npm - @critiq/rules - Versions diffs - 0.1.0 → 0.3.0 - Mend

@critiq/rules 0.1.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (495) hide show

package/rules/go/go.security.weak-rsa-key-size.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.weak-rsa-key-size
+  title: Use at least 2048-bit RSA keys
+  summary: >-
+    `rsa.GenerateKey` and `rsa.GenerateMultiPrimeKey` should request a key size of 2048 bits or higher.
+  rationale: >-
+    RSA moduli below 2048 bits are considered cryptographically weak and feasible to attack with modern resources.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - cryptography
+    - rsa
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.weak-rsa-key-size
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - go
+      - cryptography
+      - rsa
+  message:
+    title: Increase RSA key size near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` initializes RSA with fewer than 2048 bits."
+  remediation:
+    summary: >-
+      Generate RSA keys with at least 2048 bits, or prefer Ed25519/ECDSA for new code where appropriate.

package/rules/go/go.security.weak-tls-cipher.rule.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.weak-tls-cipher
+  title: Remove weak TLS cipher suites
+  summary: >-
+    `tls.Config.CipherSuites` should not include RC4, DES, 3DES, NULL, or export-grade cipher constants.
+  rationale: >-
+    These ciphers are deprecated and break confidentiality (RC4 biases, Sweet32 against 3DES, NULL/export-grade weaknesses).
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - tls
+    - cryptography
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.weak-tls-cipher
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: high
+    confidence: 0.88
+    tags:
+      - security
+      - go
+      - tls
+  message:
+    title: Remove deprecated cipher from TLS configuration
+    summary: "`${captures.issue.text}` enables a weak or deprecated cipher suite in `tls.Config.CipherSuites`."
+  remediation:
+    summary: >-
+      Drop RC4/DES/3DES/NULL/export ciphers. Prefer the TLS 1.3 defaults or modern AEAD suites such as `TLS_AES_128_GCM_SHA256`.

package/rules/java/java.correctness.catch-null-pointer.rule.yaml ADDED Viewed

@@ -0,0 +1,40 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.catch-null-pointer
+  title: Do not catch NullPointerException
+  summary: NullPointerException indicates a programming error.
+  rationale: Catching NPE masks bugs that should be fixed at the source.
+  tags:
+    - correctness
+    - java
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.catch-null-pointer
+    bind: issue
+emit:
+  finding:
+    category: correctness.exceptions
+    severity: low
+    confidence: 0.88
+    tags:
+      - correctness
+      - java
+  message:
+    title: Remove NullPointerException catch in `${captures.issue.text}`
+    summary: "NullPointerException is caught instead of preventing null access."
+  remediation:
+    summary: Add null checks or Optional handling at the source of the failure.

package/rules/java/java.correctness.empty-catch.rule.yaml ADDED Viewed

@@ -0,0 +1,40 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.empty-catch
+  title: Do not use empty catch blocks
+  summary: Catch blocks should handle or rethrow exceptions.
+  rationale: Empty catches hide failures and make debugging difficult.
+  tags:
+    - correctness
+    - java
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.empty-catch
+    bind: issue
+emit:
+  finding:
+    category: correctness.exceptions
+    severity: medium
+    confidence: 0.88
+    tags:
+      - correctness
+      - java
+  message:
+    title: Handle exception in `${captures.issue.text}`
+    summary: "A catch block swallows an exception without handling it."
+  remediation:
+    summary: Log, recover, or rethrow the exception with context.

package/rules/java/java.correctness.equals-on-array.rule.yaml ADDED Viewed

@@ -0,0 +1,40 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.equals-on-array
+  title: Compare arrays with Arrays.equals
+  summary: Array.equals compares references, not contents.
+  rationale: Reference equality on arrays is almost always a logic bug.
+  tags:
+    - correctness
+    - java
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.equals-on-array
+    bind: issue
+emit:
+  finding:
+    category: correctness.equality
+    severity: medium
+    confidence: 0.88
+    tags:
+      - correctness
+      - java
+  message:
+    title: Fix array comparison in `${captures.issue.text}`
+    summary: "Array.equals compares references instead of elements."
+  remediation:
+    summary: Use Arrays.equals or Arrays.deepEquals for array content comparison.

package/rules/java/java.correctness.return-in-finally.rule.yaml ADDED Viewed

@@ -0,0 +1,40 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.return-in-finally
+  title: Avoid control flow in finally blocks
+  summary: return, break, continue, and throw in finally alter normal flow.
+  rationale: Control flow in finally can suppress exceptions and confuse readers.
+  tags:
+    - correctness
+    - java
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.return-in-finally
+    bind: issue
+emit:
+  finding:
+    category: correctness.control-flow
+    severity: medium
+    confidence: 0.88
+    tags:
+      - correctness
+      - java
+  message:
+    title: Remove control flow from finally in `${captures.issue.text}`
+    summary: "A finally block contains return, break, continue, or throw."
+  remediation:
+    summary: Keep finally blocks limited to cleanup without altering control flow.

