npm - @critiq/rules - Versions diffs - 0.1.0 → 0.3.0 - Mend

@critiq/rules 0.1.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (495) hide show

package/rules/java/java.security.jwt-without-verification.rule.yaml ADDED Viewed

@@ -0,0 +1,53 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.jwt-without-verification
+  title: Verify JWT signatures before trusting claims
+  summary: Decoding a JWT without verifying its signature allows attackers to forge tokens and impersonate users.
+  rationale: Methods like `JWT.decode` and `Jwts.parser().parseClaimsJwt` do not check the cryptographic signature; downstream claims cannot be trusted.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-287
+      title: Improper Authentication
+    - kind: owasp
+      title: JSON Web Token Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html
+  tags:
+    - security
+    - java
+    - jwt
+    - authentication
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.security.jwt-without-verification
+    bind: issue
+emit:
+  finding:
+    category: security.authentication
+    severity: high
+    confidence: 0.88
+    tags:
+      - security
+      - java
+      - jwt
+  message:
+    title: Verify JWT signature near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` reads a JWT without verifying its signature."
+  remediation:
+    summary: "Use `JWT.require(algorithm).build().verify(token)` or `Jwts.parser().setSigningKey(key).parseClaimsJws(token)` to authenticate the token before trusting claims."

package/rules/java/java.security.null-cipher.rule.yaml ADDED Viewed

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.null-cipher
+  title: Do not use NullCipher
+  summary: "Constructing `new NullCipher()` or `Cipher.getInstance(\"Null\")` performs no encryption."
+  rationale: NullCipher returns plaintext unchanged, providing no confidentiality and often disguising an intentional bypass of crypto.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+  tags:
+    - security
+    - java
+    - cryptography
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.security.null-cipher
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: critical
+    confidence: 0.97
+    tags:
+      - security
+      - java
+      - cryptography
+  message:
+    title: Replace NullCipher usage `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses NullCipher, which leaves data unencrypted."
+  remediation:
+    summary: "Use an authenticated cipher such as `AES/GCM/NoPadding` with a properly managed key."

package/rules/java/java.security.permissive-cors.rule.yaml ADDED Viewed

@@ -0,0 +1,53 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.permissive-cors
+  title: Avoid wildcard CORS allow-origins
+  summary: "Spring `@CrossOrigin(\"*\")`, `allowedOrigins(\"*\")`, and `addAllowedOriginPattern(\"*\")` open the API to any origin."
+  rationale: Wildcard origins disable browser-enforced same-origin protection and can allow untrusted sites to call the API with credentials.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-942
+      title: Permissive Cross-domain Policy with Untrusted Domains
+    - kind: owasp
+      title: Cross-Origin Resource Sharing (CORS)
+      url: https://owasp.org/www-community/attacks/CORS_OriginHeaderScrutiny
+  tags:
+    - security
+    - java
+    - spring
+    - cors
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.security.permissive-cors
+    bind: issue
+emit:
+  finding:
+    category: security.web
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - java
+      - cors
+  message:
+    title: Restrict CORS allow-origin near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` accepts every origin via a wildcard CORS configuration."
+  remediation:
+    summary: "Allow only the specific origins your service trusts; never combine `allowCredentials(true)` with a wildcard origin."

package/rules/java/java.security.predictable-securerandom.rule.yaml ADDED Viewed

@@ -0,0 +1,59 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.predictable-securerandom
+  title: Avoid seeding SecureRandom with predictable values
+  summary: >-
+    `new SecureRandom(byte[])` should not be initialized with literal byte arrays, short fixed buffers, or string-derived seeds.
+  rationale: >-
+    A hardcoded or short seed reduces SecureRandom entropy to a guessable space, making downstream tokens, keys, and salts predictable.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+  tags:
+    - security
+    - java
+    - random
+    - cryptography
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+      - "**/*Tests.java"
+match:
+  fact:
+    kind: java.security.predictable-securerandom
+    bind: issue
+emit:
+  finding:
+    category: security.random
+    severity: high
+    confidence: 0.86
+    tags:
+      - security
+      - java
+      - random
+      - cryptography
+  message:
+    title: Seed SecureRandom from a strong source at `${captures.issue.text}`
+    summary: >-
+      `${captures.issue.text}` seeds `SecureRandom` from a literal or short buffer, which lowers effective entropy.
+  remediation:
+    summary: >-
+      Construct `SecureRandom` without arguments to use the system entropy source, or call `SecureRandom.getInstanceStrong()` and `generateSeed` for high-entropy material.

