@codacy/gate-cli 0.1.0 → 0.3.0

package/data/skills/gate-setup/patterns-reference.yaml

@@ -0,0 +1,586 @@
+# GATE.md — Patterns Reference
+# Research-backed catalog used by /gate-setup to synthesize project Standards.
+# This is NOT a Standard — it is the reference from which Standards are built.
+
+# =============================================================================
+# 1. Quality Dimensions (always 4)
+# =============================================================================
+
+quality_dimensions:
+  - id: comprehensibility
+    description: "Code readable in one context load"
+    signals:
+      - metric: file_length
+        threshold: 300
+        unit: lines
+        rationale: "AI context windows degrade on large files (>300 lines ~ 3,000 tokens)"
+        source: "Stanford 'Lost in the Middle' — >30% accuracy drop for mid-context info"
+      - metric: cyclomatic_complexity
+        threshold: 15
+        unit: per_function
+        rationale: "Complexity-aware feedback improves AI Pass@1 by 35.71%"
+        source: "Multiple studies on CCN and LLM performance"
+      - metric: function_length
+        threshold: 50
+        unit: lines
+        rationale: "Short functions are easier for agents to modify safely"
+      - metric: naming_quality
+        tool: ai
+        rationale: "Descriptive names: 34.2% AI match rate vs 16.6% obfuscated (r=0.945)"
+        source: "JetBrains AI-Friendly Code Report"
+
+  - id: modularity
+    description: "Modify one concern without touching 3+ files"
+    signals:
+      - metric: single_responsibility
+        tool: ai
+        rationale: "AI performance drops sharply at 3+ files requiring modification"
+        source: "CodeScene, JetBrains, Factory.ai, Marmelab consensus"
+      - metric: shallow_abstractions
+        tool: ai
+        rationale: "LLMs achieve only 38.81% accuracy on design pattern recognition"
+        source: "Deep inheritance vs shallow composition studies"
+
+  - id: type_safety
+    description: "Type system catches errors before runtime"
+    signals:
+      - metric: strict_types
+        languages: [typescript, python]
+        rationale: ">50% reduction in compilation errors with type constraints"
+        source: "ETH Zurich type annotation study"
+        rules_by_language:
+          typescript:
+            tool: eslint
+            rules:
+              - "@typescript-eslint/no-explicit-any"
+              - "@typescript-eslint/explicit-function-return-type"
+          python:
+            tool: ruff
+            rules:
+              - "ANN001"  # missing type annotation for function argument
+              - "ANN201"  # missing return type annotation
+
+  - id: test_adequacy
+    description: "Tests define expected behavior for agents"
+    signals:
+      - metric: test_coverage
+        threshold: 80
+        unit: percent
+        ai_threshold: 90
+        rationale: "SonarQube recommends 90% for AI-generated code (vs 80% human)"
+        source: "SonarQube AI code quality guidelines"
+      - metric: test_quality
+        tool: ai
+        rationale: "Tests are the primary safety net for AI agents"
+        source: "OpenObserve: AI test agents grew 380 to 700+ tests, 85% flaky reduction"
+
+# =============================================================================
+# 2. Security Patterns (always all 7)
+# =============================================================================
+
+security_patterns:
+  # --- Critical severity (tool-enforceable) ---
+
+  - id: no-hardcoded-secrets
+    description: "No secrets, API keys, passwords, or tokens in source code"
+    severity: critical
+    cwe: [CWE-798]
+    enforced_by:
+      - tool: Trivy
+        config:
+          scanners: [secret]
+      - tool: Semgrep
