npm - @critiq/rules - Versions diffs - 0.2.0 → 0.4.0 - Mend

@critiq/rules 0.2.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (907) hide show

package/rules/rust/rust.security.unsafe-remove-dir-all.rule.yaml ADDED Viewed

@@ -0,0 +1,62 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: rust.security.unsafe-remove-dir-all
+  title: Avoid `std::fs::remove_dir_all` without TOCTOU mitigations
+  summary: >-
+    `remove_dir_all` is vulnerable to TOCTOU (time-of-check-time-of-use) races
+    when the directory tree contains symbolic links.
+  rationale: >-
+    `std::fs::remove_dir_all` follows symlinks, enabling arbitrary file deletion
+    via directory traversal during removal (CWE-367).
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-367
+      title: Time-of-check Time-of-use (TOCTOU) Race Condition
+    - kind: url
+      title: CWE-367 TOCTOU
+      url: https://cwe.mitre.org/data/definitions/367.html
+  tags:
+    - security
+    - rust
+    - filesystem
+    - race-condition
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+  aliases:
+    - RS-S1002
+scope:
+  languages:
+    - rust
+  paths:
+    include:
+      - "**/*.rs"
+    exclude:
+      - "**/tests/**"
+      - "**/*_test.rs"
+      - "**/examples/**"
+match:
+  fact:
+    kind: rust.security.unsafe-remove-dir-all
+    bind: issue
+emit:
+  finding:
+    category: security.filesystem
+    severity: high
+    confidence: 0.80
+    tags:
+      - security
+      - rust
+      - filesystem
+      - race-condition
+  message:
+    title: Guard `remove_dir_all` against symlink races near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` removes a directory tree without TOCTOU protection."
+  remediation:
+    summary: >-
+      Prefer `std::fs::remove_dir_all` only on trusted paths, or use an
+      alternative that handles symlinks explicitly (e.g. the `remove_dir_all`
+      crate with `#[cfg(not(target_os = "linux"))]` guards).

package/rules/rust/rust.security.weak-crypto-import.rule.yaml CHANGED Viewed

@@ -23,6 +23,8 @@ metadata:
     - rules-catalog
   stability: experimental
   appliesTo: block
+  aliases:
+    - RS-S1004
 scope:
   languages:
     - rust

package/rules/rust/rust.security.weak-rsa-key-size.rule.yaml CHANGED Viewed

@@ -24,6 +24,8 @@ metadata:
     - rules-catalog
   stability: experimental
   appliesTo: block
+  aliases:
+    - RS-S1005
 scope:
   languages:
     - rust

package/rules/rust/rust.testing.ignore-without-ticket-reference.rule.yaml CHANGED Viewed

@@ -2,9 +2,12 @@ apiVersion: critiq.dev/v1alpha1
 kind: Rule
 metadata:
   id: rust.testing.ignore-without-ticket-reference
-  title: "Rust #[ignore] tests should cite a ticket"
-  summary: Ignored tests without a nearby tracker comment are easy to lose.
-  rationale: Ignored tests should carry reviewable intent like skips in other ecosystems.
+  title: "Add a ticket reference to ignored Rust tests"
+  summary: "`#[ignore]` without a nearby ticket reference or reason makes the test easy to forget."
+  rationale: >
+    Ignored tests accumulate when their ignore reason is undocumented. A ticket
+    reference or suppression comment tells future maintainers why the test is
+    skipped and when it should be re-enabled.
   tags:
     - testing
     - rust
@@ -14,6 +17,11 @@ metadata:
 scope:
   languages:
     - rust
+  paths:
+    exclude:
+      - "**/compiler/*/tests/**"
+      - "**/src/tools/*/tests/**"
+      - "**/tests/ui/**"
 match:
   fact:
     kind: rust.testing.ignore-without-ticket-reference
@@ -27,7 +35,5 @@ emit:
       - testing
       - rust
   message:
-    title: Add a ticket comment near `${captures.issue.text}`
-    summary: "`#[ignore]` is present without a nearby issue key or accepted suppression comment."
-  remediation:
-    summary: Document the ignore with a tracker id or remove the attribute when the test is ready.
+    title: "Ignored test lacks a ticket reference"
+    summary: "`#[ignore]` was found without a nearby issue tracker id (e.g., `#123`, `JIRA-77`), suppression comment (`TODO(expires: YYYY-MM-DD)`), or same-line reason comment."

