npm - @critiq/rules - Versions diffs - 0.0.2 → 0.2.0 - Mend

@critiq/rules 0.0.2 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (396) hide show

package/rules/java/java.correctness.return-in-finally.rule.yaml ADDED Viewed

@@ -0,0 +1,40 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.return-in-finally
+  title: Avoid control flow in finally blocks
+  summary: return, break, continue, and throw in finally alter normal flow.
+  rationale: Control flow in finally can suppress exceptions and confuse readers.
+  tags:
+    - correctness
+    - java
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.return-in-finally
+    bind: issue
+emit:
+  finding:
+    category: correctness.control-flow
+    severity: medium
+    confidence: 0.88
+    tags:
+      - correctness
+      - java
+  message:
+    title: Remove control flow from finally in `${captures.issue.text}`
+    summary: "A finally block contains return, break, continue, or throw."
+  remediation:
+    summary: Keep finally blocks limited to cleanup without altering control flow.

package/rules/java/java.correctness.sync-on-string-literal.rule.yaml ADDED Viewed

@@ -0,0 +1,40 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.sync-on-string-literal
+  title: Do not synchronize on string literals
+  summary: String literals are interned and shared across the JVM.
+  rationale: Synchronizing on interned strings can cause unexpected deadlocks.
+  tags:
+    - correctness
+    - java
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.sync-on-string-literal
+    bind: issue
+emit:
+  finding:
+    category: correctness.concurrency
+    severity: medium
+    confidence: 0.88
+    tags:
+      - correctness
+      - java
+  message:
+    title: Avoid synchronizing on string literal in `${captures.issue.text}`
+    summary: "A synchronized block locks on a string literal."
+  remediation:
+    summary: Synchronize on a private final lock object instead.

package/rules/java/java.correctness.unsafe-optional-get.rule.yaml ADDED Viewed

@@ -0,0 +1,40 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.unsafe-optional-get
+  title: Check Optional before calling get
+  summary: Optional.get without a presence check can throw.
+  rationale: Unchecked Optional access causes runtime failures.
+  tags:
+    - correctness
+    - java
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.unsafe-optional-get
+    bind: issue
+emit:
+  finding:
+    category: correctness.nullability
+    severity: medium
+    confidence: 0.88
+    tags:
+      - correctness
+      - java
+  message:
+    title: Guard Optional.get in `${captures.issue.text}`
+    summary: "Optional.get is called without a nearby presence check."
+  remediation:
+    summary: Use orElse, orElseThrow, or isPresent before calling get.

package/rules/java/java.performance.no-regex-construction-in-loop.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.performance.no-regex-construction-in-loop
+  title: Avoid no regex construction in loop
+  summary: Performance hygiene signal for java sources.
+  rationale: Performance hygiene signal for java sources.
+  tags:
+    - performance
+    - java
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+match:
+  fact:
+    kind: java.performance.no-regex-construction-in-loop
+    bind: issue
+emit:
+  finding:
+    category: performance.allocation
+    severity: medium
+    confidence: 0.66
+    tags:
+      - performance
+      - java
+  message:
+    title: Avoid no regex construction in loop in `java` code
+    summary: "`${captures.issue.text}` matches java.performance.no-regex-construction-in-loop."
+  remediation:
+    summary: Refactor this path to reduce avoidable runtime overhead.

package/rules/java/java.performance.no-sync-fs-in-request-path.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.performance.no-sync-fs-in-request-path
+  title: Avoid no sync fs in request path
+  summary: Performance hygiene signal for java sources.
+  rationale: Performance hygiene signal for java sources.
+  tags:
+    - performance
+    - java
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+match:
+  fact:
+    kind: java.performance.no-sync-fs-in-request-path
+    bind: issue
+emit:
+  finding:
+    category: performance.io
+    severity: high
+    confidence: 0.66
+    tags:
+      - performance
+      - java
+  message:
+    title: Avoid no sync fs in request path in `java` code
+    summary: "`${captures.issue.text}` matches java.performance.no-sync-fs-in-request-path."
+  remediation:
+    summary: Refactor this path to reduce avoidable runtime overhead.

package/rules/java/java.performance.no-unbounded-concurrency.rule.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.performance.no-unbounded-concurrency
+  title: Avoid no unbounded concurrency
+  summary: Performance hygiene signal for java sources.
+  rationale: Performance hygiene signal for java sources.
+  tags:
+    - performance
+    - java
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+match:
+  fact:
+    kind: java.performance.no-unbounded-concurrency
+    bind: issue
+emit:
+  finding:
+    category: performance.async
+    severity: medium
+    confidence: 0.66
+    tags:
+      - performance
+      - java
+  message:
+    title: Avoid no unbounded concurrency in `java` code
+    summary: "`${captures.issue.text}` matches java.performance.no-unbounded-concurrency."
+  remediation:
+    summary: Refactor this path to reduce avoidable runtime overhead.

