npm - @critiq/rules - Versions diffs - 0.3.0 → 0.4.0 - Mend

@critiq/rules 0.3.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (735) hide show

package/rules/php/php.correctness.trait-class-constant.rule.yaml ADDED Viewed

@@ -0,0 +1,38 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.trait-class-constant
+  title: Avoid class constants inside traits
+  summary: Avoid class constants inside traits
+  rationale: Avoid class constants inside traits
+  aliases:
+    - PHP-E1113
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.trait-class-constant
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: critical
+    confidence: 0.9
+    tags:
+      - correctness
+      - php
+  message:
+    title: Avoid class constants inside traits
+    summary: "`${captures.issue.text}` matches php.correctness.trait-class-constant."
+  remediation:
+    summary: Avoid class constants inside traits

package/rules/php/php.correctness.undefined-constant-reference.rule.yaml ADDED Viewed

@@ -0,0 +1,38 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.undefined-constant-reference
+  title: Reference only defined constants
+  summary: Reference only defined constants
+  rationale: Reference only defined constants
+  aliases:
+    - PHP-W1038
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.undefined-constant-reference
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: critical
+    confidence: 0.9
+    tags:
+      - correctness
+      - php
+  message:
+    title: Reference only defined constants
+    summary: "`${captures.issue.text}` matches php.correctness.undefined-constant-reference."
+  remediation:
+    summary: Reference only defined constants

package/rules/php/php.correctness.undefined-function.rule.yaml ADDED Viewed

@@ -0,0 +1,40 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.undefined-function
+  title: Undefined function call detected
+  summary: Calling a function that is not defined in the current file and is not a known PHP built-in function will cause a runtime fatal error.
+  aliases:
+    - PHP-E1000
+  rationale: "PHP raises a fatal error when calling an undefined function. Single-file heuristic checks for functions not defined in the current file and not in the built-in function registry. Functions in included files may cause false positives; confidence is set accordingly."
+  detection:
+    kind: pattern
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.undefined-function
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: critical
+    confidence: 0.60
+    tags:
+      - correctness
+      - php
+  message:
+    title: Call to undefined function ${captures.issue.text}
+    summary: "Function ${captures.issue.text}() is called but is not defined in the current file and is not a known PHP built-in function."
+  remediation:
+    summary: Ensure the function is defined (via a manual include check) or correct the function name to match an existing function.

package/rules/php/php.correctness.undefined-method.rule.yaml ADDED Viewed

@@ -0,0 +1,40 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.undefined-method
+  title: Undefined method call detected
+  summary: "Calling a method on $this, self::, or static:: that is not declared in the enclosing class will cause a runtime error."
+  aliases:
+    - PHP-E1002
+  rationale: "PHP raises an error when calling a method that does not exist on the class. Single-file heuristic checks the enclosing class body for declared methods. Classes extending other classes are skipped to avoid false positives from inherited methods."
+  detection:
+    kind: pattern
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.undefined-method
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: critical
+    confidence: 0.55
+    tags:
+      - correctness
+      - php
+  message:
+    title: Call to undefined method ${captures.issue.text}
+    summary: "Method ${captures.issue.text}() is called via $this->, self::, or static:: but is not declared in the enclosing class."
+  remediation:
+    summary: Declare the method on the class or correct the method name to reference an existing method.

package/rules/php/php.correctness.undefined-property.rule.yaml ADDED Viewed

@@ -0,0 +1,51 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.undefined-property
+  title: Undefined property access via $this->
+  summary: Accessing a property via $this-> that is not declared on the class will cause a runtime notice.
+  aliases:
+    - PHP-W1033
+  rationale: >-
+    PHP emits a warning when accessing an undefined instance property. Single-file
+    heuristic checks the enclosing class body for declared properties, including
+    typed properties and constructor-promoted properties. Classes with extends are
+    skipped to avoid false positives from inherited properties. Classes with __get
+    or __set magic methods are also skipped. Dynamically assigned properties (common
+    in Laravel Eloquent) are not detected, which may produce false negatives.
+  detection:
+    kind: pattern
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.undefined-property
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: high
+    confidence: 0.55
+    tags:
+      - correctness
+      - php
+  message:
+    title: Access to undefined property ${captures.issue.text}
+    summary: >-
+      ${captures.issue.text} accesses a property via $this-> that is not declared
+      on the enclosing class — PHP will raise a warning.
+  remediation:
+    summary: >-
+      Declare the property on the class with the appropriate visibility and type,
+      or correct the property name. If dynamic properties are intended, declare
+      __get/__set magic methods on the class.

