npm - @critiq/rules - Versions diffs - 0.3.0 → 0.4.0 - Mend

@critiq/rules 0.3.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (735) hide show

package/rules/go/go.security.incomplete-hostname-regex.rule.yaml ADDED Viewed

@@ -0,0 +1,64 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.incomplete-hostname-regex
+  title: Use a complete and anchored regular expression for hostname validation
+  summary: >-
+    Regex patterns used for hostname validation should use start (`^`) and end
+    (`$`) anchors, escape literal dots, and avoid overly permissive character
+    classes that allow subdomains or non-hostname input through.
+  rationale: >-
+    Unanchored or unescaped hostname regexes accept malicious or malformed
+    input (e.g. `evil.com.evildomain.com`), enabling SSRF, open redirects,
+    and domain validation bypasses.
+  aliases:
+    - GO-S1016
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-185
+      title: Incorrect Regular Expression
+    - kind: owasp
+      title: Input Validation Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - regex
+    - hostname
+    - validation
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.incomplete-hostname-regex
+    bind: issue
+emit:
+  finding:
+    category: security.validation
+    severity: medium
+    confidence: 0.55
+    tags:
+      - security
+      - go
+      - regex
+  message:
+    title: Anchor hostname regex at start and end in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses a regex that may accept broader input than intended for hostname validation."
+  remediation:
+    summary: >-
+      Anchor the pattern with `^` and `$`, escape literal dots with `\\.`, and
+      restrict character classes to valid hostname characters. For example:
+      `^[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?)*$`.

package/rules/go/go.security.insecure-ssl-protocol.rule.yaml CHANGED Viewed

@@ -7,6 +7,8 @@ metadata:
     `tls.VersionSSL30`, SSLv2, or SSLv3 string literals indicate use of broken legacy protocols.
   rationale: >-
     SSLv2 and SSLv3 contain unrecoverable cryptographic weaknesses (POODLE, DROWN) and must not be negotiated.
+  aliases:
+    - GO-S1021
   detection:
     kind: pattern
   references:

package/rules/go/go.security.jwt-without-verification.rule.yaml CHANGED Viewed

@@ -7,6 +7,8 @@ metadata:
     Parsing JWTs with `jwt.Parse` and a nil keyfunc, `jwt.ParseUnverified`, or `jwt.Decode` skips signature verification and lets attackers forge tokens.
   rationale: >-
     Trusting unverified JWTs allows attackers to impersonate users or escalate privileges by crafting tokens with arbitrary claims.
+  aliases:
+    - GO-S1019
   detection:
     kind: pattern
   references:

package/rules/go/go.security.net-http-missing-timeouts.rule.yaml CHANGED Viewed

@@ -7,6 +7,9 @@ metadata:
     Public Go HTTP servers should use `http.Server` with read, write, idle, and header timeouts instead of convenience `ListenAndServe` helpers or incomplete literals.
   rationale: >-
     Missing timeouts enable slowloris-style resource exhaustion and hung connections on internet-facing services.
+  aliases:
+    - GO-S2112
+    - GO-S2114
   detection:
     kind: pattern
   references:

package/rules/go/go.security.pprof-exposed.rule.yaml CHANGED Viewed

@@ -7,6 +7,8 @@ metadata:
     Importing `net/http/pprof` or registering `/debug/pprof` handlers on the default mux exposes debugging endpoints to remote callers.
   rationale: >-
     Exposed pprof endpoints leak heap, goroutine, and CPU profiles and can be used for denial-of-service or sensitive data harvesting.
+  aliases:
+    - GO-S2108
   detection:
     kind: pattern
   references:

package/rules/go/go.security.squirrel-unsafe-quoting.rule.yaml ADDED Viewed

@@ -0,0 +1,64 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.squirrel-unsafe-quoting
+  title: Use safe parameterized queries with squirrel query builder
+  summary: >-
+    `squirrel.Expr` (or `sq.Expr`) with `fmt.Sprintf` interpolation constructs
+    SQL queries via string formatting, enabling SQL injection when arguments
+    contain untrusted data.
+  rationale: >-
+    String interpolation in query construction bypasses placeholder-based
+    parameterization, allowing attackers to inject SQL through user-controlled
+    input. Use `squirrel.Eq{}`, `squirrel.Eq{}`, or other safe builders that
+    emit parameterized queries.
+  aliases:
+    - GO-S1017
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-89
+      title: SQL Injection
+    - kind: owasp
+      title: SQL Injection Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - sql-injection
+    - squirrel
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.squirrel-unsafe-quoting
+    bind: issue
+emit:
+  finding:
+    category: security.injection
+    severity: high
+    confidence: 0.5
+    tags:
+      - security
+      - go
+      - sql-injection
+  message:
+    title: Use parameterized query instead of squirrel.Expr with string interpolation
+    summary: "`${captures.issue.text}` uses `squirrel.Expr` with `fmt.Sprintf` instead of safe builders like `squirrel.Eq{}`."
+  remediation:
+    summary: >-
+      Replace `squirrel.Expr(fmt.Sprintf(...))` with safe builders such as
+      `squirrel.Eq{"field": value}` or `squirrel.Expr("field = ?", value)`
+      with placeholder syntax.

package/rules/go/go.security.tainted-value-sink.rule.yaml ADDED Viewed

@@ -0,0 +1,59 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.tainted-value-sink
+  title: Avoid using tainted values in SQL and command sinks
+  summary: >-
+    User-controlled input (parameters named `input`, `data`, `body`, etc.) should not reach SQL execution or OS command sinks via `fmt.Sprintf` string interpolation.
+  rationale: >-
+    Building SQL queries or shell commands by interpolating user input with `fmt.Sprintf` enables SQL injection and command injection attacks. Use parameterized queries or sanitized APIs instead.
+  aliases:
+    - GO-S7000
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-89
+      title: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)
+    - kind: cwe
+      id: CWE-78
+      title: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)
+    - kind: owasp
+      title: SQL Injection Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - injection
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.tainted-value-sink
+    bind: issue
+emit:
+  finding:
+    category: security.injection
+    severity: high
+    confidence: 0.4
+    tags:
+      - security
+      - go
+      - experimental
+  message:
+    title: Use parameterized query instead of interpolation near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` passes a potentially tainted value through `fmt.Sprintf` into a SQL or command sink."
+  remediation:
+    summary: >-
+      Replace `fmt.Sprintf` interpolation with parameterized queries (`db.ExecContext(ctx, query, args...)`) for SQL or use `exec.Command(name, arg...)` with separate arguments for OS commands.

package/rules/go/go.security.tls-missing-min-version.rule.yaml CHANGED Viewed

@@ -7,6 +7,8 @@ metadata:
     `tls.Config` literals should set `MinVersion` to a modern protocol (`tls.VersionTLS12` or newer) to avoid downgrade attacks.
   rationale: >-
     Without `MinVersion`, the Go standard library accepts legacy TLS versions that are vulnerable to known protocol attacks.
+  aliases:
+    - GO-S1020
   detection:
     kind: pattern
   references:

package/rules/go/go.security.unsafe-defer-close.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.unsafe-defer-close
+  title: Handle deferred Close errors explicitly
+  summary: >-
+    `defer f.Close()` silently discards the error returned by `Close()`. For writable files, this can mask data loss when buffered writes fail on close.
+  rationale: >-
+    The `Close()` method on `*os.File` and other `io.Closer` implementations can return errors (e.g., flush failures, disk-full). A deferred call without error handling may silently lose data. Consider handling the close error explicitly or calling `f.Sync()` before deferring close.
+  aliases:
+    - GO-S2307
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-754
+      title: Improper Check for Unusual or Exceptional Conditions
+    - kind: url
+      title: Effective Go - Defer
+      url: https://go.dev/doc/effective_go#defer
+  tags:
+    - security
+    - go
+    - error-handling
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.unsafe-defer-close
+    bind: issue
+emit:
+  finding:
+    category: security.exceptions
+    severity: high
+    confidence: 0.55
+    tags:
+      - security
+      - go
+  message:
+    title: Handle close error instead of deferring near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` defers a close call without capturing potential write errors."
+  remediation:
+    summary: >-
+      Call `f.Sync()` before the deferred `f.Close()`, or handle `f.Close()` explicitly with error checking instead of deferring it.

