "name": "Verify TLS Connection",
      "description": "Verify that TLS connections are properly established and validated",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "eslint",
      "eslintRule": "custom/typescript_s013",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "tls",
        "connection"
      ]
    },
    "S014": {
      "name": "Insecure TLS Version",
      "description": "Prevent usage of insecure TLS versions",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "eslint",
      "eslintRule": "custom/typescript_s014",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "tls",
        "encryption"
      ]
    },
    "S015": {
      "name": "Insecure TLS Certificate",
      "description": "Prevent usage of insecure TLS certificate configurations",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "eslint",
      "eslintRule": "custom/typescript_s015",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "tls",
        "certificates"
      ],
      "strategy": {
        "preferred": "ast",
        "fallbacks": [
          "ast",
          "regex"
        ],
        "accuracy": {
          "ast": 95,
          "regex": 80
        }
      }
    },
    "S016": {
      "name": "Sensitive Query Parameter",
      "description": "Prevent sensitive data in URL query parameters",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "./rules/security/S016_no_sensitive_querystring/analyzer.js",
      "config": "./rules/security/S016_no_sensitive_querystring/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "sensitive-data",
        "url"
      ],
      "strategy": {
        "preferred": "ast",
        "fallbacks": [
          "ast",
          "regex"
        ],
        "accuracy": {
          "ast": 95,
          "regex": 80
        }
      }
    },
    "S017": {
      "name": "No SQL Injection",
      "description": "Prevent SQL injection vulnerabilities",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "./rules/security/S017_use_parameterized_queries/analyzer.js",
      "config": "./rules/security/S017_use_parameterized_queries/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "sql-injection",
        "database"
      ]
    },
    "S018": {
      "name": "Positive Input Validation",
      "description": "Ensure positive input validation patterns",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "eslint",
      "eslintRule": "custom/typescript_s018",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "validation",
        "input"
      ],
      "analyzerPath": "rules/security/S018_no_sensitive_browser_storage"
    },
    "S019": {
      "name": "SMTP Injection Protection",
      "description": "Detects potential SMTP/IMAP injection vulnerabilities by identifying unsanitized user input in email fields and direct SMTP protocol manipulation",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "./rules/security/S019_smtp_injection_protection/analyzer.js",
      "config": "./rules/security/S019_smtp_injection_protection/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "owasp",
        "injection",
        "smtp",
        "email",
        "crlf"
      ],
      "strategy": {
        "preferred": "heuristic",
        "fallbacks": [
          "heuristic"
        ],
        "accuracy": {
          "heuristic": 90
        }
      },
      "engineMappings": {
        "heuristic": [
          "rules/security/S019_smtp_injection_protection/analyzer.js"
        ]
      },
      "metadata": {
        "owaspCategory": "A03:2021 - Injection",
        "cweId": "CWE-93, CWE-144",
        "frameworks": [
          "Node.js",
          "Express",
          "NestJS",
          "Next.js"
        ],
        "emailLibraries": [
          "nodemailer",
          "sendgrid",
          "mailgun",
          "aws-ses",
          "postmark"
        ],
        "detectionTypes": [
          "Unsanitized email fields",
          "SMTP command injection",
          "CRLF injection"
        ],
        "testCases": 40
      }
    },
    "S020": {
      "name": "Avoid using eval() or executing dynamic code",
      "description": "Avoid using eval() or executing dynamic code as it can lead to code injection vulnerabilities and compromise application security.",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "./rules/security/S020_no_eval_dynamic_code/analyzer.js",
      "config": "./rules/security/S020_no_eval_dynamic_code/config.json",
      "version": "1.0.0",
      "status": "experimental",
      "tags": [
        "security",
        "eval",
        "dynamic-execution",
        "code-injection"
      ],
      "strategy": {
        "preferred": "ast",
        "fallbacks": [
          "ast",
          "regex"
        ],
        "accuracy": {
          "ast": 95,
          "regex": 85
        }
      },
      "engineMappings": {
        "heuristic": [
          "rules/security/S020_no_eval_dynamic_code/analyzer.js"
        ]
      }
    },
    "S022": {
      "name": "Output Encoding Required",
      "description": "Require output encoding for user input",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "eslint",
      "eslintRule": "custom/typescript_s022",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "encoding",
        "xss"
      ]
    },
    "S023": {
      "name": "No JSON Injection",
      "description": "Prevent JSON injection vulnerabilities",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "eslint",
      "eslintRule": "custom/typescript_s023",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "json",
        "injection"
      ],
      "strategy": {