package/rules/php/php.correctness.undefined-static-property.rule.yaml ADDED Viewed

@@ -0,0 +1,41 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.undefined-static-property
+  title: Do not access undefined static properties
+  summary: Accessing a static property that is not declared on the target class will produce a runtime notice and return null.
+  aliases:
+    - PHP-W1034
+    - PHP-E1007
+  rationale: PHP raises an undefined property notice when accessing a static property that was never declared on the class. This is a common mistake when class APIs evolve or when property names are mistyped. The fix is to declare the static property or correct the access.
+  detection:
+    kind: pattern
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.undefined-static-property
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: critical
+    confidence: 0.80
+    tags:
+      - correctness
+      - php
+  message:
+    title: Static property ${captures.issue.text} is not defined on the target class
+    summary: "${captures.issue.text} is accessed via static property syntax but the declaring class has no static property with that name."
+  remediation:
+    summary: Ensure the static property is declared on the class with the correct name, or fix the static access to reference an existing property.

package/rules/php/php.correctness.undefined-variable.rule.yaml ADDED Viewed

@@ -0,0 +1,48 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.undefined-variable
+  title: Variable is used but not defined
+  summary: Using a variable that has not been defined in scope will cause a runtime notice.
+  aliases:
+    - PHP-W1066
+  rationale: >-
+    PHP emits a warning when reading an undefined variable. Single-file heuristic checks
+    function and method bodies for use-before-define, $this in static context, and
+    post-unset variable references. Nested closures, extract(), compact(), and cross-file
+    scopes are not analyzed, which may produce false negatives.
+  detection:
+    kind: pattern
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.undefined-variable
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: high
+    confidence: 0.55
+    tags:
+      - correctness
+      - php
+  message:
+    title: Variable ${captures.issue.text} is used but may not be defined in scope
+    summary: >-
+      ${captures.issue.text} is referenced but was not found to be defined before
+      this point in the function scope.
+  remediation:
+    summary: >-
+      Declare and assign the variable before its first use, or ensure the variable
+      was initialized in all code paths before this reference.

package/rules/php/php.correctness.uninitialized-typed-property.rule.yaml ADDED Viewed

@@ -0,0 +1,38 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.uninitialized-typed-property
+  title: Initialize typed properties
+  summary: Typed class properties without a default value should be initialized in the constructor.
+  aliases:
+    - PHP-E1008
+  rationale: Accessing a typed property before initialization causes a runtime TypeError.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.uninitialized-typed-property
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: high
+    confidence: 0.55
+    tags:
+      - correctness
+      - php
+  message:
+    title: Initialize typed property in constructor or with default value
+    summary: "`${captures.issue.text}` is a typed property without a default value and may not be initialized before access."
+  remediation:
+    summary: Assign a default value at declaration or initialize the property in the class constructor.

package/rules/php/php.correctness.unknown-magic-method.rule.yaml CHANGED Viewed

@@ -4,6 +4,8 @@ metadata:
   id: php.correctness.unknown-magic-method
   title: Use only supported magic methods
   summary: PHP recognizes a fixed set of double-underscore magic methods.
+  aliases:
+    - PHP-W1081
   rationale: Unknown magic methods are never invoked by the runtime and usually indicate typos or dead code.
   tags:
     - correctness

package/rules/php/php.correctness.unreachable-after-return.rule.yaml CHANGED Viewed

@@ -4,6 +4,8 @@ metadata:
   id: php.correctness.unreachable-after-return
   title: Remove unreachable statements after return or throw
   summary: Code after `return` or `throw` in the same block never runs.
+  aliases:
+    - PHP-W1074
   rationale: Unreachable statements usually indicate dead code, incomplete refactors, or missing control-flow fixes.
   tags:
     - correctness

package/rules/php/php.correctness.unused-closure-use-variable.rule.yaml ADDED Viewed

