npm - @critiq/rules - Versions diffs - 0.0.2 → 0.2.0 - Mend

@critiq/rules 0.0.2 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (396) hide show

package/rules/go/go.security.tar-path-traversal.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.tar-path-traversal
+  title: Sanitize archive entry paths before writing to disk
+  summary: >-
+    Tar extraction must normalize `header.Name` with `filepath.Base` or `filepath.Clean` before opening destination files.
+  rationale: >-
+    Writing `hdr.Name` directly enables `../` traversal that escapes intended extraction directories.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-22
+      title: Path Traversal
+    - kind: owasp
+      title: Path Traversal
+      url: https://owasp.org/www-community/attacks/Path_Traversal
+  tags:
+    - security
+    - go
+    - archive
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.tar-path-traversal
+    bind: issue
+emit:
+  finding:
+    category: security.filesystem
+    severity: high
+    confidence: 0.8
+    tags:
+      - security
+      - go
+      - archive
+  message:
+    title: Normalize tar entry paths in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` opens a filesystem path using raw tar header names without `filepath.Base`/`filepath.Clean`."
+  remediation:
+    summary: >-
+      Join destinations using a fixed root with `filepath.Join`, reject absolute paths, and always apply `filepath.Base` before `os.Create`.

package/rules/go/go.security.template-unescaped-request-value.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.template-unescaped-request-value
+  title: Avoid feeding request data into trusted template types
+  summary: >-
+    `template.HTML`, `template.JS`, and `template.CSS` should not wrap request-derived strings unless they were sanitized first.
+  rationale: >-
+    Trusted template types disable escaping and turn reflected input into cross-site scripting when executed in browsers.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - templates
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.template-unescaped-request-value
+    bind: issue
+emit:
+  finding:
+    category: security.output-encoding
+    severity: high
+    confidence: 0.8
+    tags:
+      - security
+      - go
+      - templates
+  message:
+    title: Sanitize before using trusted template types in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` wraps request-controlled data in `template.HTML`/`JS`/`CSS` without an obvious sanitizer."
+  remediation:
+    summary: >-
+      Run untrusted strings through an HTML sanitizer such as bluemonday, prefer typed templates, or keep data in plain escaped fields.

package/rules/go/go.security.tls-missing-min-version.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.tls-missing-min-version
+  title: Set a TLS minimum version on `tls.Config`
+  summary: >-
+    `tls.Config` literals should set `MinVersion` to a modern protocol (`tls.VersionTLS12` or newer) to avoid downgrade attacks.
+  rationale: >-
+    Without `MinVersion`, the Go standard library accepts legacy TLS versions that are vulnerable to known protocol attacks.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - tls
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.tls-missing-min-version
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: medium
+    confidence: 0.8
+    tags:
+      - security
+      - go
+      - tls
+  message:
+    title: Set `MinVersion` on TLS config
+    summary: "`${captures.issue.text}` constructs a `tls.Config` without an explicit `MinVersion`."
+  remediation:
+    summary: >-
+      Add `MinVersion: tls.VersionTLS12` (or `tls.VersionTLS13`) to the configuration to enforce a modern protocol baseline.

package/rules/go/go.security.unsafe-package-import.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.unsafe-package-import
+  title: Avoid the `unsafe` package outside vetted boundaries
+  summary: >-
+    Production Go code should not import the `unsafe` package, which bypasses the type system and memory safety guarantees.
+  rationale: >-
+    `unsafe.Pointer` lets callers reinterpret arbitrary memory, hiding undefined behaviour and creating vulnerabilities that escape Go's compiler checks.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-20
+      title: Improper Input Validation
+    - kind: owasp
+      title: Input Validation Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - memory-safety
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.unsafe-package-import
+    bind: issue
+emit:
+  finding:
+    category: security.memory-safety
+    severity: medium
+    confidence: 0.9
+    tags:
+      - security
+      - go
+      - memory-safety
+  message:
+    title: Remove `unsafe` import at `${captures.issue.text}`
+    summary: "`${captures.issue.text}` imports `unsafe`, which bypasses Go's memory safety guarantees."
+  remediation:
+    summary: >-
+      Replace `unsafe.Pointer` usage with typed APIs from `reflect`, `encoding/binary`, or `cgo` boundaries that explicitly document and contain the unsafe scope.

