npm - @critiq/rules - Versions diffs - 0.1.0 → 0.2.0 - Mend

@critiq/rules 0.1.0 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (299) hide show

package/rules/go/go.security.insecure-ssl-protocol.rule.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.insecure-ssl-protocol
+  title: Reject SSLv2 and SSLv3 protocols
+  summary: >-
+    `tls.VersionSSL30`, SSLv2, or SSLv3 string literals indicate use of broken legacy protocols.
+  rationale: >-
+    SSLv2 and SSLv3 contain unrecoverable cryptographic weaknesses (POODLE, DROWN) and must not be negotiated.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - tls
+    - cryptography
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.insecure-ssl-protocol
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - go
+      - tls
+  message:
+    title: Remove SSL legacy protocol from `${captures.issue.text}`
+    summary: "`${captures.issue.text}` references a broken SSLv2/SSLv3 protocol."
+  remediation:
+    summary: >-
+      Use `tls.VersionTLS12` or `tls.VersionTLS13` instead of SSL legacy constants or string literals.

package/rules/go/go.security.insecure-temp-file.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.insecure-temp-file
+  title: Avoid deprecated `ioutil` temporary file helpers
+  summary: >-
+    Go code should use `os.CreateTemp` and `os.MkdirTemp` instead of the deprecated `ioutil.TempFile` / `ioutil.TempDir` helpers.
+  rationale: >-
+    The `ioutil` temp helpers are deprecated and frequently appear alongside race-prone temp-file patterns; the `os` replacements receive ongoing security fixes.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-434
+      title: Unrestricted Upload of File with Dangerous Type
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - filesystem
+    - tempfile
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.insecure-temp-file
+    bind: issue
+emit:
+  finding:
+    category: security.filesystem
+    severity: medium
+    confidence: 0.88
+    tags:
+      - security
+      - go
+      - filesystem
+      - tempfile
+  message:
+    title: Replace deprecated temp helper at `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses a deprecated `ioutil` temporary file helper."
+  remediation:
+    summary: >-
+      Switch to `os.CreateTemp(dir, pattern)` or `os.MkdirTemp(dir, pattern)` and ensure the pattern includes a `*` so a random component is generated.

package/rules/go/go.security.jwt-without-verification.rule.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.jwt-without-verification
+  title: Verify JWT signatures before trusting claims
+  summary: >-
+    Parsing JWTs with `jwt.Parse` and a nil keyfunc, `jwt.ParseUnverified`, or `jwt.Decode` skips signature verification and lets attackers forge tokens.
+  rationale: >-
+    Trusting unverified JWTs allows attackers to impersonate users or escalate privileges by crafting tokens with arbitrary claims.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-287
+      title: Improper Authentication
+    - kind: owasp
+      title: JSON Web Token Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - jwt
+    - authentication
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.jwt-without-verification
+    bind: issue
+emit:
+  finding:
+    category: security.authentication
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - go
+      - jwt
+  message:
+    title: Verify JWT signature near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` parses a JWT without verifying its signature."
+  remediation:
+    summary: >-
+      Provide a non-nil keyfunc to `jwt.Parse` (or `jwt.ParseWithClaims`) and validate the returned token's `.Valid` flag before reading claims.

package/rules/go/go.security.net-http-missing-timeouts.rule.yaml CHANGED Viewed

@@ -7,6 +7,15 @@ metadata:
     Public Go HTTP servers should use `http.Server` with read, write, idle, and header timeouts instead of convenience `ListenAndServe` helpers or incomplete literals.
   rationale: >-
     Missing timeouts enable slowloris-style resource exhaustion and hung connections on internet-facing services.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
   tags:
     - security
     - go
@@ -43,3 +52,4 @@ emit:
   remediation:
     summary: >-
       Construct `http.Server` with `ReadHeaderTimeout`, `ReadTimeout`, `WriteTimeout`, and `IdleTimeout`, and prefer `ListenAndServe` on that configured instance.

package/rules/go/go.security.pprof-exposed.rule.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.pprof-exposed
+  title: Do not expose pprof endpoints on shared HTTP mux
+  summary: >-
+    Importing `net/http/pprof` or registering `/debug/pprof` handlers on the default mux exposes debugging endpoints to remote callers.
+  rationale: >-
+    Exposed pprof endpoints leak heap, goroutine, and CPU profiles and can be used for denial-of-service or sensitive data harvesting.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - net/http
+    - pprof
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.pprof-exposed
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: medium
+    confidence: 0.78
+    tags:
+      - security
+      - go
+      - net/http
+  message:
+    title: Move pprof off the public mux near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` exposes profiler endpoints without an authentication guard."
+  remediation:
+    summary: >-
+      Register pprof handlers on a private mux bound to localhost or a separate listener, and gate them behind authentication.