+        rules: [generic.secrets]
+    secrets_patterns:
+      - name: AWS Access Key
+        pattern: 'AKIA[0-9A-Z]{16}'
+      - name: AWS Secret Key
+        pattern: '(?i)aws_secret_access_key\s*[:=]\s*[A-Za-z0-9/+=]{40}'
+      - name: GitHub Token
+        pattern: '(ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9_]{36,}'
+      - name: Generic API Key
+        pattern: '(?i)(api[_-]?key|apikey|api[_-]?secret)\s*[:=]\s*[''""][A-Za-z0-9+/=]{20,}[''""]'
+      - name: Database URL
+        pattern: '(postgres|mysql|mongodb|redis)://[^\s''"]{10,}'
+      - name: Private Key
+        pattern: '-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----'
+      - name: JWT Secret
+        pattern: '(?i)(jwt[_-]?secret|jwt[_-]?key)\s*[:=]\s*[''""][^''"]{8,}[''""]'
+      - name: Slack Token
+        pattern: 'xox[bpors]-[0-9]{10,}-[A-Za-z0-9-]+'
+      - name: Stripe Key
+        pattern: '(sk|pk)_(test|live)_[A-Za-z0-9]{24,}'
+
+  - id: input-sanitization
+    description: "All user input validated and sanitized before use"
+    severity: critical
+    cwe: [CWE-20, CWE-80, CWE-89, CWE-117]
+    enforced_by:
+      - tool: Semgrep
+        rules:
+          - typescript.express.security
+          - python.flask.security
+          - python.django.security
+
+  - id: parameterized-queries
+    description: "Database queries use parameters, never string concatenation"
+    severity: critical
+    cwe: [CWE-89]
+    enforced_by:
+      - tool: Semgrep
+        rules:
+          - javascript.lang.security.audit.sqli
+          - python.lang.security.audit.sqli
+
+  # --- High severity (mixed tool + AI) ---
+
+  - id: dependency-verification
+    description: "No known-vulnerable dependencies"
+    severity: high
+    cwe: [CWE-1395]
+    enforced_by:
+      - tool: Trivy
+        config:
+          scanners: [vuln]
+          severity: [HIGH, CRITICAL]
+
+  - id: no-unsafe-deserialization
+    description: "No unsafe deserialization of untrusted data"
+    severity: high
+    cwe: [CWE-502]
+    enforced_by:
+      - tool: Semgrep
+        rules:
+          - python.lang.security.deserialization
+          - java.lang.security.deserialization
+
+  - id: access-control-checks
+    description: "Authorization verified on all sensitive operations"
+    severity: high
+    cwe: [CWE-639]
+    enforced_by: []  # AI-only — requires business context
+
+  - id: config-file-integrity
+    description: "Configuration files not manipulable by untrusted input"
+    severity: high
+    cwe: [CWE-15]
+    enforced_by: []  # AI-only
+
+# =============================================================================
+# 3. Language-Specific Security Anti-Patterns
+# =============================================================================
+
+language_security_patterns:
+  typescript:
+    - pattern: "eval()"
+      risk: "Arbitrary code execution"
+      cwe: CWE-94
+    - pattern: "innerHTML ="
+      risk: "Cross-site scripting (XSS)"
+      cwe: CWE-79
+    - pattern: "child_process.exec()"
+      risk: "Command injection"
+      cwe: CWE-78
+    - pattern: "new Function()"
+      risk: "Dynamic code generation"
+      cwe: CWE-94
+    - pattern: "document.write()"
+      risk: "DOM-based XSS"
+      cwe: CWE-79
+    - pattern: "String concatenation in SQL"
+      risk: "SQL injection"
+      cwe: CWE-89
+
+  python:
+    - pattern: "exec() / eval()"
+      risk: "Arbitrary code execution"
+      cwe: CWE-94
+    - pattern: "pickle.loads()"
+      risk: "Unsafe deserialization"
+      cwe: CWE-502
+    - pattern: "subprocess(shell=True)"
+      risk: "Command injection"
+      cwe: CWE-78
+    - pattern: "yaml.load() without SafeLoader"
+      risk: "Unsafe YAML deserialization"
+      cwe: CWE-502
