@runsec/mcp 1.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.js +578 -0
- package/package.json +43 -0
- package/src/rules/data/rule-compliance-map.json +43563 -0
- package/src/rules/data/semgrep-rules/README-taint-overlays.md +21 -0
- package/src/rules/data/semgrep-rules/advanced-agent-cloud.yaml +802 -0
- package/src/rules/data/semgrep-rules/app-logic.yaml +445 -0
- package/src/rules/data/semgrep-rules/auth-keycloak.yaml +831 -0
- package/src/rules/data/semgrep-rules/browser-agent.yaml +260 -0
- package/src/rules/data/semgrep-rules/cloud-secrets.yaml +316 -0
- package/src/rules/data/semgrep-rules/csharp-dotnet.yaml +4864 -0
- package/src/rules/data/semgrep-rules/desktop-electron-pro.yaml +30 -0
- package/src/rules/data/semgrep-rules/desktop-vsto-suite.yaml +2759 -0
- package/src/rules/data/semgrep-rules/devops-security.yaml +393 -0
- package/src/rules/data/semgrep-rules/domain-access-management.yaml +1023 -0
- package/src/rules/data/semgrep-rules/domain-data-privacy.yaml +852 -0
- package/src/rules/data/semgrep-rules/domain-input-validation.yaml +2894 -0
- package/src/rules/data/semgrep-rules/domain-platform-hardening.yaml +1715 -0
- package/src/rules/data/semgrep-rules/ds-ml-security.yaml +2431 -0
- package/src/rules/data/semgrep-rules/fastapi-async.yaml +5953 -0
- package/src/rules/data/semgrep-rules/frontend-react.yaml +4035 -0
- package/src/rules/data/semgrep-rules/frontend-security.yaml +200 -0
- package/src/rules/data/semgrep-rules/go-core.yaml +4959 -0
- package/src/rules/data/semgrep-rules/hft-cpp-security.yaml +631 -0
- package/src/rules/data/semgrep-rules/infra-k8s-helm.yaml +4968 -0
- package/src/rules/data/semgrep-rules/integration-security.yaml +2362 -0
- package/src/rules/data/semgrep-rules/java-enterprise.yaml +14756 -0
- package/src/rules/data/semgrep-rules/java-spring.yaml +397 -0
- package/src/rules/data/semgrep-rules/license-compliance.yaml +186 -0
- package/src/rules/data/semgrep-rules/mobile-flutter.yaml +37 -0
- package/src/rules/data/semgrep-rules/mobile-security.yaml +721 -0
- package/src/rules/data/semgrep-rules/nodejs-nestjs.yaml +5164 -0
- package/src/rules/data/semgrep-rules/nodejs-security.yaml +326 -0
- package/src/rules/data/semgrep-rules/observability.yaml +381 -0
- package/src/rules/data/semgrep-rules/php-security.yaml +3601 -0
- package/src/rules/data/semgrep-rules/python-backend-pro.yaml +30 -0
- package/src/rules/data/semgrep-rules/python-django.yaml +181 -0
- package/src/rules/data/semgrep-rules/python-security.yaml +284 -0
- package/src/rules/data/semgrep-rules/ru-regulatory.yaml +496 -0
- package/src/rules/data/semgrep-rules/ruby-rails.yaml +3078 -0
- package/src/rules/data/semgrep-rules/rust-security.yaml +2701 -0
|
@@ -0,0 +1,721 @@
|
|
|
1
|
+
rules:
|
|
2
|
+
- id: runsec.mobile-security.mob-001
|
|
3
|
+
metadata:
|
|
4
|
+
runsec_version: v1.0
|
|
5
|
+
confidence: |-
|
|
6
|
+
0.9
|
|
7
|
+
exploit_scenario: |-
|
|
8
|
+
N/A
|
|
9
|
+
fix_template: |-
|
|
10
|
+
Use Keystore/Keychain for secrets at rest.
