Add i18n and exotic rules while bumping to 1.16.2

.tool_version

@@ -1 +1 @@
-1.16.1
+1.16.2

Dockerfile

@@ -1,4 +1,4 @@
-ARG OPENGREP_VERSION=v1.16.1
+ARG OPENGREP_VERSION=v1.16.2
 
 # Build codacy-opengrep wrapper
 FROM golang:1.23-alpine3.21 as builder

docs/codacy-rules-exotic.yaml

@@ -0,0 +1,28 @@
+rules:
+  - id: codacy.generic.sql.exotic.hardcoded-sql-values
+    severity: WARNING
+    languages:
+      - generic
+    patterns:
+      - pattern-either:
+          # Complete SQL queries with hardcoded values
+          - pattern-regex: "(?i)^[^\n]*(?:SELECT|INSERT|UPDATE|DELETE|FROM)[^\n]*\\b(?:85|4322385|86|4323386|1628302)\\b"
+          - pattern-regex: "(?i)^[^\n]*(?:SELECT|INSERT|UPDATE|DELETE|FROM)[^\n]*['\"](?:IMO|CVO|SMO|US|FRC)['\"]"
+          # SQL fragments with WHERE/AND/OR and hardcoded values
+          - pattern-regex: "(?i)^[^\n]*(?:WHERE|AND|OR|SET|VALUES|IN)\\s+[^\n]*\\b(?:85|4322385|86|4323386|1628302)\\b"
+          - pattern-regex: "(?i)^[^\n]*(?:WHERE|AND|OR|SET|VALUES|IN)\\s+[^\n]*['\"](?:IMO|CVO|SMO|US|FRC)['\"]"
+          # Column assignments with hardcoded values
+          - pattern-regex: "(?i)^[^\n]*(?:org_id|organization_id|language|currency|mode)\\s*=\\s*(?:85|4322385|86|4323386|1628302)\\b"
+          - pattern-regex: "(?i)^[^\n]*(?:org_id|organization_id|language|currency|mode)\\s*=\\s*['\"](?:IMO|CVO|SMO|US|FRC)['\"]"
+      - pattern-not-regex: '^\s*(?://|--|/\*|\*)'
+    message: >-
+      Hardcoded Language, Currency, or Org_Id values detected in SQL. Avoid hardcoding such values; use parameters or configuration instead.
+    metadata:
+      category: security
+      subcategory: sql
+      description: Flags hardcoded Language, Currency, or Org_Id values in SQL queries that should be parameterized
+      technology:
+        - sql
+      impact: MEDIUM
+      confidence: LOW
+      likelihood: HIGH

