npm - @critiq/rules - Versions diffs - 0.0.1 → 0.1.0 - Mend

@critiq/rules 0.0.1 → 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (204) hide show

package/rules/go/go.testing.t-skip-without-ticket-reference.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.testing.t-skip-without-ticket-reference
+  title: t.Skip should cite a ticket or suppression
+  summary: Go tests that call t.Skip without a nearby tracker reference are easy to forget.
+  rationale: Skips without traceability tend to linger and hide regressions.
+  tags:
+    - testing
+    - go
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+match:
+  fact:
+    kind: go.testing.t-skip-without-ticket-reference
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: medium
+    confidence: 0.7
+    tags:
+      - testing
+      - go
+  message:
+    title: Add a ticket reference to `${captures.issue.text}`
+    summary: "`t.Skip` is used without an adjacent issue key or accepted suppression comment."
+  remediation:
+    summary: Link the skip to a tracker id or document why the suite is intentionally bypassed.

package/rules/go/go.testing.time-sleep-in-unit-test.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.testing.time-sleep-in-unit-test
+  title: Avoid time.Sleep in Go unit tests
+  summary: Sleeping in _test.go files slows CI and hides synchronization bugs.
+  rationale: Prefer fake clocks, polling helpers, or integration suites for real delays.
+  tags:
+    - testing
+    - go
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+match:
+  fact:
+    kind: go.testing.time-sleep-in-unit-test
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: low
+    confidence: 0.62
+    tags:
+      - testing
+      - go
+  message:
+    title: Replace `time.Sleep` in unit tests
+    summary: "`${captures.issue.text}` blocks a goroutine on real wall-clock time."
+  remediation:
+    summary: Inject a clock interface, shorten waits, or move the scenario to an integration test harness.

package/rules/java/java.performance.no-regex-construction-in-loop.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.performance.no-regex-construction-in-loop
+  title: Avoid no regex construction in loop
+  summary: Performance hygiene signal for java sources.
+  rationale: Performance hygiene signal for java sources.
+  tags:
+    - performance
+    - java
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+match:
+  fact:
+    kind: java.performance.no-regex-construction-in-loop
+    bind: issue
+emit:
+  finding:
+    category: performance.allocation
+    severity: medium
+    confidence: 0.66
+    tags:
+      - performance
+      - java
+  message:
+    title: Avoid no regex construction in loop in `java` code
+    summary: "`${captures.issue.text}` matches java.performance.no-regex-construction-in-loop."
+  remediation:
+    summary: Refactor this path to reduce avoidable runtime overhead.

package/rules/java/java.performance.no-sync-fs-in-request-path.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.performance.no-sync-fs-in-request-path
+  title: Avoid no sync fs in request path
+  summary: Performance hygiene signal for java sources.
+  rationale: Performance hygiene signal for java sources.
+  tags:
+    - performance
+    - java
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+match:
+  fact:
+    kind: java.performance.no-sync-fs-in-request-path
+    bind: issue
+emit:
+  finding:
+    category: performance.io
+    severity: high
+    confidence: 0.66
+    tags:
+      - performance
+      - java
+  message:
+    title: Avoid no sync fs in request path in `java` code
+    summary: "`${captures.issue.text}` matches java.performance.no-sync-fs-in-request-path."
+  remediation:
+    summary: Refactor this path to reduce avoidable runtime overhead.

package/rules/java/java.performance.no-unbounded-concurrency.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.performance.no-unbounded-concurrency
+  title: Avoid no unbounded concurrency
+  summary: Performance hygiene signal for java sources.
+  rationale: Performance hygiene signal for java sources.
+  tags:
+    - performance
+    - java
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+match:
+  fact:
+    kind: java.performance.no-unbounded-concurrency
+    bind: issue
+emit:
+  finding:
+    category: performance.async
+    severity: medium
+    confidence: 0.66
+    tags:
+      - performance
+      - java
+  message:
+    title: Avoid no unbounded concurrency in `java` code
+    summary: "`${captures.issue.text}` matches java.performance.no-unbounded-concurrency."
+  remediation:
+    summary: Refactor this path to reduce avoidable runtime overhead.

