npm - @critiq/rules - Versions diffs - 0.3.0 → 0.4.0 - Mend

@critiq/rules 0.3.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (735) hide show

package/rules/python/py.correctness.global-statement.rule.yaml ADDED Viewed

@@ -0,0 +1,51 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.correctness.global-statement
+  aliases:
+    - PY-W0002
+  title: Avoid global statements in Python
+  summary: Using global variables is an anti-pattern that can lead to hard-to-debug side effects
+  rationale: Global state makes code harder to reason about, test, and parallelize. Prefer passing state explicitly or using class-based state management.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-562
+      title: Return of Stack Variable Address
+  tags:
+    - correctness
+    - python
+    - quality
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.correctness.global-statement
+    bind: issue
+emit:
+  finding:
+    category: correctness.source
+    severity: medium
+    confidence: 0.95
+    tags:
+      - correctness
+      - python
+      - quality
+  message:
+    title: Global statement in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses a global declaration for mutable state."
+  remediation:
+    summary: Refactor to pass state through function parameters or class instances instead of global variables.

package/rules/python/py.correctness.redefined-builtin.rule.yaml ADDED Viewed

@@ -0,0 +1,51 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.correctness.redefined-builtin
+  aliases:
+    - PY-W0001
+  title: Avoid redefining Python builtins
+  summary: Function definitions should not shadow builtin names like list, dict, str, or int
+  rationale: Shadowing builtins with function definitions can cause unexpected behavior and bugs in code that relies on standard Python functions.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-480
+      title: Use of Incorrect Operator
+  tags:
+    - correctness
+    - python
+    - quality
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.correctness.redefined-builtin
+    bind: issue
+emit:
+  finding:
+    category: correctness.source
+    severity: medium
+    confidence: 0.95
+    tags:
+      - correctness
+      - python
+      - quality
+  message:
+    title: Function shadows builtin in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` defines a function that shadows a Python builtin name."
+  remediation:
+    summary: Rename the function to avoid shadowing standard library names like list, dict, str, etc.

package/rules/python/py.correctness.super-with-arguments.rule.yaml ADDED Viewed

@@ -0,0 +1,51 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.correctness.super-with-arguments
+  aliases:
+    - PY-W0003
+  title: Use parameterless super() in Python 3
+  summary: Python 3 supports super() without arguments in class methods
+  rationale: Passing the class and self to super() is an older Python 2 pattern that is verbose and error-prone when refactoring class names.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-398
+      title: Indicator of Poor Code Quality
+  tags:
+    - correctness
+    - python
+    - quality
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.correctness.super-with-arguments
+    bind: issue
+emit:
+  finding:
+    category: correctness.source
+    severity: low
+    confidence: 0.95
+    tags:
+      - correctness
+      - python
+      - quality
+  message:
+    title: Use parameterless super() in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` passes class and self to super() unnecessarily."
+  remediation:
+    summary: Replace super(ClassName, self) with super() for cleaner, more maintainable Python 3 code.

package/rules/python/py.correctness.unnecessary-comprehension.rule.yaml ADDED Viewed

@@ -0,0 +1,51 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.correctness.unnecessary-comprehension
+  aliases:
+    - PY-W0005
+  title: Avoid unnecessary comprehension wrapped in list() or set()
+  summary: Wrapping a list comprehension in list() or set() is redundant and should be simplified
+  rationale: Python list comprehensions already produce a list, so wrapping them in list() performs unnecessary work. Use the comprehension directly or a generator expression.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-398
+      title: Indicator of Poor Code Quality
+  tags:
+    - correctness
+    - python
+    - quality
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.correctness.unnecessary-comprehension
+    bind: issue
+emit:
+  finding:
+    category: correctness.source
+    severity: low
+    confidence: 0.90
+    tags:
+      - correctness
+      - python
+      - quality
+  message:
+    title: Simplify unnecessary comprehension in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` wraps a comprehension in list() or set() unnecessarily."
+  remediation:
+    summary: Remove the list() or set() wrapper and use the comprehension directly, or use the underlying iterable if no transformation is needed.

