npm - @critiq/rules - Versions diffs - 0.1.0 → 0.3.0 - Mend

@critiq/rules 0.1.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (495) hide show

package/rules/rust/rust.security.tls-missing-min-version.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.tls-missing-min-version
+  title: Set a minimum TLS protocol version in Rust TLS configs
+  summary: >-
+    Rust TLS client and server configuration should set an explicit minimum protocol version (TLS 1.2 or newer).
+  rationale: >-
+    Without a minimum version, legacy SSL/TLS protocols may be negotiated, weakening transport security.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
+  tags:
+    - security
+    - rust
+    - tls
+    - cryptography
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.tls-missing-min-version
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - rust
+      - tls
+      - cryptography
+  message:
+    title: Set minimum TLS version near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` configures TLS without an explicit minimum protocol version."
+  remediation:
+    summary: >-
+      Set `min_protocol_version` (rustls) or `min_tls_version` (reqwest) to TLS 1.2 or newer.

package/rules/rust/rust.security.warp-blocking-or-panic-in-async-handler.rule.yaml CHANGED Viewed

@@ -7,6 +7,18 @@ metadata:
     Warp filters and handlers run on the async runtime; avoid `std::fs`, `thread::sleep`, and `unwrap` on request paths without `spawn_blocking` or proper errors.
   rationale: >-
     Blocking the runtime reduces availability and unwraps turn parse errors into panics; both are amplified under load and hostile traffic.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+    - kind: url
+      title: ANSSI Rust secure development guidelines
+      url: https://anssi-fr.github.io/rust-guide/01-general-principles.html
   tags:
     - security
     - rust
@@ -43,3 +55,4 @@ emit:
   remediation:
     summary: >-
       Use `tokio::fs`, offload blocking work with `spawn_blocking`, and propagate errors with `Rejection` instead of `unwrap`.

package/rules/rust/rust.security.weak-crypto-import.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.weak-crypto-import
+  title: Avoid importing broken or deprecated crypto crates
+  summary: >-
+    Production Rust code should not import `md5`, `sha1`, `des`, or `rc4` for security-sensitive purposes.
+  rationale: >-
+    MD5 and SHA-1 are broken hash functions, DES has an obsolete key size, and RC4 has known biases.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+  tags:
+    - security
+    - rust
+    - cryptography
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.weak-crypto-import
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: medium
+    confidence: 0.85
+    tags:
+      - security
+      - rust
+      - cryptography
+  message:
+    title: Replace weak crypto import at `${captures.issue.text}`
+    summary: "`${captures.issue.text}` imports a broken or deprecated crypto crate."
+  remediation:
+    summary: >-
+      Use `sha2`, `blake3`, or `aes-gcm` for modern cryptographic primitives.

package/rules/rust/rust.security.weak-rsa-key-size.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.weak-rsa-key-size
+  title: Use RSA keys of at least 2048 bits
+  summary: >-
+    RSA key generation must use at least 2048 bits.
+  rationale: >-
+    RSA keys shorter than 2048 bits are vulnerable to factorization attacks with modern compute.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+  tags:
+    - security
+    - rust
+    - cryptography
+    - rsa
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.weak-rsa-key-size
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - rust
+      - cryptography
+      - rsa
+  message:
+    title: Increase RSA key size near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` generates an RSA key smaller than 2048 bits."
+  remediation:
+    summary: >-
+      Generate RSA keys with at least 2048 bits, or prefer Ed25519/ECDSA for new designs.

package/rules/rust/rust.security.weak-tls-cipher.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.weak-tls-cipher
+  title: Avoid weak TLS cipher suites
+  summary: >-
+    Rust TLS configuration must not include cipher suites using RC4, 3DES, NULL, or EXPORT algorithms.
+  rationale: >-
+    Weak cipher suites are vulnerable to practical attacks and should not be negotiated.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
+  tags:
+    - security
+    - rust
+    - tls
+    - cryptography
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.weak-tls-cipher
+    bind: issue
+emit:
+  finding:
+    category: security.cryptography
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - rust
+      - tls
+      - cryptography
+  message:
+    title: Replace weak TLS cipher near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` references a weak TLS cipher suite."
+  remediation:
+    summary: >-
+      Use modern AEAD cipher suites such as TLS_AES_128_GCM_SHA256 or TLS_CHACHA20_POLY1305_SHA256.

package/rules/shared/security.archive-path-traversal.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Sanitize archive entry paths before writing
   summary: Archive extraction should not write entry names directly to the filesystem.
   rationale: Archive entries can contain traversal paths that overwrite files outside the intended extraction directory.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-22
+      title: Path Traversal
+    - kind: owasp
+      title: Path Traversal
+      url: https://owasp.org/www-community/attacks/Path_Traversal
   tags:
     - security
     - filesystem
@@ -39,3 +48,4 @@ emit:
     summary: "`${captures.issue.text}` may write an archive-controlled path without a containment check."
   remediation:
     summary: Normalize each entry path against a trusted extraction root and reject paths that escape it.