+    - pattern: "os.system()"
+      risk: "Command injection"
+      cwe: CWE-78
+    - pattern: "f-string in SQL"
+      risk: "SQL injection"
+      cwe: CWE-89
+
+  go:
+    - pattern: "fmt.Sprintf in SQL"
+      risk: "SQL injection"
+      cwe: CWE-89
+    - pattern: "exec.Command with user input"
+      risk: "Command injection"
+      cwe: CWE-78
+    - pattern: "template.HTML()"
+      risk: "XSS via unescaped HTML"
+      cwe: CWE-79
+    - pattern: "net/http without TLS"
+      risk: "Cleartext transmission"
+      cwe: CWE-319
+
+  java:
+    - pattern: "Runtime.exec()"
+      risk: "Command injection"
+      cwe: CWE-78
+    - pattern: "ObjectInputStream.readObject()"
+      risk: "Unsafe deserialization"
+      cwe: CWE-502
+    - pattern: "Statement.execute() with concatenation"
+      risk: "SQL injection"
+      cwe: CWE-89
+    - pattern: "XMLParser without disabling external entities"
+      risk: "XXE injection"
+      cwe: CWE-611
+
+# =============================================================================
+# 4. Critical File Patterns (paths deserving deeper review)
+# =============================================================================
+
+critical_file_patterns:
+  - "auth/**"
+  - "middleware/**"
+  - "config/**"
+  - ".env*"
+  - "Dockerfile*"
+  - "docker-compose*"
+  - "migrations/**"
+  - "api/**"
+  - "routes/**"
+  - "security/**"
+  - "crypto/**"
+  - "**/secrets*"
+  - "**/credentials*"
+  - "*.pem"
+  - "*.key"
+
+# =============================================================================
+# 5. OWASP Top 10 (2021) Mapping
+# =============================================================================
+
+owasp_mapping:
+  A01_Broken_Access_Control:
+    standard_patterns: [access-control-checks]
+    description: "Missing or improper authorization checks"
+
+  A02_Cryptographic_Failures:
+    standard_patterns: [no-hardcoded-secrets, config-file-integrity]
+    description: "Weak crypto, exposed secrets, insecure transmission"
+
+  A03_Injection:
+    standard_patterns: [parameterized-queries, input-sanitization]
+    description: "SQL, NoSQL, OS, LDAP injection"
+
+  A04_Insecure_Design:
+    standard_patterns: [access-control-checks]
+    description: "Missing security controls in design"
+
+  A05_Security_Misconfiguration:
+    standard_patterns: [config-file-integrity, dependency-verification]
+    description: "Default configs, unnecessary features, missing hardening"
+
+  A06_Vulnerable_Components:
+    standard_patterns: [dependency-verification]
+    description: "Known CVEs in dependencies"
+
+  A07_Auth_Failures:
+    standard_patterns: [access-control-checks, no-hardcoded-secrets]
+    description: "Broken authentication, weak credentials"
+
+  A08_Software_Integrity:
+    standard_patterns: [dependency-verification, no-unsafe-deserialization]
+    description: "Untrusted data deserialization, compromised dependencies"
+
+  A09_Logging_Failures:
+    standard_patterns: [input-sanitization]
+    description: "Insufficient logging, log injection"
+
+  A10_SSRF:
+    standard_patterns: [input-sanitization]
+    description: "Server-side request forgery"
+
+# =============================================================================
+# 6. Tool Recommendations by Language
+#    Adapter IDs match @codacy/analysis-cli (from CODACY-ANALYSIS-CLI.md)
+# =============================================================================
+
+tool_recommendations:
+  typescript:
+    lightweight: [Trivy]
+    balanced: [ESLint9, Semgrep, Trivy]
+    thorough: [ESLint9, Semgrep, Trivy, Lizard]
+
+  javascript:
+    lightweight: [Trivy]
+    balanced: [ESLint9, Semgrep, Trivy]
+    thorough: [ESLint9, Semgrep, Trivy, Lizard]
+
+  python:
+    lightweight: [Trivy]