package/rules/java/java.security.reflected-output-from-request.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid reflecting servlet request data through response writers
   summary: Servlet writers should not emit raw request parameters or headers without encoding or policy checks.
   rationale: Writing request-controlled strings directly into HTTP responses is a common reflected XSS vector for servlet stacks.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-20
+      title: Improper Input Validation
+    - kind: owasp
+      title: Input Validation Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
   tags:
     - security
     - xss
@@ -33,3 +42,4 @@ emit:
     summary: "`${captures.issue.text}` forwards request-derived content through the servlet response writer without an obvious encoding guard."
   remediation:
     summary: Contextually encode output for HTML or JSON consumers, validate redirect-like flows separately, and prefer templating APIs that auto-escape.

package/rules/java/java.security.servlet-insecure-cookie.rule.yaml CHANGED Viewed

@@ -5,6 +5,18 @@ metadata:
   title: Harden servlet session and auth cookies
   summary: Session-like cookies must not disable HttpOnly or Secure, and explicit insecure builder flags should be removed.
   rationale: Missing HttpOnly and Secure flags expose cookies to XSS and network interception; disabling them makes theft materially easier.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-614
+      title: Sensitive Cookie Without Secure Attribute
+    - kind: owasp
+      title: Session Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
+    - kind: url
+      title: Spring Boot security
+      url: https://docs.spring.io/spring-boot/reference/web/spring-security.html
   tags:
     - security
     - session
@@ -33,3 +45,4 @@ emit:
     summary: "`${captures.issue.text}` builds or adjusts cookies with risky defaults or explicitly weakened HttpOnly/Secure flags."
   remediation:
     summary: Prefer ResponseCookie with Secure and HttpOnly enabled, SameSite appropriate for your topology, and minimize lifetime on authentication cookies.

package/rules/java/java.security.shell-runtime-exec.rule.yaml ADDED Viewed

@@ -0,0 +1,58 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.shell-runtime-exec
+  title: Prefer Runtime.exec with an argument array
+  summary: >-
+    `Runtime.getRuntime().exec(...)` should not be invoked with a single `String` command argument; the array form (`exec(String[])`) avoids shell-style tokenization.
+  rationale: >-
+    The `exec(String)` overload splits on whitespace and respects no quoting; values containing spaces or shell metacharacters can change the command parsed at runtime.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-78
+      title: OS Command Injection
+    - kind: owasp
+      title: OS Command Injection Defense Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html
+  tags:
+    - security
+    - java
+    - execution
+    - shell-injection
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+      - "**/*Tests.java"
+match:
+  fact:
+    kind: java.security.shell-runtime-exec
+    bind: issue
+emit:
+  finding:
+    category: security.execution
+    severity: high
+    confidence: 0.86
+    tags:
+      - security
+      - java
+      - execution
+  message:
+    title: Use the array form for `${captures.issue.text}`
+    summary: >-
+      `${captures.issue.text}` calls `Runtime.exec` with a single `String`, which tokenizes on whitespace and can lead to unintended arguments.
+  remediation:
+    summary: >-
+      Pass an explicit `String[]` of command and arguments, or use `ProcessBuilder` with separate arguments and the parent process inheriting no shell.

package/rules/java/java.security.spring-actuator-health-details-always.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     `management.endpoint.health.show-details=always` (or YAML equivalent) publishes detailed health payloads to any caller, which often leaks dependency and infrastructure facts.
   rationale: >-
     Detailed health should be reserved for authenticated operators or internal networks; `always` removes that gate for anonymous clients.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+    - kind: url
+      title: Spring Boot security
+      url: https://docs.spring.io/spring-boot/reference/web/spring-security.html
   tags:
     - security
     - java
@@ -38,3 +50,4 @@ emit:
   remediation:
     summary: >-
       Switch to `when-authorized`, protect `/actuator/**` with Spring Security, and keep verbose health on internal-only ports or profiles.

