npm - @critiq/rules - Versions diffs - 0.3.0 → 0.4.0 - Mend

@critiq/rules 0.3.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (735) hide show

package/rules/java/java.correctness.volatile-array-elements.rule.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.volatile-array-elements
+  title: Elements accessed from volatile reference to an array are not volatile
+  summary: Declaring an array reference as volatile does not make array element accesses volatile.
+  rationale: Only the array reference itself is volatile, not the elements. Each element access still goes through normal memory.
+  detection:
+    kind: pattern
+  aliases:
+    - JAVA-E0027
+  tags:
+    - correctness
+    - java
+    - concurrency
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.volatile-array-elements
+    bind: issue
+emit:
+  finding:
+    category: correctness.concurrency
+    severity: medium
+    confidence: 0.85
+    tags:
+      - correctness
+      - java
+  message:
+    title: Volatile array element access is not volatile
+    summary: Elements accessed from a volatile reference to an array are not volatile.
+  remediation:
+    summary: Use `java.util.concurrent.atomic.AtomicIntegerArray` or similar for volatile array element semantics.

package/rules/java/java.correctness.volatile-increment-non-atomic.rule.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.volatile-increment-non-atomic
+  title: Increment of volatile field is not atomic
+  summary: Operations like `counter++` on a volatile field are not atomic.
+  rationale: Volatile only guarantees visibility, not atomicity. Use `AtomicInteger` or `synchronized`.
+  detection:
+    kind: pattern
+  aliases:
+    - JAVA-E0028
+  tags:
+    - correctness
+    - java
+    - concurrency
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.volatile-increment-non-atomic
+    bind: issue
+emit:
+  finding:
+    category: correctness.concurrency
+    severity: medium
+    confidence: 0.85
+    tags:
+      - correctness
+      - java
+  message:
+    title: Increment of volatile field is not atomic
+    summary: "`${captures.issue.text}` increments a volatile field, which is not atomic."
+  remediation:
+    summary: Use `AtomicInteger.incrementAndGet()` or `synchronized` block.

package/rules/java/java.correctness.wait-notify-on-thread.rule.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.wait-notify-on-thread
+  title: Wait/notify must not be called on a Thread object
+  summary: Calling wait(), notify(), or notifyAll() on a Thread instance interferes with the JVM's internal thread lifecycle signaling.
+  rationale: The JVM uses wait/notify on Thread objects internally (e.g., for Thread.join()). User code calling these methods can cause spurious wakeups, missed signals, or deadlocks.
+  detection:
+    kind: pattern
+  aliases:
+    - JAVA-E1004
+  tags:
+    - correctness
+    - java
+    - concurrency
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.wait-notify-on-thread
+    bind: issue
+emit:
+  finding:
+    category: correctness.concurrency
+    severity: high
+    confidence: 0.85
+    tags:
+      - correctness
+      - java
+  message:
+    title: Wait/notify called on Thread object
+    summary: Calling wait(), notify(), or notifyAll() on a Thread instance can interfere with JVM internal thread lifecycle signaling.
+  remediation:
+    summary: Use a dedicated lock Object for wait/notify instead of a Thread instance. For Thread.currentThread(), use a separate monitor object.

package/rules/java/java.correctness.wait-on-condition.rule.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.wait-on-condition
+  title: Monitor wait must not be used on a Condition
+  summary: "Calling `.wait()` on a `java.util.concurrent.locks.Condition` object is incorrect. Use `condition.await()` instead."
+  rationale: Condition objects do not support Object.wait(). Using `.wait()` on a Condition will throw an IllegalMonitorStateException at runtime. Use `await()` on the Condition object instead.
+  detection:
+    kind: pattern
+  aliases:
+    - JAVA-E0078
+  tags:
+    - correctness
+    - java
+    - concurrency
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.wait-on-condition
+    bind: issue
+emit:
+  finding:
+    category: correctness.concurrency
+    severity: medium
+    confidence: 0.85
+    tags:
+      - correctness
+      - java
+  message:
+    title: wait() called on Condition object
+    summary: "`.wait()` called on a Condition variable `${captures.issue.text}`. Use `await()` instead."
+  remediation:
+    summary: "Replace `condition.wait()` with `condition.await()`."

