npm - @critiq/rules - Versions diffs - 0.1.0 → 0.2.0 - Mend

@critiq/rules 0.1.0 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (299) hide show

package/rules/java/java.correctness.empty-catch.rule.yaml ADDED Viewed

@@ -0,0 +1,40 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.empty-catch
+  title: Do not use empty catch blocks
+  summary: Catch blocks should handle or rethrow exceptions.
+  rationale: Empty catches hide failures and make debugging difficult.
+  tags:
+    - correctness
+    - java
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.empty-catch
+    bind: issue
+emit:
+  finding:
+    category: correctness.exceptions
+    severity: medium
+    confidence: 0.88
+    tags:
+      - correctness
+      - java
+  message:
+    title: Handle exception in `${captures.issue.text}`
+    summary: "A catch block swallows an exception without handling it."
+  remediation:
+    summary: Log, recover, or rethrow the exception with context.

package/rules/java/java.correctness.equals-on-array.rule.yaml ADDED Viewed

@@ -0,0 +1,40 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.equals-on-array
+  title: Compare arrays with Arrays.equals
+  summary: Array.equals compares references, not contents.
+  rationale: Reference equality on arrays is almost always a logic bug.
+  tags:
+    - correctness
+    - java
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.equals-on-array
+    bind: issue
+emit:
+  finding:
+    category: correctness.equality
+    severity: medium
+    confidence: 0.88
+    tags:
+      - correctness
+      - java
+  message:
+    title: Fix array comparison in `${captures.issue.text}`
+    summary: "Array.equals compares references instead of elements."
+  remediation:
+    summary: Use Arrays.equals or Arrays.deepEquals for array content comparison.

package/rules/java/java.correctness.return-in-finally.rule.yaml ADDED Viewed

@@ -0,0 +1,40 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.return-in-finally
+  title: Avoid control flow in finally blocks
+  summary: return, break, continue, and throw in finally alter normal flow.
+  rationale: Control flow in finally can suppress exceptions and confuse readers.
+  tags:
+    - correctness
+    - java
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.return-in-finally
+    bind: issue
+emit:
+  finding:
+    category: correctness.control-flow
+    severity: medium
+    confidence: 0.88
+    tags:
+      - correctness
+      - java
+  message:
+    title: Remove control flow from finally in `${captures.issue.text}`
+    summary: "A finally block contains return, break, continue, or throw."
+  remediation:
+    summary: Keep finally blocks limited to cleanup without altering control flow.

package/rules/java/java.correctness.sync-on-string-literal.rule.yaml ADDED Viewed

@@ -0,0 +1,40 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.sync-on-string-literal
+  title: Do not synchronize on string literals
+  summary: String literals are interned and shared across the JVM.
+  rationale: Synchronizing on interned strings can cause unexpected deadlocks.
+  tags:
+    - correctness
+    - java
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.sync-on-string-literal
+    bind: issue
+emit:
+  finding:
+    category: correctness.concurrency
+    severity: medium
+    confidence: 0.88
+    tags:
+      - correctness
+      - java
+  message:
+    title: Avoid synchronizing on string literal in `${captures.issue.text}`
+    summary: "A synchronized block locks on a string literal."
+  remediation:
+    summary: Synchronize on a private final lock object instead.

package/rules/java/java.correctness.unsafe-optional-get.rule.yaml ADDED Viewed

@@ -0,0 +1,40 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.unsafe-optional-get
+  title: Check Optional before calling get
+  summary: Optional.get without a presence check can throw.
+  rationale: Unchecked Optional access causes runtime failures.
+  tags:
+    - correctness
+    - java
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.unsafe-optional-get
+    bind: issue
+emit:
+  finding:
+    category: correctness.nullability
+    severity: medium
+    confidence: 0.88
+    tags:
+      - correctness
+      - java
+  message:
+    title: Guard Optional.get in `${captures.issue.text}`
+    summary: "Optional.get is called without a nearby presence check."
+  remediation:
+    summary: Use orElse, orElseThrow, or isPresent before calling get.

package/rules/java/java.security.android-screenshot-exposure.rule.yaml CHANGED Viewed

@@ -5,6 +5,18 @@ metadata:
   title: Protect sensitive Android screens from screenshots and recents
   summary: Sensitive activities should enable FLAG_SECURE or avoid clearing it so screen content is harder to capture.
   rationale: Finance, authentication, and secret-bearing screens can leak through screenshots, screen recording, and recent-task previews when FLAG_SECURE is missing or cleared.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-200
+      title: Exposure of Sensitive Information to an Unauthorized Actor
+    - kind: url
+      title: Android App Security Best Practices
+      url: https://developer.android.com/privacy-and-security/risks
+    - kind: url
+      title: Android app security best practices
+      url: https://developer.android.com/privacy-and-security/risk
   tags:
     - security
     - privacy
@@ -33,3 +45,4 @@ emit:
     summary: "`${captures.issue.text}` appears on a sensitive Android surface without an effective FLAG_SECURE posture."
   remediation:
     summary: Enable FLAG_SECURE for sensitive screens, avoid clearing it at runtime, and document exceptions only after explicit threat modeling.