package/rules/java/java.security.spring-actuator-sensitive-exposure.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Actuator `management.endpoints.web.exposure.include` should not expose wildcards or high-risk endpoints (such as `env`, `beans`, or `heapdump`) without deliberate access control.
   rationale: >-
     Over-exposed actuators leak configuration, secrets material, and JVM internals that attackers can use to pivot or crash the service.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+    - kind: url
+      title: Spring Boot security
+      url: https://docs.spring.io/spring-boot/reference/web/spring-security.html
   tags:
     - security
     - java
@@ -38,3 +50,4 @@ emit:
   remediation:
     summary: >-
       Replace wildcards with explicit endpoint lists, move sensitive endpoints off public networks, and pair exposure with Spring Security rules or management port isolation.

package/rules/java/java.security.spring-csrf-globally-disabled.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Disabling CSRF globally is unsafe for cookie-backed browser sessions unless the app is clearly hardened as a stateless API (for example OAuth2 resource server with stateless sessions).
   rationale: >-
     CSRF protects browser clients that send session cookies; turning it off without token-based or stateless mitigations invites cross-site request forgery against privileged actions.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-352
+      title: Cross-Site Request Forgery (CSRF)
+    - kind: owasp
+      title: Cross-Site Request Forgery Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
+    - kind: url
+      title: Spring Boot security
+      url: https://docs.spring.io/spring-boot/reference/web/spring-security.html
   tags:
     - security
     - java
@@ -47,3 +59,4 @@ emit:
   remediation:
     summary: >-
       Prefer CSRF tokens for cookie sessions, use `oauth2ResourceServer` with JWT for APIs, or set `SessionCreationPolicy.STATELESS` with a reviewed token story instead of blanket `csrf().disable()`.

package/rules/java/java.security.spring-debug-exposure.rule.yaml CHANGED Viewed

@@ -5,6 +5,18 @@ metadata:
   title: Avoid Spring Boot debug and actuator exposure in shipped configuration
   summary: Spring Boot configuration should not force debug logging or wildcard actuator exposure.
   rationale: Debug modes and fully exposed actuator endpoints leak internals and expand remote attack surface when configs ship to production.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-209
+      title: Generation of Error Message Containing Sensitive Information
+    - kind: owasp
+      title: Error Handling Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html
+    - kind: url
+      title: Spring Boot security
+      url: https://docs.spring.io/spring-boot/reference/web/spring-security.html
   tags:
     - security
     - spring
@@ -33,3 +45,4 @@ emit:
     summary: "`${captures.issue.text}` enables verbose debugging or permissive actuator exposure that should stay out of production defaults."
   remediation:
     summary: Remove debug=true overrides, scope logging levels deliberately, and enumerate only required actuator endpoints behind authentication.

package/rules/java/java.security.spring-permit-all-default.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Production HTTP security chains should not end with a broad permit-all fallback such as `anyRequest().permitAll()` or `requestMatchers("/**").permitAll()`.
   rationale: >-
     Anonymous-by-default authorization lets unauthenticated callers reach handlers that were meant to be protected, which often leads to broken access control and data exposure.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-862
+      title: Missing Authorization
+    - kind: owasp
+      title: Authorization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html
+    - kind: url
+      title: Spring Boot security
+      url: https://docs.spring.io/spring-boot/reference/web/spring-security.html
   tags:
     - security
     - java
@@ -45,3 +57,4 @@ emit:
   remediation:
     summary: >-
       Replace broad permit-all with authenticated or role-based rules, keep public paths explicit, and add integration tests that assert unauthorized access is rejected.

package/rules/java/java.security.spring-webmvc-unrestricted-data-binding.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Binding request parameters directly into entity-like models without `setAllowedFields` / `@InitBinder` controls risks mass-assignment privilege escalation.
   rationale: >-
     Attackers can post unexpected fields (for example `role=admin`) that map onto persistent entities unless binding is explicitly allow-listed.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+    - kind: url
+      title: Spring Boot security
+      url: https://docs.spring.io/spring-boot/reference/web/spring-security.html
   tags:
     - security
     - java
@@ -45,3 +57,4 @@ emit:
   remediation:
     summary: >-
       Prefer dedicated request DTOs, declare allowed fields explicitly, and avoid binding security-sensitive properties from raw requests.