package/rules/python/py.correctness.useless-return.rule.yaml ADDED Viewed

@@ -0,0 +1,51 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.correctness.useless-return
+  aliases:
+    - PY-W0004
+  title: Avoid bare return at end of function body
+  summary: A bare return at the end of a function adds no value and should be removed
+  rationale: Bare return statements at the end of a function body are redundant as functions implicitly return None.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-398
+      title: Indicator of Poor Code Quality
+  tags:
+    - correctness
+    - python
+    - quality
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.correctness.useless-return
+    bind: issue
+emit:
+  finding:
+    category: correctness.source
+    severity: low
+    confidence: 0.95
+    tags:
+      - correctness
+      - python
+      - quality
+  message:
+    title: Remove useless return in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` contains a bare return at the end of a function body."
+  remediation:
+    summary: Remove the bare return statement as the function already returns None implicitly.

package/rules/python/py.security.command-execution-with-request-input.rule.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.command-execution-with-request-input
+  aliases:
+    - BAN-B603
+  title: Avoid command execution with request-controlled input
+  summary: Python process execution helpers must not receive request-controlled arguments.
+  rationale: Request-controlled process execution can become remote code execution when attackers choose the binary or influence shell parsing.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-78
+      title: OS Command Injection
+    - kind: owasp
+      title: OS Command Injection Defense Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html
+  tags:
+    - security
+    - python
+    - injection
+    - command-execution
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: security.command-execution-with-request-input
+    bind: issue
+emit:
+  finding:
+    category: security.injection
+    severity: critical
+    confidence: 0.90
+    tags:
+      - security
+      - python
+      - injection
+      - command-execution
+  message:
+    title: Avoid request-controlled command execution in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` executes a process using request-controlled command data."
+  remediation:
+    summary: Dispatch only allowlisted binaries, keep shell mode disabled, and validate or constrain subcommands before execution.

package/rules/python/py.security.ftp-usage.rule.yaml ADDED Viewed

@@ -0,0 +1,51 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.ftp-usage
+  aliases:
+    - BAN-B321
+  title: Avoid cleartext FTP protocol
+  summary: FTP transmits credentials and data without encryption
+  rationale: FTP sends authentication credentials and file data in plaintext over the network, exposing sensitive information to interception and man-in-the-middle attacks.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+  tags:
+    - security
+    - python
+    - transport
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.ftp-usage
+    bind: issue
+emit:
+  finding:
+    category: security.transport
+    severity: high
+    confidence: 0.95
+    tags:
+      - security
+      - python
+      - transport
+  message:
+    title: Replace FTP with secure transport in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` imports or uses the insecure FTP protocol."
+  remediation:
+    summary: Use SFTP/SSH-based transport like `paramiko.Transport` or FTPS for encrypted file transfers.

package/rules/python/py.security.hardcoded-credentials.rule.yaml ADDED Viewed

@@ -0,0 +1,51 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.hardcoded-credentials
+  aliases:
+    - BAN-B101
+  title: Avoid hardcoded credentials in Python source
+  summary: Python source should not embed static secrets such as API keys, tokens, or passwords in plain text.
+  rationale: Hardcoded credentials are easily exposed to version control, logs, and anyone with read access to the source.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-798
+      title: Use of Hard-coded Credentials
+  tags:
+    - security
+    - python
+    - credentials
+    - rules-catalog
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: security.hardcoded-credentials
+    bind: issue
+emit:
+  finding:
+    category: security.credentials
+    severity: critical
+    confidence: 0.95
+    tags:
+      - security
+      - python
+      - credentials
+  message:
+    title: Hardcoded credential in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` contains a hardcoded credential."
+  remediation:
+    summary: Use environment variables, a secrets manager, or a secure vault for all credentials.

package/rules/python/py.security.hardcoded-temp-directory.rule.yaml ADDED Viewed

@@ -0,0 +1,51 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.hardcoded-temp-directory
+  aliases:
+    - BAN-B108
+  title: Avoid hardcoded temporary directory paths
+  summary: Temporary paths should use tempfile module instead of string literals
+  rationale: Hardcoded temporary directory paths can lead to predictable file locations, enabling symlink races, unauthorized access, and insecure file handling.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-377
+      title: Insecure Temporary File
+  tags:
+    - security
+    - python
+    - filesystem
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.hardcoded-temp-directory
+    bind: issue
+emit:
+  finding:
+    category: security.file
+    severity: medium
+    confidence: 0.9
+    tags:
+      - security
+      - python
+      - filesystem
+  message:
+    title: Use tempfile module instead of `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses a hardcoded temporary directory path."
+  remediation:
+    summary: Use `tempfile.mkdtemp()` or `tempfile.TemporaryDirectory()` to create secure, unpredictable temporary directories.