|
|
11
|
+
pattern-either:
|
|
12
|
+
- pattern: |-
|
|
13
|
+
prefs.edit().putString("token", token).apply()
|
|
14
|
+
- pattern-regex: 'Vulnerable:\\s*MOB\\-001\\b'
|
|
15
|
+
message: |-
|
|
16
|
+
RunSec Detection [MOB-001]: CWE-922
|
|
17
|
+
languages:
|
|
18
|
+
- generic
|
|
19
|
+
severity: WARNING
|
|
20
|
+
- id: runsec.mobile-security.mob-002
|
|
21
|
+
metadata:
|
|
22
|
+
runsec_version: v1.0
|
|
23
|
+
confidence: |-
|
|
24
|
+
0.9
|
|
25
|
+
exploit_scenario: |-
|
|
26
|
+
N/A
|
|
27
|
+
fix_template: |-
|
|
28
|
+
Persist auth artifacts only in secure enclave-backed stores.
|
|
29
|
+
pattern-either:
|
|
30
|
+
- pattern: |-
|
|
31
|
+
UserDefaults.standard.set(token, forKey:"token")
|
|
32
|
+
- pattern-regex: 'Vulnerable:\\s*MOB\\-002\\b'
|
|
33
|
+
message: |-
|
|
34
|
+
RunSec Detection [MOB-002]: CWE-922
|
|
35
|
+
languages:
|
|
36
|
+
- generic
|
|
37
|
+
severity: WARNING
|
|
38
|
+
- id: runsec.mobile-security.mob-003
|
|
39
|
+
metadata:
|
|
40
|
+
runsec_version: v1.0
|
|
41
|
+
confidence: |-
|
|
42
|
+
0.9
|
|
43
|
+
exploit_scenario: |-
|
|
44
|
+
N/A
|
|
45
|
+
fix_template: |-
|
|
46
|
+
Encrypt token/PII columns before persistence.
|
|
47
|
+
pattern-either:
|
|
48
|
+
- pattern: |-
|
|
49
|
+
Room entity has refreshToken field
|
|
50
|
+
- pattern-regex: 'Vulnerable:\\s*MOB\\-003\\b'
|
|
51
|
+
message: |-
|
|
52
|
+
RunSec Detection [MOB-003]: CWE-312
|
|
53
|
+
languages:
|
|
54
|
+
- generic
|
|
55
|
+
severity: WARNING
|
|
56
|
+
- id: runsec.mobile-security.mob-004
|
|
57
|
+
metadata:
|
|
58
|
+
runsec_version: v1.0
|
|
59
|
+
confidence: |-
|
|
60
|
+
0.9
|
|
61
|
+
exploit_scenario: |-
|
|
62
|
+
N/A
|
|
63
|
+
fix_template: |-
|
|
64
|
+
Remove hardcoded credentials from app bundle.
|
|
65
|
+
pattern-either:
|
|
66
|
+
- pattern: |-
|
|
67
|
+
credentials in plist/resources
|
|
68
|
+
- pattern-regex: 'Vulnerable:\\s*MOB\\-004\\b'
|
|
69
|
+
message: |-
|
|
70
|
+
RunSec Detection [MOB-004]: CWE-798
|
|
71
|
+
languages:
|
|
72
|
+
- generic
|
|
73
|
+
severity: WARNING
|
|
74
|
+
- id: runsec.mobile-security.mob-005
|
|
75
|
+
metadata:
|
|
76
|
+
runsec_version: v1.0
|
|
77
|
+
confidence: |-
|
|
78
|
+
0.9
|
|
79
|
+
exploit_scenario: |-
|
|
80
|
+
N/A
|
|
81
|
+
fix_template: |-
|
|
82
|
+
Enforce pinset with rotation support.
|
|
83
|
+
pattern-either:
|
|
84
|
+
- pattern: |-
|
|
85
|
+
default trust chain only for high-risk API
|
|
86
|
+
- pattern-regex: 'Vulnerable:\\s*MOB\\-005\\b'
|
|
87
|
+
message: |-
|
|
88
|
+
RunSec Detection [MOB-005]: CWE-295
|
|
89
|
+
languages:
|
|
90
|
+
- generic
|
|
91
|
+
severity: WARNING
|
|
92
|
+
- id: runsec.mobile-security.mob-006
|
|
93
|
+
metadata:
|
|
94
|
+
runsec_version: v1.0
|
|
95
|
+
confidence: |-
|
|
96
|
+
0.9
|
|
97
|
+
exploit_scenario: |-
|
|
98
|
+
N/A
|
|
99
|
+
fix_template: |-
|
|
100
|
+
Reject untrusted certificates.