package/rules/java/java.security.template-unescaped-user-output.rule.yaml CHANGED Viewed

@@ -7,6 +7,15 @@ metadata:
     Thymeleaf `th:utext`, JSP scriptlets, and FreeMarker `?no_esc` patterns must not render untrusted request or model values without an explicit sanitization strategy.
   rationale: >-
     Non-escaped template sinks turn reflected input into XSS, which compromises browser sessions and administrative workflows.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
   tags:
     - security
     - java
@@ -47,3 +56,4 @@ emit:
   remediation:
     summary: >-
       Use Thymeleaf `th:text`, avoid raw JSP expressions for request data, and keep FreeMarker auto-escaping on unless a vetted sanitizer wraps dynamic HTML.

package/rules/java/java.security.trust-all-certificates.rule.yaml ADDED Viewed

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.trust-all-certificates
+  title: Do not trust every TLS certificate
+  summary: "TrustManagers must validate certificates; empty `checkServerTrusted`/`checkClientTrusted` bodies or `TrustAllStrategy` accept any peer."
+  rationale: Disabling certificate validation defeats TLS authentication and enables man-in-the-middle attacks.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
+  tags:
+    - security
+    - java
+    - tls
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.security.trust-all-certificates
+    bind: issue
+emit:
+  finding:
+    category: security.transport
+    severity: critical
+    confidence: 0.93
+    tags:
+      - security
+      - java
+      - tls
+  message:
+    title: Restore certificate validation near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` accepts any TLS certificate without verification."
+  remediation:
+    summary: "Use the platform default `TrustManager` or pin specific CAs; never ship a TrustManager whose validation methods are empty."

package/rules/java/java.security.unsafe-jackson-deserialization.rule.yaml ADDED Viewed

@@ -0,0 +1,59 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.unsafe-jackson-deserialization
+  title: Avoid enabling Jackson polymorphic deserialization
+  summary: >-
+    Jackson `ObjectMapper` should not call `enableDefaultTyping` or `activateDefaultTyping`, and `@JsonTypeInfo(use = Id.CLASS|MINIMAL_CLASS)` should not be applied without an allowlist.
+  rationale: >-
+    Polymorphic deserialization that encodes class names lets attacker-controlled payloads instantiate gadget chains and pivot to remote code execution.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-502
+      title: Deserialization of Untrusted Data
+    - kind: owasp
+      title: Deserialization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
+  tags:
+    - security
+    - java
+    - jackson
+    - deserialization
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+      - "**/*Tests.java"
+match:
+  fact:
+    kind: java.security.unsafe-jackson-deserialization
+    bind: issue
+emit:
+  finding:
+    category: security.deserialization
+    severity: critical
+    confidence: 0.88
+    tags:
+      - security
+      - java
+      - jackson
+      - deserialization
+  message:
+    title: Restrict Jackson polymorphic typing at `${captures.issue.text}`
+    summary: >-
+      `${captures.issue.text}` opts into Jackson polymorphic typing without an allowlist; untrusted JSON can then instantiate arbitrary classes.
+  remediation:
+    summary: >-
+      Disable default typing, validate types with a strict subtype resolver, or replace `Id.CLASS` / `Id.MINIMAL_CLASS` with `Id.NAME` and a registered set of allowed subtypes.

package/rules/java/java.security.weak-rsa-key-size.rule.yaml ADDED Viewed

@@ -0,0 +1,54 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.security.weak-rsa-key-size
+  title: Use at least 2048-bit RSA keys
+  summary: RSA key generation should request a key size of 2048 bits or higher.
+  rationale: RSA moduli below 2048 bits are considered cryptographically weak and feasible to attack with modern resources.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+  tags:
+    - security
+    - java
+    - cryptography
+    - rsa
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.security.weak-rsa-key-size
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - java
+      - cryptography
+      - rsa
+  message:
+    title: Increase RSA key size near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` initializes RSA with fewer than 2048 bits."
+  remediation:
+    summary: Generate RSA keys with at least 2048 bits, or prefer Ed25519/ECDSA for new code where appropriate.