package/rules/go/go.security.sensitive-data-egress.rule.yaml CHANGED Viewed

@@ -7,6 +7,15 @@ metadata:
     Outbound `http.Post` bodies should not be built directly from request values without validation or redaction.
   rationale: >-
     Tainted POST bodies can exfiltrate secrets, replay cookies, or forward attacker payloads to internal integrations.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-200
+      title: Exposure of Sensitive Information to an Unauthorized Actor
+    - kind: owasp
+      title: Logging Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
   tags:
     - security
     - go
@@ -44,3 +53,4 @@ emit:
   remediation:
     summary: >-
       Allowlist outbound hosts, strip secrets from relayed payloads, and route integrations through audited helpers.

package/rules/go/go.security.tar-path-traversal.rule.yaml CHANGED Viewed

@@ -7,6 +7,15 @@ metadata:
     Tar extraction must normalize `header.Name` with `filepath.Base` or `filepath.Clean` before opening destination files.
   rationale: >-
     Writing `hdr.Name` directly enables `../` traversal that escapes intended extraction directories.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-22
+      title: Path Traversal
+    - kind: owasp
+      title: Path Traversal
+      url: https://owasp.org/www-community/attacks/Path_Traversal
   tags:
     - security
     - go
@@ -43,3 +52,4 @@ emit:
   remediation:
     summary: >-
       Join destinations using a fixed root with `filepath.Join`, reject absolute paths, and always apply `filepath.Base` before `os.Create`.

package/rules/go/go.security.template-unescaped-request-value.rule.yaml CHANGED Viewed

@@ -7,6 +7,15 @@ metadata:
     `template.HTML`, `template.JS`, and `template.CSS` should not wrap request-derived strings unless they were sanitized first.
   rationale: >-
     Trusted template types disable escaping and turn reflected input into cross-site scripting when executed in browsers.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
   tags:
     - security
     - go
@@ -43,3 +52,4 @@ emit:
   remediation:
     summary: >-
       Run untrusted strings through an HTML sanitizer such as bluemonday, prefer typed templates, or keep data in plain escaped fields.

package/rules/go/go.security.tls-missing-min-version.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.tls-missing-min-version
+  title: Set a TLS minimum version on `tls.Config`
+  summary: >-
+    `tls.Config` literals should set `MinVersion` to a modern protocol (`tls.VersionTLS12` or newer) to avoid downgrade attacks.
+  rationale: >-
+    Without `MinVersion`, the Go standard library accepts legacy TLS versions that are vulnerable to known protocol attacks.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - tls
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.tls-missing-min-version
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: medium
+    confidence: 0.8
+    tags:
+      - security
+      - go
+      - tls
+  message:
+    title: Set `MinVersion` on TLS config
+    summary: "`${captures.issue.text}` constructs a `tls.Config` without an explicit `MinVersion`."
+  remediation:
+    summary: >-
+      Add `MinVersion: tls.VersionTLS12` (or `tls.VersionTLS13`) to the configuration to enforce a modern protocol baseline.

package/rules/go/go.security.unsafe-package-import.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.unsafe-package-import
+  title: Avoid the `unsafe` package outside vetted boundaries
+  summary: >-
+    Production Go code should not import the `unsafe` package, which bypasses the type system and memory safety guarantees.
+  rationale: >-
+    `unsafe.Pointer` lets callers reinterpret arbitrary memory, hiding undefined behaviour and creating vulnerabilities that escape Go's compiler checks.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-20
+      title: Improper Input Validation
+    - kind: owasp
+      title: Input Validation Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - memory-safety
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.unsafe-package-import
+    bind: issue
+emit:
+  finding:
+    category: security.memory-safety
+    severity: medium
+    confidence: 0.9
+    tags:
+      - security
+      - go
+      - memory-safety
+  message:
+    title: Remove `unsafe` import at `${captures.issue.text}`
+    summary: "`${captures.issue.text}` imports `unsafe`, which bypasses Go's memory safety guarantees."
+  remediation:
+    summary: >-
+      Replace `unsafe.Pointer` usage with typed APIs from `reflect`, `encoding/binary`, or `cgo` boundaries that explicitly document and contain the unsafe scope.

