@runsec/mcp 1.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.js +578 -0
- package/package.json +43 -0
- package/src/rules/data/rule-compliance-map.json +43563 -0
- package/src/rules/data/semgrep-rules/README-taint-overlays.md +21 -0
- package/src/rules/data/semgrep-rules/advanced-agent-cloud.yaml +802 -0
- package/src/rules/data/semgrep-rules/app-logic.yaml +445 -0
- package/src/rules/data/semgrep-rules/auth-keycloak.yaml +831 -0
- package/src/rules/data/semgrep-rules/browser-agent.yaml +260 -0
- package/src/rules/data/semgrep-rules/cloud-secrets.yaml +316 -0
- package/src/rules/data/semgrep-rules/csharp-dotnet.yaml +4864 -0
- package/src/rules/data/semgrep-rules/desktop-electron-pro.yaml +30 -0
- package/src/rules/data/semgrep-rules/desktop-vsto-suite.yaml +2759 -0
- package/src/rules/data/semgrep-rules/devops-security.yaml +393 -0
- package/src/rules/data/semgrep-rules/domain-access-management.yaml +1023 -0
- package/src/rules/data/semgrep-rules/domain-data-privacy.yaml +852 -0
- package/src/rules/data/semgrep-rules/domain-input-validation.yaml +2894 -0
- package/src/rules/data/semgrep-rules/domain-platform-hardening.yaml +1715 -0
- package/src/rules/data/semgrep-rules/ds-ml-security.yaml +2431 -0
- package/src/rules/data/semgrep-rules/fastapi-async.yaml +5953 -0
- package/src/rules/data/semgrep-rules/frontend-react.yaml +4035 -0
- package/src/rules/data/semgrep-rules/frontend-security.yaml +200 -0
- package/src/rules/data/semgrep-rules/go-core.yaml +4959 -0
- package/src/rules/data/semgrep-rules/hft-cpp-security.yaml +631 -0
- package/src/rules/data/semgrep-rules/infra-k8s-helm.yaml +4968 -0
- package/src/rules/data/semgrep-rules/integration-security.yaml +2362 -0
- package/src/rules/data/semgrep-rules/java-enterprise.yaml +14756 -0
- package/src/rules/data/semgrep-rules/java-spring.yaml +397 -0
- package/src/rules/data/semgrep-rules/license-compliance.yaml +186 -0
- package/src/rules/data/semgrep-rules/mobile-flutter.yaml +37 -0
- package/src/rules/data/semgrep-rules/mobile-security.yaml +721 -0
- package/src/rules/data/semgrep-rules/nodejs-nestjs.yaml +5164 -0
- package/src/rules/data/semgrep-rules/nodejs-security.yaml +326 -0
- package/src/rules/data/semgrep-rules/observability.yaml +381 -0
- package/src/rules/data/semgrep-rules/php-security.yaml +3601 -0
- package/src/rules/data/semgrep-rules/python-backend-pro.yaml +30 -0
- package/src/rules/data/semgrep-rules/python-django.yaml +181 -0
- package/src/rules/data/semgrep-rules/python-security.yaml +284 -0
- package/src/rules/data/semgrep-rules/ru-regulatory.yaml +496 -0
- package/src/rules/data/semgrep-rules/ruby-rails.yaml +3078 -0
- package/src/rules/data/semgrep-rules/rust-security.yaml +2701 -0
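--- a/package/src/rules/data/semgrep-rules/hft-cpp-security.yaml
+++ b/package/src/rules/data/semgrep-rules/hft-cpp-security.yaml
@@ -0,0 +1,631 @@
+rules:
+  - id: runsec.hft-cpp-security.hft-001
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        N/A
+      fix_template: |-
+        Prevent overwrite in low-latency parsing path.
+    pattern-either:
+      - pattern: |-
+          strcpy(buf, input)
+      - pattern-regex: 'Vulnerable:\\s*HFT\\-001\\b'
+    message: |-
+      RunSec Detection [HFT-001]: CWE-119
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.hft-cpp-security.hft-002
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        N/A
+      fix_template: |-
+        Bound formatted writes in critical loops.
+    pattern-either:
+      - pattern: |-
+          sprintf(dst,"%s",src)
+      - pattern-regex: 'Vulnerable:\\s*HFT\\-002\\b'
+    message: |-
+      RunSec Detection [HFT-002]: CWE-120
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.hft-cpp-security.hft-003
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        N/A
+      fix_template: |-
+        Prevent stale pointer dereference.
+    pattern-either:
+      - pattern: |-
+          access pointer after delete
+      - pattern-regex: 'Vulnerable:\\s*HFT\\-003\\b'
+    message: |-
+      RunSec Detection [HFT-003]: CWE-416
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.hft-cpp-security.hft-004
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        N/A
+      fix_template: |-
+        Avoid memory corruption by double free.
+    pattern-either:
+      - pattern: |-
+          delete p; ... delete p;
+      - pattern-regex: 'Vulnerable:\\s*HFT\\-004\\b'
+    message: |-
+      RunSec Detection [HFT-004]: CWE-415
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.hft-cpp-security.hft-005
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        N/A
+      fix_template: |-
+        Prevent financial logic corruption.
+    pattern-either:
+      - pattern: |-
+          int64_t notional = price * volume; unchecked
+      - pattern-regex: 'Vulnerable:\\s*HFT\\-005\\b'
+    message: |-
+      RunSec Detection [HFT-005]: CWE-190
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.hft-cpp-security.hft-006
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        N/A
+      fix_template: |-
+        Avoid bypassed bounds logic.
+    pattern-either:
+      - pattern: |-
+          compare signed index to unsigned size
+      - pattern-regex: 'Vulnerable:\\s*HFT\\-006\\b'
+    message: |-
+      RunSec Detection [HFT-006]: CWE-190
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.hft-cpp-security.hft-007
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        N/A
+      fix_template: |-
+        Preserve memory safety in lock-free queues.
+    pattern-either:
+      - pattern: |-
+          buf[head++] without wrap guard
+      - pattern-regex: 'Vulnerable:\\s*HFT\\-007\\b'
+    message: |-
+      RunSec Detection [HFT-007]: CWE-787
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.hft-cpp-security.hft-008
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        N/A
+      fix_template: |-
+        Block packet-driven memory overwrite.
+    pattern-either:
+      - pattern: |-
+          memcpy(dst, pkt, len)
+      - pattern-regex: 'Vulnerable:\\s*HFT\\-008\\b'
+    message: |-
+      RunSec Detection [HFT-008]: CWE-120
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.hft-cpp-security.hft-009
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        N/A
+      fix_template: |-
+        Prevent arbitrary memory disclosure/write.
+    pattern-either:
+      - pattern: |-
+          printf(userFmt)
+      - pattern-regex: 'Vulnerable:\\s*HFT\\-009\\b'
+    message: |-
+      RunSec Detection [HFT-009]: CWE-134
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.hft-cpp-security.hft-010
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        N/A
+      fix_template: |-
+        Keep engine stable under memory pressure.
+    pattern-either:
+      - pattern: |-
+          new T(...) unchecked
+      - pattern-regex: 'Vulnerable:\\s*HFT\\-010\\b'
+    message: |-
+      RunSec Detection [HFT-010]: CWE-703
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.hft-cpp-security.hft-011
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        N/A
+      fix_template: |-
+        Avoid crashes and undefined behavior.
+    pattern-either:
+      - pattern: |-
+          dereference optional pointer directly
+      - pattern-regex: 'Vulnerable:\\s*HFT\\-011\\b'
+    message: |-
+      RunSec Detection [HFT-011]: CWE-476
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.hft-cpp-security.hft-012
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        N/A
+      fix_template: |-
+        Prevent inconsistent market state.
+    pattern-either:
+      - pattern: |-
+          mutable shared map without sync
+      - pattern-regex: 'Vulnerable:\\s*HFT\\-012\\b'
+    message: |-
+      RunSec Detection [HFT-012]: CWE-362
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.hft-cpp-security.hft-013
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        N/A
+      fix_template: |-
+        Prevent stale CAS success conditions.
+    pattern-either:
+      - pattern: |-
+          CAS without ABA protection
+      - pattern-regex: 'Vulnerable:\\s*HFT\\-013\\b'
+    message: |-
+      RunSec Detection [HFT-013]: CWE-367
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.hft-cpp-security.hft-014
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        N/A
+      fix_template: |-
+        Ensure visibility and ordering correctness.
+    pattern-either:
+      - pattern: |-
+          relaxed ops for publication
+      - pattern-regex: 'Vulnerable:\\s*HFT\\-014\\b'
+    message: |-
+      RunSec Detection [HFT-014]: CWE-362
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.hft-cpp-security.hft-015
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        N/A
+      fix_template: |-
+        Prevent use-after-scope.
+    pattern-either:
+      - pattern: |-
+          lambda captures local by reference
+      - pattern-regex: 'Vulnerable:\\s*HFT\\-015\\b'
+    message: |-
+      RunSec Detection [HFT-015]: CWE-416
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.hft-cpp-security.hft-016
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        N/A
+      fix_template: |-
+        Avoid UB and misparsed data.
+    pattern-either:
+      - pattern: |-
+          cast unaligned packet buffer to struct
+      - pattern-regex: 'Vulnerable:\\s*HFT\\-016\\b'
+    message: |-
+      RunSec Detection [HFT-016]: CWE-704
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.hft-cpp-security.hft-017
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        N/A
+      fix_template: |-
+        Prevent symbol parsing overflow.
+    pattern-either:
+      - pattern: |-
+          write symbol blindly
+      - pattern-regex: 'Vulnerable:\\s*HFT\\-017\\b'
+    message: |-
+      RunSec Detection [HFT-017]: CWE-120
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.hft-cpp-security.hft-018
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        N/A
+      fix_template: |-
+        Avoid overflow in dynamic rule composition.
+    pattern-either:
+      - pattern: |-
+          strcat(rule, input)
+      - pattern-regex: 'Vulnerable:\\s*HFT\\-018\\b'
+    message: |-
+      RunSec Detection [HFT-018]: CWE-120
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.hft-cpp-security.hft-019
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        N/A
+      fix_template: |-
+        Prevent thread/resource starvation.
+    pattern-either:
+      - pattern: |-
+          blocking read forever
+      - pattern-regex: 'Vulnerable:\\s*HFT\\-019\\b'
+    message: |-
+      RunSec Detection [HFT-019]: CWE-400
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.hft-cpp-security.hft-020
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        N/A
+      fix_template: |-
+        Prevent FD exhaustion under churn.
+    pattern-either:
+      - pattern: |-
+          open sockets/files without close on retry
+      - pattern-regex: 'Vulnerable:\\s*HFT\\-020\\b'
+    message: |-
+      RunSec Detection [HFT-020]: CWE-772
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.hft-cpp-security.hft-021
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        N/A
+      fix_template: |-
+        Avoid self-inflicted DoS.
+    pattern-either:
+      - pattern: |-
+          while(true) reconnect()
+      - pattern-regex: 'Vulnerable:\\s*HFT\\-021\\b'
+    message: |-
+      RunSec Detection [HFT-021]: CWE-400
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.hft-cpp-security.hft-022
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        N/A
+      fix_template: |-
+        Stop malformed snapshot exploitation.
+    pattern-either:
+      - pattern: |-
+          trust snapshot blob layout blindly
+      - pattern-regex: 'Vulnerable:\\s*HFT\\-022\\b'
+    message: |-
+      RunSec Detection [HFT-022]: CWE-502
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.hft-cpp-security.hft-023
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        N/A
+      fix_template: |-
+        Protect privileged runtime controls.
+    pattern-either:
+      - pattern: |-
+          plain command socket without auth
+      - pattern-regex: 'Vulnerable:\\s*HFT\\-023\\b'
+    message: |-
+      RunSec Detection [HFT-023]: CWE-306
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.hft-cpp-security.hft-024
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        N/A
+      fix_template: |-
+        Remove embedded secrets from binaries.
+    pattern-either:
+      - pattern: |-
+          API keys in source constants
+      - pattern-regex: 'Vulnerable:\\s*HFT\\-024\\b'
+    message: |-
+      RunSec Detection [HFT-024]: CWE-798
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.hft-cpp-security.hft-025
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        N/A
+      fix_template: |-
+        Preserve financial precision/integrity.
+    pattern-either:
+      - pattern: |-
+          cast large value to narrow type
+      - pattern-regex: 'Vulnerable:\\s*HFT\\-025\\b'
+    message: |-
+      RunSec Detection [HFT-025]: CWE-197
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.hft-cpp-security.hft-026
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        N/A
+      fix_template: |-
+        Prevent time drift and ordering faults.
+    pattern-either:
+      - pattern: |-
+          ts + latency_ns unchecked
+      - pattern-regex: 'Vulnerable:\\s*HFT\\-026\\b'
+    message: |-
+      RunSec Detection [HFT-026]: CWE-190
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.hft-cpp-security.hft-027
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        N/A
+      fix_template: |-
+        Block malformed protocol messages.
+    pattern-either:
+      - pattern: |-
+          switch without default reject
+      - pattern-regex: 'Vulnerable:\\s*HFT\\-027\\b'
+    message: |-
+      RunSec Detection [HFT-027]: CWE-20
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.hft-cpp-security.hft-028
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        N/A
+      fix_template: |-
+        Prevent data leak and nondeterminism.
+    pattern-either:
+      - pattern: |-
+          stack buffer partially filled
+      - pattern-regex: 'Vulnerable:\\s*HFT\\-028\\b'
+    message: |-
+      RunSec Detection [HFT-028]: CWE-457
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.hft-cpp-security.hft-029
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        N/A
+      fix_template: |-
+        Protect interprocess market data integrity.
+    pattern-either:
+      - pattern: |-
+          world-readable/writable shm
+      - pattern-regex: 'Vulnerable:\\s*HFT\\-029\\b'
+    message: |-
+      RunSec Detection [HFT-029]: CWE-732
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.hft-cpp-security.hft-030
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        N/A
+      fix_template: |-
+        Prevent identifier prediction attacks.
+    pattern-either:
+      - pattern: |-
+          rand()/std::mt19937 for security ids
+      - pattern-regex: 'Vulnerable:\\s*HFT\\-030\\b'
+    message: |-
+      RunSec Detection [HFT-030]: CWE-330
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.hft-cpp-security.hft-031
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        N/A
+      fix_template: |-
+        Defend against malformed FIX payloads.
+    pattern-either:
+      - pattern: |-
+          parse tag length from input unchecked
+      - pattern-regex: 'Vulnerable:\\s*HFT\\-031\\b'
+    message: |-
+      RunSec Detection [HFT-031]: CWE-130
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.hft-cpp-security.hft-032
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        N/A
+      fix_template: |-
+        Prevent temp file race/tampering.
+    pattern-either:
+      - pattern: |-
+          predictable temp filename
+      - pattern-regex: 'Vulnerable:\\s*HFT\\-032\\b'
+    message: |-
+      RunSec Detection [HFT-032]: CWE-377
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.hft-cpp-security.hft-033
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        N/A
+      fix_template: |-
+        Reduce operational information leakage.
+    pattern-either:
+      - pattern: |-
+          dumps keys/endpoints in logs
+      - pattern-regex: 'Vulnerable:\\s*HFT\\-033\\b'
+    message: |-
+      RunSec Detection [HFT-033]: CWE-532
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.hft-cpp-security.hft-034
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        N/A
+      fix_template: |-
+        Enable controlled crypto migration.
+    pattern-either:
+      - pattern: |-
+          fixed outdated cipher list
+      - pattern-regex: 'Vulnerable:\\s*HFT\\-034\\b'
+    message: |-
+      RunSec Detection [HFT-034]: CWE-327
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.hft-cpp-security.hft-035
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        N/A
+      fix_template: |-
+        Minimize secret retention in memory.
+    pattern-either:
+      - pattern: |-
+          key buffers persist after use
+      - pattern-regex: 'Vulnerable:\\s*HFT\\-035\\b'
+    message: |-
+      RunSec Detection [HFT-035]: CWE-1037
+    languages:
+      - generic
+    severity: WARNING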
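Review bot: Most `- pattern:` bodies in this file are English descriptions rather than Semgrep patterns (hft-003 `access pointer after delete`, hft-013 `CAS without ABA protection`, hft-035 `key buffers persist after use`, and the majority of the other rules), and because every rule is declared `languages: [generic]` each of those can only match that literal token sequence, so in practice a rule fires solely through its `Vulnerable: HFT-0NN` marker regex and detects nothing in real code while still reporting `confidence: 0.9`. The marker regex itself also looks doubly escaped: inside a YAML single-quoted scalar `'\\s*'` is the two characters `\\` followed by `s*`, which the regex engine reads as a literal backslash, so if the page shows the file verbatim the intended form is `pattern-regex: 'Vulnerable:\s*HFT-001\b'` (and likewise for the other 34 rules). For the rules that do name a concrete sink (hft-001, hft-002, hft-008, hft-009, hft-018), a language-aware pattern with metavariables would give real coverage, e.g. for hft-001 `languages: [c, cpp]` with `pattern: strcpy($DST, $SRC)`; the prose-only rules should either get such a pattern or be marked as unimplemented so the MCP layer does not present them as active detections. Separately, hft-006 (signed index compared to unsigned size) is tagged CWE-190, which is integer overflow; signed/unsigned comparison is better described by CWE-195 or CWE-697.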