package/rules/java/java.correctness.week-year-in-date-pattern.rule.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.week-year-in-date-pattern
+  title: Using week year (YYYY) in place of year (yyyy)
+  summary: YYYY represents the ISO week year, not the calendar year, which can cause dates around year boundaries to be off by one year.
+  rationale: SimpleDateFormat and DateTimeFormatter interpret YYYY as the week year, which differs from the calendar year near the start and end of each year. This produces incorrect dates for the last/first week of the year.
+  detection:
+    kind: pattern
+  aliases:
+    - JAVA-E1006
+  tags:
+    - correctness
+    - java
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.week-year-in-date-pattern
+    bind: issue
+emit:
+  finding:
+    category: correctness.api-usage
+    severity: high
+    confidence: 0.85
+    tags:
+      - correctness
+      - java
+  message:
+    title: Week year (YYYY) used instead of calendar year (yyyy)
+    summary: "`${captures.issue.text}` uses YYYY (week year) instead of yyyy (calendar year). Dates near year boundaries will be incorrect."
+  remediation:
+    summary: Replace YYYY with yyyy unless you explicitly need the ISO week year matching week-based formatting (ww or u).

package/rules/java/java.correctness.zoneid-invalid-timezone.rule.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.zoneid-invalid-timezone
+  title: "ZoneId.of() should be passed a valid timezone identifier"
+  summary: "Calling `ZoneId.of()` with a hardcoded string that may not be a valid IANA timezone ID will throw `ZoneRulesException` at runtime."
+  rationale: "`ZoneId.of()` expects a valid IANA timezone ID (e.g., America/New_York, Europe/London). Passing an arbitrary string compiles but throws `ZoneRulesException` at runtime. Use `ZoneId.of()` only with known-valid identifiers or use `ZoneId.of(tz, ZoneId.SHORT_IDS)` for short IDs."
+  aliases:
+    - JAVA-E1092
+  tags:
+    - correctness
+    - java
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.zoneid-invalid-timezone
+    bind: issue
+emit:
+  finding:
+    category: correctness.exceptions
+    severity: high
+    confidence: 0.40
+    tags:
+      - correctness
+      - java
+  message:
+    title: "ZoneId.of() is called with a hardcoded string in `${captures.issue.text}`"
+    summary: "Verify the timezone ID passed to `ZoneId.of()`. Invalid IDs throw `ZoneRulesException` at runtime."
+  remediation:
+    summary: "Use a known-valid IANA timezone ID (e.g., `America/New_York`), or use `ZoneId.SHORT_IDS` for short timezone names."

package/rules/java/java.doc.empty-javadoc-tag.rule.yaml ADDED Viewed

@@ -0,0 +1,41 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.doc.empty-javadoc-tag
+  title: Javadoc tags must not be empty
+  summary: "Javadoc block tags must have content following the tag name."
+  rationale: "Empty tags like bare @param or @return can crash Javadoc processing tools and provide no documentation value."
+  detection:
+    kind: pattern
+  aliases:
+    - JAVA-D1006
+  tags:
+    - documentation
+    - java
+    - javadoc
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+match:
+  fact:
+    kind: java.doc.empty-javadoc-tag
+    bind: issue
+emit:
+  finding:
+    category: documentation.javadoc
+    severity: low
+    confidence: 0.90
+    tags:
+      - documentation
+      - java
+  message:
+    title: "Empty Javadoc block tag"
+    summary: "The `${captures.issue.text}` tag has no content. Add a parameter name, description, or remove the tag."
+  remediation:
+    summary: "Provide content for the tag or remove it if unused."

package/rules/java/java.doc.malformed-javadoc-comment.rule.yaml ADDED Viewed

@@ -0,0 +1,41 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.doc.malformed-javadoc-comment
+  title: Malformed Javadoc comment
+  summary: "Javadoc comments must use valid tag syntax without double @ symbols."
+  rationale: "Malformed tags like @@param can raise errors during Javadoc generation."
+  detection:
+    kind: pattern
+  aliases:
+    - JAVA-D1007
+  tags:
+    - documentation
+    - java
+    - javadoc
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+match:
+  fact:
+    kind: java.doc.malformed-javadoc-comment
+    bind: issue
+emit:
+  finding:
+    category: documentation.javadoc
+    severity: low
+    confidence: 0.90
+    tags:
+      - documentation
+      - java
+  message:
+    title: "Malformed Javadoc tag"
+    summary: "The `${captures.issue.text}` tag has a doubled @ symbol. Use a single @ to open the tag."
+  remediation:
+    summary: "Replace @@ with @ to form a valid Javadoc tag."