        "preferred": "ast",
        "fallbacks": [
          "ast",
          "regex"
        ],
        "accuracy": {
          "ast": 95,
          "regex": 60
        }
      }
    },
    "S024": {
      "name": "Protect against XPath Injection and XML External Entity (XXE)",
      "description": "Protect against XPath Injection and XML External Entity (XXE) attacks. XPath injection occurs when user input is used to construct XPath queries without proper sanitization. XXE attacks exploit XML parsers that process external entities, potentially leading to data disclosure, server-side request forgery, or denial of service.",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "./rules/security/S024_xpath_xxe_protection/analyzer.js",
      "config": "./rules/security/S024_xpath_xxe_protection/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "xpath",
        "xxe",
        "xml",
        "injection",
        "owasp"
      ],
      "strategy": {
        "preferred": "ast",
        "fallbacks": [
          "ast",
          "regex"
        ],
        "accuracy": {
          "ast": 95,
          "regex": 85
        }
      },
      "engineMappings": {
        "heuristic": [
          "rules/security/S024_xpath_xxe_protection/analyzer.js"
        ]
      }
    },
    "S025": {
      "name": "Always validate client-side data on the server",
      "description": "Ensure all client-side data is validated on the server. Client-side validation is not sufficient for security as it can be bypassed by attackers. Server-side validation is mandatory for data integrity and security.",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "./rules/security/S025_server_side_validation/analyzer.js",
      "config": "./rules/security/S025_server_side_validation/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "validation",
        "server-side",
        "owasp",
        "input-validation"
      ],
      "strategy": {
        "preferred": "ast",
        "fallbacks": [
          "ast",
          "regex"
        ],
        "accuracy": {
          "ast": 95,
          "regex": 85
        }
      },
      "engineMappings": {
        "heuristic": [
          "rules/security/S025_server_side_validation/analyzer.js"
        ]
      }
    },
    "S026": {
      "name": "Use TLS encryption for all inbound and outbound connections",
      "description": "Ensure all application connections use encrypted TLS protocol. Detect insecure HTTP, WS, unencrypted database connections, and disabled SSL/TLS settings.",
      "category": "security",
      "severity": "critical",
      "languages": [
        "typescript",
        "javascript",
        "dart"
      ],
      "analyzer": "./rules/security/S026_tls_all_connections/typescript/analyzer.js",
      "config": "./rules/security/S026_tls_all_connections/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "tls",
        "encryption",
        "https",
        "owasp"
      ],
      "strategy": {
        "preferred": "heuristic",
        "fallbacks": [
          "heuristic"
        ],
        "accuracy": {
          "heuristic": 90
        }
      },
      "engineMappings": {
        "heuristic": [
          "rules/security/S026_tls_all_connections/typescript/analyzer.js"
        ]
      }
    },
    "S027": {
      "name": "Validate mTLS client certificates before allowing authenticated operations",
      "description": "Ensure mutual TLS (mTLS) client certificate validation is properly implemented before allowing authenticated operations. Detect missing certificate validation, disabled verification, and improper mTLS configuration.",
      "category": "security",
      "severity": "critical",
      "languages": [
        "typescript",
        "javascript",
        "dart"
      ],
      "analyzer": "./rules/security/S027_mtls_certificate_validation/typescript/analyzer.js",
      "config": "./rules/security/S027_mtls_certificate_validation/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "mtls",
        "certificate",
        "authentication",
        "owasp"
      ],
      "strategy": {
        "preferred": "heuristic",
        "fallbacks": [
          "heuristic"
        ],
        "accuracy": {
          "heuristic": 85
        }
      },
      "engineMappings": {
        "heuristic": [
          "rules/security/S027_mtls_certificate_validation/typescript/analyzer.js"
        ]
      }
    },
    "S028": {
      "name": "Limit upload file size and number of files per user",
      "description": "File uploads must enforce size limits and file quantity limits to prevent resource exhaustion and DoS attacks. Both file size and number of files should be limited at the server-side.",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript",
        "java"
      ],
      "analyzer": "./rules/security/S028_file_upload_size_limits/analyzer.js",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "file-upload",
        "dos-prevention",
        "resource-limits",
        "owasp"
      ]
    },
    "S029": {
      "name": "Require CSRF Protection",
      "description": "Require CSRF protection for state-changing operations",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "eslint",
      "eslintRule": "custom/typescript_s029",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "csrf",
        "protection"
      ]
    },
    "S030": {
      "name": "Disable directory browsing and protect sensitive metadata files",