|
|
101
|
+
pattern-either:
|
|
102
|
+
- pattern: |-
|
|
103
|
+
checkServerTrusted(...) {}
|
|
104
|
+
- pattern-regex: 'Vulnerable:\\s*MOB\\-006\\b'
|
|
105
|
+
message: |-
|
|
106
|
+
RunSec Detection [MOB-006]: CWE-295
|
|
107
|
+
languages:
|
|
108
|
+
- generic
|
|
109
|
+
severity: WARNING
|
|
110
|
+
- id: runsec.mobile-security.mob-007
|
|
111
|
+
metadata:
|
|
112
|
+
runsec_version: v1.0
|
|
113
|
+
confidence: |-
|
|
114
|
+
0.9
|
|
115
|
+
exploit_scenario: |-
|
|
116
|
+
N/A
|
|
117
|
+
fix_template: |-
|
|
118
|
+
Require strong server trust evaluation.
|
|
119
|
+
pattern-either:
|
|
120
|
+
- pattern: |-
|
|
121
|
+
.disableEvaluation in ServerTrustManager
|
|
122
|
+
- pattern-regex: 'Vulnerable:\\s*MOB\\-007\\b'
|
|
123
|
+
message: |-
|
|
124
|
+
RunSec Detection [MOB-007]: CWE-295
|
|
125
|
+
languages:
|
|
126
|
+
- generic
|
|
127
|
+
severity: WARNING
|
|
128
|
+
- id: runsec.mobile-security.mob-008
|
|
129
|
+
metadata:
|
|
130
|
+
runsec_version: v1.0
|
|
131
|
+
confidence: |-
|
|
132
|
+
0.9
|
|
133
|
+
exploit_scenario: |-
|
|
134
|
+
N/A
|
|
135
|
+
fix_template: |-
|
|
136
|
+
Prevent debug trust exceptions in release builds.
|
|
137
|
+
pattern-either:
|
|
138
|
+
- pattern: |-
|
|
139
|
+
if (BuildConfig.DEBUG) skipPinning() leaked to prod
|
|
140
|
+
- pattern-regex: 'Vulnerable:\\s*MOB\\-008\\b'
|
|
141
|
+
message: |-
|
|
142
|
+
RunSec Detection [MOB-008]: CWE-489
|
|
143
|
+
languages:
|
|
144
|
+
- generic
|
|
145
|
+
severity: WARNING
|
|
146
|
+
- id: runsec.mobile-security.mob-009
|
|
147
|
+
metadata:
|
|
148
|
+
runsec_version: v1.0
|
|
149
|
+
confidence: |-
|
|
150
|
+
0.9
|
|
151
|
+
exploit_scenario: |-
|
|
152
|
+
N/A
|
|
153
|
+
fix_template: |-
|
|
154
|
+
Support crypto agility for pin changes.
|
|
155
|
+
pattern-either:
|
|
156
|
+
- pattern: |-
|
|
157
|
+
static pin forever
|
|
158
|
+
- pattern-regex: 'Vulnerable:\\s*MOB\\-009\\b'
|
|
159
|
+
message: |-
|
|
160
|
+
RunSec Detection [MOB-009]: CWE-327
|
|
161
|
+
languages:
|
|
162
|
+
- generic
|
|
163
|
+
severity: WARNING
|
|
164
|
+
- id: runsec.mobile-security.mob-010
|
|
165
|
+
metadata:
|
|
166
|
+
runsec_version: v1.0
|
|
167
|
+
confidence: |-
|
|
168
|
+
0.9
|
|
169
|
+
exploit_scenario: |-
|
|
170
|
+
N/A
|
|
171
|
+
fix_template: |-
|
|
172
|
+
Bind biometric result to signed nonce.
|
|
173
|
+
pattern-either:
|
|
174
|
+
- pattern: |-
|
|
175
|
+
accept auth on callback without result checks
|
|
176
|
+
- pattern-regex: 'Vulnerable:\\s*MOB\\-010\\b'
|
|
177
|
+
message: |-
|
|
178
|
+
RunSec Detection [MOB-010]: CWE-287
|
|
179
|
+
languages:
|
|
180
|
+
- generic
|
|
181
|
+
severity: WARNING
|
|
182
|
+
- id: runsec.mobile-security.mob-011
|
|
183
|
+
metadata:
|
|
184
|
+
runsec_version: v1.0
|
|
185
|
+
confidence: |-
|
|
186
|
+
0.9
|
|
187
|
+
exploit_scenario: |-
|
|
188
|
+
N/A
|
|
189
|
+
fix_template: |-
|
|
190
|
+
Fail closed on biometric errors.