@@ -0,0 +1,38 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.unused-closure-use-variable
+  title: Closure use variables must be referenced
+  summary: Closure use variables must be referenced
+  rationale: Closure use variables must be referenced
+  aliases:
+    - PHP-W1039
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.unused-closure-use-variable
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: high
+    confidence: 0.9
+    tags:
+      - correctness
+      - php
+  message:
+    title: Closure use variables must be referenced
+    summary: "`${captures.issue.text}` matches php.correctness.unused-closure-use-variable."
+  remediation:
+    summary: Closure use variables must be referenced

package/rules/php/php.correctness.unused-constructor-parameter.rule.yaml ADDED Viewed

@@ -0,0 +1,38 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.unused-constructor-parameter
+  title: Remove unused constructor parameters
+  summary: Constructor parameters that are not referenced in the constructor body should be removed.
+  aliases:
+    - PHP-W1037
+  rationale: Unused constructor parameters are dead code that clutter the interface. They suggest incomplete refactoring or misunderstanding of the constructor signature. Promoting properties with `public`/`protected`/`private` implicitly creates and assigns the property, so they are excluded.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.unused-constructor-parameter
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: high
+    confidence: 0.75
+    tags:
+      - correctness
+      - php
+  message:
+    title: Remove unused constructor parameter
+    summary: "Parameter `${captures.issue.text}` is never referenced in the constructor body."
+  remediation:
+    summary: Remove the unused parameter or add a reference in the constructor body. Consider promoting with `public`/`protected`/`private` if the parameter should become a property.

package/rules/php/php.correctness.unused-import.rule.yaml ADDED Viewed

@@ -0,0 +1,38 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.unused-import
+  title: Remove unused import statements
+  summary: Remove unused import statements
+  rationale: Remove unused import statements
+  aliases:
+    - PHP-W1069
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.unused-import
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: high
+    confidence: 0.9
+    tags:
+      - correctness
+      - php
+  message:
+    title: Remove unused import statements
+    summary: "`${captures.issue.text}` matches php.correctness.unused-import."
+  remediation:
+    summary: Remove unused import statements

package/rules/php/php.correctness.useless-post-increment.rule.yaml CHANGED Viewed

@@ -4,6 +4,8 @@ metadata:
   id: php.correctness.useless-post-increment
   title: Remove useless post-increment statements
   summary: Standalone post-increment statements with discarded results are usually mistakes.
+  aliases:
+    - PHP-W1090
   rationale: Post-increment statements that do not feed a larger expression often indicate dead or accidental code.
   tags:
     - correctness

package/rules/php/php.correctness.useless-unset.rule.yaml CHANGED Viewed

@@ -4,6 +4,8 @@ metadata:
   id: php.correctness.useless-unset
   title: Remove useless unset calls
   summary: Calling unset on literals or non-variables has no effect.
+  aliases:
+    - PHP-W1036
   rationale: Useless unset calls add noise and suggest the author misunderstood PHP unset semantics.
   tags:
     - correctness

package/rules/php/php.correctness.void-match-arm.rule.yaml ADDED Viewed

@@ -0,0 +1,38 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.void-match-arm
+  title: Match arms must return a value
+  summary: Match arms must return a value
+  rationale: Match arms must return a value
+  aliases:
+    - PHP-W1045
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.void-match-arm
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: high
+    confidence: 0.9
+    tags:
+      - correctness
+      - php
+  message:
+    title: Match arms must return a value
+    summary: "`${captures.issue.text}` matches php.correctness.void-match-arm."
+  remediation:
+    summary: Match arms must return a value

package/rules/php/php.performance.expensive-loop-condition.rule.yaml CHANGED Viewed

@@ -4,6 +4,8 @@ metadata:
   id: php.performance.expensive-loop-condition
   title: Avoid expensive calls in loop conditions
   summary: Functions like count() and strlen() inside loop conditions run on every iteration.
+  aliases:
+    - PHP-P1000
   rationale: Recomputing expensive conditions in loops adds avoidable overhead in hot paths.
   tags:
     - performance

package/rules/php/php.security.debug-function-exposure.rule.yaml CHANGED Viewed

@@ -5,6 +5,8 @@ metadata:
   title: Remove debug dump helpers from production PHP
   summary: >-
     var_dump, print_r, debug_zval_dump, and xdebug helpers should not ship in application code paths.
+  aliases:
+    - PHP-A1012
   rationale: >-
     Debug helpers can leak secrets, PII, and internal object state to logs or HTTP responses.
   detection:

package/rules/php/php.security.insecure-session-id-generation.rule.yaml CHANGED Viewed