      "description": "Disable directory browsing and protect sensitive metadata files (.git/, .env, config files, etc.) to prevent information disclosure and potential security vulnerabilities.",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "./rules/security/S030_directory_browsing_protection/analyzer.js",
      "config": "./rules/security/S030_directory_browsing_protection/config.json",
      "version": "1.0.0",
      "status": "experimental",
      "tags": [
        "security",
        "directory-browsing",
        "information-disclosure",
        "metadata-protection"
      ],
      "strategy": {
        "preferred": "ast",
        "fallbacks": [
          "ast",
          "regex"
        ],
        "accuracy": {
          "ast": 90,
          "regex": 75
        }
      },
      "engineMappings": {
        "heuristic": [
          "rules/security/S030_directory_browsing_protection/analyzer.js"
        ]
      }
    },
    "S031": {
      "name": "Set Secure flag for Session Cookies",
      "description": "Set Secure flag for Session Cookies to protect via HTTPS. This ensures cookies are only transmitted over secure connections, preventing interception.",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "./rules/security/S031_secure_session_cookies/analyzer.js",
      "config": "./rules/security/S031_secure_session_cookies/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "cookies",
        "session",
        "https",
        "secure"
      ],
      "strategy": {
        "preferred": "ast",
        "fallbacks": [
          "ast",
          "regex"
        ],
        "accuracy": {
          "ast": 95,
          "regex": 85
        }
      },
      "engineMappings": {
        "heuristic": [
          "rules/security/S031_secure_session_cookies/analyzer.js"
        ]
      }
    },
    "S032": {
      "name": "Set HttpOnly attribute for Session Cookies",
      "description": "Set HttpOnly attribute for Session Cookies to prevent JavaScript access. This limits the impact of XSS attacks by keeping client-side script from reading sensitive cookies; it does not prevent XSS itself.",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "./rules/security/S032_httponly_session_cookies/analyzer.js",
      "config": "./rules/security/S032_httponly_session_cookies/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "cookies",
        "session",
        "httponly",
        "xss"
      ],
      "strategy": {
        "preferred": "ast",
        "fallbacks": [
          "ast",
          "regex"
        ],
        "accuracy": {
          "ast": 95,
          "regex": 85
        }
      },
      "engineMappings": {
        "heuristic": [
          "rules/security/S032_httponly_session_cookies/analyzer.js"
        ]
      }
    },
    "S033": {
      "name": "Set SameSite attribute for Session Cookies",
      "description": "Set SameSite attribute for Session Cookies to reduce CSRF risk. With SameSite=Strict or Lax the browser withholds the cookie on cross-site requests (Lax still sends it on top-level GET navigations), mitigating CSRF attacks; SameSite=None gives no such protection.",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "./rules/security/S033_samesite_session_cookies/analyzer.js",
      "config": "./rules/security/S033_samesite_session_cookies/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "cookies",
        "session",
        "samesite",
        "csrf"
      ],
      "strategy": {
        "preferred": "ast",
        "fallbacks": [
          "ast",
          "regex"
        ],
        "accuracy": {
          "ast": 95,
          "regex": 85
        }
      },
      "engineMappings": {
        "heuristic": [
          "rules/security/S033_samesite_session_cookies/analyzer.js"
        ]
      }
    },
    "S034": {
      "name": "Use __Host- prefix for Session Cookies",
      "description": "Use __Host- prefix for Session Cookies to prevent subdomain sharing. The __Host- prefix ensures cookies are only sent to the exact domain that set them, preventing subdomain cookie sharing attacks.",
      "category": "security",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "./rules/security/S034_host_prefix_session_cookies/analyzer.js",
      "config": "./rules/security/S034_host_prefix_session_cookies/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "cookies",
        "session",
        "host-prefix",
        "subdomain"
      ],
      "strategy": {
        "preferred": "ast",
        "fallbacks": [
          "ast",
          "regex"
        ],
        "accuracy": {
          "ast": 95,
          "regex": 85
        }
      },
      "engineMappings": {
        "heuristic": [
          "rules/security/S034_host_prefix_session_cookies/analyzer.js"
        ]
      }
    },
    "S035": {
      "name": "Host separate applications on different hostnames to leverage same-origin policy",
      "description": "Detect applications that share a hostname or domain, which removes the isolation the browser same-origin policy would otherwise provide. Separate apps should use different hostnames for security isolation.",
      "category": "security",
      "severity": "medium",
      "languages": [
        "typescript",
        "javascript",
        "dart"
      ],
      "analyzer": "./rules/security/S035_separate_app_hostnames/typescript/analyzer.js",
      "config": "./rules/security/S035_separate_app_hostnames/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "same-origin",
        "hostname",
        "isolation",
        "owasp"
      ],
      "strategy": {
        "preferred": "heuristic",
        "fallbacks": [
          "heuristic"
        ],
        "accuracy": {
          "heuristic": 80
        }
      },