|
|
191
|
+
pattern-either:
|
|
192
|
+
- pattern: |-
|
|
193
|
+
failure callback logs only, continues flow
|
|
194
|
+
- pattern-regex: 'Vulnerable:\\s*MOB\\-011\\b'
|
|
195
|
+
message: |-
|
|
196
|
+
RunSec Detection [MOB-011]: CWE-287
|
|
197
|
+
languages:
|
|
198
|
+
- generic
|
|
199
|
+
severity: WARNING
|
|
200
|
+
- id: runsec.mobile-security.mob-012
|
|
201
|
+
metadata:
|
|
202
|
+
runsec_version: v1.0
|
|
203
|
+
confidence: |-
|
|
204
|
+
0.9
|
|
205
|
+
exploit_scenario: |-
|
|
206
|
+
N/A
|
|
207
|
+
fix_template: |-
|
|
208
|
+
Use strong biometric/device credential policy.
|
|
209
|
+
pattern-either:
|
|
210
|
+
- pattern: |-
|
|
211
|
+
allow weak fallback for high-risk action
|
|
212
|
+
- pattern-regex: 'Vulnerable:\\s*MOB\\-012\\b'
|
|
213
|
+
message: |-
|
|
214
|
+
RunSec Detection [MOB-012]: CWE-307
|
|
215
|
+
languages:
|
|
216
|
+
- generic
|
|
217
|
+
severity: WARNING
|
|
218
|
+
- id: runsec.mobile-security.mob-013
|
|
219
|
+
metadata:
|
|
220
|
+
runsec_version: v1.0
|
|
221
|
+
confidence: |-
|
|
222
|
+
0.9
|
|
223
|
+
exploit_scenario: |-
|
|
224
|
+
N/A
|
|
225
|
+
fix_template: |-
|
|
226
|
+
Prevent replay of authentication state.
|
|
227
|
+
pattern-either:
|
|
228
|
+
- pattern: |-
|
|
229
|
+
LAContext evaluated but token issued later without binding
|
|
230
|
+
- pattern-regex: 'Vulnerable:\\s*MOB\\-013\\b'
|
|
231
|
+
message: |-
|
|
232
|
+
RunSec Detection [MOB-013]: CWE-345
|
|
233
|
+
languages:
|
|
234
|
+
- generic
|
|
235
|
+
severity: WARNING
|
|
236
|
+
- id: runsec.mobile-security.mob-014
|
|
237
|
+
metadata:
|
|
238
|
+
runsec_version: v1.0
|
|
239
|
+
confidence: |-
|
|
240
|
+
0.9
|
|
241
|
+
exploit_scenario: |-
|
|
242
|
+
N/A
|
|
243
|
+
fix_template: |-
|
|
244
|
+
Minimize secret lifetime in memory.
|
|
245
|
+
pattern-either:
|
|
246
|
+
- pattern: |-
|
|
247
|
+
val pin = "1234"/String secrets
|
|
248
|
+
- pattern-regex: 'Vulnerable:\\s*MOB\\-014\\b'
|
|
249
|
+
message: |-
|
|
250
|
+
RunSec Detection [MOB-014]: CWE-1037
|
|
251
|
+
languages:
|
|
252
|
+
- generic
|
|
253
|
+
severity: WARNING
|
|
254
|
+
- id: runsec.mobile-security.mob-015
|
|
255
|
+
metadata:
|
|
256
|
+
runsec_version: v1.0
|
|
257
|
+
confidence: |-
|
|
258
|
+
0.9
|
|
259
|
+
exploit_scenario: |-
|
|
260
|
+
N/A
|
|
261
|
+
fix_template: |-
|
|
262
|
+
Prevent accidental secret exfiltration.