+    balanced: [Ruff, Semgrep, Trivy]
+    thorough: [Ruff, Semgrep, Bandit, Trivy, Lizard]
+
+  go:
+    lightweight: [Trivy]
+    balanced: [Semgrep, Trivy]
+    thorough: [Semgrep, Trivy, Lizard]
+
+  java:
+    lightweight: [Trivy]
+    balanced: [PMD7, Semgrep, Trivy]
+    thorough: [PMD7, Checkstyle, Semgrep, Trivy, Lizard]
+
+  kotlin:
+    lightweight: [Trivy]
+    balanced: [detekt, Semgrep, Trivy]
+    thorough: [detekt, Semgrep, Trivy]
+
+  ruby:
+    lightweight: [Trivy]
+    balanced: [Semgrep, Trivy]
+    thorough: [Semgrep, Trivy, Lizard]
+
+  rust:
+    lightweight: [Trivy]
+    balanced: [Semgrep, Trivy]
+    thorough: [Semgrep, Trivy]
+
+  c:
+    lightweight: [Trivy]
+    balanced: [cppcheck, Semgrep, Trivy]
+    thorough: [cppcheck, flawfinder, Semgrep, Trivy, Lizard]
+
+  cpp:
+    lightweight: [Trivy]
+    balanced: [cppcheck, Semgrep, Trivy]
+    thorough: [cppcheck, flawfinder, Semgrep, Trivy, Lizard]
+
+  shell:
+    lightweight: []
+    balanced: [shellcheck]
+    thorough: [shellcheck]
+
+  dockerfile:
+    lightweight: [Trivy]
+    balanced: [Hadolint, Trivy]
+    thorough: [Hadolint, Trivy]
+
+# =============================================================================
+# 7. Analysis Modes
+# =============================================================================
+
+analysis_modes:
+  lightweight:
+    description: "Critical security only. Fastest (~3s)."
+    tools: "Trivy only"
+    patterns: "Critical security patterns"
+
+  balanced:
+    description: "Security + key quality. Good balance (~8s)."
+    tools: "Trivy + 1-2 language-specific tools"
+    patterns: "Curated high-signal patterns only (see curated_patterns below)"
+
+  thorough:
+    description: "All tools, all rules. Most comprehensive (~15s)."
+    tools: "All applicable tools"
+    patterns: "Curated patterns + tool defaults for secondary tools"
+
+# =============================================================================
+# 8. Curated Patterns Per Tool
+#    IMPORTANT: patterns: [] means ALL defaults (thousands of rules, massive
+#    token consumption and slow runs). Always use these curated lists instead.
+#    Pattern IDs match @codacy/analysis-cli patternId format.
+# =============================================================================
+
+curated_patterns:
+
+  # --- ESLint9 (2900+ available → ~25 high-signal) ---
+  ESLint9:
+    description: "Security + error-prone + TypeScript strictness. Skips style/formatting."
+    patterns:
+      # Security (MUST have)
+      - patternId: "no-eval"
+      - patternId: "no-implied-eval"
+      - patternId: "no-new-func"
+      - patternId: "no-script-url"
+      # Error-prone (high value)
+      - patternId: "no-unused-vars"
+      - patternId: "no-undef"
+      - patternId: "no-unreachable"
+      - patternId: "no-constant-condition"
+      - patternId: "no-dupe-keys"
+      - patternId: "no-duplicate-case"
+      - patternId: "no-fallthrough"
+      - patternId: "no-self-assign"
+      - patternId: "no-self-compare"
+      - patternId: "use-isnan"
+      - patternId: "valid-typeof"
+      - patternId: "no-loss-of-precision"
+      - patternId: "no-unsafe-optional-chaining"
+      # TypeScript (if applicable)
+      - patternId: "@typescript-eslint/no-explicit-any"
+      - patternId: "@typescript-eslint/no-unused-vars"
+      - patternId: "@typescript-eslint/no-unsafe-assignment"
+      - patternId: "@typescript-eslint/no-unsafe-call"
+      - patternId: "@typescript-eslint/no-unsafe-return"
+      # Best practice
+      - patternId: "eqeqeq"
+      - patternId: "no-var"
+      - patternId: "prefer-const"
+
+  # --- Semgrep / Opengrep (2517 available → security-focused subset) ---
+  # Semgrep patterns use registry rule IDs. These target OWASP Top 10.