      "engineMappings": {
        "heuristic": [
          "rules/security/S035_separate_app_hostnames/typescript/analyzer.js"
        ]
      }
    },
    "S036": {
      "name": "Use internal data for file paths, validate user filenames strictly",
      "description": "Prevent path traversal, LFI, RFI, and SSRF attacks by validating file paths and user-provided filenames. Use allowlists, reject path separators, and resolve paths securely.",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript",
        "dart"
      ],
      "analyzer": "./rules/security/S036_lfi_rfi_protection/typescript/analyzer.js",
      "config": "./rules/security/S036_lfi_rfi_protection/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "file-inclusion",
        "path-traversal",
        "lfi",
        "rfi",
        "owasp"
      ],
      "strategy": {
        "preferred": "heuristic",
        "fallbacks": [
          "heuristic"
        ],
        "accuracy": {
          "heuristic": 85
        }
      },
      "engineMappings": {
        "heuristic": [
          "rules/security/S036_lfi_rfi_protection/typescript/analyzer.js"
        ]
      }
    },
    "S037": {
      "name": "Configure comprehensive cache headers to prevent sensitive data leakage",
      "description": "Configure comprehensive cache headers (Cache-Control: no-store, no-cache, must-revalidate, Pragma: no-cache, Expires: 0) for sensitive responses to avoid caching sensitive data in browsers or intermediaries.",
      "category": "security",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "./rules/security/S037_cache_headers/analyzer.js",
      "config": "./rules/security/S037_cache_headers/config.json",
      "version": "1.0.0",
      "status": "experimental",
      "tags": [
        "security",
        "caching",
        "headers",
        "privacy"
      ],
      "strategy": {
        "preferred": "ast",
        "fallbacks": [
          "ast",
          "regex"
        ],
        "accuracy": {
          "ast": 90,
          "regex": 75
        }
      },
      "engineMappings": {
        "heuristic": [
          "rules/security/S037_cache_headers/analyzer.js"
        ]
      }
    },
    "S038": {
      "name": "Do not expose version information in response headers",
      "description": "Prevent exposure of server version information through response headers (Server, X-Powered-By, X-AspNet-Version, etc.) to reduce information disclosure and potential attack vectors.",
      "category": "security",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "./rules/security/S038_no_version_headers/analyzer.js",
      "config": "./rules/security/S038_no_version_headers/config.json",
      "version": "1.0.0",
      "status": "experimental",
      "tags": [
        "security",
        "information-disclosure",
        "version",
        "headers"
      ],
      "strategy": {
        "preferred": "ast",
        "fallbacks": [
          "ast",
          "regex"
        ],
        "accuracy": {
          "ast": 90,
          "regex": 75
        }
      },
      "engineMappings": {
        "heuristic": [
          "rules/security/S038_no_version_headers/analyzer.js"
        ]
      }
    },
    "S039": {
      "name": "TLS clients must validate server certificates to prevent MitM attacks",
      "description": "Ensure TLS clients properly validate server certificates. Detect disabled certificate verification, missing CA validation, and insecure TLS configurations that allow man-in-the-middle attacks.",
      "category": "security",
      "severity": "critical",
      "languages": [
        "typescript",
        "javascript",
        "dart"
      ],
      "analyzer": "./rules/security/S039_tls_certificate_validation/typescript/analyzer.js",
      "config": "./rules/security/S039_tls_certificate_validation/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "tls",
        "certificate",
        "mitm",
        "owasp"
      ],
      "strategy": {
        "preferred": "heuristic",
        "fallbacks": [
          "heuristic"
        ],
        "accuracy": {
          "heuristic": 90
        }
      },
      "engineMappings": {
        "heuristic": [
          "rules/security/S039_tls_certificate_validation/typescript/analyzer.js"
        ]
      }
    },
    "S041": {
      "name": "Session Tokens must be invalidated after logout or expiration",
      "description": "Session tokens must be properly invalidated after logout or expiration to prevent session hijacking and unauthorized access. This includes clearing session data, invalidating JWT tokens, and ensuring proper session cleanup.",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "./rules/security/S041_session_token_invalidation/analyzer.js",
      "config": "./rules/security/S041_session_token_invalidation/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "session",
        "token",
        "logout",
        "invalidation",
        "owasp"
      ],
      "strategy": {
        "preferred": "ast",
        "fallbacks": [
          "ast",
          "regex"
        ],
        "accuracy": {
          "ast": 95,
          "regex": 85
        }
      },
      "engineMappings": {
        "heuristic": [
          "rules/security/S041_session_token_invalidation/analyzer.js"
        ]
      }
    },
    "S042": {
      "name": "Require Periodic Reauthentication",
      "description": "Require periodic re-authentication for sensitive operations",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "./rules/security/S042_require_re_authentication_for_long_lived/analyzer.js",