|
|
263
|
+
pattern-either:
|
|
264
|
+
- pattern: |-
|
|
265
|
+
copy token/password to clipboard
|
|
266
|
+
- pattern-regex: 'Vulnerable:\\s*MOB\\-015\\b'
|
|
267
|
+
message: |-
|
|
268
|
+
RunSec Detection [MOB-015]: CWE-200
|
|
269
|
+
languages:
|
|
270
|
+
- generic
|
|
271
|
+
severity: WARNING
|
|
272
|
+
- id: runsec.mobile-security.mob-016
|
|
273
|
+
metadata:
|
|
274
|
+
runsec_version: v1.0
|
|
275
|
+
confidence: |-
|
|
276
|
+
0.9
|
|
277
|
+
exploit_scenario: |-
|
|
278
|
+
N/A
|
|
279
|
+
fix_template: |-
|
|
280
|
+
Limit WebView bridge attack surface.
|
|
281
|
+
pattern-either:
|
|
282
|
+
- pattern: |-
|
|
283
|
+
addJavascriptInterface without origin controls
|
|
284
|
+
- pattern-regex: 'Vulnerable:\\s*MOB\\-016\\b'
|
|
285
|
+
message: |-
|
|
286
|
+
RunSec Detection [MOB-016]: CWE-749
|
|
287
|
+
languages:
|
|
288
|
+
- generic
|
|
289
|
+
severity: WARNING
|
|
290
|
+
- id: runsec.mobile-security.mob-017
|
|
291
|
+
metadata:
|
|
292
|
+
runsec_version: v1.0
|
|
293
|
+
confidence: |-
|
|
294
|
+
0.9
|
|
295
|
+
exploit_scenario: |-
|
|
296
|
+
N/A
|
|
297
|
+
fix_template: |-
|
|
298
|
+
Block mixed content downgrade.
|
|
299
|
+
pattern-either:
|
|
300
|
+
- pattern: |-
|
|
301
|
+
allow HTTP subresources
|
|
302
|
+
- pattern-regex: 'Vulnerable:\\s*MOB\\-017\\b'
|
|
303
|
+
message: |-
|
|
304
|
+
RunSec Detection [MOB-017]: CWE-319
|
|
305
|
+
languages:
|
|
306
|
+
- generic
|
|
307
|
+
severity: WARNING
|
|
308
|
+
- id: runsec.mobile-security.mob-018
|
|
309
|
+
metadata:
|
|
310
|
+
runsec_version: v1.0
|
|
311
|
+
confidence: |-
|
|
312
|
+
0.9
|
|
313
|
+
exploit_scenario: |-
|
|
314
|
+
N/A
|
|
315
|
+
fix_template: |-
|
|
316
|
+
Prevent runtime introspection in production.
|
|
317
|
+
pattern-either:
|
|
318
|
+
- pattern: |-
|
|
319
|
+
android:debuggable="true"
|
|
320
|
+
- pattern-regex: 'Vulnerable:\\s*MOB\\-018\\b'
|
|
321
|
+
message: |-
|
|
322
|
+
RunSec Detection [MOB-018]: CWE-489
|
|
323
|
+
languages:
|
|
324
|
+
- generic
|
|
325
|
+
severity: WARNING
|
|
326
|
+
- id: runsec.mobile-security.mob-019
|
|
327
|
+
metadata:
|
|
328
|
+
runsec_version: v1.0
|
|
329
|
+
confidence: |-
|
|
330
|
+
0.9
|
|
331
|
+
exploit_scenario: |-
|
|
332
|
+
N/A
|
|
333
|
+
fix_template: |-
|
|
334
|
+
Add runtime integrity checks for sensitive flows.
|
|
335
|
+
pattern-either:
|
|
336
|
+
- pattern: |-
|
|
337
|
+
no jailbreak checks before payment action
|
|
338
|
+
- pattern-regex: 'Vulnerable:\\s*MOB\\-019\\b'
|
|
339
|
+
message: |-
|
|
340
|
+
RunSec Detection [MOB-019]: CWE-693
|
|
341
|
+
languages:
|
|
342
|
+
- generic
|
|
343
|
+
severity: WARNING
|
|
344
|
+
- id: runsec.mobile-security.mob-020
|
|
345
|
+
metadata:
|
|
346
|
+
runsec_version: v1.0
|
|
347
|
+
confidence: |-
|
|
348
|
+
0.9
|
|
349
|
+
exploit_scenario: |-
|
|
350
|
+
N/A
|
|
351
|
+
fix_template: |-
|
|
352
|
+
Restrict critical actions on rooted devices.