package/rules/java/java.security.android-screenshot-exposure.rule.yaml ADDED Viewed

@@ -0,0 +1,48 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.android-screenshot-exposure
+  title: Protect sensitive Android screens from screenshots and recents
+  summary: Sensitive activities should enable FLAG_SECURE or avoid clearing it so screen content is harder to capture.
+  rationale: Finance, authentication, and secret-bearing screens can leak through screenshots, screen recording, and recent-task previews when FLAG_SECURE is missing or cleared.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-200
+      title: Exposure of Sensitive Information to an Unauthorized Actor
+    - kind: url
+      title: Android App Security Best Practices
+      url: https://developer.android.com/privacy-and-security/risks
+    - kind: url
+      title: Android app security best practices
+      url: https://developer.android.com/privacy-and-security/risk
+  tags:
+    - security
+    - privacy
+    - android
+    - rules-catalog
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - java
+match:
+  fact:
+    kind: security.android-screenshot-exposure
+    bind: issue
+emit:
+  finding:
+    category: security.privacy
+    severity: high
+    confidence: 0.82
+    tags:
+      - security
+      - privacy
+      - android
+  message:
+    title: Harden Android UI capture policy for `${captures.issue.text}`
+    summary: "`${captures.issue.text}` appears on a sensitive Android surface without an effective FLAG_SECURE posture."
+  remediation:
+    summary: Enable FLAG_SECURE for sensitive screens, avoid clearing it at runtime, and document exceptions only after explicit threat modeling.

package/rules/java/java.security.android-world-readable-mode.rule.yaml ADDED Viewed

@@ -0,0 +1,48 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.android-world-readable-mode
+  title: Avoid Android world-readable or world-writable IO modes
+  summary: Context files and shared preferences must not use MODE_WORLD_READABLE or MODE_WORLD_WRITABLE.
+  rationale: Legacy Android modes expose application data to other packages on the device and break sandbox expectations for secrets.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-732
+      title: Incorrect Permission Assignment for Critical Resource
+    - kind: owasp
+      title: File Permission
+      url: https://owasp.org/www-community/vulnerabilities/Improper_File_Permissions
+    - kind: url
+      title: Android app security best practices
+      url: https://developer.android.com/privacy-and-security/risk
+  tags:
+    - security
+    - privacy
+    - android
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+match:
+  fact:
+    kind: security.android-world-readable-mode
+    bind: issue
+emit:
+  finding:
+    category: security.privacy
+    severity: high
+    confidence: 0.95
+    tags:
+      - security
+      - storage
+      - android
+  message:
+    title: Replace unsafe Android IO mode in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` opts into MODE_WORLD_READABLE or MODE_WORLD_WRITABLE, which weakens app sandbox isolation."
+  remediation:
+    summary: Use MODE_PRIVATE or scoped storage APIs instead of world-readable or world-writable modes.

package/rules/java/java.security.hibernate-sql-concatenation.rule.yaml ADDED Viewed

@@ -0,0 +1,62 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.hibernate-sql-concatenation
+  title: Bind Hibernate query parameters instead of concatenating SQL
+  summary: >-
+    Hibernate `Session.createQuery`, `createNativeQuery`, and `createSQLQuery` calls must not build their query text from string concatenation or `String.format`.
+  rationale: >-
+    Dynamic SQL fragments stitched into Hibernate query strings are an injection sink whenever any segment came from request, environment, or upload input.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-89
+      title: SQL Injection
+    - kind: owasp
+      title: SQL Injection Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Spring Boot security
+      url: https://docs.spring.io/spring-boot/reference/web/spring-security.html
+  tags:
+    - security
+    - java
+    - hibernate
+    - sql-injection
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+      - "**/*Tests.java"
+match:
+  fact:
+    kind: java.security.hibernate-sql-concatenation
+    bind: issue
+emit:
+  finding:
+    category: security.sql-injection
+    severity: critical
+    confidence: 0.84
+    tags:
+      - security
+      - java
+      - hibernate
+      - sql-injection
+  message:
+    title: Bind parameters in Hibernate query at `${captures.issue.text}`
+    summary: >-
+      `${captures.issue.text}` constructs a Hibernate query by concatenating or formatting strings instead of binding parameters.
+  remediation:
+    summary: >-
+      Use named or positional parameters via `setParameter`, the Criteria API, or typed query DSLs instead of interpolating values into the HQL or SQL text.

package/rules/java/java.security.insecure-cipher-mode.rule.yaml ADDED Viewed

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.insecure-cipher-mode
+  title: Avoid insecure cipher transformations
+  summary: "Java `Cipher.getInstance` should not request ECB mode or legacy algorithms like DES and RC4."
+  rationale: ECB mode leaks structure across blocks, while DES and RC4 are broken or deprecated and unsuitable for confidentiality.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+  tags:
+    - security
+    - java
+    - cryptography
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.security.insecure-cipher-mode
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: high
+    confidence: 0.92
+    tags:
+      - security
+      - java
+      - cryptography
+  message:
+    title: Replace insecure cipher transformation in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` requests an insecure cipher mode or algorithm."
+  remediation:
+    summary: "Use authenticated modes such as `AES/GCM/NoPadding` and modern algorithms; avoid ECB, DES, and RC4."