package/rules/java/java.correctness.sync-on-string-literal.rule.yaml ADDED Viewed

@@ -0,0 +1,40 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.sync-on-string-literal
+  title: Do not synchronize on string literals
+  summary: String literals are interned and shared across the JVM.
+  rationale: Synchronizing on interned strings can cause unexpected deadlocks.
+  tags:
+    - correctness
+    - java
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.sync-on-string-literal
+    bind: issue
+emit:
+  finding:
+    category: correctness.concurrency
+    severity: medium
+    confidence: 0.88
+    tags:
+      - correctness
+      - java
+  message:
+    title: Avoid synchronizing on string literal in `${captures.issue.text}`
+    summary: "A synchronized block locks on a string literal."
+  remediation:
+    summary: Synchronize on a private final lock object instead.

package/rules/java/java.correctness.unsafe-optional-get.rule.yaml ADDED Viewed

@@ -0,0 +1,40 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.unsafe-optional-get
+  title: Check Optional before calling get
+  summary: Optional.get without a presence check can throw.
+  rationale: Unchecked Optional access causes runtime failures.
+  tags:
+    - correctness
+    - java
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.unsafe-optional-get
+    bind: issue
+emit:
+  finding:
+    category: correctness.nullability
+    severity: medium
+    confidence: 0.88
+    tags:
+      - correctness
+      - java
+  message:
+    title: Guard Optional.get in `${captures.issue.text}`
+    summary: "Optional.get is called without a nearby presence check."
+  remediation:
+    summary: Use orElse, orElseThrow, or isPresent before calling get.

package/rules/java/java.security.android-screenshot-exposure.rule.yaml CHANGED Viewed

@@ -5,6 +5,18 @@ metadata:
   title: Protect sensitive Android screens from screenshots and recents
   summary: Sensitive activities should enable FLAG_SECURE or avoid clearing it so screen content is harder to capture.
   rationale: Finance, authentication, and secret-bearing screens can leak through screenshots, screen recording, and recent-task previews when FLAG_SECURE is missing or cleared.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-200
+      title: Exposure of Sensitive Information to an Unauthorized Actor
+    - kind: url
+      title: Android App Security Best Practices
+      url: https://developer.android.com/privacy-and-security/risks
+    - kind: url
+      title: Android app security best practices
+      url: https://developer.android.com/privacy-and-security/risk
   tags:
     - security
     - privacy
@@ -33,3 +45,4 @@ emit:
     summary: "`${captures.issue.text}` appears on a sensitive Android surface without an effective FLAG_SECURE posture."
   remediation:
     summary: Enable FLAG_SECURE for sensitive screens, avoid clearing it at runtime, and document exceptions only after explicit threat modeling.

package/rules/java/java.security.android-world-readable-mode.rule.yaml CHANGED Viewed

@@ -5,6 +5,18 @@ metadata:
   title: Avoid Android world-readable or world-writable IO modes
   summary: Context files and shared preferences must not use MODE_WORLD_READABLE or MODE_WORLD_WRITABLE.
   rationale: Legacy Android modes expose application data to other packages on the device and break sandbox expectations for secrets.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-732
+      title: Incorrect Permission Assignment for Critical Resource
+    - kind: owasp
+      title: File Permission
+      url: https://owasp.org/www-community/vulnerabilities/Improper_File_Permissions
+    - kind: url
+      title: Android app security best practices
+      url: https://developer.android.com/privacy-and-security/risk
   tags:
     - security
     - privacy
@@ -33,3 +45,4 @@ emit:
     summary: "`${captures.issue.text}` opts into MODE_WORLD_READABLE or MODE_WORLD_WRITABLE, which weakens app sandbox isolation."
   remediation:
     summary: Use MODE_PRIVATE or scoped storage APIs instead of world-readable or world-writable modes.

package/rules/java/java.security.hibernate-sql-concatenation.rule.yaml ADDED Viewed