docs/codacy-rules-i18n.yaml

@@ -106,6 +106,242 @@ rules:
       confidence: LOW
       likelihood: HIGH
 
+  - id: codacy.js.i18n.no-hardcoded-confirm-prompt
+    severity: WARNING
+    languages:
+      - js
+      - ts
+    patterns:
+      - pattern-either:
+          - pattern: confirm("...")
+          - pattern: window.confirm("...")
+          - pattern: prompt("...")
+          - pattern: window.prompt("...")
+      - pattern-not: confirm(t(...))
+      - pattern-not: prompt(t(...))
+    message: >-
+      Avoid hardcoded strings in confirm/prompt dialogs. Use an i18n translation function (e.g., t("key")) with interpolation.
+    metadata:
+      category: codestyle
+      subcategory: i18n
+      description: Flags hardcoded strings in confirm/prompt dialogs to enforce localization
+      technology:
+        - javascript
+        - typescript
+      impact: MEDIUM
+      confidence: LOW
+      likelihood: HIGH
+
+  - id: codacy.js.i18n.no-hardcoded-jsx-user-props
+    severity: WARNING
+    languages:
+      - js
+      - ts
+    patterns:
+      - pattern-either:
+          - pattern: <$EL placeholder="$STR" ... />
+          - pattern: <$EL alt="$STR" ... />
+          - pattern: <$EL aria-label="$STR" ... />
+          - pattern: <$EL label="$STR" ... />
+          - pattern: <$EL title="$STR" ... />
+      - metavariable-regex:
+          metavariable: $STR
+          regex: '^(?!SELECT|INSERT|UPDATE|DELETE|FROM|WHERE|ERR)[^.]*\s[^.]*'
+    message: >-
+      Avoid hardcoded strings in JSX user-facing props. Use an i18n translation function (e.g., t("key")).
+    metadata:
+      category: codestyle
+      subcategory: i18n
+      description: Flags hardcoded strings in JSX props like placeholder, alt, aria-label, label, and title
+      technology:
+        - javascript
+        - typescript
+      impact: MEDIUM
+      confidence: LOW
+      likelihood: HIGH
+
+  - id: codacy.js.i18n.no-hardcoded-console-error
+    severity: WARNING
+    languages:
+      - js
+      - ts
+    patterns:
+      - pattern: console.error("$MSG")
+      - metavariable-regex:
+          metavariable: $MSG
+          regex: '^(?!SELECT|INSERT|UPDATE|DELETE|FROM|WHERE|ERR)[^.]*\s[^.]*'
+    message: >-
+      Avoid hardcoded strings in console.error. Use an i18n translation function (e.g., t("key")).
+    metadata:
+      category: codestyle
+      subcategory: i18n
+      description: Flags hardcoded natural language strings in console.error calls
+      technology:
+        - javascript
+        - typescript
+      impact: MEDIUM
+      confidence: LOW
+      likelihood: MEDIUM
+
+  - id: codacy.js.i18n.no-hardcoded-throw-error
+    severity: WARNING
+    languages:
+      - js
+      - ts
+    patterns:
+      - pattern: throw new Error("$MSG")
+      - metavariable-regex:
+          metavariable: $MSG
+          regex: '^(?!SELECT|INSERT|UPDATE|DELETE|FROM|WHERE|ERR)[^.]*\s[^.]*'
+    message: >-
+      Avoid hardcoded strings in Error constructors. Use an i18n translation function (e.g., t("key")).
+    metadata:
+      category: codestyle
+      subcategory: i18n
+      description: Flags hardcoded natural language strings in Error constructor calls
+      technology:
+        - javascript
+        - typescript
+      impact: MEDIUM
+      confidence: LOW
+      likelihood: MEDIUM
+
+  - id: codacy.java.i18n.no-hardcoded-date-format
+    severity: WARNING
+    languages:
+      - java
+    pattern-either:
+      - pattern: new SimpleDateFormat("...")
+      - pattern: DateTimeFormatter.ofPattern("...")
+    message: >-
+      Avoid hardcoded date format patterns. Use DateTimeFormatter.ofLocalizedDate() or DateTimeFormatter.ofLocalizedDateTime() for locale-aware formatting.
+    metadata:
+      category: codestyle
+      subcategory: i18n
+      description: Flags hardcoded date format patterns that are not locale-aware
+      technology:
+        - java
+      impact: MEDIUM
+      confidence: HIGH
+      likelihood: HIGH
+
+  - id: codacy.java.i18n.no-hardcoded-decimal-format
+    severity: WARNING
+    languages:
+      - java
+    pattern-either:
+      - pattern: new DecimalFormat("...")
+      - patterns:
+          - pattern: String.format("$FMT", ...)
+          - metavariable-regex:
+              metavariable: $FMT
+              regex: '%[0-9.]*[fd]'
+    message: >-
+      Avoid hardcoded number format patterns. Use NumberFormat.getInstance(locale) or locale-aware formatting for user-visible numbers.
+    metadata:
+      category: codestyle
+      subcategory: i18n
+      description: Flags hardcoded decimal format patterns and String.format with numeric format specifiers
+      technology:
+        - java
+      impact: MEDIUM
+      confidence: MEDIUM
+      likelihood: HIGH
+
+  - id: codacy.java.i18n.no-hardcoded-exception-message
+    severity: WARNING
+    languages:
+      - java
+    patterns:
+      - pattern: throw new $EX("$MSG");
+      - metavariable-regex:
+          metavariable: $MSG
+          regex: '^(?!SELECT|INSERT|UPDATE|DELETE|FROM|WHERE|ERR)[^.]*\s[^.]*'
+      - pattern-not: throw new $EX($BUNDLE.getString(...));
+    message: >-
+      Avoid hardcoded strings in exception messages. Use ResourceBundle.getString() or a localization key.
+    metadata:
+      category: codestyle
+      subcategory: i18n
+      description: Flags hardcoded natural language strings in exception constructors
+      technology:
+        - java
+      impact: MEDIUM
+      confidence: LOW
+      likelihood: HIGH
+
+  - id: codacy.java.i18n.no-hardcoded-return-string
+    severity: WARNING
+    languages:
+      - java
+    patterns:
+      - pattern: return "$STR";
+      - metavariable-regex:
+          metavariable: $STR
+          regex: '^(?!SELECT|INSERT|UPDATE|DELETE|FROM|WHERE|ERR)[^.]*\s[^.]*'
+      - pattern-not: return $BUNDLE.getString(...);
+    message: >-
+      Avoid returning hardcoded natural language strings. Use ResourceBundle.getString() or a localization key.
+    metadata:
+      category: codestyle
+      subcategory: i18n
+      description: Flags hardcoded natural language strings returned from methods
+      technology:
+        - java
+      impact: MEDIUM
+      confidence: LOW
+      likelihood: HIGH
+
+  - id: codacy.java.i18n.no-hardcoded-string-concat
+    severity: WARNING
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - patterns:
+              - pattern: return "$LIT" + ...;
+              - metavariable-regex:
+                  metavariable: $LIT
+                  regex: '^[A-Z](?![a-z]+\[)[a-z].*'
+          - patterns:
+              - pattern: return ... + "$LIT";
+              - metavariable-regex:
+                  metavariable: $LIT
+                  regex: '^\s(?!.*\b(?:SELECT|INSERT|UPDATE|DELETE|FROM|WHERE|JOIN)\b).*[a-z]{2}'
+      - pattern-not: return $BUNDLE.getString(...) + ...;
+    message: >-
+      Avoid hardcoded strings in string concatenation for user-facing output. Use ResourceBundle.getString() with MessageFormat.
+    metadata:
+      category: codestyle
+      subcategory: i18n
+      description: Flags hardcoded natural language strings in return concatenation
+      technology:
+        - java
+      impact: MEDIUM
+      confidence: LOW
+      likelihood: HIGH
+
+  - id: codacy.java.i18n.no-hardcoded-stringbuilder-append
+    severity: WARNING
+    languages:
+      - java
+    patterns:
+      - pattern: $SB.append("$STR");
+      - metavariable-regex:
+          metavariable: $STR
+          regex: '^(?!SELECT|INSERT|UPDATE|DELETE|FROM|WHERE|JOIN|ORDER)[^.]*\s[^.]*'
+    message: >-
+      Avoid hardcoded natural language strings in StringBuilder.append. Use ResourceBundle.getString() or MessageFormat.
+    metadata:
+      category: codestyle
+      subcategory: i18n
+      description: Flags hardcoded natural language strings in StringBuilder.append calls
+      technology:
+        - java
+      impact: MEDIUM
+      confidence: LOW
+      likelihood: HIGH
+
   - id: codacy.js.i18n.no-raw-jsx-text
     severity: WARNING
     languages:
@@ -124,4 +360,75 @@ rules:
       impact: MEDIUM
       confidence: LOW
       likelihood: MEDIUM
-
+
+  - id: codacy.java.i18n.no-hardcoded-map-put
+    severity: WARNING
+    languages:
+      - java
+    patterns:
+      - pattern: $MAP.put("$KEY", "$VALUE");
+      - metavariable-regex:
+          metavariable: $VALUE
+          regex: '^(?!SELECT|INSERT|UPDATE|DELETE|FROM|WHERE|ERR)[^.]*\s[^.]*'
+      - pattern-not: $MAP.put("$KEY", $BUNDLE.getString(...));
+    message: >-
+      Avoid hardcoded strings in Map.put(). Use ResourceBundle.getString() or a localization key for user-facing messages.
+    metadata:
+      category: codestyle
+      subcategory: i18n
+      description: Flags hardcoded natural language strings in Map.put() calls that should be localized
+      technology:
+        - java
+      impact: MEDIUM
+      confidence: LOW
+      likelihood: HIGH
+
+  - id: codacy.java.i18n.no-hardcoded-map-of
+    severity: WARNING
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: Map.of(..., "$VALUE", ...)
+          - pattern: Map.of("$KEY", "$VALUE")
+      - metavariable-regex:
+          metavariable: $VALUE
+          regex: '^(?!SELECT|INSERT|UPDATE|DELETE|FROM|WHERE|ERR)[^.]*\s[^.]*'
+      - pattern-not: Map.of(..., $BUNDLE.getString(...), ...)
+    message: >-
+      Avoid hardcoded strings in Map.of(). Use ResourceBundle.getString() or a localization key for user-facing messages.
+    metadata:
+      category: codestyle
+      subcategory: i18n
+      description: Flags hardcoded natural language strings in Map.of() calls that should be localized
+      technology:
+        - java
+      impact: MEDIUM
+      confidence: LOW
+      likelihood: HIGH
+
+  - id: codacy.java.i18n.no-hardcoded-response-body
+    severity: WARNING
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: ResponseEntity.ok(Map.of(..., "$VALUE", ...))
+          - pattern: ResponseEntity.status(...).body(Map.of(..., "$VALUE", ...))
+          - pattern: ResponseEntity.$METHOD(Map.of(..., "$VALUE", ...))
+      - metavariable-regex:
+          metavariable: $VALUE
+          regex: '^(?!SELECT|INSERT|UPDATE|DELETE|FROM|WHERE|ERR)[^.]*\s[^.]*'
+      - pattern-not: ResponseEntity.ok(Map.of(..., $BUNDLE.getString(...), ...))
+      - pattern-not: ResponseEntity.status(...).body(Map.of(..., $BUNDLE.getString(...), ...))
+    message: >-
+      Avoid hardcoded strings in ResponseEntity body maps. Use ResourceBundle.getString() or a localization key for user-facing messages.
+    metadata:
+      category: codestyle
+      subcategory: i18n
+      description: Flags hardcoded natural language strings in Spring ResponseEntity responses that should be localized
+      technology:
+        - java
+      impact: MEDIUM
+      confidence: LOW
+      likelihood: HIGH