package/rules/java/java.security.android-screenshot-exposure.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.android-screenshot-exposure
+  title: Protect sensitive Android screens from screenshots and recents
+  summary: Sensitive activities should enable FLAG_SECURE or avoid clearing it so screen content is harder to capture.
+  rationale: Finance, authentication, and secret-bearing screens can leak through screenshots, screen recording, and recent-task previews when FLAG_SECURE is missing or cleared.
+  tags:
+    - security
+    - privacy
+    - android
+    - rules-catalog
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - java
+match:
+  fact:
+    kind: security.android-screenshot-exposure
+    bind: issue
+emit:
+  finding:
+    category: security.privacy
+    severity: high
+    confidence: 0.82
+    tags:
+      - security
+      - privacy
+      - android
+  message:
+    title: Harden Android UI capture policy for `${captures.issue.text}`
+    summary: "`${captures.issue.text}` appears on a sensitive Android surface without an effective FLAG_SECURE posture."
+  remediation:
+    summary: Enable FLAG_SECURE for sensitive screens, avoid clearing it at runtime, and document exceptions only after explicit threat modeling.

package/rules/java/java.security.android-world-readable-mode.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.android-world-readable-mode
+  title: Avoid Android world-readable or world-writable IO modes
+  summary: Context files and shared preferences must not use MODE_WORLD_READABLE or MODE_WORLD_WRITABLE.
+  rationale: Legacy Android modes expose application data to other packages on the device and break sandbox expectations for secrets.
+  tags:
+    - security
+    - privacy
+    - android
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+match:
+  fact:
+    kind: security.android-world-readable-mode
+    bind: issue
+emit:
+  finding:
+    category: security.privacy
+    severity: high
+    confidence: 0.95
+    tags:
+      - security
+      - storage
+      - android
+  message:
+    title: Replace unsafe Android IO mode in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` opts into MODE_WORLD_READABLE or MODE_WORLD_WRITABLE, which weakens app sandbox isolation."
+  remediation:
+    summary: Use MODE_PRIVATE or scoped storage APIs instead of world-readable or world-writable modes.

package/rules/java/java.security.jpa-concatenated-query.rule.yaml ADDED Viewed

@@ -0,0 +1,47 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.jpa-concatenated-query
+  title: Do not build JPA or JDBC queries by concatenating user-controlled input
+  summary: >-
+    `createQuery`, `createNativeQuery`, `JdbcTemplate` calls, and string-based `@Query` values must not stitch SQL with request data using `+`, `String.format`, or similar.
+  rationale: >-
+    Dynamic SQL built from untrusted fragments is a direct injection surface; parameterized queries and named parameters are the safe default.
+  tags:
+    - security
+    - java
+    - jpa
+    - jdbc
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.security.jpa-concatenated-query
+    bind: issue
+emit:
+  finding:
+    category: security.sql-injection
+    severity: critical
+    confidence: 0.84
+    tags:
+      - security
+      - java
+      - sql-injection
+  message:
+    title: Replace dynamic SQL construction in `${captures.issue.text}`
+    summary: >-
+      `${captures.issue.text}` builds a query from concatenated or formatted fragments; bind parameters instead of embedding user-controlled text.
+  remediation:
+    summary: >-
+      Use JPQL named parameters, `CriteriaUpdate`, or prepared JDBC statements with bound parameters; never interpolate request values into query text.

package/rules/java/java.security.reflected-output-from-request.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.reflected-output-from-request
+  title: Avoid reflecting servlet request data through response writers
+  summary: Servlet writers should not emit raw request parameters or headers without encoding or policy checks.
+  rationale: Writing request-controlled strings directly into HTTP responses is a common reflected XSS vector for servlet stacks.
+  tags:
+    - security
+    - xss
+    - servlet
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+match:
+  fact:
+    kind: security.java-reflected-output-from-request
+    bind: issue
+emit:
+  finding:
+    category: security.injection
+    severity: high
+    confidence: 0.76
+    tags:
+      - security
+      - xss
+      - servlet
+  message:
+    title: Encode or validate output before `${captures.issue.text}`
+    summary: "`${captures.issue.text}` forwards request-derived content through the servlet response writer without an obvious encoding guard."
+  remediation:
+    summary: Contextually encode output for HTML or JSON consumers, validate redirect-like flows separately, and prefer templating APIs that auto-escape.

package/rules/java/java.security.servlet-insecure-cookie.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.servlet-insecure-cookie
+  title: Harden servlet session and auth cookies
+  summary: Session-like cookies must not disable HttpOnly or Secure, and explicit insecure builder flags should be removed.
+  rationale: Missing HttpOnly and Secure flags expose cookies to XSS and network interception; disabling them makes theft materially easier.
+  tags:
+    - security
+    - session
+    - servlet
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+match:
+  fact:
+    kind: security.servlet-insecure-cookie
+    bind: issue
+emit:
+  finding:
+    category: security.authentication
+    severity: high
+    confidence: 0.78
+    tags:
+      - security
+      - cookie
+      - servlet
+  message:
+    title: Review insecure cookie construction in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` builds or adjusts cookies with risky defaults or explicitly weakened HttpOnly/Secure flags."
+  remediation:
+    summary: Prefer ResponseCookie with Secure and HttpOnly enabled, SameSite appropriate for your topology, and minimize lifetime on authentication cookies.