@@ -0,0 +1,62 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.hibernate-sql-concatenation
+  title: Bind Hibernate query parameters instead of concatenating SQL
+  summary: >-
+    Hibernate `Session.createQuery`, `createNativeQuery`, and `createSQLQuery` calls must not build their query text from string concatenation or `String.format`.
+  rationale: >-
+    Dynamic SQL fragments stitched into Hibernate query strings are an injection sink whenever any segment came from request, environment, or upload input.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-89
+      title: SQL Injection
+    - kind: owasp
+      title: SQL Injection Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Spring Boot security
+      url: https://docs.spring.io/spring-boot/reference/web/spring-security.html
+  tags:
+    - security
+    - java
+    - hibernate
+    - sql-injection
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+      - "**/*Tests.java"
+match:
+  fact:
+    kind: java.security.hibernate-sql-concatenation
+    bind: issue
+emit:
+  finding:
+    category: security.sql-injection
+    severity: critical
+    confidence: 0.84
+    tags:
+      - security
+      - java
+      - hibernate
+      - sql-injection
+  message:
+    title: Bind parameters in Hibernate query at `${captures.issue.text}`
+    summary: >-
+      `${captures.issue.text}` constructs a Hibernate query by concatenating or formatting strings instead of binding parameters.
+  remediation:
+    summary: >-
+      Use named or positional parameters via `setParameter`, the Criteria API, or typed query DSLs instead of interpolating values into the HQL or SQL text.

package/rules/java/java.security.insecure-cipher-mode.rule.yaml ADDED Viewed

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.insecure-cipher-mode
+  title: Avoid insecure cipher transformations
+  summary: "Java `Cipher.getInstance` should not request ECB mode or legacy algorithms like DES and RC4."
+  rationale: ECB mode leaks structure across blocks, while DES and RC4 are broken or deprecated and unsuitable for confidentiality.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+  tags:
+    - security
+    - java
+    - cryptography
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.security.insecure-cipher-mode
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: high
+    confidence: 0.92
+    tags:
+      - security
+      - java
+      - cryptography
+  message:
+    title: Replace insecure cipher transformation in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` requests an insecure cipher mode or algorithm."
+  remediation:
+    summary: "Use authenticated modes such as `AES/GCM/NoPadding` and modern algorithms; avoid ECB, DES, and RC4."

package/rules/java/java.security.insecure-network-protocol.rule.yaml ADDED Viewed

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.insecure-network-protocol
+  title: Avoid plaintext or legacy network protocols
+  summary: "URL/URI literals should not use `ftp://`, `telnet://`, or `jar:http://`."
+  rationale: These schemes transmit credentials and payloads in cleartext or load remote archives without integrity checks.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
+  tags:
+    - security
+    - java
+    - transport
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.security.insecure-network-protocol
+    bind: issue
+emit:
+  finding:
+    category: security.transport
+    severity: high
+    confidence: 0.92
+    tags:
+      - security
+      - java
+      - transport
+  message:
+    title: Use a secure protocol instead of `${captures.issue.text}`
+    summary: "`${captures.issue.text}` opens a URL or URI with a plaintext or legacy protocol."
+  remediation:
+    summary: "Use `https://`, `sftp://`, or `ssh://` and verify integrity for remote archives instead of `jar:http://`."

package/rules/java/java.security.insecure-ssl-context.rule.yaml ADDED Viewed

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.insecure-ssl-context
+  title: Avoid deprecated TLS/SSL protocol versions
+  summary: "`SSLContext.getInstance` should not request SSL, SSLv2, SSLv3, TLSv1.0, or TLSv1.1."
+  rationale: Pre-TLSv1.2 protocols are deprecated and vulnerable to known attacks such as POODLE and BEAST.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
+  tags:
+    - security
+    - java
+    - tls
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.security.insecure-ssl-context
+    bind: issue
+emit:
+  finding:
+    category: security.transport
+    severity: high
+    confidence: 0.95
+    tags:
+      - security
+      - java
+      - tls
+  message:
+    title: Replace deprecated SSL/TLS protocol `${captures.issue.text}`
+    summary: "`${captures.issue.text}` selects a deprecated TLS/SSL protocol version."
+  remediation:
+    summary: "Use `SSLContext.getInstance(\"TLSv1.2\")` or `\"TLSv1.3\"` and rely on platform defaults where possible."

package/rules/java/java.security.jpa-concatenated-query.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     `createQuery`, `createNativeQuery`, `JdbcTemplate` calls, and string-based `@Query` values must not stitch SQL with request data using `+`, `String.format`, or similar.
   rationale: >-
     Dynamic SQL built from untrusted fragments is a direct injection surface; parameterized queries and named parameters are the safe default.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-89
+      title: SQL Injection
+    - kind: owasp
+      title: SQL Injection Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Spring Boot security
+      url: https://docs.spring.io/spring-boot/reference/web/spring-security.html
   tags:
     - security
     - java
@@ -45,3 +57,4 @@ emit:
   remediation:
     summary: >-
       Use JPQL named parameters, `CriteriaUpdate`, or prepared JDBC statements with bound parameters; never interpolate request values into query text.