npm - @critiq/rules - Versions diffs - 0.3.0 → 0.4.0 - Mend

@critiq/rules 0.3.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (735) hide show

package/rules/java/java.correctness.boxed-boolean-conditional.rule.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.boxed-boolean-conditional
+  title: Boxed Boolean in conditional expressions
+  summary: Using a boxed Boolean directly in a conditional can throw NullPointerException if the value is null.
+  rationale: Auto-unboxing a null Boolean in if/while/ternary expressions throws NullPointerException at runtime.
+  tags:
+    - correctness
+    - java
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+  aliases:
+    - JAVA-E1054
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.boxed-boolean-conditional
+    bind: issue
+emit:
+  finding:
+    category: correctness.general
+    severity: high
+    confidence: 0.80
+    tags:
+      - correctness
+      - java
+  message:
+    title: Boxed Boolean in conditional expression
+    summary: Unboxing a null Boolean will throw NullPointerException.
+  remediation:
+    summary: Use `Boolean.TRUE.equals(flag)` or `boolean` primitive type, or guard with a null check before the conditional.

package/rules/java/java.correctness.cacheloader-null-return.rule.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.cacheloader-null-return
+  title: CacheLoader load method should not return null
+  summary: Returning null from a CacheLoader.load() method causes InvalidCacheLoadException at runtime. Guava caches do not support null values.
+  rationale: CacheLoader.load() must never return null. Guava caches treat null returns as failures and throw InvalidCacheLoadException. The method should either return a non-null value or throw an exception.
+  tags:
+    - correctness
+    - java
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+  aliases:
+    - JAVA-E1104
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.cacheloader-null-return
+    bind: issue
+emit:
+  finding:
+    category: correctness.exceptions
+    severity: medium
+    confidence: 0.7
+    tags:
+      - correctness
+      - java
+  message:
+    title: CacheLoader.load() returns null which will throw InvalidCacheLoadException
+    summary: The load() method of a CacheLoader subclass returns null. Guava caches do not allow null values and will throw InvalidCacheLoadException.
+  remediation:
+    summary: Return a non-null value, use Optional, or throw an exception instead of returning null from CacheLoader.load().

package/rules/java/java.correctness.case-insensitive-regex-lacks-unicode.rule.yaml ADDED Viewed

@@ -0,0 +1,46 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.case-insensitive-regex-lacks-unicode
+  title: Case insensitive regex does not properly handle Unicode input
+  summary: CASE_INSENSITIVE or (?i) without UNICODE_CASE or (?u) does not handle Unicode-aware case folding.
+  rationale: Without UNICODE_CASE, case-insensitive matching only handles ASCII characters. Unicode characters (e.g., accented letters, non-Latin scripts) will not be matched case-insensitively, leading to text processing bugs in internationalized applications.
+  detection:
+    kind: pattern
+  aliases:
+    - JAVA-E1010
+  tags:
+    - correctness
+    - java
+    - rules-catalog
+    - i18n
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.case-insensitive-regex-lacks-unicode
+    bind: issue
+emit:
+  finding:
+    category: correctness.api-usage
+    severity: high
+    confidence: 0.85
+    tags:
+      - correctness
+      - java
+      - i18n
+  message:
+    title: Case-insensitive regex pattern without Unicode support
+    summary: "`${captures.issue.text}` uses case-insensitive matching without Unicode support. Add UNICODE_CASE or (?u) for proper internationalization."
+  remediation:
+    summary: Add Pattern.UNICODE_CASE (or (?u) flag) alongside CASE_INSENSITIVE flag for proper Unicode-aware case-insensitive matching.

package/rules/java/java.correctness.catch-null-pointer.rule.yaml CHANGED Viewed

@@ -5,6 +5,10 @@ metadata:
   title: Do not catch NullPointerException
   summary: NullPointerException indicates a programming error.
   rationale: Catching NPE masks bugs that should be fixed at the source.
+  detection:
+    kind: pattern
+  aliases:
+    - JAVA-E1070
   tags:
     - correctness
     - java
@@ -28,7 +32,7 @@ match:
 emit:
   finding:
     category: correctness.exceptions
-    severity: low
+    severity: critical
     confidence: 0.88
     tags:
       - correctness