package/rules/rust/rust.testing.thread-sleep-in-unit-test.rule.yaml CHANGED Viewed

@@ -2,9 +2,9 @@ apiVersion: critiq.dev/v1alpha1
 kind: Rule
 metadata:
   id: rust.testing.thread-sleep-in-unit-test
-  title: Avoid thread::sleep in Rust unit tests
-  summary: Sleeping in tests slows CI and hides synchronization bugs.
-  rationale: Prefer deterministic synchronization or tokio time advances.
+  title: Avoid blocking std::thread::sleep with long duration in Rust unit tests
+  summary: Long blocking sleeps (>100ms) in narrow unit tests slow CI and hide synchronization bugs.
+  rationale: Use tokio::time::sleep (async-safe), deterministic synchronization, or tokio time advances instead of blocking the test thread.
   tags:
     - testing
     - rust
@@ -27,7 +27,7 @@ emit:
       - testing
       - rust
   message:
-    title: Replace sleep in `${captures.issue.text}`
-    summary: "`${captures.issue.text}` blocks on real wall-clock time inside a test-like path."
+    title: Blocking sleep exceeding 100ms in Rust unit test
+    summary: "`${captures.issue.text}` blocks on wall-clock time inside a narrow unit test. Prefer async-safe alternatives."
   remediation:
-    summary: Use `tokio::time::pause`, condvars, or scoped integration tests for real delays.
+    summary: Use `tokio::time::pause`, `tokio::time::sleep` (non-blocking), `condvars`, or move to integration tests for real delays. Short sleeps (≤100ms) are allowed for event loop yielding.

package/rules/shared/security.no-command-execution-with-request-input.rule.yaml CHANGED Viewed

@@ -4,6 +4,9 @@ metadata:
   id: security.no-command-execution-with-request-input
   title: Command execution using untrusted input
   summary: Process execution helpers must not receive request-controlled executables or shell-interpreted arguments.
+  aliases:
+    - PHP-A1009
+    - GO-S1015
   rationale: Request-controlled process execution can become remote code execution when attackers choose the binary or influence shell parsing.
   detection:
     kind: pattern

package/rules/shared/security.no-sensitive-data-in-logs-and-telemetry.rule.yaml CHANGED Viewed

@@ -4,6 +4,8 @@ metadata:
   id: security.no-sensitive-data-in-logs-and-telemetry
   title: Avoid sensitive data in logs and telemetry
   summary: Sensitive fields should not be sent to logging, tracing, or analytics sinks.
+  aliases:
+    - PHP-A1011
   rationale: Observability payloads often leave the service boundary and can expose secrets, account identifiers, or personal data if they carry raw request or user fields.
   detection:
     kind: pattern

package/rules/shared/security.no-sql-interpolation.rule.yaml CHANGED Viewed

@@ -4,6 +4,8 @@ metadata:
   id: security.no-sql-interpolation
   title: Avoid raw or interpolated SQL
   summary: Database query sinks must not receive request-driven or dynamically interpolated SQL text.
+  aliases:
+    - PHP-A1002
   rationale: Raw or interpolated SQL can let attackers control query structure when values are not passed separately.
   detection:
     kind: pattern

package/rules/shared/security.permissive-file-permissions.rule.yaml CHANGED Viewed

@@ -4,6 +4,8 @@ metadata:
   id: security.permissive-file-permissions
   title: Avoid world-readable or world-writable file permissions
   summary: File creation and permission changes should not grant broad local access.
+  aliases:
+    - PHP-A1006
   rationale: Broad permissions expose application data to local users or processes that should not read or modify it.
   detection:
     kind: pattern

package/rules/shared/security.weak-hash-algorithm.rule.yaml CHANGED Viewed

@@ -4,6 +4,8 @@ metadata:
   id: security.weak-hash-algorithm
   title: Avoid weak hash algorithms
   summary: Cryptographic hashing should use modern, collision-resistant algorithms.
+  aliases:
+    - PHP-A1004
   rationale: Weak digests such as MD5 and SHA-1 are vulnerable to collisions and should not be used for security-sensitive hashing.
   detection:
     kind: pattern