package/rules/shared/security.external-file-upload.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Do not persist upload filenames directly
   summary: Upload handlers should not store attacker-controlled filenames without generating or validating a safe local name.
   rationale: Upload filenames can carry traversal payloads, collisions, or misleading extensions that break local containment.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-434
+      title: Unrestricted Upload of File with Dangerous Type
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
   tags:
     - security
     - filesystem
@@ -38,3 +47,4 @@ emit:
     summary: "`${captures.issue.text}` persists an upload filename derived from attacker-controlled input."
   remediation:
     summary: Generate a server-side filename or apply a strict allowlist before storing uploaded content.

package/rules/shared/security.insecure-http-transport.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Insecure HTTP transport
   summary: Outbound transport should not use plain HTTP for sensitive requests.
   rationale: Plain HTTP exposes traffic to interception and tampering.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
   tags:
     - security
     - transport
@@ -40,3 +49,4 @@ emit:
     summary: "`${captures.issue.text}` sends an outbound request over plain HTTP."
   remediation:
     summary: Use HTTPS or a trusted local-development exception for non-production endpoints.

package/rules/shared/security.no-command-execution-with-request-input.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Command execution using untrusted input
   summary: Process execution helpers must not receive request-controlled executables or shell-interpreted arguments.
   rationale: Request-controlled process execution can become remote code execution when attackers choose the binary or influence shell parsing.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-78
+      title: OS Command Injection
+    - kind: owasp
+      title: OS Command Injection Defense Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html
   tags:
     - security
     - injection
@@ -40,3 +49,4 @@ emit:
     summary: "`${captures.execCall.text}` executes a process using request-controlled command data."
   remediation:
     summary: Dispatch only allowlisted binaries, keep shell mode disabled, and validate or constrain subcommands before execution.

package/rules/shared/security.no-hardcoded-credentials.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Hardcoded API keys or credentials
   summary: Source files should not embed credential-like string literals.
   rationale: Hardcoded credentials are difficult to rotate and are easily leaked through source control.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-798
+      title: Use of Hard-coded Credentials
+    - kind: owasp
+      title: Secrets Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
   tags:
     - security
     - secrets
@@ -40,3 +49,4 @@ emit:
     summary: "`${captures.credential.text}` appears to embed a credential-like literal in source code."
   remediation:
     summary: Move the secret to a secure runtime secret store or environment-backed config path.

package/rules/shared/security.no-request-path-file-read.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Path traversal via user input
   summary: File access calls must not use request-controlled paths directly.
   rationale: User-controlled paths can escape the intended directory and expose sensitive files.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-434
+      title: Unrestricted Upload of File with Dangerous Type
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
   tags:
     - security
     - filesystem
@@ -40,3 +49,4 @@ emit:
     summary: "`${captures.fileRead.text}` reads from a path derived from request data without an allowlist or boundary check."
   remediation:
     summary: Resolve the path against a trusted base directory and reject values that escape it.

package/rules/shared/security.no-sensitive-data-in-logs-and-telemetry.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid sensitive data in logs and telemetry
   summary: Sensitive fields should not be sent to logging, tracing, or analytics sinks.
   rationale: Observability payloads often leave the service boundary and can expose secrets, account identifiers, or personal data if they carry raw request or user fields.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-532
+      title: Insertion of Sensitive Information into Log File
+    - kind: owasp
+      title: Logging Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
   tags:
     - security
     - privacy
@@ -42,3 +51,4 @@ emit:
     summary: "`${captures.issue.text}` reaches a logging or telemetry sink with sensitive data."
   remediation:
     summary: Redact, hash, or drop the sensitive field before it reaches the sink.

package/rules/shared/security.no-sql-interpolation.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid raw or interpolated SQL
   summary: Database query sinks must not receive request-driven or dynamically interpolated SQL text.
   rationale: Raw or interpolated SQL can let attackers control query structure when values are not passed separately.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-89
+      title: SQL Injection
+    - kind: owasp
+      title: SQL Injection Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
   tags:
     - security
     - sql
@@ -40,3 +49,4 @@ emit:
     summary: "`${captures.queryCall.text}` builds or forwards SQL text directly into a raw query sink."
   remediation:
     summary: Use prepared statements, placeholder parameters, or a typed query builder instead of executing raw SQL text.

package/rules/shared/security.permissive-file-permissions.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid world-readable or world-writable file permissions
   summary: File creation and permission changes should not grant broad local access.
   rationale: Broad permissions expose application data to local users or processes that should not read or modify it.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-732
+      title: Incorrect Permission Assignment for Critical Resource
+    - kind: owasp
+      title: File Permission
+      url: https://owasp.org/www-community/vulnerabilities/Improper_File_Permissions
   tags:
     - security
     - filesystem
@@ -38,3 +47,4 @@ emit:
     summary: "`${captures.issue.text}` grants world-readable or world-writable filesystem access."
   remediation:
     summary: Use least-privilege file modes and avoid world-readable or world-writable permissions.