package/rules/python/py.security.insecure-cipher-mode.rule.yaml ADDED Viewed

@@ -0,0 +1,51 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.insecure-cipher-mode
+  aliases:
+    - BAN-B305
+  title: Avoid ECB cipher mode
+  summary: ECB mode is deterministic and reveals patterns in plaintext
+  rationale: ECB (Electronic Codebook) mode encrypts identical plaintext blocks into identical ciphertext blocks, revealing data patterns. It should never be used for encrypting more than a single block.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+  tags:
+    - security
+    - python
+    - crypto
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.insecure-cipher-mode
+    bind: issue
+emit:
+  finding:
+    category: security.crypto
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - python
+      - crypto
+  message:
+    title: Replace ECB mode with authenticated encryption in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses ECB cipher mode which reveals plaintext patterns."
+  remediation:
+    summary: Use an authenticated encryption mode like GCM (e.g. `AES.MODE_GCM`) or CBC with HMAC.

package/rules/python/py.security.insecure-cipher.rule.yaml ADDED Viewed

@@ -0,0 +1,51 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.insecure-cipher
+  aliases:
+    - BAN-B304
+  title: Avoid insecure cryptographic ciphers
+  summary: Weak ciphers like DES, ARC2, ARC4, and Blowfish should not be used
+  rationale: DES, ARC2, ARC4, and Blowfish are cryptographically weak algorithms that are susceptible to brute-force and known-plaintext attacks. Modern applications should use AES or other strong algorithms.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+  tags:
+    - security
+    - python
+    - crypto
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.insecure-cipher
+    bind: issue
+emit:
+  finding:
+    category: security.crypto
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - python
+      - crypto
+  message:
+    title: Replace weak cipher in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` imports or uses a cryptographically weak cipher."
+  remediation:
+    summary: Use AES (e.g. `from Crypto.Cipher import AES`) or another strong, modern cipher instead.

package/rules/python/py.security.insecure-crypto-import.rule.yaml ADDED Viewed

@@ -0,0 +1,51 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.insecure-crypto-import
+  aliases:
+    - BAN-B413
+  title: Avoid low-level crypto library imports
+  summary: Low-level cryptography.hazmat and pycrypto imports bypass safer high-level APIs
+  rationale: Direct use of low-level cryptographic primitives from cryptography.hazmat or pycrypto bypasses safe defaults and requires expert knowledge to avoid subtle security flaws. High-level APIs like Fernet provide secure defaults.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+  tags:
+    - security
+    - python
+    - crypto
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: python.security.insecure-crypto-import
+    bind: issue
+emit:
+  finding:
+    category: security.crypto
+    severity: medium
+    confidence: 0.85
+    tags:
+      - security
+      - python
+      - crypto
+  message:
+    title: Prefer high-level crypto API over `${captures.issue.text}`
+    summary: "`${captures.issue.text}` imports a low-level cryptographic primitive directly."
+  remediation:
+    summary: Use high-level APIs like `cryptography.fernet.Fernet` for symmetric encryption or `cryptography.hazmat.primitives.asymmetric` through the recipes layer.

package/rules/python/py.security.insecure-http-transport.rule.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: py.security.insecure-http-transport
+  aliases:
+    - BAN-B107
+  title: Avoid cleartext HTTP for API calls
+  summary: Python outbound requests should use HTTPS, not plain HTTP, when calling external services.
+  rationale: Cleartext HTTP exposes request bodies, headers, and responses to eavesdropping and man-in-the-middle interception.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Protection Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html
+  tags:
+    - security
+    - python
+    - transport
+    - encryption
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - python
+  paths:
+    include:
+      - "**/*.py"
+    exclude:
+      - "**/tests/**"
+      - "**/test_*.py"
+      - "**/*_test.py"
+      - "**/migrations/**"
+match:
+  fact:
+    kind: security.insecure-http-transport
+    bind: issue
+emit:
+  finding:
+    category: security.transport
+    severity: high
+    confidence: 0.95
+    tags:
+      - security
+      - python
+      - transport
+      - encryption
+  message:
+    title: Use HTTPS in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` sends a request over cleartext HTTP instead of HTTPS."
+  remediation:
+    summary: Replace `http://` with `https://` for all outbound API calls. Use HTTPS for all service-to-service communication.