package/rules/sql/sql.correctness.undefined-reference.rule.yaml ADDED Viewed

@@ -0,0 +1,37 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: sql.correctness.undefined-reference
+  aliases:
+    - SQL-L026
+  title: Undefined table or alias reference
+  summary: Qualify column references with known tables or aliases only
+  rationale: Referencing an undefined table or alias (e.g. SELECT vee.a FROM foo where vee is not a known table or alias) indicates a likely typo or logic error.
+  detection:
+    kind: pattern
+  tags:
+    - sql
+    - correctness
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - sql
+match:
+  fact:
+    kind: sql.correctness.undefined-reference
+    bind: issue
+emit:
+  finding:
+    category: sql.correctness
+    severity: high
+    confidence: 0.7
+    tags:
+      - sql
+      - correctness
+  message:
+    title: Undefined reference to table or alias
+    summary: "``${captures.issue.text}`` references a table or alias not defined in the current query scope"
+  remediation:
+    summary: Verify the referenced table or alias name is correct and spelled consistently.

package/rules/sql/sql.style.ambiguous-distinct.rule.yaml ADDED Viewed

@@ -0,0 +1,37 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: sql.style.ambiguous-distinct
+  aliases:
+    - SQL-L021
+  title: Ambiguous use of DISTINCT
+  summary: DISTINCT with multiple columns including computed expressions may be ambiguous
+  rationale: When DISTINCT is used with 3+ columns including computed expressions, the DISTINCT may not apply as intended to all columns.
+  detection:
+    kind: pattern
+  tags:
+    - sql
+    - style
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - sql
+match:
+  fact:
+    kind: sql.style.ambiguous-distinct
+    bind: issue
+emit:
+  finding:
+    category: sql.style
+    severity: high
+    confidence: 0.7
+    tags:
+      - sql
+      - style
+  message:
+    title: Ambiguous use of DISTINCT
+    summary: "``${captures.issue.text}`` uses ``DISTINCT`` with multiple columns including computed expressions"
+  remediation:
+    summary: Consider using a derived table or GROUP BY instead of DISTINCT when mixing simple and computed columns.

package/rules/sql/sql.style.column-expression-without-alias.rule.yaml ADDED Viewed

@@ -0,0 +1,37 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: sql.style.column-expression-without-alias
+  aliases:
+    - SQL-L013
+  title: Column expression without alias detected
+  summary: Complex column expressions should include an explicit alias
+  rationale: Column expressions like function calls and arithmetic without an alias produce hard-to-reference result columns.
+  detection:
+    kind: pattern
+  tags:
+    - sql
+    - style
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - sql
+match:
+  fact:
+    kind: sql.style.column-expression-without-alias
+    bind: issue
+emit:
+  finding:
+    category: sql.style
+    severity: high
+    confidence: 0.9
+    tags:
+      - sql
+      - style
+  message:
+    title: Column expression without alias
+    summary: "``${captures.issue.text}`` is a column expression without an explicit alias"
+  remediation:
+    summary: "Add an explicit alias (e.g. SELECT COUNT(*) AS user_count)."

package/rules/sql/sql.style.distinct-with-parenthesis.rule.yaml ADDED Viewed

@@ -0,0 +1,37 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: sql.style.distinct-with-parenthesis
+  aliases:
+    - SQL-L015
+  title: DISTINCT with parenthesis
+  summary: Avoid using parentheses after DISTINCT as if it were a function call
+  rationale: "DISTINCT is a keyword modifier, not a function. DISTINCT(col) can be misleading; prefer DISTINCT col."
+  detection:
+    kind: pattern
+  tags:
+    - sql
+    - style
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - sql
+match:
+  fact:
+    kind: sql.style.distinct-with-parenthesis
+    bind: issue
+emit:
+  finding:
+    category: sql.style
+    severity: high
+    confidence: 0.9
+    tags:
+      - sql
+      - style
+  message:
+    title: DISTINCT used as a function call
+    summary: "``${captures.issue.text}`` uses ``DISTINCT`` with parentheses as if it were a function"
+  remediation:
+    summary: "Remove the parentheses (e.g. SELECT DISTINCT name instead of SELECT DISTINCT(name))."