+  Semgrep:
+    description: "Security-only: injection, XSS, secrets, auth. No style rules."
+    patterns:
+      # Injection (SQL, NoSQL, command)
+      - patternId: "javascript.lang.security.audit.sqli.node-sequelize-sqli"
+      - patternId: "javascript.lang.security.audit.sqli.node-knex-sqli"
+      - patternId: "typescript.lang.security.audit.sqli.node-sequelize-sqli"
+      - patternId: "python.lang.security.audit.sqli.raw-query"
+      - patternId: "python.django.security.injection.sql.sql-injection"
+      - patternId: "go.lang.security.audit.sqli.gosql-sqli"
+      - patternId: "java.lang.security.audit.sqli.jdbc-sqli"
+      # Command injection
+      - patternId: "javascript.lang.security.audit.command-injection"
+      - patternId: "python.lang.security.audit.dangerous-subprocess-use"
+      # XSS
+      - patternId: "javascript.browser.security.insufficient-postmessage-origin-validation"
+      - patternId: "javascript.lang.security.audit.unsafe-html"
+      # Secrets
+      - patternId: "generic.secrets.security.detected-generic-api-key"
+      - patternId: "generic.secrets.security.detected-aws-account-id"
+      # Deserialization
+      - patternId: "python.lang.security.deserialization.avoid-pickle"
+      - patternId: "python.lang.security.deserialization.avoid-yaml-load"
+      # Auth
+      - patternId: "javascript.express.security.audit.express-jwt-not-revoked"
+      - patternId: "javascript.jsonwebtoken.security.jwt-hardcode"
+
+  # --- Trivy (6 umbrella patterns → use all, already minimal) ---
+  Trivy:
+    description: "Vulnerability + secret scanning. Already minimal at 6 patterns."
+    patterns:
+      - patternId: "trivy_vuln"
+      - patternId: "trivy_secret"
+      - patternId: "trivy_config"
+      - patternId: "trivy_license"
+
+  # --- Ruff (773 available → ~20 high-signal) ---
+  Ruff:
+    description: "Python errors + security. Skips style/formatting (use formatter instead)."
+    patterns:
+      # Pyflakes — error-prone
+      - patternId: "F401"    # unused import
+      - patternId: "F811"    # redefined unused name
+      - patternId: "F841"    # unused variable
+      - patternId: "F821"    # undefined name
+      # Bugbear — likely bugs
+      - patternId: "B006"    # mutable default argument
+      - patternId: "B007"    # unused loop variable
+      - patternId: "B018"    # useless expression
+      # Security
+      - patternId: "S101"    # assert used (not for prod)
+      - patternId: "S102"    # exec used
+      - patternId: "S103"    # bad file permissions
+      - patternId: "S104"    # hardcoded bind all interfaces
+      - patternId: "S105"    # hardcoded password string
+      - patternId: "S106"    # hardcoded password argument
+      - patternId: "S107"    # hardcoded password default
+      - patternId: "S108"    # hardcoded temp file
+      - patternId: "S110"    # try-except-pass
+      - patternId: "S301"    # pickle usage
+      - patternId: "S608"    # SQL injection via string formatting
+      # Type annotations (if desired)
+      - patternId: "ANN001"  # missing type annotation for function argument
+      - patternId: "ANN201"  # missing return type annotation
+
+  # --- ShellCheck (491 available → ~15 high-signal) ---
+  shellcheck:
+    description: "Quoting, globbing, and error-prone shell patterns."