package/rules/java/java.security.android-world-readable-mode.rule.yaml CHANGED Viewed

@@ -5,6 +5,18 @@ metadata:
   title: Avoid Android world-readable or world-writable IO modes
   summary: Context files and shared preferences must not use MODE_WORLD_READABLE or MODE_WORLD_WRITABLE.
   rationale: Legacy Android modes expose application data to other packages on the device and break sandbox expectations for secrets.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-732
+      title: Incorrect Permission Assignment for Critical Resource
+    - kind: owasp
+      title: File Permission
+      url: https://owasp.org/www-community/vulnerabilities/Improper_File_Permissions
+    - kind: url
+      title: Android app security best practices
+      url: https://developer.android.com/privacy-and-security/risk
   tags:
     - security
     - privacy
@@ -33,3 +45,4 @@ emit:
     summary: "`${captures.issue.text}` opts into MODE_WORLD_READABLE or MODE_WORLD_WRITABLE, which weakens app sandbox isolation."
   remediation:
     summary: Use MODE_PRIVATE or scoped storage APIs instead of world-readable or world-writable modes.

package/rules/java/java.security.hibernate-sql-concatenation.rule.yaml ADDED Viewed

@@ -0,0 +1,62 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.hibernate-sql-concatenation
+  title: Bind Hibernate query parameters instead of concatenating SQL
+  summary: >-
+    Hibernate `Session.createQuery`, `createNativeQuery`, and `createSQLQuery` calls must not build their query text from string concatenation or `String.format`.
+  rationale: >-
+    Dynamic SQL fragments stitched into Hibernate query strings are an injection sink whenever any segment came from request, environment, or upload input.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-89
+      title: SQL Injection
+    - kind: owasp
+      title: SQL Injection Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Spring Boot security
+      url: https://docs.spring.io/spring-boot/reference/web/spring-security.html
+  tags:
+    - security
+    - java
+    - hibernate
+    - sql-injection
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+      - "**/*Tests.java"
+match:
+  fact:
+    kind: java.security.hibernate-sql-concatenation
+    bind: issue
+emit:
+  finding:
+    category: security.sql-injection
+    severity: critical
+    confidence: 0.84
+    tags:
+      - security
+      - java
+      - hibernate
+      - sql-injection
+  message:
+    title: Bind parameters in Hibernate query at `${captures.issue.text}`
+    summary: >-
+      `${captures.issue.text}` constructs a Hibernate query by concatenating or formatting strings instead of binding parameters.
+  remediation:
+    summary: >-
+      Use named or positional parameters via `setParameter`, the Criteria API, or typed query DSLs instead of interpolating values into the HQL or SQL text.

package/rules/java/java.security.insecure-cipher-mode.rule.yaml ADDED Viewed

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.insecure-cipher-mode
+  title: Avoid insecure cipher transformations
+  summary: "Java `Cipher.getInstance` should not request ECB mode or legacy algorithms like DES and RC4."
+  rationale: ECB mode leaks structure across blocks, while DES and RC4 are broken or deprecated and unsuitable for confidentiality.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+  tags:
+    - security
+    - java
+    - cryptography
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.security.insecure-cipher-mode
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: high
+    confidence: 0.92
+    tags:
+      - security
+      - java
+      - cryptography
+  message:
+    title: Replace insecure cipher transformation in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` requests an insecure cipher mode or algorithm."
+  remediation:
+    summary: "Use authenticated modes such as `AES/GCM/NoPadding` and modern algorithms; avoid ECB, DES, and RC4."

package/rules/java/java.security.insecure-network-protocol.rule.yaml ADDED Viewed

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.insecure-network-protocol
+  title: Avoid plaintext or legacy network protocols
+  summary: "URL/URI literals should not use `ftp://`, `telnet://`, or `jar:http://`."
+  rationale: These schemes transmit credentials and payloads in cleartext or load remote archives without integrity checks.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
+  tags:
+    - security
+    - java
+    - transport
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.security.insecure-network-protocol
+    bind: issue
+emit:
+  finding:
+    category: security.transport
+    severity: high
+    confidence: 0.92
+    tags:
+      - security
+      - java
+      - transport
+  message:
+    title: Use a secure protocol instead of `${captures.issue.text}`
+    summary: "`${captures.issue.text}` opens a URL or URI with a plaintext or legacy protocol."
+  remediation:
+    summary: "Use `https://`, `sftp://`, or `ssh://` and verify integrity for remote archives instead of `jar:http://`."