package/rules/sql/sql.style.duplicate-table-aliases.rule.yaml ADDED Viewed

@@ -0,0 +1,37 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: sql.style.duplicate-table-aliases
+  aliases:
+    - SQL-L020
+  title: Duplicate table aliases
+  summary: Each table alias should be unique within a query
+  rationale: Duplicate table aliases cause ambiguous column references and runtime errors.
+  detection:
+    kind: pattern
+  tags:
+    - sql
+    - style
+    - rules-catalog
+  stability: experimental
+  appliesTo: file
+scope:
+  languages:
+    - sql
+match:
+  fact:
+    kind: sql.style.duplicate-table-aliases
+    bind: issue
+emit:
+  finding:
+    category: sql.style
+    severity: critical
+    confidence: 0.9
+    tags:
+      - sql
+      - style
+  message:
+    title: Duplicate table alias
+    summary: "``${captures.issue.text}`` repeats a table alias used elsewhere in the query"
+  remediation:
+    summary: Use a unique alias for each table reference.

package/rules/sql/sql.style.implicit-column-alias.rule.yaml ADDED Viewed

@@ -0,0 +1,37 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: sql.style.implicit-column-alias
+  aliases:
+    - SQL-L012
+  title: Implicit aliasing of column detected
+  summary: Avoid implicit column aliases without the AS keyword
+  rationale: "Implicit column aliases (e.g. SELECT name n) are less readable than explicit AS aliases."
+  detection:
+    kind: pattern
+  tags:
+    - sql
+    - style
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - sql
+match:
+  fact:
+    kind: sql.style.implicit-column-alias
+    bind: issue
+emit:
+  finding:
+    category: sql.style
+    severity: high
+    confidence: 0.9
+    tags:
+      - sql
+      - style
+  message:
+    title: Implicit column alias detected
+    summary: "``${captures.issue.text}`` uses an implicit alias without the ``AS`` keyword"
+  remediation:
+    summary: "Add the AS keyword before the alias (e.g. SELECT name AS n)."

package/rules/sql/sql.style.implicit-table-alias.rule.yaml ADDED Viewed

@@ -0,0 +1,37 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: sql.style.implicit-table-alias
+  aliases:
+    - SQL-L011
+  title: Implicit aliasing of table detected
+  summary: Avoid implicit table aliases without the AS keyword
+  rationale: "Implicit table aliases (e.g. FROM users u) are less readable and can be confused with other SQL constructs. Prefer explicit AS for clarity."
+  detection:
+    kind: pattern
+  tags:
+    - sql
+    - style
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - sql
+match:
+  fact:
+    kind: sql.style.implicit-table-alias
+    bind: issue
+emit:
+  finding:
+    category: sql.style
+    severity: high
+    confidence: 0.9
+    tags:
+      - sql
+      - style
+  message:
+    title: Implicit table alias detected
+    summary: "``${captures.issue.text}`` uses an implicit alias without the ``AS`` keyword"
+  remediation:
+    summary: "Add the AS keyword before the alias (e.g. FROM users AS u)."

package/rules/sql/sql.style.inconsistent-capitalization.rule.yaml ADDED Viewed

@@ -0,0 +1,37 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: sql.style.inconsistent-capitalization
+  aliases:
+    - SQL-L014
+  title: Inconsistent capitalization detected
+  summary: Identifiers should be consistently capitalized throughout a file
+  rationale: Inconsistent capitalization of table and column names reduces readability and can lead to confusion.
+  detection:
+    kind: pattern
+  tags:
+    - sql
+    - style
+    - rules-catalog
+  stability: experimental
+  appliesTo: file
+scope:
+  languages:
+    - sql
+match:
+  fact:
+    kind: sql.style.inconsistent-capitalization
+    bind: issue
+emit:
+  finding:
+    category: sql.style
+    severity: high
+    confidence: 0.85
+    tags:
+      - sql
+      - style
+  message:
+    title: Inconsistent identifier capitalization
+    summary: "Identifiers in ``${captures.issue.text}`` use inconsistent capitalization"
+  remediation:
+    summary: Use consistent casing for each table and column name throughout the file.