package/rules/java/java.doc.parameter-tag-no-description.rule.yaml ADDED Viewed

@@ -0,0 +1,41 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.doc.parameter-tag-no-description
+  title: Javadoc @param tag has no description
+  summary: "@param tags must include a description of the parameter."
+  rationale: "A @param tag with no description adds no value. Either describe the parameter or remove the tag."
+  detection:
+    kind: pattern
+  aliases:
+    - JAVA-D1005
+  tags:
+    - documentation
+    - java
+    - javadoc
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+match:
+  fact:
+    kind: java.doc.parameter-tag-no-description
+    bind: issue
+emit:
+  finding:
+    category: documentation.javadoc
+    severity: low
+    confidence: 0.85
+    tags:
+      - documentation
+      - java
+  message:
+    title: "@param tag is missing a description"
+    summary: "The `${captures.issue.text}` tag has a parameter name but no description."
+  remediation:
+    summary: "Add a description after the parameter name explaining its purpose."

package/rules/java/java.doc.unmatched-parameter-tag.rule.yaml ADDED Viewed

@@ -0,0 +1,41 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.doc.unmatched-parameter-tag
+  title: Unmatched @param tag in Javadoc
+  summary: "@param tags must reference declared method parameters."
+  rationale: "@param tags referencing non-existent parameters confuse readers. Remove or rename them to match the actual parameter list."
+  detection:
+    kind: pattern
+  aliases:
+    - JAVA-D1004
+  tags:
+    - documentation
+    - java
+    - javadoc
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+match:
+  fact:
+    kind: java.doc.unmatched-parameter-tag
+    bind: issue
+emit:
+  finding:
+    category: documentation.javadoc
+    severity: low
+    confidence: 0.70
+    tags:
+      - documentation
+      - java
+  message:
+    title: "@param tag does not match any method parameter"
+    summary: "The `${captures.issue.text}` tag references a parameter that does not exist in the method signature."
+  remediation:
+    summary: "Remove the unmatched @param tag or rename it to match an actual parameter name."

package/rules/java/java.performance.boxed-boolean-constructor.rule.yaml ADDED Viewed

@@ -0,0 +1,43 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.performance.boxed-boolean-constructor
+  title: "Boolean constructor is inefficient"
+  summary: "`new Boolean(value)` creates a new object instance; use `Boolean.valueOf()` or autoboxing instead."
+  rationale: "The `Boolean(boolean)` constructor always creates a new object instance, while `Boolean.valueOf(boolean)` returns cached singletons (`Boolean.TRUE` / `Boolean.FALSE`). Since Java 9, the `Boolean` constructor has been deprecated in favor of `valueOf()`. Replace `new Boolean(...)` with `Boolean.valueOf(...)` or rely on autoboxing."
+  aliases:
+    - JAVA-P0066
+  tags:
+    - performance
+    - java
+    - allocation
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.performance.boxed-boolean-constructor
+    bind: issue
+emit:
+  finding:
+    category: performance.allocation
+    severity: high
+    confidence: 0.93
+    tags:
+      - performance
+      - java
+  message:
+    title: "Inefficient Boolean constructor in `${captures.issue.text}`"
+    summary: "`${captures.issue.text}` creates a new Boolean instance. Use `Boolean.valueOf(...)` to reuse cached instances."
+  remediation:
+    summary: "Replace `new Boolean(value)` with `Boolean.valueOf(value)` or rely on autoboxing."

package/rules/java/java.performance.boxed-double-constructor.rule.yaml ADDED Viewed

@@ -0,0 +1,43 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.performance.boxed-double-constructor
+  title: "Float/Double constructor is inefficient"
+  summary: "`new Float(value)` and `new Double(value)` create unnecessary objects; use `valueOf()` instead."
+  rationale: "The `Float(float)` and `Double(double)` constructors always create new object instances, while `valueOf()` can return cached instances. Since Java 9, these constructors have been deprecated in favor of `valueOf()`. Replace `new Float(...)` / `new Double(...)` with `Float.valueOf(...)` / `Double.valueOf(...)` or rely on autoboxing."
+  aliases:
+    - JAVA-P0068
+  tags:
+    - performance
+    - java
+    - allocation
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.performance.boxed-double-constructor
+    bind: issue
+emit:
+  finding:
+    category: performance.allocation
+    severity: high
+    confidence: 0.93
+    tags:
+      - performance
+      - java
+  message:
+    title: "Inefficient Float/Double constructor in `${captures.issue.text}`"
+    summary: "`${captures.issue.text}` creates a new boxed floating-point instance. Use `Float.valueOf()` / `Double.valueOf()` to reuse cached instances."
+  remediation:
+    summary: "Replace `new Float(value)` / `new Double(value)` with `Float.valueOf(value)` / `Double.valueOf(value)`."