package/rules/java/java.correctness.class-isinstance-on-class.rule.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.class-isinstance-on-class
+  title: "Use `instanceof` instead of `Class.isInstance()`"
+  summary: "Calling `.class.isInstance(obj)` should be replaced with `obj instanceof Type` for clarity and type safety."
+  rationale: "`SomeClass.class.isInstance(obj)` is equivalent to `obj instanceof SomeClass`, but the `instanceof` operator is more readable, type-safe at compile time, and is the idiomatic Java pattern for runtime type checking."
+  aliases:
+    - JAVA-E1091
+  tags:
+    - correctness
+    - java
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.class-isinstance-on-class
+    bind: issue
+emit:
+  finding:
+    category: correctness.code-style
+    severity: high
+    confidence: 0.95
+    tags:
+      - correctness
+      - java
+  message:
+    title: "Use `instanceof` instead of `.class.isInstance()` in `${captures.issue.text}`"
+    summary: "`SomeClass.class.isInstance(obj)` should be replaced with `obj instanceof SomeClass` for readability and compile-time type safety."
+  remediation:
+    summary: "Replace `X.class.isInstance(obj)` with `obj instanceof X`."

package/rules/java/java.correctness.class-name-collision.rule.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.class-name-collision
+  title: Class name collides with superclass simple name
+  summary: A class shares its simple name with a superclass referenced in the extends clause, causing ambiguity.
+  rationale: When a class name matches the simple name of its explicit superclass, it can lead to confusion and subtle bugs where the wrong type is referenced. The collision obscures the inheritance relationship and reduces code clarity.
+  detection:
+    kind: pattern
+  aliases:
+    - JAVA-E0169
+  tags:
+    - correctness
+    - java
+    - types
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.class-name-collision
+    bind: issue
+emit:
+  finding:
+    category: correctness.types
+    severity: medium
+    confidence: 0.85
+    tags:
+      - correctness
+      - java
+  message:
+    title: Class name collides with superclass name
+    summary: "Class `${captures.issue.text}` has the same simple name as its explicit superclass."
+  remediation:
+    summary: Rename the class or the superclass reference to avoid the name collision.

package/rules/java/java.correctness.clone-without-super.rule.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.clone-without-super
+  title: Clone method does not call super.clone()
+  summary: "`clone()` methods should call `super.clone()` to create the correct object."
+  rationale: "Without `super.clone()`, the cloned object may not be properly initialized. `super.clone()` copies the object's internal state."
+  detection:
+    kind: pattern
+  aliases:
+    - JAVA-E0048
+  tags:
+    - correctness
+    - java
+    - contract-violation
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.clone-without-super
+    bind: issue
+emit:
+  finding:
+    category: correctness.contract-violation
+    severity: high
+    confidence: 0.80
+    tags:
+      - correctness
+      - java
+  message:
+    title: clone() does not call super.clone()
+    summary: "`clone()` methods should call `super.clone()` to create the correct object."
+  remediation:
+    summary: "Add `super.clone()` call at the beginning of the `clone()` method."

package/rules/java/java.correctness.closeable-provides-injection.rule.yaml ADDED Viewed

@@ -0,0 +1,43 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.closeable-provides-injection
+  title: Closeable values should not be injected via @Provides annotated methods
+  summary: "@Provides/@Inject methods returning Closeable types can cause resource management problems."
+  rationale: DI frameworks may hold Closeable resources longer than intended, preventing proper cleanup. Scope the resource or use a factory that manages lifecycle.
+  aliases:
+    - JAVA-E1103
+  tags:
+    - correctness
+    - java
+    - framework
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.closeable-provides-injection
+    bind: issue
+emit:
+  finding:
+    category: correctness.resource-management
+    severity: high
+    confidence: 0.85
+    tags:
+      - correctness
+      - java
+  message:
+    title: Closeable type returned from @Provides method
+    summary: "The method returns a Closeable type that may not be properly closed by the DI container."
+  remediation:
+    summary: Return a factory or wrapper that manages the Closeable lifecycle instead of exposing it directly from @Provides/@Inject.