docs/codacy-rules.yaml

@@ -182,7 +182,7 @@ rules:
       GRANT SELECT privileges should only be given to role-based accounts
       (ending in '_role'). Direct grants to users or non-role accounts violate
       security best practices.
-    pattern-regex: GRANT\s+(DELETE|INSERT|SELECT|UPDATE)(\s*,\s*(DELETE|INSERT|SELECT|UPDATE))*\s+ON\s+[a-zA-Z0-9_]+(\.[a-zA-Z0-9_*]+)?\s+TO\s+(?![a-zA-Z0-9_]*_role\b)[a-zA-Z0-9_]+
+    pattern-regex: GRANT\s+(?:DELETE|INSERT|SELECT|UPDATE)(?:\s*,\s*(?:DELETE|INSERT|SELECT|UPDATE))*\s+ON\s+[\w.*]+\s+TO\s+(?!\w*_[Rr][Oo][Ll][Ee]\b)\b\w+
     paths:
       include:
         - "*.sql"
@@ -303,9 +303,9 @@ rules:
       - generic
     patterns:
       - pattern-either:
-        - pattern-regex: "(?i)\\b\\w*language\\w*\\b\\s*(=|:=)\\s*'?\\b[A-Z]{2}\\b'?"
-        - pattern-regex: "(?i)\\b\\w*currency\\w*\\b\\s*(=|:=)\\s*'?\\b[A-Z]{3}\\b'?"
-        - pattern-regex: "(?i)\\b(\\w*\\.)?org_id\\b\\s*(=|:=|IN|!=|<>)\\s*(\\(?\\s*'?\\d+'?(,\\s*'?\\d+'?)*\\s*\\)?)?"
+        - pattern-regex: "(?i)^(?:(?!--).)*\\b\\w*language\\w*\\b\\s*(=|:=)\\s*'?\\b[A-Z]{2}\\b'?"
+        - pattern-regex: "(?i)^(?:(?!--).)*\\b\\w*currency\\w*\\b\\s*(=|:=)\\s*'?\\b[A-Z]{3}\\b'?"
+        - pattern-regex: "(?i)^(?:(?!--).)*\\b(\\w*\\.)?org_id\\b\\s*(=|:=|IN|!=|<>)\\s*(\\(?\\s*'?\\d+'?(,\\s*'?\\d+'?)*\\s*\\)?)?"
     paths:
       include:
         - "*.sql"

docs/multiple-tests/exotic/patterns.xml

@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module name="root">
+    <module name="codacy.generic.sql.exotic.hardcoded-sql-values" />
+</module>