Develop Static Code Security Patterns

Client: AI | Published: 27.02.2026
Budget: 8 $

I need an experienced application-security researcher to design and document a comprehensive set of static-analysis patterns and rules capable of spotting the most common and dangerous software weaknesses. The rules must reliably flag code-quality flaws drawn from the CWE/SANS Top 25, OWASP Top 10, cryptographic and authentication mistakes, control-flow defects, and general “code smell” issues.

Target languages and frameworks
The engine that will consume these patterns must understand Java, Python and JavaScript as well as Go, React and Node. I will supply representative code samples in each language so you can prove the rules work across paradigms (object-oriented, functional and asynchronous).

Scope of the rule pack
• Logical & control-flow errors: unreachable branches, infinite loops, improper break/continue usage, missing returns.
• Cryptographic & security failures: weak or deprecated ciphers, improper SSL/TLS handling, broken or missing access controls, predictable secrets.
• Compliance & code-quality metrics: cyclomatic complexity thresholds, excessive technical debt, deviations from established style guides.

Deliverables
1. A well-structured rule set (YAML, JSON or the DSL of SonarQube, Semgrep or a similar engine—your choice, but be consistent).
2. Unit-test corpus that contains both positive and negative examples for every rule, runnable by CI.
3. Installation and tuning guide that explains rule parameters, risk levels and recommended fixes.
4. Brief effectiveness report summarising coverage against the supplied code base and highlighting any false positives/negatives discovered during validation.

Acceptance criteria
• 90 %+ detection rate on supplied vulnerable samples with <10 % false positives on clean code.
• Each rule annotated with CWE/OWASP mapping and language applicability.
• All artefacts checked into the provided Git repository and verified through an automated workflow.
If you have prior experience writing custom Semgrep, CodeQL or Sonar rules and can demonstrate measurable detection accuracy, I’d love to review your approach and timeline.
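As an added illustration of how deliverables 1, 2 and 4 and the acceptance criteria above fit together (this is example code written for this page, not a Semgrep, CodeQL or Sonar rule and not anything supplied by the poster): one "weak or deprecated cipher" rule for Python, annotated with a CWE/OWASP mapping, a constructed positive/negative test corpus using Semgrep-style `# ruleid:` / `# ok:` markers on the line before each sample, and an evaluator that computes the detection and false-positive rates and checks them against the 90 % / 10 % bar. The rule id `py-weak-hash`, the `Rule` dataclass and the sample snippets are all assumptions made for the example. The scanner resolves `import hashlib as h` and `from hashlib import md5 as x` aliases, the kind of gap that would otherwise show up as a false negative in the effectiveness report.

```python
"""Example rule + test corpus + effectiveness check (illustrative, not a
Semgrep/Sonar rule). Uses only the Python standard library."""
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str
    message: str
    cwe: str            # CWE mapping required by the acceptance criteria
    owasp: str          # OWASP Top 10 mapping
    languages: tuple    # language applicability
    weak_calls: frozenset  # (module, function) pairs that trigger the rule


# Assumed rule for the example: MD5 and SHA-1 construction via hashlib.
WEAK_HASH = Rule(
    rule_id="py-weak-hash",
    message="MD5/SHA-1 are not collision resistant; use SHA-256 or stronger.",
    cwe="CWE-328",
    owasp="A02:2021 Cryptographic Failures",
    languages=("python",),
    weak_calls=frozenset({("hashlib", "md5"), ("hashlib", "sha1")}),
)


def _import_aliases(tree: ast.AST) -> dict:
    """Map local names to (module, name): 'h' -> ('hashlib', None),
    'legacy' -> ('hashlib', 'md5'), so aliased imports are not missed."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                aliases[a.asname or a.name] = (a.name, None)
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = (node.module, a.name)
    return aliases


def _resolve(func: ast.AST, aliases: dict):
    """Resolve a call target to (module, function) through the alias map."""
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        module = aliases.get(func.value.id, (func.value.id, None))[0]
        return module, func.attr
    if isinstance(func, ast.Name):
        return aliases.get(func.id)
    return None


def scan(source: str, rule: Rule) -> list:
    """Return sorted line numbers on which `rule` fires in `source`."""
    tree = ast.parse(source)
    aliases = _import_aliases(tree)
    hits = set()
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        target = _resolve(node.func, aliases)
        if target in rule.weak_calls:
            hits.add(node.lineno)
        elif target == ("hashlib", "new") and node.args:
            # hashlib.new("md5", ...) names the algorithm as a string literal
            algo = node.args[0]
            if (isinstance(algo, ast.Constant) and isinstance(algo.value, str)
                    and ("hashlib", algo.value.lower()) in rule.weak_calls):
                hits.add(node.lineno)
    return sorted(hits)


# Constructed test corpus (not real project code). The marker comment
# states what is expected on the NEXT line, as in Semgrep's test format.
CORPUS = '''\
import hashlib
import hashlib as h
from hashlib import md5 as legacy_digest, sha256
# ruleid: py-weak-hash
a = hashlib.md5(data).hexdigest()
# ruleid: py-weak-hash
b = h.sha1()
# ruleid: py-weak-hash
c = legacy_digest(data)
# ruleid: py-weak-hash
d = hashlib.new("MD5", data)
# ok: py-weak-hash
e = hashlib.sha256(data).hexdigest()
# ok: py-weak-hash
f = sha256(data)
# ok: py-weak-hash
g = hashlib.new("sha256", data)
# ok: py-weak-hash
algo_name = "md5"
'''


def expectations(corpus: str, rule_id: str) -> dict:
    """Line number -> True (finding expected) / False (must stay clean)."""
    expected = {}
    for i, line in enumerate(corpus.splitlines(), start=1):
        tag = line.strip()
        if tag == f"# ruleid: {rule_id}":
            expected[i + 1] = True
        elif tag == f"# ok: {rule_id}":
            expected[i + 1] = False
    return expected


def evaluate(corpus: str, rule: Rule) -> dict:
    """Effectiveness report: rates plus the exact missed/spurious lines."""
    hits = set(scan(corpus, rule))
    expected = expectations(corpus, rule.rule_id)
    positives = [ln for ln, want in expected.items() if want]
    negatives = [ln for ln, want in expected.items() if not want]
    return {
        "detection_rate": sum(ln in hits for ln in positives) / len(positives),
        "false_positive_rate": sum(ln in hits for ln in negatives) / len(negatives),
        "missed": [ln for ln in positives if ln not in hits],
        "spurious": [ln for ln in negatives if ln in hits],
    }


def meets_acceptance(report: dict) -> bool:
    """The posting's bar: 90 %+ detection and <10 % false positives."""
    return report["detection_rate"] >= 0.90 and report["false_positive_rate"] < 0.10


if __name__ == "__main__":
    rep = evaluate(CORPUS, WEAK_HASH)
    print(WEAK_HASH.rule_id, WEAK_HASH.cwe, WEAK_HASH.owasp, rep, meets_acceptance(rep))
```

In a real rule pack the same three pieces map onto the engine's native forms: the `Rule` fields become the rule's `metadata` block, `CORPUS` becomes one annotated test file per rule that CI runs, and `evaluate` is what the effectiveness report summarises across the supplied code base. Note that the alias handling is what keeps `legacy_digest(data)` from appearing in the `missed` list; a pattern written only for `hashlib.md5(...)` would fail that sample.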