package/rules/go/go.security.weak-bcrypt-cost.rule.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.weak-bcrypt-cost
+  title: Use a strong bcrypt cost factor
+  summary: >-
+    `bcrypt.GenerateFromPassword` (and similar helpers) must use a cost factor of at least `bcrypt.DefaultCost` (10).
+  rationale: >-
+    Low bcrypt costs make password hashes cheap to crack offline and undermine credential storage protections.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - cryptography
+    - passwords
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.weak-bcrypt-cost
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - go
+      - passwords
+  message:
+    title: Raise bcrypt cost in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` hashes passwords with a cost below the bcrypt default."
+  remediation:
+    summary: >-
+      Pass `bcrypt.DefaultCost` (or a higher value tuned to your performance budget) instead of a literal cost less than 10.

package/rules/go/go.security.weak-crypto-import.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.weak-crypto-import
+  title: Avoid importing broken or deprecated crypto packages
+  summary: >-
+    Production Go code should not import `crypto/md5`, `crypto/sha1`, `crypto/des`, or `crypto/rc4` for security-sensitive purposes.
+  rationale: >-
+    MD5 and SHA-1 are broken hash functions, DES has an obsolete key size, and RC4 has known biases; using them as cryptographic primitives degrades confidentiality and integrity.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - cryptography
+    - hash
+    - cipher
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.weak-crypto-import
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: medium
+    confidence: 0.9
+    tags:
+      - security
+      - go
+      - cryptography
+  message:
+    title: Replace weak crypto import at `${captures.issue.text}`
+    summary: "`${captures.issue.text}` imports a broken or deprecated crypto package."
+  remediation:
+    summary: >-
+      Use `crypto/sha256` or `crypto/sha512` for hashing, `crypto/aes` with GCM mode for ciphers, and avoid RC4 entirely.

package/rules/go/go.security.weak-rsa-key-size.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.weak-rsa-key-size
+  title: Use at least 2048-bit RSA keys
+  summary: >-
+    `rsa.GenerateKey` and `rsa.GenerateMultiPrimeKey` should request a key size of 2048 bits or higher.
+  rationale: >-
+    RSA moduli below 2048 bits are considered cryptographically weak and feasible to attack with modern resources.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - cryptography
+    - rsa
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.weak-rsa-key-size
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - go
+      - cryptography
+      - rsa
+  message:
+    title: Increase RSA key size near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` initializes RSA with fewer than 2048 bits."
+  remediation:
+    summary: >-
+      Generate RSA keys with at least 2048 bits, or prefer Ed25519/ECDSA for new code where appropriate.

package/rules/go/go.security.weak-tls-cipher.rule.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.weak-tls-cipher
+  title: Remove weak TLS cipher suites
+  summary: >-
+    `tls.Config.CipherSuites` should not include RC4, DES, 3DES, NULL, or export-grade cipher constants.
+  rationale: >-
+    These ciphers are deprecated and break confidentiality (RC4 biases, Sweet32 against 3DES, NULL/export-grade weaknesses).
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - tls
+    - cryptography
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.weak-tls-cipher
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: high
+    confidence: 0.88
+    tags:
+      - security
+      - go
+      - tls
+  message:
+    title: Remove deprecated cipher from TLS configuration
+    summary: "`${captures.issue.text}` enables a weak or deprecated cipher suite in `tls.Config.CipherSuites`."
+  remediation:
+    summary: >-
+      Drop RC4/DES/3DES/NULL/export ciphers. Prefer the TLS 1.3 defaults or modern AEAD suites such as `TLS_AES_128_GCM_SHA256`.

package/rules/go/go.testing.real-network-in-unit-test.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.testing.real-network-in-unit-test
+  title: Avoid live network clients in Go unit tests
+  summary: Unit tests should not dial the real network; prefer fakes or httptest servers.
+  rationale: Live network calls make tests flaky and couple CI to external availability.
+  tags:
+    - testing
+    - go
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+match:
+  fact:
+    kind: go.testing.real-network-in-unit-test
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: medium
+    confidence: 0.68
+    tags:
+      - testing
+      - go
+  message:
+    title: Stub outbound network in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses a real HTTP or dial client inside a `_test.go` file."
+  remediation:
+    summary: Use `httptest`, interface fakes, or recorded fixtures instead of live hosts.