package/rules/go/go.security.weak-crypto-import.rule.yaml CHANGED Viewed

@@ -7,6 +7,9 @@ metadata:
     Production Go code should not import `crypto/md5`, `crypto/sha1`, `crypto/des`, or `crypto/rc4` for security-sensitive purposes.
   rationale: >-
     MD5 and SHA-1 are broken hash functions, DES has an obsolete key size, and RC4 has known biases; using them as cryptographic primitives degrades confidentiality and integrity.
+  aliases:
+    - GO-S1022
+    - GO-S1023
   detection:
     kind: pattern
   references:

package/rules/go/go.security.weak-file-permission.rule.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.security.weak-file-permission
+  title: Avoid overly permissive file permissions
+  summary: >-
+    `os.WriteFile` or `os.OpenFile` with permission bits above `0600` (owner read/write) may expose sensitive data to other users on the system.
+  rationale: >-
+    Overly permissive file modes (e.g., `0744`, `0777`) allow group or world access to files that may contain credentials, tokens, or sensitive data. Restrict to `0600` or `0400` for sensitive files.
+  aliases:
+    - GO-S2306
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-276
+      title: Incorrect Default Permissions
+    - kind: owasp
+      title: File Permission Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Permission_Cheat_Sheet.html
+  tags:
+    - security
+    - go
+    - filesystem
+    - permissions
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.security.weak-file-permission
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - go
+  message:
+    title: Restrict file permissions near `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses permission bits above `0600` which may expose sensitive data."
+  remediation:
+    summary: >-
+      Use `0600` (owner read/write) or `0400` (owner read-only) for sensitive files. Avoid group or world access unless explicitly required and reviewed.

package/rules/java/java.correctness.annotation-check-always-false.rule.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.annotation-check-always-false
+  title: Annotation retention prevents runtime check
+  summary: Checking for an annotation at runtime that is retained only at SOURCE or CLASS level will always return false.
+  rationale: The @Retention annotation controls whether an annotation is available at runtime via reflection. RetentionPolicy.SOURCE and RetentionPolicy.CLASS annotations are not preserved in the JVM, so isAnnotationPresent() will always return false. Only RetentionPolicy.RUNTIME annotations can be detected at runtime.
+  tags:
+    - correctness
+    - java
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+  aliases:
+    - JAVA-E1039
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.annotation-check-always-false
+    bind: issue
+emit:
+  finding:
+    category: correctness.reflection
+    severity: high
+    confidence: 0.85
+    tags:
+      - correctness
+      - java
+  message:
+    title: Annotation check always returns false
+    summary: "`${captures.issue.text}` checks for an annotation with SOURCE or CLASS retention, which is never available at runtime."
+  remediation:
+    summary: Change the annotation's retention to RetentionPolicy.RUNTIME if it needs to be detected via reflection at runtime, or remove the isAnnotationPresent check.

package/rules/java/java.correctness.array-compared-to-non-array.rule.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.array-compared-to-non-array
+  title: Array compared to non-array value
+  summary: Comparing an array variable to a non-array value (string literal, number, boolean) is almost certainly a logic bug.
+  rationale: "Comparing an array with `==` or `.equals()` to a non-array value like a string literal or number is almost always a programmer error. Arrays are objects; comparing them to primitives or strings with `==` will always be false, and `.equals()` will never match a non-array type."
+  detection:
+    kind: pattern
+  aliases:
+    - JAVA-S0347
+  tags:
+    - correctness
+    - java
+    - equality
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.array-compared-to-non-array
+    bind: issue
+emit:
+  finding:
+    category: correctness.equality
+    severity: medium
+    confidence: 0.82
+    tags:
+      - correctness
+      - java
+  message:
+    title: Suspicious array comparison in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` compares an array variable to a non-array value."
+  remediation:
+    summary: "Review the comparison. If checking array contents, use `Arrays.equals(array, otherArray)`. If checking length, use `array.length`."

package/rules/java/java.correctness.array-index-bounds.rule.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.array-index-bounds
+  title: Array or list access with out-of-bounds index
+  summary: An array, list, or string is accessed at length()/size(), which is always one past the last valid index.
+  rationale: Array indices range from 0 to length-1. Accessing index `length` throws ArrayIndexOutOfBoundsException.
+  tags:
+    - correctness
+    - java
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+  aliases:
+    - JAVA-E1020
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.array-index-bounds
+    bind: issue
+emit:
+  finding:
+    category: correctness.bounds
+    severity: critical
+    confidence: 0.9
+    tags:
+      - correctness
+      - java
+  message:
+    title: Potential index out of bounds access in `${captures.issue.text}`
+    summary: An index expression uses length()/size() as the upper bound, which is always one element past the valid range.
+  remediation:
+    summary: Use `length - 1` or `size() - 1` to access the last element, or verify the index is valid before access.