      "config": "./rules/security/S042_require_re_authentication_for_long_lived/config.json",
      "eslintRule": "custom/typescript_s042",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "authentication",
        "periodic"
      ]
    },
    "S043": {
      "name": "Terminate Sessions on Password Change",
      "description": "Terminate all sessions when password changes",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "./rules/security/S043_password_changes_invalidate_all_sessions/analyzer.js",
      "config": "./rules/security/S043_password_changes_invalidate_all_sessions/config.json",
      "eslintRule": "custom/typescript_s043",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "session",
        "password"
      ]
    },
    "S044": {
      "name": "Re-authentication Required for Sensitive Operations",
      "description": "Require re-authentication before performing sensitive operations such as password changes, email changes, profile updates, and other critical account modifications. This prevents unauthorized access to sensitive account functions even if a session is compromised.",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "./rules/security/S044_re_authentication_required/analyzer.js",
      "config": "./rules/security/S044_re_authentication_required/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "authentication",
        "re-authentication",
        "sensitive-operations",
        "owasp"
      ],
      "strategy": {
        "preferred": "ast",
        "fallbacks": [
          "ast",
          "regex"
        ],
        "accuracy": {
          "ast": 95,
          "regex": 85
        }
      },
      "engineMappings": {
        "heuristic": [
          "rules/security/S044_re_authentication_required/analyzer.js"
        ]
      }
    },
    "S045": {
      "name": "Brute-force Protection",
      "description": "Implement protection against brute-force attacks on authentication endpoints. This rule detects missing rate limiting, account lockout mechanisms, and other brute-force protection measures in authentication flows.",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "./rules/security/S045_brute_force_protection/analyzer.js",
      "config": "./rules/security/S045_brute_force_protection/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "authentication",
        "brute-force",
        "rate-limiting",
        "owasp"
      ],
      "strategy": {
        "preferred": "heuristic",
        "fallbacks": [
          "heuristic"
        ],
        "accuracy": {
          "heuristic": 95
        }
      },
      "engineMappings": {
        "heuristic": "rules/security/S045_brute_force_protection/analyzer.js"
      }
    },
    "S046": {
      "name": "Use explicit algorithm allowlist for JWT verification",
      "description": "Ensure JWT verification uses an explicit algorithm allowlist to prevent algorithm confusion attacks. Detect missing or weak algorithm configurations in JWT libraries.",
      "category": "security",
      "severity": "critical",
      "languages": [
        "typescript",
        "javascript",
        "dart"
      ],
      "analyzer": "./rules/security/S046_jwt_algorithm_allowlist/typescript/analyzer.js",
      "config": "./rules/security/S046_jwt_algorithm_allowlist/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "jwt",
        "algorithm",
        "authentication",
        "owasp"
      ],
      "strategy": {
        "preferred": "heuristic",
        "fallbacks": [
          "heuristic"
        ],
        "accuracy": {
          "heuristic": 90
        }
      },
      "engineMappings": {
        "heuristic": [
          "rules/security/S046_jwt_algorithm_allowlist/typescript/analyzer.js"
        ]
      }
    },
    "S047": {
      "name": "Use PKCE protection for OAuth flows to prevent authorization code interception",
      "description": "Ensure OAuth implementations use PKCE (Proof Key for Code Exchange) to protect against authorization code interception attacks, especially for public clients and mobile apps.",
      "category": "security",
      "severity": "critical",
      "languages": [
        "typescript",
        "javascript",
        "dart"
      ],
      "analyzer": "./rules/security/S047_oauth_pkce_protection/typescript/analyzer.js",
      "config": "./rules/security/S047_oauth_pkce_protection/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "oauth",
        "pkce",
        "authorization",
        "owasp"
      ],
      "strategy": {
        "preferred": "heuristic",
        "fallbacks": [
          "heuristic"
        ],
        "accuracy": {
          "heuristic": 85
        }
      },
      "engineMappings": {
        "heuristic": [
          "rules/security/S047_oauth_pkce_protection/typescript/analyzer.js"
        ]
      }
    },
    "S048": {
      "name": "Validate OAuth redirect URIs with exact string comparison",
      "description": "Ensure OAuth redirect URIs are validated using exact string comparison to prevent open redirect vulnerabilities. Detect loose pattern matching, regex-based validation, or missing validation.",
      "category": "security",
      "severity": "critical",
      "languages": [
        "typescript",
        "javascript",
        "dart"
      ],
      "analyzer": "./rules/security/S048_oauth_redirect_uri_validation/typescript/analyzer.js",
      "config": "./rules/security/S048_oauth_redirect_uri_validation/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "oauth",
        "redirect",
        "validation",
        "owasp"
      ],
      "strategy": {
