{ "ruleId": "S011", "name": "Secure GUID Generation", "description": "GUIDs used for security purposes must be generated according to the UUID v4 standard using a CSPRNG", "category": "security", "severity": "error", "languages": ["All languages"], "tags": [ "security", "owasp", "cryptographic-failures", "uuid", "guid", "randomness" ], "enabled": true, "fixable": false, "engine": "heuristic", "metadata": { "owaspCategory": "A02:2021 - Cryptographic Failures", "cweId": "CWE-338", "description": "Using weak or predictable methods to generate GUIDs/UUIDs for security purposes (session tokens, API keys, reset tokens) can lead to security vulnerabilities. Security-critical GUIDs must be generated using UUID v4 with a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG).", "impact": "High - Session hijacking, token prediction, unauthorized access", "likelihood": "Medium", "remediation": "Use UUID v4 with CSPRNG-backed libraries: crypto.randomUUID() (Node.js 14.17+), the uuid library's v4(), or equivalent secure random generators" }, "patterns": { "vulnerable": [ "Using Math.random() for GUID generation", "Using Date.now() or timestamp-based GUIDs for security tokens", "Using non-cryptographic UUID libraries", "Using UUID v1 (time-based) for security purposes", "Custom GUID generation without CSPRNG" ], "secure": [ "crypto.randomUUID() for Node.js 14.17+", "uuid v4 library with proper CSPRNG", "crypto.randomBytes() for custom implementation", "Platform-specific secure random: SecureRandom (Java), secrets (Python)" ] }, "examples": { "violations": [ "const sessionId = Math.random().toString(36);", "const token = Date.now() + '-' + Math.random();", "const apiKey = uuidv1(); // Time-based UUID", "const resetToken = generateGuid(); // Custom weak implementation" ], "fixes": [ "const sessionId = crypto.randomUUID();", "const token = require('uuid').v4();", "const apiKey = crypto.randomBytes(32).toString('hex');", "const resetToken = crypto.randomUUID();" ] } }