package/rules/java/java.security.spring-actuator-health-details-always.rule.yaml ADDED Viewed

@@ -0,0 +1,40 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.spring-actuator-health-details-always
+  title: Avoid always-on Spring Boot health details in external profiles
+  summary: >-
+    `management.endpoint.health.show-details=always` (or YAML equivalent) publishes detailed health payloads to any caller, which often leaks dependency and infrastructure facts.
+  rationale: >-
+    Detailed health should be reserved for authenticated operators or internal networks; `always` removes that gate for anonymous clients.
+  tags:
+    - security
+    - java
+    - spring-boot
+    - actuator
+    - rules-catalog
+  stability: experimental
+  appliesTo: file
+scope:
+  languages:
+    - java
+match:
+  fact:
+    kind: java.security.spring-actuator-health-details-always
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: medium
+    confidence: 0.76
+    tags:
+      - security
+      - java
+      - actuator
+  message:
+    title: Scope health detail visibility for `${captures.issue.text}`
+    summary: >-
+      `${captures.issue.text}` always exposes detailed health information; prefer `when-authorized` or role-based access outside tightly controlled environments.
+  remediation:
+    summary: >-
+      Switch to `when-authorized`, protect `/actuator/**` with Spring Security, and keep verbose health on internal-only ports or profiles.

package/rules/java/java.security.spring-actuator-sensitive-exposure.rule.yaml ADDED Viewed

@@ -0,0 +1,40 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.spring-actuator-sensitive-exposure
+  title: Restrict Spring Boot actuator web exposure to non-sensitive endpoints
+  summary: >-
+    Actuator `management.endpoints.web.exposure.include` should not expose wildcards or high-risk endpoints (such as `env`, `beans`, or `heapdump`) without deliberate access control.
+  rationale: >-
+    Over-exposed actuators leak configuration, secrets material, and JVM internals that attackers can use to pivot or crash the service.
+  tags:
+    - security
+    - java
+    - spring-boot
+    - actuator
+    - rules-catalog
+  stability: experimental
+  appliesTo: file
+scope:
+  languages:
+    - java
+match:
+  fact:
+    kind: java.security.spring-actuator-sensitive-exposure
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: high
+    confidence: 0.8
+    tags:
+      - security
+      - java
+      - actuator
+  message:
+    title: Narrow actuator exposure for `${captures.issue.text}`
+    summary: >-
+      `${captures.issue.text}` exposes sensitive actuator endpoints; enumerate only what you need and protect them with authentication and network controls.
+  remediation:
+    summary: >-
+      Replace wildcards with explicit endpoint lists, move sensitive endpoints off public networks, and pair exposure with Spring Security rules or management port isolation.

package/rules/java/java.security.spring-csrf-globally-disabled.rule.yaml ADDED Viewed

@@ -0,0 +1,49 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.spring-csrf-globally-disabled
+  title: Avoid disabling Spring CSRF protection without a stateless API hardening story
+  summary: >-
+    Disabling CSRF globally is unsafe for cookie-backed browser sessions unless the app is clearly hardened as a stateless API (for example OAuth2 resource server with stateless sessions).
+  rationale: >-
+    CSRF protects browser clients that send session cookies; turning it off without token-based or stateless mitigations invites cross-site request forgery against privileged actions.
+  tags:
+    - security
+    - java
+    - spring
+    - spring-security
+    - csrf
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.security.spring-csrf-globally-disabled
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: high
+    confidence: 0.78
+    tags:
+      - security
+      - java
+      - spring-security
+      - csrf
+  message:
+    title: Revisit CSRF configuration near `${captures.issue.text}`
+    summary: >-
+      `${captures.issue.text}` disables CSRF; keep it enabled for session-backed MVC, or move to explicit stateless API patterns and document the threat model.
+  remediation:
+    summary: >-
+      Prefer CSRF tokens for cookie sessions, use `oauth2ResourceServer` with JWT for APIs, or set `SessionCreationPolicy.STATELESS` with a reviewed token story instead of blanket `csrf().disable()`.