package/rules/sql/sql.style.inconsistent-keyword-case.rule.yaml ADDED Viewed

@@ -0,0 +1,37 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: sql.style.inconsistent-keyword-case
+  aliases:
+    - SQL-L010
+  title: Inconsistent capitalisation of keywords
+  summary: SQL keywords should be consistently cased throughout a file
+  rationale: Mixing uppercase and lowercase SQL keywords reduces readability and suggests inconsistent coding habits.
+  detection:
+    kind: pattern
+  tags:
+    - sql
+    - style
+    - rules-catalog
+  stability: experimental
+  appliesTo: file
+scope:
+  languages:
+    - sql
+match:
+  fact:
+    kind: sql.style.inconsistent-keyword-case
+    bind: issue
+emit:
+  finding:
+    category: sql.style
+    severity: high
+    confidence: 0.9
+    tags:
+      - sql
+      - style
+  message:
+    title: Inconsistent keyword casing in SQL
+    summary: "``${captures.issue.text}`` mixes uppercase and lowercase SQL keywords"
+  remediation:
+    summary: Use consistent casing for all SQL keywords throughout the file (e.g. all UPPER or all lower).

package/rules/sql/sql.style.keyword-as-identifier.rule.yaml ADDED Viewed

@@ -0,0 +1,37 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: sql.style.keyword-as-identifier
+  aliases:
+    - SQL-L029
+  title: Keyword used as identifier
+  summary: Avoid using SQL keywords as table aliases
+  rationale: Using SQL keywords as aliases (e.g. SELECT sum.a FROM foo AS sum) makes queries harder to read and can cause parse errors or subtle bugs.
+  detection:
+    kind: pattern
+  tags:
+    - sql
+    - style
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - sql
+match:
+  fact:
+    kind: sql.style.keyword-as-identifier
+    bind: issue
+emit:
+  finding:
+    category: sql.style
+    severity: high
+    confidence: 0.9
+    tags:
+      - sql
+      - style
+  message:
+    title: Keyword used as table alias
+    summary: "``${captures.issue.text}`` uses a reserved SQL keyword as an alias"
+  remediation:
+    summary: Rename the alias to a non-keyword identifier.

package/rules/sql/sql.style.trailing-select-comma.rule.yaml ADDED Viewed

@@ -0,0 +1,37 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: sql.style.trailing-select-comma
+  aliases:
+    - SQL-L038
+  title: Trailing comma in SELECT clause
+  summary: Remove trailing commas before FROM in SELECT statements
+  rationale: Trailing commas in SELECT clauses (e.g. SELECT a, b, FROM foo) are invalid in standard SQL and cause syntax errors in most databases.
+  detection:
+    kind: pattern
+  tags:
+    - sql
+    - style
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - sql
+match:
+  fact:
+    kind: sql.style.trailing-select-comma
+    bind: issue
+emit:
+  finding:
+    category: sql.style
+    severity: high
+    confidence: 0.9
+    tags:
+      - sql
+      - style
+  message:
+    title: Trailing comma in SELECT clause
+    summary: "``${captures.issue.text}`` contains a trailing comma before ``FROM``"
+  remediation:
+    summary: Remove the trailing comma before the FROM keyword.

package/rules/sql/sql.style.unqualified-references.rule.yaml ADDED Viewed

@@ -0,0 +1,37 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: sql.style.unqualified-references
+  aliases:
+    - SQL-L027
+  title: Unqualified column references in multi-table query
+  summary: Qualify column references with table name or alias when querying multiple tables
+  rationale: Unqualified column references in multi-table queries (e.g. SELECT a, b FROM foo JOIN bar) are ambiguous and can produce different results when table schemas change.
+  detection:
+    kind: pattern
+  tags:
+    - sql
+    - style
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - sql
+match:
+  fact:
+    kind: sql.style.unqualified-references
+    bind: issue
+emit:
+  finding:
+    category: sql.style
+    severity: high
+    confidence: 0.7
+    tags:
+      - sql
+      - style
+  message:
+    title: Unqualified column reference
+    summary: "``${captures.issue.text}`` contains unqualified column references in a multi-table query"
+  remediation:
+    summary: Prefix each column reference with its corresponding table name or alias.