package/rules/go/go.security.weak-bcrypt-cost.rule.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.weak-bcrypt-cost
+  title: Use a strong bcrypt cost factor
+  summary: >-
+    `bcrypt.GenerateFromPassword` (and similar helpers) must use a cost factor of at least `bcrypt.DefaultCost` (10).
+  rationale: >-
+    Low bcrypt costs make password hashes cheap to crack offline and undermine credential storage protections.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - cryptography
+    - passwords
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.weak-bcrypt-cost
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - go
+      - passwords
+  message:
+    title: Raise bcrypt cost in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` hashes passwords with a cost below the bcrypt default."
+  remediation:
+    summary: >-
+      Pass `bcrypt.DefaultCost` (or a higher value tuned to your performance budget) instead of a literal cost less than 10.

package/rules/go/go.security.weak-crypto-import.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.weak-crypto-import
+  title: Avoid importing broken or deprecated crypto packages
+  summary: >-
+    Production Go code should not import `crypto/md5`, `crypto/sha1`, `crypto/des`, or `crypto/rc4` for security-sensitive purposes.
+  rationale: >-
+    MD5 and SHA-1 are broken hash functions, DES has an obsolete key size, and RC4 has known biases; using them as cryptographic primitives degrades confidentiality and integrity.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - cryptography
+    - hash
+    - cipher
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.weak-crypto-import
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: medium
+    confidence: 0.9
+    tags:
+      - security
+      - go
+      - cryptography
+  message:
+    title: Replace weak crypto import at `${captures.issue.text}`
+    summary: "`${captures.issue.text}` imports a broken or deprecated crypto package."
+  remediation:
+    summary: >-
+      Use `crypto/sha256` or `crypto/sha512` for hashing, `crypto/aes` with GCM mode for ciphers, and avoid RC4 entirely.

package/rules/go/go.security.weak-rsa-key-size.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.weak-rsa-key-size
+  title: Use at least 2048-bit RSA keys
+  summary: >-
+    `rsa.GenerateKey` and `rsa.GenerateMultiPrimeKey` should request a key size of 2048 bits or higher.
+  rationale: >-
+    RSA moduli below 2048 bits are considered cryptographically weak and feasible to attack with modern resources.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - cryptography
+    - rsa
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.weak-rsa-key-size
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - go
+      - cryptography
+      - rsa
+  message:
+    title: Increase RSA key size near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` initializes RSA with fewer than 2048 bits."
+  remediation:
+    summary: >-
+      Generate RSA keys with at least 2048 bits, or prefer Ed25519/ECDSA for new code where appropriate.

package/rules/go/go.security.weak-tls-cipher.rule.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.weak-tls-cipher
+  title: Remove weak TLS cipher suites
+  summary: >-
+    `tls.Config.CipherSuites` should not include RC4, DES, 3DES, NULL, or export-grade cipher constants.
+  rationale: >-
+    These ciphers are deprecated and break confidentiality (RC4 biases, Sweet32 against 3DES, NULL/export-grade weaknesses).
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - tls
+    - cryptography
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.weak-tls-cipher
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: high
+    confidence: 0.88
+    tags:
+      - security
+      - go
+      - tls
+  message:
+    title: Remove deprecated cipher from TLS configuration
+    summary: "`${captures.issue.text}` enables a weak or deprecated cipher suite in `tls.Config.CipherSuites`."
+  remediation:
+    summary: >-
+      Drop RC4/DES/3DES/NULL/export ciphers. Prefer the TLS 1.3 defaults or modern AEAD suites such as `TLS_AES_128_GCM_SHA256`.

package/rules/java/java.correctness.catch-null-pointer.rule.yaml ADDED Viewed

@@ -0,0 +1,40 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.catch-null-pointer
+  title: Do not catch NullPointerException
+  summary: NullPointerException indicates a programming error.
+  rationale: Catching NPE masks bugs that should be fixed at the source.
+  tags:
+    - correctness
+    - java
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.catch-null-pointer
+    bind: issue
+emit:
+  finding:
+    category: correctness.exceptions
+    severity: low
+    confidence: 0.88
+    tags:
+      - correctness
+      - java
+  message:
+    title: Remove NullPointerException catch in `${captures.issue.text}`
+    summary: "NullPointerException is caught instead of preventing null access."
+  remediation:
+    summary: Add null checks or Optional handling at the source of the failure.