package/rules/go/go.testing.t-skip-without-ticket-reference.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.testing.t-skip-without-ticket-reference
+  title: t.Skip should cite a ticket or suppression
+  summary: Go tests that call t.Skip without a nearby tracker reference are easy to forget.
+  rationale: Skips without traceability tend to linger and hide regressions.
+  tags:
+    - testing
+    - go
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+match:
+  fact:
+    kind: go.testing.t-skip-without-ticket-reference
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: medium
+    confidence: 0.7
+    tags:
+      - testing
+      - go
+  message:
+    title: Add a ticket reference to `${captures.issue.text}`
+    summary: "`t.Skip` is used without an adjacent issue key or accepted suppression comment."
+  remediation:
+    summary: Link the skip to a tracker id or document why the suite is intentionally bypassed.

package/rules/go/go.testing.time-sleep-in-unit-test.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.testing.time-sleep-in-unit-test
+  title: Avoid time.Sleep in Go unit tests
+  summary: Sleeping in _test.go files slows CI and hides synchronization bugs.
+  rationale: Prefer fake clocks, polling helpers, or integration suites for real delays.
+  tags:
+    - testing
+    - go
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+match:
+  fact:
+    kind: go.testing.time-sleep-in-unit-test
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: low
+    confidence: 0.62
+    tags:
+      - testing
+      - go
+  message:
+    title: Replace `time.Sleep` in unit tests
+    summary: "`${captures.issue.text}` blocks a goroutine on real wall-clock time."
+  remediation:
+    summary: Inject a clock interface, shorten waits, or move the scenario to an integration test harness.

package/rules/java/java.correctness.catch-null-pointer.rule.yaml ADDED Viewed

@@ -0,0 +1,40 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.catch-null-pointer
+  title: Do not catch NullPointerException
+  summary: NullPointerException indicates a programming error.
+  rationale: Catching NPE masks bugs that should be fixed at the source.
+  tags:
+    - correctness
+    - java
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.catch-null-pointer
+    bind: issue
+emit:
+  finding:
+    category: correctness.exceptions
+    severity: low
+    confidence: 0.88
+    tags:
+      - correctness
+      - java
+  message:
+    title: Remove NullPointerException catch in `${captures.issue.text}`
+    summary: "NullPointerException is caught instead of preventing null access."
+  remediation:
+    summary: Add null checks or Optional handling at the source of the failure.

package/rules/java/java.correctness.empty-catch.rule.yaml ADDED Viewed

@@ -0,0 +1,40 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.empty-catch
+  title: Do not use empty catch blocks
+  summary: Catch blocks should handle or rethrow exceptions.
+  rationale: Empty catches hide failures and make debugging difficult.
+  tags:
+    - correctness
+    - java
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.empty-catch
+    bind: issue
+emit:
+  finding:
+    category: correctness.exceptions
+    severity: medium
+    confidence: 0.88
+    tags:
+      - correctness
+      - java
+  message:
+    title: Handle exception in `${captures.issue.text}`
+    summary: "A catch block swallows an exception without handling it."
+  remediation:
+    summary: Log, recover, or rethrow the exception with context.

package/rules/java/java.correctness.equals-on-array.rule.yaml ADDED Viewed

@@ -0,0 +1,40 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.equals-on-array
+  title: Compare arrays with Arrays.equals
+  summary: Array.equals compares references, not contents.
+  rationale: Reference equality on arrays is almost always a logic bug.
+  tags:
+    - correctness
+    - java
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.equals-on-array
+    bind: issue
+emit:
+  finding:
+    category: correctness.equality
+    severity: medium
+    confidence: 0.88
+    tags:
+      - correctness
+      - java
+  message:
+    title: Fix array comparison in `${captures.issue.text}`
+    summary: "Array.equals compares references instead of elements."
+  remediation:
+    summary: Use Arrays.equals or Arrays.deepEquals for array content comparison.