package/rules/java/java.security.insecure-ssl-context.rule.yaml ADDED Viewed

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.insecure-ssl-context
+  title: Avoid deprecated TLS/SSL protocol versions
+  summary: "`SSLContext.getInstance` should not request SSL, SSLv2, SSLv3, TLSv1.0, or TLSv1.1."
+  rationale: Pre-TLSv1.2 protocols are deprecated and vulnerable to known attacks such as POODLE and BEAST.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
+  tags:
+    - security
+    - java
+    - tls
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.security.insecure-ssl-context
+    bind: issue
+emit:
+  finding:
+    category: security.transport
+    severity: high
+    confidence: 0.95
+    tags:
+      - security
+      - java
+      - tls
+  message:
+    title: Replace deprecated SSL/TLS protocol `${captures.issue.text}`
+    summary: "`${captures.issue.text}` selects a deprecated TLS/SSL protocol version."
+  remediation:
+    summary: "Use `SSLContext.getInstance(\"TLSv1.2\")` or `\"TLSv1.3\"` and rely on platform defaults where possible."

package/rules/java/java.security.jpa-concatenated-query.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     `createQuery`, `createNativeQuery`, `JdbcTemplate` calls, and string-based `@Query` values must not stitch SQL with request data using `+`, `String.format`, or similar.
   rationale: >-
     Dynamic SQL built from untrusted fragments is a direct injection surface; parameterized queries and named parameters are the safe default.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-89
+      title: SQL Injection
+    - kind: owasp
+      title: SQL Injection Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Spring Boot security
+      url: https://docs.spring.io/spring-boot/reference/web/spring-security.html
   tags:
     - security
     - java
@@ -45,3 +57,4 @@ emit:
   remediation:
     summary: >-
       Use JPQL named parameters, `CriteriaUpdate`, or prepared JDBC statements with bound parameters; never interpolate request values into query text.

package/rules/java/java.security.jwt-without-verification.rule.yaml ADDED Viewed

@@ -0,0 +1,53 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.jwt-without-verification
+  title: Verify JWT signatures before trusting claims
+  summary: Decoding a JWT without verifying its signature allows attackers to forge tokens and impersonate users.
+  rationale: Methods like `JWT.decode` and `Jwts.parser().parseClaimsJwt` do not check the cryptographic signature; downstream claims cannot be trusted.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-287
+      title: Improper Authentication
+    - kind: owasp
+      title: JSON Web Token Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html
+  tags:
+    - security
+    - java
+    - jwt
+    - authentication
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.security.jwt-without-verification
+    bind: issue
+emit:
+  finding:
+    category: security.authentication
+    severity: high
+    confidence: 0.88
+    tags:
+      - security
+      - java
+      - jwt
+  message:
+    title: Verify JWT signature near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` reads a JWT without verifying its signature."
+  remediation:
+    summary: "Use `JWT.require(algorithm).build().verify(token)` or `Jwts.parser().setSigningKey(key).parseClaimsJws(token)` to authenticate the token before trusting claims."

package/rules/java/java.security.null-cipher.rule.yaml ADDED Viewed

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.null-cipher
+  title: Do not use NullCipher
+  summary: "Constructing `new NullCipher()` or `Cipher.getInstance(\"Null\")` performs no encryption."
+  rationale: NullCipher returns plaintext unchanged, providing no confidentiality and often disguising an intentional bypass of crypto.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+  tags:
+    - security
+    - java
+    - cryptography
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.security.null-cipher
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: critical
+    confidence: 0.97
+    tags:
+      - security
+      - java
+      - cryptography
+  message:
+    title: Replace NullCipher usage `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses NullCipher, which leaves data unencrypted."
+  remediation:
+    summary: "Use an authenticated cipher such as `AES/GCM/NoPadding` with a properly managed key."

package/rules/java/java.security.permissive-cors.rule.yaml ADDED Viewed

@@ -0,0 +1,53 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.permissive-cors
+  title: Avoid wildcard CORS allow-origins
+  summary: "Spring `@CrossOrigin(\"*\")`, `allowedOrigins(\"*\")`, and `addAllowedOriginPattern(\"*\")` open the API to any origin."
+  rationale: Wildcard origins disable browser-enforced same-origin protection and can allow untrusted sites to call the API with credentials.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-942
+      title: Permissive Cross-domain Policy with Untrusted Domains
+    - kind: owasp
+      title: Cross-Origin Resource Sharing (CORS)
+      url: https://owasp.org/www-community/attacks/CORS_OriginHeaderScrutiny
+  tags:
+    - security
+    - java
+    - spring
+    - cors
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.security.permissive-cors
+    bind: issue
+emit:
+  finding:
+    category: security.web
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - java
+      - cors
+  message:
+    title: Restrict CORS allow-origin near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` accepts every origin via a wildcard CORS configuration."
+  remediation:
+    summary: "Allow only the specific origins your service trusts; never combine `allowCredentials(true)` with a wildcard origin."