        "preferred": "heuristic",
        "fallbacks": [
          "heuristic"
        ],
        "accuracy": {
          "heuristic": 85
        }
      },
      "engineMappings": {
        "heuristic": [
          "rules/security/S048_oauth_redirect_uri_validation/typescript/analyzer.js"
        ]
      }
    },
    "S049": {
      "name": "Authentication tokens should have short validity periods",
      "description": "Authentication tokens (JWT, session tokens, etc.) should have appropriately short validity periods to limit how long a compromised token remains usable. Long-lived tokens increase the attack surface and potential impact of token theft.",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "./rules/security/S049_short_validity_tokens/analyzer.js",
      "config": "./rules/security/S049_short_validity_tokens/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "authentication",
        "tokens",
        "jwt",
        "session",
        "owasp"
      ],
      "strategy": {
        "preferred": "ast",
        "fallbacks": [
          "ast",
          "regex"
        ],
        "accuracy": {
          "ast": 90,
          "regex": 75
        }
      },
      "engineMappings": {
        "heuristic": [
          "rules/security/S049_short_validity_tokens/analyzer.js"
        ]
      }
    },
    "S050": {
      "name": "Reference tokens must have at least 128-bit entropy using CSPRNG",
      "description": "Ensure reference tokens (session IDs, API tokens, etc.) have sufficient entropy (at least 128 bits) and are generated using cryptographically secure pseudo-random number generators (CSPRNG).",
      "category": "security",
      "severity": "critical",
      "languages": [
        "typescript",
        "javascript",
        "dart"
      ],
      "analyzer": "./rules/security/S050_reference_tokens_entropy/typescript/analyzer.js",
      "config": "./rules/security/S050_reference_tokens_entropy/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "tokens",
        "entropy",
        "csprng",
        "owasp"
      ],
      "strategy": {
        "preferred": "heuristic",
        "fallbacks": [
          "heuristic"
        ],
        "accuracy": {
          "heuristic": 85
        }
      },
      "engineMappings": {
        "heuristic": [
          "rules/security/S050_reference_tokens_entropy/typescript/analyzer.js"
        ]
      }
    },
    "S051": {
      "name": "Password length policy enforcement (12-64 chars recommended, reject >128)",
      "description": "Enforce strong password length policies with multi-signal detection. Prevent weak validators, missing limits, and frontend/backend (FE/BE) mismatches.",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "./rules/security/S051_password_length_policy/analyzer.js",
      "config": "./rules/security/S051_password_length_policy/config.json",
      "eslintRule": "custom/typescript_s051",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "password",
        "validation",
        "length",
        "policy"
      ],
      "engineMappings": {
        "eslint": [
          "custom/typescript_s051"
        ],
        "heuristic": [
          "./rules/security/S051_password_length_policy/analyzer.js"
        ]
      }
    },
    "S052": {
      "name": "OTP must have ≥20-bit entropy (≥6 digits) and use CSPRNG",
      "description": "Prevent guessable OTPs by enforcing a CSPRNG and a minimum entropy. Ban non-cryptographic RNGs and codes that are too short.",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "./rules/security/S052_weak_otp_entropy/analyzer.js",
      "config": "./rules/security/S052_weak_otp_entropy/config.json",
      "eslintRule": "custom/typescript_s052",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "otp",
        "entropy",
        "csprng"
      ],
      "engines": {
        "eslint": [
          "custom/typescript_s052"
        ],
        "heuristic": [
          "./rules/security/S052_weak_otp_entropy/analyzer.js"
        ]
      }
    },
    "S053": {
      "name": "Return generic error messages, hide internal details from users",
      "description": "Prevent exposure of internal error details (stack traces, SQL errors, file paths) to users. Return generic error messages while logging full details server-side.",
      "category": "security",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript",
        "dart"
      ],
      "analyzer": "./rules/security/S053_generic_error_messages/typescript/analyzer.js",
      "config": "./rules/security/S053_generic_error_messages/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "error-handling",
        "information-disclosure",
        "owasp"
      ],
      "strategy": {
        "preferred": "heuristic",
        "fallbacks": [
          "heuristic"
        ],
        "accuracy": {
          "heuristic": 85
        }
      },
      "engineMappings": {
        "heuristic": [
          "rules/security/S053_generic_error_messages/typescript/analyzer.js"
        ]
      }
    },
    "S054": {
      "name": "Disallow Default/Built-in Accounts (admin/root/sa/...)",
      "description": "Prevent use of default or shared accounts. Enforce per-user identities, initial password change, and disabling well-known built-ins.",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript",
        "sql",
        "terraform",
        "yaml",
        "dockerfile",
        "all"
      ],
      "analyzer": "./rules/security/S054_no_default_accounts/analyzer.js",
      "config": "./rules/security/S054_no_default_accounts/config.json",