package/rules/java/java.performance.boxed-integer-constructor.rule.yaml ADDED Viewed

@@ -0,0 +1,43 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.performance.boxed-integer-constructor
+  title: "Integer/Long constructor is inefficient"
+  summary: "`new Integer(value)` and `new Long(value)` create unnecessary objects; use `valueOf()` instead."
+  rationale: "The `Integer(int)` and `Long(long)` constructors always create new object instances, while `valueOf()` uses a cached pool for commonly used values (-128 to 127). Since Java 9, these constructors have been deprecated in favor of `valueOf()`. Replace `new Integer(...)` / `new Long(...)` with `Integer.valueOf(...)` / `Long.valueOf(...)` or rely on autoboxing."
+  aliases:
+    - JAVA-P0067
+  tags:
+    - performance
+    - java
+    - allocation
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.performance.boxed-integer-constructor
+    bind: issue
+emit:
+  finding:
+    category: performance.allocation
+    severity: high
+    confidence: 0.93
+    tags:
+      - performance
+      - java
+  message:
+    title: "Inefficient Integer/Long constructor in `${captures.issue.text}`"
+    summary: "`${captures.issue.text}` creates a new boxed integer instance. Use `Integer.valueOf()` / `Long.valueOf()` to reuse cached instances."
+  remediation:
+    summary: "Replace `new Integer(value)` / `new Long(value)` with `Integer.valueOf(value)` / `Long.valueOf(value)`."

package/rules/java/java.performance.empty-string-constructor.rule.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.performance.empty-string-constructor
+  title: "Use \"\" instead of new String() to create empty strings"
+  summary: "`new String()` creates an unnecessary object; use the empty string literal `\"\"` instead."
+  rationale: "The no-argument `String()` constructor creates a new empty String object. The empty string literal `\"\"` is interned and more efficient. Replace `new String()` with `\"\"` to avoid unnecessary allocations."
+  aliases:
+    - JAVA-P0063
+    - JAVA-S0063
+  tags:
+    - performance
+    - java
+    - allocation
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.performance.empty-string-constructor
+    bind: issue
+emit:
+  finding:
+    category: performance.allocation
+    severity: high
+    confidence: 0.92
+    tags:
+      - performance
+      - java
+  message:
+    title: "Use `\"\"` instead of `${captures.issue.text}`"
+    summary: "`${captures.issue.text}` allocates an unnecessary empty String object. Use the string literal `\"\"` instead."
+  remediation:
+    summary: "Replace `new String()` with `\"\"` (empty string literal)."

package/rules/java/java.performance.expensive-method-on-ui-thread.rule.yaml ADDED Viewed

@@ -0,0 +1,50 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.performance.expensive-method-on-ui-thread
+  title: "Expensive methods should not be invoked from performance critical threads"
+  summary: "Methods annotated with `@WorkerThread` or `@Expensive` are invoked from a `@MainThread`, `@UIThread`, or `@PerformanceCritical` context, potentially blocking the UI."
+  rationale: "Methods marked with `@WorkerThread` or `@Expensive` are intended for background execution. Calling them from a `@MainThread` or `@UIThread` context blocks the UI thread, leading to Application Not Responding (ANR) on Android or UI freezes on desktop. Offload the call to a background thread using an `ExecutorService`, `AsyncTask`, `HandlerThread`, or coroutine/structured concurrency."
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-400
+      title: Uncontrolled Resource Consumption
+  aliases:
+    - JAVA-P1007
+  tags:
+    - performance
+    - java
+    - concurrency
+    - android
+    - rules-catalog
+  stability: experimental
+  appliesTo: function
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.performance.expensive-method-on-ui-thread
+    bind: issue
+emit:
+  finding:
+    category: performance.concurrency
+    severity: high
+    confidence: 0.80
+    tags:
+      - performance
+      - java
+  message:
+    title: "`${captures.issue.text}` is an expensive method called from a UI/main thread context"
+    summary: "A method annotated `@WorkerThread` or `@Expensive` is called from a `@MainThread` or `@UIThread` context, which may block the UI."
+  remediation:
+    summary: "Offload the call to a background thread using `ExecutorService`, `AsyncTask`, `HandlerThread`, or structured concurrency."