package/rules/shared/security.sensitive-data-egress.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Sensitive data egress to third-party processors
   summary: Sensitive values should not be sent to external processors or outbound SDKs without minimization or redaction.
   rationale: Sending regulated or secret data to third-party services increases privacy exposure and creates downstream processor risk.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-200
+      title: Exposure of Sensitive Information to an Unauthorized Actor
+    - kind: owasp
+      title: Logging Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
   tags:
     - security
     - privacy
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` sends request or identity data to an outbound processor."
   remediation:
     summary: Minimize the payload, redact sensitive fields, or route the data only to approved processors.

package/rules/shared/security.tls-verification-disabled.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: TLS verification disabled
   summary: Transport clients should not disable certificate verification.
   rationale: Trust-all TLS settings accept any certificate and undermine transport security.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
   tags:
     - security
     - transport
@@ -40,3 +49,4 @@ emit:
     summary: "`${captures.issue.text}` disables certificate verification or trust validation."
   remediation:
     summary: Use trusted certificate validation and remove trust-all overrides outside local development.

package/rules/shared/security.unsafe-deserialization.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Protect deserialization trust boundaries
   summary: Deserializers should not consume untrusted payloads directly across a trust boundary.
   rationale: Deserializing untrusted payloads can let attacker-controlled data reshape parser state, object graphs, or downstream runtime behavior.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-502
+      title: Deserialization of Untrusted Data
+    - kind: owasp
+      title: Deserialization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
   tags:
     - security
     - deserialization
@@ -39,3 +48,4 @@ emit:
     summary: "`${captures.issue.text}` deserializes an untrusted payload across a trust boundary."
   remediation:
     summary: Deserialize only from trusted producers, or validate and constrain the payload shape before crossing the deserialization boundary.

package/rules/shared/security.weak-hash-algorithm.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid weak hash algorithms
   summary: Cryptographic hashing should use modern, collision-resistant algorithms.
   rationale: Weak digests such as MD5 and SHA-1 are vulnerable to collisions and should not be used for security-sensitive hashing.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
   tags:
     - security
     - crypto
@@ -39,3 +48,4 @@ emit:
     summary: "`${captures.issue.text}` uses a weak hash algorithm."
   remediation:
     summary: Use SHA-256, SHA-384, SHA-512, or a stronger approved hashing primitive instead.

package/rules/typescript/ts.correctness.array-callback-missing-return.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.array-callback-missing-return
+  title: Array callback missing return
+  summary: Array iteration callbacks with block bodies should return a value when required.
+  rationale: map, filter, reduce, every, and some expect callback return values; missing returns yield undefined elements or incorrect predicates.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-032
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.array-callback-missing-return
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.88
+    tags:
+      - correctness
+      - language
+  message:
+    title: Add a return to the array callback
+    summary: "`${captures.issue.text}` is a block-bodied array callback without a return statement."
+  remediation:
+    summary: Return the computed value from the callback, or switch to forEach when side effects are intended.

package/rules/typescript/ts.correctness.array-sort-without-compare.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.array-sort-without-compare
+  title: Array.sort without compare function
+  summary: Provide a compare function when sorting non-string arrays.
+  rationale: Default sort coerces elements to strings, which misorders numbers and many objects.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-036
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.array-sort-without-compare
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.88
+    tags:
+      - correctness
+      - language
+  message:
+    title: Pass a compare function to sort
+    summary: "`${captures.issue.text}` calls sort() without a comparator."
+  remediation:
+    summary: Pass an explicit compare function, for example `(a, b) => a - b` for numbers.

package/rules/typescript/ts.correctness.control-flow-in-finally.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.control-flow-in-finally
+  title: Control flow in finally block
+  summary: Avoid return, throw, break, or continue inside finally blocks.
+  rationale: Control-flow statements in finally override try/catch completion and can hide errors or skip cleanup intent.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-028
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.control-flow-in-finally
+    bind: issue
+emit:
+  finding:
+    category: correctness.control-flow
+    severity: medium
+    confidence: 0.9
+    tags:
+      - correctness
+      - language
+  message:
+    title: Remove control flow from finally
+    summary: "`${captures.issue.text}` changes completion inside a finally block."
+  remediation:
+    summary: Move return, throw, break, or continue out of the finally block, or restructure the try/finally logic.

package/rules/typescript/ts.correctness.duplicate-if-else-condition.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.duplicate-if-else-condition
+  title: Duplicate if-else-if condition
+  summary: Do not repeat the same test in an if-else-if chain.
+  rationale: Duplicate conditions create unreachable branches and usually indicate a copy-paste defect.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-031
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.duplicate-if-else-condition
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.9
+    tags:
+      - correctness
+      - language
+  message:
+    title: Remove duplicate if condition
+    summary: "`${captures.issue.text}` repeats a prior if-else-if test."
+  remediation:
+    summary: Remove the duplicate branch or change the condition to the intended distinct test.