      "eslintRule": "custom/typescript_s054",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "accounts",
        "default",
        "authentication",
        "authorization"
      ],
      "engines": {
        "eslint": [
          "custom/typescript_s054"
        ],
        "heuristic": [
          "./rules/security/S054_no_default_accounts/analyzer.js"
        ]
      }
    },
    "S055": {
      "name": "REST Content-Type Verification",
      "description": "Verify incoming Content-Type in REST API endpoints",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "./rules/security/S055_content_type_validation/analyzer.js",
      "config": "./rules/security/S055_content_type_validation/config.json",
      "eslintRule": "custom/typescript_s055",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "rest",
        "content-type"
      ]
    },
    "S056": {
      "name": "Protect against Log Injection attacks",
      "description": "Protect against Log Injection attacks. Log injection occurs when user-controlled data is written to log files without proper sanitization, potentially allowing attackers to manipulate log entries, inject malicious content, or exploit log processing systems.",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "./rules/security/S056_log_injection_protection/analyzer.js",
      "config": "./rules/security/S056_log_injection_protection/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "logging",
        "injection",
        "owasp",
        "crlf"
      ],
      "strategy": {
        "preferred": "ast",
        "fallbacks": [
          "ast",
          "regex"
        ],
        "accuracy": {
          "ast": 95,
          "regex": 85
        }
      },
      "engineMappings": {
        "heuristic": [
          "rules/security/S056_log_injection_protection/analyzer.js"
        ]
      }
    },
    "S057": {
      "name": "Log with UTC Timestamps",
      "description": "Ensure all logs use synchronized UTC time with ISO 8601/RFC3339 format to avoid timezone discrepancies across systems",
      "category": "security",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "./rules/security/S057_utc_logging/analyzer.js",
      "config": "./rules/security/S057_utc_logging/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "logging",
        "timezone",
        "utc"
      ],
      "engineMappings": {
        "eslint": [
          "custom/typescript_s057"
        ],
        "heuristic": [
          "./rules/security/S057_utc_logging/analyzer.js"
        ]
      }
    },
    "S058": {
      "name": "No SSRF (Server-Side Request Forgery)",
      "description": "Prevent SSRF attacks by validating URLs from user input before making HTTP requests",
      "category": "security",
      "severity": "error",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "./rules/security/S058_no_ssrf/analyzer.js",
      "config": "./rules/security/S058_no_ssrf/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "ssrf",
        "url-validation",
        "http-requests"
      ],
      "engineMappings": {
        "heuristic": [
          "./rules/security/S058_no_ssrf/analyzer.js"
        ],
        "eslint": [
          "custom/typescript_s058"
        ]
      }
    },
    "S059": {
      "name": "Disable debug modes and features in production environments",
      "description": "Ensure debug modes, verbose logging, and development-only features are disabled in production. Detect hardcoded DEBUG flags, exposed debug endpoints, and development configurations.",
      "category": "security",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript",
        "dart"
      ],
      "analyzer": "./rules/security/S059_disable_debug_mode/typescript/analyzer.js",
      "config": "./rules/security/S059_disable_debug_mode/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "debug",
        "production",
        "configuration",
        "owasp"
      ],
      "strategy": {
        "preferred": "heuristic",
        "fallbacks": [
          "heuristic"
        ],
        "accuracy": {
          "heuristic": 85
        }
      },
      "engineMappings": {
        "heuristic": [
          "rules/security/S059_disable_debug_mode/typescript/analyzer.js"
        ]
      }
    },
    "S060": {
      "name": "Enforce minimum password length of 8 characters, recommend 15+",
      "description": "Ensure password validation enforces a minimum length of at least 8 characters (NIST recommendation). Detect weak password length requirements and missing length validation.",
      "category": "security",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript",
        "dart"
      ],
      "analyzer": "./rules/security/S060_password_minimum_length/typescript/analyzer.js",
      "config": "./rules/security/S060_password_minimum_length/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "password",
        "authentication",
        "nist",
        "owasp"
      ],
      "strategy": {
        "preferred": "heuristic",
        "fallbacks": [
          "heuristic"
        ],
        "accuracy": {
          "heuristic": 85
        }
      },
      "engineMappings": {
        "heuristic": [
          "rules/security/S060_password_minimum_length/typescript/analyzer.js"
        ]
      }
    },
    "T002": {
      "id": "T002",
      "name": "Rule T002",
      "description": "Auto-migrated rule T002 from ESLint mapping",
      "category": "typescript",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript"
      ],
      "version": "1.0.0",
      "status": "migrated",
      "tags": [
        "migrated"
      ],