package/rules/java/java.correctness.collection-adds-self.rule.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.collection-adds-self
+  title: Collections should not be added to themselves
+  summary: A collection is being added to itself, which is likely a logic error.
+  rationale: Self-add operations on collections are almost always unintentional typos where the wrong variable was used.
+  aliases:
+    - JAVA-E1077
+  tags:
+    - correctness
+    - java
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.collection-adds-self
+    bind: issue
+emit:
+  finding:
+    category: correctness.logic
+    severity: high
+    confidence: 0.95
+    tags:
+      - correctness
+      - java
+  message:
+    title: Collection added to itself in `${captures.issue.text}`
+    summary: "A collection is being added to itself, which is likely a logic error."
+  remediation:
+    summary: Use a different collection reference for the add operation.

package/rules/java/java.correctness.collection-contains-self.rule.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.collection-contains-self
+  title: Collections should not contain themselves
+  summary: A collection checks if it contains itself — likely a logic error.
+  rationale: Self-containment checks on collections are almost always unintentional typos where the wrong variable was used.
+  aliases:
+    - JAVA-E1076
+  tags:
+    - correctness
+    - java
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.collection-contains-self
+    bind: issue
+emit:
+  finding:
+    category: correctness.logic
+    severity: critical
+    confidence: 0.95
+    tags:
+      - correctness
+      - java
+  message:
+    title: Collection contains check on itself in `${captures.issue.text}`
+    summary: "A collection checks for containment of itself, which is likely a logic error."
+  remediation:
+    summary: Use a different collection reference for the containment check.

package/rules/java/java.correctness.collection-remove-type-mismatch.rule.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.collection-remove-type-mismatch
+  title: Wrong argument type for Collection remove method
+  summary: Passing a numeric literal to Collection.remove() on a collection with a non-numeric generic type will silently fail to remove the intended element.
+  rationale: Although Collection.remove(Object) accepts any Object, passing an argument of the wrong type (e.g., an int to a List<String>) will never match an existing element. The remove call may succeed in removing a value that happens to match the object's equals/hashCode, but typically represents a bug.
+  tags:
+    - correctness
+    - java
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+  aliases:
+    - JAVA-E1036
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.collection-remove-type-mismatch
+    bind: issue
+emit:
+  finding:
+    category: correctness.types
+    severity: high
+    confidence: 0.85
+    tags:
+      - correctness
+      - java
+  message:
+    title: Possible type mismatch in Collection.remove()
+    summary: "`${captures.issue.text}` passes a numeric literal to `remove()` on a collection with a non-numeric generic type. This may never match an intended element."
+  remediation:
+    summary: Verify that the argument type matches the collection's generic type. If the collection is `List<String>`, pass a `String` argument to `remove()`.

package/rules/java/java.correctness.comparator-downcast-sign-flip.rule.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.comparator-downcast-sign-flip
+  title: Downcast may flip integer sign in comparator method
+  summary: Narrowing casts (short, byte, int) of subtraction results inside compare/compareTo methods can overflow and flip the comparison sign, producing incorrect ordering.
+  rationale: Comparing values by casting (short)(a - b) or (int)(a - b) discards overflow bits, potentially returning the wrong sign for large values. Use Long.compare or Integer.compare instead.
+  tags:
+    - correctness
+    - java
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+  aliases:
+    - JAVA-E1102
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.comparator-downcast-sign-flip
+    bind: issue
+emit:
+  finding:
+    category: correctness.general
+    severity: medium
+    confidence: 0.85
+    tags:
+      - correctness
+      - java
+  message:
+    title: Narrowing cast of subtraction may flip comparison sign
+    summary: Casting (a - b) to a narrower type inside a comparator can overflow and produce incorrect ordering. Use Long.compare(a, b) or Integer.compare(a, b) instead.
+  remediation:
+    summary: Replace `(short)(a - b)` or similar narrow casts with `Long.compare(a, b)` or `Integer.compare(a, b)` to avoid overflow sign flips.

package/rules/java/java.correctness.compareto-min-value.rule.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.compareto-min-value
+  title: compareTo returns Integer.MIN_VALUE
+  summary: Returning Integer.MIN_VALUE from compareTo() can break comparison contracts and cause subtle ordering bugs.
+  rationale: When compareTo() returns Integer.MIN_VALUE, the sign flip from negation (e.g. -Integer.MIN_VALUE == Integer.MIN_VALUE due to overflow) violates the contract that compareTo must be consistent with equals. Use Integer.compare() or explicit comparison logic instead.
+  detection:
+    kind: pattern
+  aliases:
+    - JAVA-E0112
+  tags:
+    - correctness
+    - java
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.compareto-min-value
+    bind: issue
+emit:
+  finding:
+    category: correctness.contract-violation
+    severity: medium
+    confidence: 0.85
+    tags:
+      - correctness
+      - java
+  message:
+    title: compareTo returns Integer.MIN_VALUE
+    summary: Returning Integer.MIN_VALUE from compareTo can produce inconsistent ordering because negating Integer.MIN_VALUE overflows back to itself.
+  remediation:
+    summary: Use Integer.compare() or explicit comparison logic instead of returning Integer.MIN_VALUE directly.

