JS-824 Add rule S7639 (#5919)

Author: loris-s-sonarsource

its/ruling/src/test/expected/jsts/file-for-rules/javascript-S1451.json

@@ -209,6 +209,9 @@
 "file-for-rules:S6859.js": [
 0
 ],
+"file-for-rules:S7639.js": [
+0
+],
 "file-for-rules:boundOrAssignedEvalOrArguments.js": [
 0
 ]

its/ruling/src/test/expected/jsts/file-for-rules/javascript-S7639.json

@@ -0,0 +1,5 @@
+{
+"file-for-rules:S7639.js": [
+3
+]
+}

its/sources/jsts/custom/S7639.js

@@ -0,0 +1,4 @@
+import { HDNodeWallet } from 'ethers';
+
+const mnemonic = 'Powerful Burning Muppets Betrayed Clerks Meanwhile Superb Spies Denounced Silly Leeks Cautiously'; // Noncompliant
+const mnemonicWallet = HDNodeWallet.fromPhrase(mnemonic);

packages/jsts/src/rules/S7639/cb.fixture.ts

@@ -0,0 +1,36 @@
+import { Wallet, HDNodeWallet } from 'ethers';
+import { mnemonicToAccount } from 'viem/accounts';
+import TronWeb from 'tronweb';
+
+// Variable used instead of hardcoded string
+const seedPhrase = process.env.SEED_PHRASE;
+const wallet = Wallet.fromPhrase(seedPhrase);
+
+// Function call result used
+const wallet = Wallet.fromPhrase(getSeedPhrase());
+
+// No arguments passed
+const wallet = Wallet.fromPhrase();
+
+// Template literal with expression
+const account = mnemonicToAccount(`${getPhrase()}`);
+
+// Ethers with hardcoded string literal
+const wallet = Wallet.fromPhrase("Round Outgoing Yanni Gripped Buoyant Iodine Victoriously"); // Noncompliant {{Revoke and change this seed phrase, as it is compromised.}}
+
+// Viem with hardcoded string
+const account = mnemonicToAccount('test test test test test test test test test test test junk'); // Noncompliant {{Revoke and change this seed phrase, as it is compromised.}}
+
+// TronWeb with hardcoded string
+const wallet = TronWeb.fromMnemonic("candy sugar pudding cream honey rich smooth crumble sweet treat"); // Noncompliant {{Revoke and change this seed phrase, as it is compromised.}}
+
+// Template literal without expressions
+const wallet = Wallet.fromPhrase(`abandon abandon abandon abandon abandon abandon abandon abandon about`); // Noncompliant {{Revoke and change this seed phrase, as it is compromised.}}
+
+// CommonJS require
+const ethers = require('ethers');
+const wallet = ethers.HDNodeWallet.fromPhrase("fake test test test test test test test test test test junk"); // Noncompliant {{Revoke and change this seed phrase, as it is compromised.}}
+
+// HDNodeWallet with named import and variable assignment
+const mnemonic = 'Pigeons Petted Bushes Effectively Once Krusty Defeated Grapes'; // Noncompliant {{Revoke and change this seed phrase, as it is compromised.}}
+const mnemonicWallet = HDNodeWallet.fromPhrase(mnemonic);

packages/jsts/src/rules/S7639/cb.test.ts

@@ -0,0 +1,25 @@
+/*
+ * SonarQube JavaScript Plugin
+ * Copyright (C) 2011-2025 SonarSource Sàrl
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+// https://sonarsource.github.io/rspec/#/rspec/S7639/javascript
+import { test } from '../../../tests/tools/testers/comment-based/checker.js';
+import { rule } from './index.js';
+import { describe } from 'node:test';
+import * as meta from './generated-meta.js';
+
+describe(`Rule S7639`, () => {
+  test(meta, rule, import.meta.dirname);
+});

packages/jsts/src/rules/S7639/index.ts

@@ -0,0 +1,17 @@
+/*
+ * SonarQube JavaScript Plugin
+ * Copyright (C) 2011-2025 SonarSource Sàrl
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+export { rule } from './rule.js';