+    patterns:
+      - patternId: "shellcheck_SC2086"   # double quote to prevent globbing/splitting
+      - patternId: "shellcheck_SC2046"   # quote to prevent word splitting
+      - patternId: "shellcheck_SC2006"   # use $() instead of backticks
+      - patternId: "shellcheck_SC2034"   # variable unused
+      - patternId: "shellcheck_SC2064"   # use single quotes for trap
+      - patternId: "shellcheck_SC2155"   # declare and assign separately
+      - patternId: "shellcheck_SC2164"   # use cd ... || exit
+      - patternId: "shellcheck_SC2181"   # check exit code directly
+      - patternId: "shellcheck_SC2162"   # read without -r
+      - patternId: "shellcheck_SC2002"   # useless cat
+      - patternId: "shellcheck_SC2004"   # unnecessary $ in arithmetic
+      - patternId: "shellcheck_SC2116"   # useless echo
+      - patternId: "shellcheck_SC2148"   # missing shebang
+      - patternId: "shellcheck_SC2229"   # command not found (typo)
+
+  # --- Bandit (78 available → ~10 high-signal) ---
+  Bandit:
+    description: "Python security only."
+    patterns:
+      - patternId: "B101"    # assert used
+      - patternId: "B102"    # exec used
+      - patternId: "B103"    # set_bad_file_permissions
+      - patternId: "B104"    # hardcoded_bind_all_interfaces
+      - patternId: "B105"    # hardcoded_password_string
+      - patternId: "B301"    # pickle usage
+      - patternId: "B303"    # insecure hash (md5/sha1)
+      - patternId: "B608"    # SQL injection
+      - patternId: "B602"    # subprocess with shell=True
+      - patternId: "B501"    # request with verify=False
+
+  # --- PMD7 (424 available → ~12 high-signal) ---
+  PMD7:
+    description: "Java error-prone + security. No style rules."
+    patterns:
+      - patternId: "UnusedLocalVariable"
+      - patternId: "UnusedPrivateField"
+      - patternId: "UnusedPrivateMethod"
+      - patternId: "EmptyCatchBlock"
+      - patternId: "AvoidReassigningParameters"
+      - patternId: "CloseResource"
+      - patternId: "CompareObjectsWithEquals"
+      - patternId: "EqualsNull"
+      - patternId: "MissingBreakInSwitch"
+      - patternId: "NullAssignment"
+      - patternId: "ReturnEmptyCollectionRatherThanNull"
+      - patternId: "SimplifiedTernary"
+
+  # --- detekt (296 available → ~10 high-signal) ---
+  detekt:
+    description: "Kotlin error-prone + complexity."
+    patterns:
+      - patternId: "EmptyCatchBlock"
+      - patternId: "SwallowedException"
+      - patternId: "UnusedPrivateMember"
+      - patternId: "MagicNumber"
+      - patternId: "ComplexMethod"
+      - patternId: "LongMethod"
+      - patternId: "TooManyFunctions"
+      - patternId: "ReturnCount"
+      - patternId: "ThrowsCount"
+      - patternId: "MaxLineLength"
+
+  # --- Lizard (12 available → all, already minimal) ---
+  Lizard:
+    description: "Complexity metrics only. Already minimal."
+    patterns: []  # All 12 patterns — they are all complexity metrics
+
+  # --- Hadolint (99 available → ~8 high-signal) ---
+  Hadolint:
+    description: "Dockerfile best practices."
+    patterns:
+      - patternId: "DL3006"   # always tag the version of an image
+      - patternId: "DL3007"   # using latest is error-prone
+      - patternId: "DL3008"   # pin versions in apt-get
+      - patternId: "DL3009"   # delete apt-get lists
+      - patternId: "DL3018"   # pin versions in apk add
+      - patternId: "DL3025"   # use JSON for CMD
+      - patternId: "DL3028"   # pin versions in gem install
+      - patternId: "DL4006"   # set SHELL option -o pipefail