package/rules/java/java.correctness.constructor-starts-thread.rule.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.constructor-starts-thread
+  title: Constructor of non-final class starts a thread
+  summary: Starting a thread in a constructor of a non-final class may expose a partially constructed object.
+  rationale: "When a constructor starts a thread, the new thread may access the object before it is fully initialized. Subclasses can also override methods called by the thread before construction completes, leading to unpredictable behavior."
+  detection:
+    kind: pattern
+  aliases:
+    - JAVA-E0208
+  tags:
+    - correctness
+    - java
+    - concurrency
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.constructor-starts-thread
+    bind: issue
+emit:
+  finding:
+    category: correctness.concurrency
+    severity: medium
+    confidence: 0.80
+    tags:
+      - correctness
+      - java
+  message:
+    title: Thread started in constructor of non-final class
+    summary: This constructor starts a thread, but the class is not final so subclasses may not be fully initialized when the thread runs.
+  remediation:
+    summary: Either declare the class `final` or move thread creation to a factory method or `init()`.

package/rules/java/java.correctness.default-package-spring-scan.rule.yaml ADDED Viewed

@@ -0,0 +1,46 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.default-package-spring-scan
+  title: '@SpringBootApplication or @ComponentScan must not be used in the default package'
+  summary: Spring Boot applications in the default package cannot be scanned properly and will fail at runtime.
+  rationale: Spring Boot's component scanning relies on package declarations to locate beans, configurations, and auto-configuration. Classes in the default package are not scanned, silently causing missing beans.
+  detection:
+    kind: pattern
+  aliases:
+    - JAVA-E1009
+  tags:
+    - correctness
+    - java
+    - rules-catalog
+    - spring
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.default-package-spring-scan
+    bind: issue
+emit:
+  finding:
+    category: correctness.framework-configuration
+    severity: high
+    confidence: 0.85
+    tags:
+      - correctness
+      - java
+      - spring
+  message:
+    title: Spring Boot application or component scan in default package
+    summary: "`${captures.issue.text}` is used in the default (unnamed) package. Spring Boot will not scan components correctly."
+  remediation:
+    summary: Move the application class to a named package (e.g., com.example) and ensure all Spring components are under a named package hierarchy.

package/rules/java/java.correctness.deprecated-thread-methods.rule.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: java.correctness.deprecated-thread-methods
+  title: Avoid using deprecated Thread methods
+  summary: Calls to deprecated Thread instance methods stop(), suspend(), and resume() should be removed. These methods are inherently unsafe.
+  rationale: Thread.stop(), Thread.suspend(), and Thread.resume() are deprecated since JDK 1.2 because they are inherently unsafe. stop() can corrupt shared state, suspend() is deadlock-prone, and resume() is the counterpart to a dangerous method.
+  tags:
+    - correctness
+    - java
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+  aliases:
+    - JAVA-E1107
+scope:
+  languages:
+    - java
+  paths:
+    include:
+      - "**/*.java"
+    exclude:
+      - "**/src/test/**"
+      - "**/tests/**"
+      - "**/*Test.java"
+match:
+  fact:
+    kind: java.correctness.deprecated-thread-methods
+    bind: issue
+emit:
+  finding:
+    category: correctness.concurrency
+    severity: medium
+    confidence: 0.95
+    tags:
+      - correctness
+      - java
+  message:
+    title: Deprecated Thread method call
+    summary: The Thread method stop(), suspend(), or resume() is deprecated and unsafe. Use cooperative interruption, locks, or other concurrency primitives instead.
+  remediation:
+    summary: Replace Thread.stop() with cooperative interruption via Thread.interrupt() and InterruptedException. Replace Thread.suspend()/resume() with explicit lock variables and condition flags.