packages/jsts/src/rules/S7639/meta.ts

@@ -0,0 +1,19 @@
+/*
+ * SonarQube JavaScript Plugin
+ * Copyright (C) 2011-2025 SonarSource Sàrl
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+// https://sonarsource.github.io/rspec/#/rspec/S7639/javascript
+export const implementation = 'original';
+export const eslintId = 'review-blockchain-mnemonic';

packages/jsts/src/rules/S7639/rule.ts

@@ -0,0 +1,117 @@
+/*
+ * SonarQube JavaScript Plugin
+ * Copyright (C) 2011-2025 SonarSource Sàrl
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+// https://sonarsource.github.io/rspec/#/rspec/S7639/javascript
+
+import type { Rule } from 'eslint';
+import type estree from 'estree';
+import {
+  generateMeta,
+  isIdentifier,
+  isMemberWithProperty,
+  isRequireModule,
+} from '../helpers/index.js';
+import * as meta from './generated-meta.js';
+
+const BLOCKCHAIN_MODULES = ['ethers', 'viem/accounts', 'tronweb'];
+const MNEMONIC_FUNCTIONS = ['fromPhrase', 'mnemonicToAccount', 'fromMnemonic'];
+
+export const rule: Rule.RuleModule = {
+  meta: generateMeta(meta, {
+    messages: {
+      reviewBlockchainSeedPhrase: `Revoke and change this seed phrase, as it is compromised.`,
+    },
+  }),
+  create(context: Rule.RuleContext) {
+    let isBlockchainModuleImported = false;
+    const hardcodedVariables = new Map<string, estree.Node>();
+
+    function isHardcodedString(expr: estree.Expression): boolean {
+      switch (expr.type) {
+        case 'Literal':
+          return typeof expr.value === 'string';
+        case 'TemplateLiteral':
+          return expr.expressions.length === 0;
+        case 'Identifier':
+          return hardcodedVariables.has(expr.name);
+        default:
+          return false;
+      }
+    }
+
+    function getReportNode(expr: estree.Expression): estree.Node {
+      // If it's an identifier that references a hardcoded string, report the original declaration
+      if (expr.type === 'Identifier' && hardcodedVariables.has(expr.name)) {
+        const nodeName = hardcodedVariables.get(expr.name);
+        if (nodeName) {
+          return nodeName;
+        }
+      }
+      return expr;
+    }
+
+    function isMnemonicFunction(callee: estree.Expression | estree.Super): boolean {
+      return MNEMONIC_FUNCTIONS.some(
+        func => isMemberWithProperty(callee, func) || isIdentifier(callee, func),
+      );
+    }
+
+    return {
+      Program() {
+        isBlockchainModuleImported = false;
+        hardcodedVariables.clear();
+      },
+
+      ImportDeclaration(node: estree.ImportDeclaration) {
+        if (BLOCKCHAIN_MODULES.includes(node.source.value as string)) {
+          isBlockchainModuleImported = true;
+        }
+      },
+
+      VariableDeclarator(node: estree.VariableDeclarator) {
+        if (
+          isBlockchainModuleImported &&
+          node.id.type === 'Identifier' &&
+          node.init &&
+          ((node.init.type === 'Literal' && typeof node.init.value === 'string') ||
+            (node.init.type === 'TemplateLiteral' && node.init.expressions.length === 0))
+        ) {
+          hardcodedVariables.set(node.id.name, node.init);
+        }
+      },
+
+      CallExpression(node: estree.CallExpression) {
+        if (isRequireModule(node, ...BLOCKCHAIN_MODULES)) {
+          isBlockchainModuleImported = true;
+          return;
+        }
+
+        if (
+          isBlockchainModuleImported &&
+          isMnemonicFunction(node.callee) &&
+          node.arguments.length > 0 &&
+          node.arguments[0].type !== 'SpreadElement' &&
+          isHardcodedString(node.arguments[0])
+        ) {
+          context.report({
+            messageId: 'reviewBlockchainSeedPhrase',
+            node: getReportNode(node.arguments[0]),
+          });
+        }
+      },
+    };
+  },
+};