      "engineMappings": {
        "eslint": [
          "custom/interface-prefix-i"
        ]
      },
      "strategy": {
        "preferred": "regex",
        "fallbacks": [
          "regex"
        ],
        "accuracy": {}
      }
    },
    "T003": {
      "id": "T003",
      "name": "Rule T003",
      "description": "Auto-migrated rule T003 from ESLint mapping",
      "category": "typescript",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript"
      ],
      "version": "1.0.0",
      "status": "migrated",
      "tags": [
        "migrated"
      ],
      "engineMappings": {
        "eslint": [
          "custom/ts-ignore-reason"
        ]
      },
      "strategy": {
        "preferred": "regex",
        "fallbacks": [
          "regex"
        ],
        "accuracy": {}
      }
    },
    "T004": {
      "id": "T004",
      "name": "Rule T004",
      "description": "Auto-migrated rule T004 from ESLint mapping",
      "category": "typescript",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript"
      ],
      "version": "1.0.0",
      "status": "migrated",
      "tags": [
        "migrated"
      ],
      "engineMappings": {
        "eslint": [
          "custom/no-empty-type"
        ]
      },
      "strategy": {
        "preferred": "regex",
        "fallbacks": [
          "regex"
        ],
        "accuracy": {}
      }
    },
    "T007": {
      "id": "T007",
      "name": "Rule T007",
      "description": "Auto-migrated rule T007 from ESLint mapping",
      "category": "typescript",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript"
      ],
      "version": "1.0.0",
      "status": "migrated",
      "tags": [
        "migrated"
      ],
      "engineMappings": {
        "eslint": [
          "custom/no-fn-in-constructor"
        ]
      },
      "strategy": {
        "preferred": "regex",
        "fallbacks": [
          "regex"
        ],
        "accuracy": {}
      }
    },
    "T010": {
      "id": "T010",
      "name": "Rule T010",
      "description": "Auto-migrated rule T010 from ESLint mapping",
      "category": "typescript",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript"
      ],
      "version": "1.0.0",
      "status": "migrated",
      "tags": [
        "migrated"
      ],
      "engineMappings": {
        "eslint": [
          "custom/no-nested-union-tuple"
        ]
      },
      "strategy": {
        "preferred": "regex",
        "fallbacks": [
          "regex"
        ],
        "accuracy": {}
      }
    },
    "T019": {
      "id": "T019",
      "name": "Rule T019",
      "description": "Auto-migrated rule T019 from ESLint mapping",
      "category": "typescript",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript"
      ],
      "version": "1.0.0",
      "status": "migrated",
      "tags": [
        "migrated"
      ],
      "engineMappings": {
        "eslint": [
          "custom/no-this-assign"
        ]
      },
      "strategy": {
        "preferred": "regex",
        "fallbacks": [
          "regex"
        ],
        "accuracy": {}
      }
    },
    "T020": {
      "id": "T020",
      "name": "Rule T020",
      "description": "Auto-migrated rule T020 from ESLint mapping",
      "category": "typescript",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript"
      ],
      "version": "1.0.0",
      "status": "migrated",
      "tags": [
        "migrated"
      ],
      "engineMappings": {
        "eslint": [
          "custom/no-default-multi-export"
        ]
      },
      "strategy": {
        "preferred": "regex",
        "fallbacks": [
          "regex"
        ],
        "accuracy": {}
      }
    },
    "T021": {
      "id": "T021",
      "name": "Rule T021",
      "description": "Auto-migrated rule T021 from ESLint mapping",
      "category": "typescript",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript"
      ],
      "version": "1.0.0",
      "status": "migrated",
      "tags": [
        "migrated"
      ],
      "engineMappings": {
        "eslint": [
          "custom/limit-nested-generics"
        ]
      },
      "strategy": {
        "preferred": "regex",
        "fallbacks": [
          "regex"
        ],
        "accuracy": {}
      }
    },
    "S021": {
      "name": "Referrer Policy",
      "description": "Set Referrer-Policy to prevent sensitive data leakage via Referer header",
      "category": "security",
      "severity": "warning",
      "languages": [
        "typescript",
        "javascript"
      ],
      "analyzer": "heuristic",
      "analyzerPath": "rules/security/S021_referrer_policy",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "security",
        "headers",
        "privacy"
      ]
    },
    "D001": {
      "id": "D001",
      "name": "Recommended Lint Rules Should Be Enabled",
      "description": "Ensure recommended lint rules from flutter_lints or very_good_analysis are enabled in analysis_options.yaml with appropriate severity",
      "category": "dart",
      "severity": "warning",
      "languages": [
        "dart"
      ],
      "analyzer": "dart",
      "config": "./rules/dart/D001_recommended_lint_rules/config.json",
      "version": "1.0.0",
      "status": "stable",
      "tags": [
        "dart",
        "flutter",
        "lint",
        "best-practices",
        "code-quality"
      ],
      "strategy": {
        "preferred": "dart",
        "fallbacks": [],
        "accuracy": {
          "dart": 95
        }
      },
      "engineMappings": {
        "dart": [
          "D001_recommended_lint_rules"
        ]
      }
    }
  }
}