package/rules/java/java.correctness.assert-self-comparison.rule.yaml ADDED Viewed

@@ -0,0 +1,46 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.assert-self-comparison
+  title: Objects should not be compared to themselves within assertions
+  summary: Assertions comparing a value to itself always pass and indicate a testing bug where a different expected value should be used.
+  rationale: Self-comparison in assertions (assertEquals(a, a), assertSame(a, a), assertTrue(a == a)) is a common copy-paste mistake. These assertions always pass and never validate actual behavior.
+  detection:
+    kind: pattern
+  aliases:
+    - JAVA-E1012
+  tags:
+    - correctness
+    - java
+    - rules-catalog
+    - testing
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.assert-self-comparison
+    bind: issue
+emit:
+  finding:
+    category: correctness.logic
+    severity: high
+    confidence: 0.85
+    tags:
+      - correctness
+      - java
+      - testing
+  message:
+    title: Self-comparison in assertion
+    summary: "`${captures.issue.text}` compares an object to itself. This assertion always passes and does not test anything meaningful."
+  remediation:
+    summary: Replace the self-comparison with the actual expected value. If testing equality contract, check equals/hashCode explicitly.

package/rules/java/java.correctness.assertion-in-production.rule.yaml ADDED Viewed

@@ -0,0 +1,49 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.assertion-in-production
+  title: Assert statement in production code
+  summary: "The `assert` keyword in Java is disabled at runtime. Do not use it for argument validation or precondition checks in production code."
+  rationale: "Java assertions are disabled by default and throw `AssertionError` (not a typed exception) when enabled. They should not be used for input validation, precondition checks, or any logic that must execute. Use `IllegalArgumentException`, `Objects.requireNonNull`, or explicit condition checks instead."
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-617
+      title: Reachable Assertion
+  aliases:
+    - JAVA-S0336
+  tags:
+    - correctness
+    - java
+    - defensive-programming
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.assertion-in-production
+    bind: issue
+emit:
+  finding:
+    category: correctness.defensive-programming
+    severity: low
+    confidence: 0.92
+    tags:
+      - correctness
+      - java
+  message:
+    title: Replace assert with proper validation in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses the Java `assert` keyword which is disabled by default. Use explicit validation such as `Objects.requireNonNull` or `IllegalArgumentException` instead."
+  remediation:
+    summary: "Replace `assert` with explicit validation: `if (!condition) throw new IllegalArgumentException(\"...\")` or use `Objects.requireNonNull(value)` for null checks."

package/rules/java/java.correctness.bad-short-circuit-null-check.rule.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.bad-short-circuit-null-check
+  title: Bad short-circuiting null check
+  summary: Null check uses || instead of && causing a NullPointerException when the variable is null.
+  rationale: In `x != null || x.method()`, if x is null, the first condition is false, so x.method() executes and throws NPE. Use && for null-guarded access.
+  detection:
+    kind: pattern
+  aliases:
+    - JAVA-E1003
+  tags:
+    - correctness
+    - java
+    - defensive-programming
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.bad-short-circuit-null-check
+    bind: issue
+emit:
+  finding:
+    category: correctness.logic
+    severity: high
+    confidence: 0.90
+    tags:
+      - correctness
+      - java
+  message:
+    title: Bad short-circuit null check
+    summary: Using `||` instead of `&&` after a null check causes a NullPointerException when the variable is null.
+  remediation:
+    summary: Change `x != null || x.method()` to `x != null && x.method()` so the method call is guarded by the null check.

package/rules/java/java.correctness.bitwise-or-never-equal.rule.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.bitwise-or-never-equal
+  title: Bitwise OR expression will never equal the comparison constant
+  summary: A bitwise OR expression is compared with `==` to a constant but will never equal it.
+  rationale: When using `(expr | C) == D`, if `C` has bits that `D` doesn't have, the expression always evaluates to false because OR adds bits.
+  aliases:
+    - JAVA-E1073
+  tags:
+    - correctness
+    - java
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.bitwise-or-never-equal
+    bind: issue
+emit:
+  finding:
+    category: correctness.logic
+    severity: high
+    confidence: 0.95
+    tags:
+      - correctness
+      - java
+  message:
+    title: Bitwise OR expression never equals constant in `${captures.issue.text}`
+    summary: "A bitwise OR comparison will always evaluate to the same result."
+  remediation:
+    summary: Use `&` (bitwise AND) instead of `|` to test for specific bits, or use a valid constant for comparison.