@@ -5,6 +5,8 @@ metadata:
   title: Avoid predictable or user-supplied session IDs
   summary: >-
     session_id must not be set from weak hash helpers, uniqid, or request-derived values.
+  aliases:
+    - PHP-A1008
   rationale: >-
     Predictable or attacker-controlled session identifiers enable fixation and session hijacking.
   detection:

package/rules/php/php.security.insecure-session-or-cookie-config.rule.yaml CHANGED Viewed

@@ -5,6 +5,9 @@ metadata:
   title: Harden PHP session and cookie security flags
   summary: >-
     Session/cookie configuration should keep secure, httpOnly, and safe same-site posture for authenticated contexts.
+  aliases:
+    - PHP-A1003
+    - PHP-A1005
   rationale: >-
     Weak cookie/session flags increase theft and replay risk across XSS, mixed transport, and cross-site request contexts.
   detection:

package/rules/php/php.security.no-dynamic-eval.rule.yaml CHANGED Viewed

@@ -5,6 +5,8 @@ metadata:
   title: Avoid dynamic PHP code execution
   summary: >-
     Do not execute runtime-generated PHP via eval, string assert, or create_function.
+  aliases:
+    - PHP-A1000
   rationale: >-
     Dynamic execution turns untrusted or mutable input into executable code and expands injection risk.
   detection:

package/rules/php/php.security.unsafe-include-with-user-input.rule.yaml CHANGED Viewed

@@ -5,6 +5,8 @@ metadata:
   title: Avoid include/require with user-controlled paths
   summary: >-
     Include and require statements must not load files from request-derived or tainted path values.
+  aliases:
+    - PHP-A1001
   rationale: >-
     User-controlled includes can load attacker-chosen PHP and lead to remote code execution.
   detection:

package/rules/php/php.security.unsafe-new-static.rule.yaml CHANGED Viewed

@@ -4,6 +4,8 @@ metadata:
   id: php.security.unsafe-new-static
   title: Avoid unsafe new static() instantiation
   summary: "Using `new static()` can instantiate unexpected subclasses and weaken type guarantees."
+  aliases:
+    - PHP-W1014
   rationale: "Late static binding with `new static()` can bypass intended class boundaries and create objects outside expected inheritance chains."
   detection:
     kind: pattern

package/rules/php/php.security.weak-cipher.rule.yaml CHANGED Viewed

@@ -5,6 +5,8 @@ metadata:
   title: Avoid weak PHP cipher algorithms
   summary: >-
     OpenSSL and mcrypt usage should not rely on DES, RC4, Blowfish, ECB mode, or legacy mcrypt APIs.
+  aliases:
+    - PHP-A1007
   rationale: >-
     Weak ciphers and modes are vulnerable to practical cryptanalysis and do not meet modern confidentiality standards.
   detection:

package/rules/php/php.security.xml-external-entity.rule.yaml CHANGED Viewed

@@ -5,6 +5,8 @@ metadata:
   title: Harden PHP XML parsing against external entities
   summary: >-
     XML parsing should disable external entities and avoid LIBXML_NOENT or libxml_disable_entity_loader(false).
+  aliases:
+    - PHP-A1010
   rationale: >-
     Unsafe XML parser configuration enables XXE attacks that can leak files and reach internal services.
   detection:

package/rules/python/py.correctness.assert-outside-test.rule.yaml ADDED Viewed

@@ -0,0 +1,49 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.correctness.assert-outside-test
+  aliases:
+    - BAN-B502
+  title: Avoid assert statements in production code
+  summary: assert statements should only appear in test files
+  rationale: Assert statements are stripped when Python runs in optimized mode (-O), so they are not a reliable mechanism for production checks. Use explicit exceptions instead.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-1078
+      title: Inappropriate Use of Assert
+  tags:
+    - correctness
+    - python
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.correctness.assert-outside-test
+    bind: issue
+emit:
+  finding:
+    category: correctness.source
+    severity: low
+    confidence: 0.85
+    tags:
+      - correctness
+      - python
+  message:
+    title: Replace assert with explicit check in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses an assert statement outside of a test file."
+  remediation:
+    summary: Replace assert statements with explicit if/raise ValueError or appropriate runtime checks.