package/rules/java/java.security.insecure-network-protocol.rule.yaml ADDED Viewed

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.insecure-network-protocol
+  title: Avoid plaintext or legacy network protocols
+  summary: "URL/URI literals should not use `ftp://`, `telnet://`, or `jar:http://`."
+  rationale: These schemes transmit credentials and payloads in cleartext or load remote archives without integrity checks.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
+  tags:
+    - security
+    - java
+    - transport
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.security.insecure-network-protocol
+    bind: issue
+emit:
+  finding:
+    category: security.transport
+    severity: high
+    confidence: 0.92
+    tags:
+      - security
+      - java
+      - transport
+  message:
+    title: Use a secure protocol instead of `${captures.issue.text}`
+    summary: "`${captures.issue.text}` opens a URL or URI with a plaintext or legacy protocol."
+  remediation:
+    summary: "Use `https://`, `sftp://`, or `ssh://` and verify integrity for remote archives instead of `jar:http://`."

package/rules/java/java.security.insecure-ssl-context.rule.yaml ADDED Viewed

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.insecure-ssl-context
+  title: Avoid deprecated TLS/SSL protocol versions
+  summary: "`SSLContext.getInstance` should not request SSL, SSLv2, SSLv3, TLSv1.0, or TLSv1.1."
+  rationale: Pre-TLSv1.2 protocols are deprecated and vulnerable to known attacks such as POODLE and BEAST.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
+  tags:
+    - security
+    - java
+    - tls
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.security.insecure-ssl-context
+    bind: issue
+emit:
+  finding:
+    category: security.transport
+    severity: high
+    confidence: 0.95
+    tags:
+      - security
+      - java
+      - tls
+  message:
+    title: Replace deprecated SSL/TLS protocol `${captures.issue.text}`
+    summary: "`${captures.issue.text}` selects a deprecated TLS/SSL protocol version."
+  remediation:
+    summary: "Use `SSLContext.getInstance(\"TLSv1.2\")` or `\"TLSv1.3\"` and rely on platform defaults where possible."

package/rules/java/java.security.jpa-concatenated-query.rule.yaml ADDED Viewed

@@ -0,0 +1,60 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.jpa-concatenated-query
+  title: Do not build JPA or JDBC queries by concatenating user-controlled input
+  summary: >-
+    `createQuery`, `createNativeQuery`, `JdbcTemplate` calls, and string-based `@Query` values must not stitch SQL with request data using `+`, `String.format`, or similar.
+  rationale: >-
+    Dynamic SQL built from untrusted fragments is a direct injection surface; parameterized queries and named parameters are the safe default.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-89
+      title: SQL Injection
+    - kind: owasp
+      title: SQL Injection Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Spring Boot security
+      url: https://docs.spring.io/spring-boot/reference/web/spring-security.html
+  tags:
+    - security
+    - java
+    - jpa
+    - jdbc
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.security.jpa-concatenated-query
+    bind: issue
+emit:
+  finding:
+    category: security.sql-injection
+    severity: critical
+    confidence: 0.84
+    tags:
+      - security
+      - java
+      - sql-injection
+  message:
+    title: Replace dynamic SQL construction in `${captures.issue.text}`
+    summary: >-
+      `${captures.issue.text}` builds a query from concatenated or formatted fragments; bind parameters instead of embedding user-controlled text.
+  remediation:
+    summary: >-
+      Use JPQL named parameters, `CriteriaUpdate`, or prepared JDBC statements with bound parameters; never interpolate request values into query text.

package/rules/java/java.security.jwt-without-verification.rule.yaml ADDED Viewed

@@ -0,0 +1,53 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.jwt-without-verification
+  title: Verify JWT signatures before trusting claims
+  summary: Decoding a JWT without verifying its signature allows attackers to forge tokens and impersonate users.
+  rationale: Methods like `JWT.decode` and `Jwts.parser().parseClaimsJwt` do not check the cryptographic signature; downstream claims cannot be trusted.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-287
+      title: Improper Authentication
+    - kind: owasp
+      title: JSON Web Token Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html
+  tags:
+    - security
+    - java
+    - jwt
+    - authentication
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.security.jwt-without-verification
+    bind: issue
+emit:
+  finding:
+    category: security.authentication
+    severity: high
+    confidence: 0.88
+    tags:
+      - security
+      - java
+      - jwt
+  message:
+    title: Verify JWT signature near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` reads a JWT without verifying its signature."
+  remediation:
+    summary: "Use `JWT.require(algorithm).build().verify(token)` or `Jwts.parser().setSigningKey(key).parseClaimsJws(token)` to authenticate the token before trusting claims."