package/rules/java/java.security.spring-debug-exposure.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.spring-debug-exposure
+  title: Avoid Spring Boot debug and actuator exposure in shipped configuration
+  summary: Spring Boot configuration should not force debug logging or wildcard actuator exposure.
+  rationale: Debug modes and fully exposed actuator endpoints leak internals and expand remote attack surface when configs ship to production.
+  tags:
+    - security
+    - spring
+    - configuration
+    - rules-catalog
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - java
+match:
+  fact:
+    kind: security.spring-debug-exposure
+    bind: issue
+emit:
+  finding:
+    category: security.secrets
+    severity: medium
+    confidence: 0.8
+    tags:
+      - security
+      - spring
+      - disclosure
+  message:
+    title: Tighten Spring configuration near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` enables verbose debugging or permissive actuator exposure that should stay out of production defaults."
+  remediation:
+    summary: Remove debug=true overrides, scope logging levels deliberately, and enumerate only required actuator endpoints behind authentication.

package/rules/java/java.security.spring-permit-all-default.rule.yaml ADDED Viewed

@@ -0,0 +1,47 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.spring-permit-all-default
+  title: Avoid Spring Security chains that leave every request anonymous by default
+  summary: >-
+    Production HTTP security chains should not end with a broad permit-all fallback such as `anyRequest().permitAll()` or `requestMatchers("/**").permitAll()`.
+  rationale: >-
+    Anonymous-by-default authorization lets unauthenticated callers reach handlers that were meant to be protected, which often leads to broken access control and data exposure.
+  tags:
+    - security
+    - java
+    - spring
+    - spring-security
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.security.spring-permit-all-default
+    bind: issue
+emit:
+  finding:
+    category: security.authentication
+    severity: high
+    confidence: 0.82
+    tags:
+      - security
+      - java
+      - spring-security
+  message:
+    title: Tighten Spring Security authorization instead of `${captures.issue.text}`
+    summary: >-
+      `${captures.issue.text}` leaves requests broadly permitted; require authentication or explicit scoped rules for non-public routes.
+  remediation:
+    summary: >-
+      Replace broad permit-all with authenticated or role-based rules, keep public paths explicit, and add integration tests that assert unauthorized access is rejected.

package/rules/java/java.security.spring-webmvc-unrestricted-data-binding.rule.yaml ADDED Viewed

@@ -0,0 +1,47 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.spring-webmvc-unrestricted-data-binding
+  title: Constrain Spring MVC data binding for domain objects
+  summary: >-
+    Binding request parameters directly into entity-like models without `setAllowedFields` / `@InitBinder` controls risks mass-assignment privilege escalation.
+  rationale: >-
+    Attackers can post unexpected fields (for example `role=admin`) that map onto persistent entities unless binding is explicitly allow-listed.
+  tags:
+    - security
+    - java
+    - spring-mvc
+    - mass-assignment
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.security.spring-webmvc-unrestricted-data-binding
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: high
+    confidence: 0.74
+    tags:
+      - security
+      - java
+      - spring-mvc
+  message:
+    title: Add binding guards instead of `${captures.issue.text}`
+    summary: >-
+      `${captures.issue.text}` suggests unconstrained binding; use DTOs, `@InitBinder#setAllowedFields`, or constructor binding with immutable commands.
+  remediation:
+    summary: >-
+      Prefer dedicated request DTOs, declare allowed fields explicitly, and avoid binding security-sensitive properties from raw requests.

package/rules/java/java.security.template-unescaped-user-output.rule.yaml ADDED Viewed

@@ -0,0 +1,49 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.template-unescaped-user-output
+  title: Escape template output that reflects request or model data
+  summary: >-
+    Thymeleaf `th:utext`, JSP scriptlets, and FreeMarker `?no_esc` patterns must not render untrusted request or model values without an explicit sanitization strategy.
+  rationale: >-
+    Non-escaped template sinks turn reflected input into XSS, which compromises browser sessions and administrative workflows.
+  tags:
+    - security
+    - java
+    - templates
+    - xss
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.html"
+      - "**/*.htm"
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.security.template-unescaped-user-output
+    bind: issue
+emit:
+  finding:
+    category: security.injection
+    severity: high
+    confidence: 0.8
+    tags:
+      - security
+      - java
+      - xss
+  message:
+    title: Prefer escaped template output instead of `${captures.issue.text}`
+    summary: >-
+      `${captures.issue.text}` renders template content without default escaping; switch to escaped directives or sanitize with a trusted library.
+  remediation:
+    summary: >-
+      Use Thymeleaf `th:text`, avoid raw JSP expressions for request data, and keep FreeMarker auto-escaping on unless a vetted sanitizer wraps dynamic HTML.