|
|
353
|
+
pattern-either:
|
|
354
|
+
- pattern: |-
|
|
355
|
+
no root checks before transfer
|
|
356
|
+
- pattern-regex: 'Vulnerable:\\s*MOB\\-020\\b'
|
|
357
|
+
message: |-
|
|
358
|
+
RunSec Detection [MOB-020]: CWE-693
|
|
359
|
+
languages:
|
|
360
|
+
- generic
|
|
361
|
+
severity: WARNING
|
|
362
|
+
- id: runsec.mobile-security.mob-021
|
|
363
|
+
metadata:
|
|
364
|
+
runsec_version: v1.0
|
|
365
|
+
confidence: |-
|
|
366
|
+
0.9
|
|
367
|
+
exploit_scenario: |-
|
|
368
|
+
N/A
|
|
369
|
+
fix_template: |-
|
|
370
|
+
Add anti-debug checks for critical paths.
|
|
371
|
+
pattern-either:
|
|
372
|
+
- pattern: |-
|
|
373
|
+
no debugger checks in sensitive workflow
|
|
374
|
+
- pattern-regex: 'Vulnerable:\\s*MOB\\-021\\b'
|
|
375
|
+
message: |-
|
|
376
|
+
RunSec Detection [MOB-021]: CWE-489
|
|
377
|
+
languages:
|
|
378
|
+
- generic
|
|
379
|
+
severity: WARNING
|
|
380
|
+
- id: runsec.mobile-security.mob-022
|
|
381
|
+
metadata:
|
|
382
|
+
runsec_version: v1.0
|
|
383
|
+
confidence: |-
|
|
384
|
+
0.9
|
|
385
|
+
exploit_scenario: |-
|
|
386
|
+
N/A
|
|
387
|
+
fix_template: |-
|
|
388
|
+
Protect endpoint integrity.
|
|
389
|
+
pattern-either:
|
|
390
|
+
- pattern: |-
|
|
391
|
+
base URL in mutable plain config
|
|
392
|
+
- pattern-regex: 'Vulnerable:\\s*MOB\\-022\\b'
|
|
393
|
+
message: |-
|
|
394
|
+
RunSec Detection [MOB-022]: CWE-346
|
|
395
|
+
languages:
|
|
396
|
+
- generic
|
|
397
|
+
severity: WARNING
|
|
398
|
+
- id: runsec.mobile-security.mob-023
|
|
399
|
+
metadata:
|
|
400
|
+
runsec_version: v1.0
|
|
401
|
+
confidence: |-
|
|
402
|
+
0.9
|
|
403
|
+
exploit_scenario: |-
|
|
404
|
+
N/A
|
|
405
|
+
fix_template: |-
|
|
406
|
+
Validate deep links before navigation/actions.
|
|
407
|
+
pattern-either:
|
|
408
|
+
- pattern: |-
|
|
409
|
+
accepts arbitrary URI host/path
|
|
410
|
+
- pattern-regex: 'Vulnerable:\\s*MOB\\-023\\b'
|
|
411
|
+
message: |-
|
|
412
|
+
RunSec Detection [MOB-023]: CWE-939
|
|
413
|
+
languages:
|
|
414
|
+
- generic
|
|
415
|
+
severity: WARNING
|
|
416
|
+
- id: runsec.mobile-security.mob-024
|
|
417
|
+
metadata:
|
|
418
|
+
runsec_version: v1.0
|
|
419
|
+
confidence: |-
|
|
420
|
+
0.9
|
|
421
|
+
exploit_scenario: |-
|
|
422
|
+
N/A
|
|
423
|
+
fix_template: |-
|
|
424
|
+
Restrict component exposure.
|
|
425
|
+
pattern-either:
|
|
426
|
+
- pattern: |-
|
|
427
|
+
exported activity/service handles sensitive intents
|
|
428
|
+
- pattern-regex: 'Vulnerable:\\s*MOB\\-024\\b'
|
|
429
|
+
message: |-
|
|
430
|
+
RunSec Detection [MOB-024]: CWE-926
|
|
431
|
+
languages:
|
|
432
|
+
- generic
|
|
433
|
+
severity: WARNING
|
|
434
|
+
- id: runsec.mobile-security.mob-025
|
|
435
|
+
metadata:
|
|
436
|
+
runsec_version: v1.0
|
|
437
|
+
confidence: |-
|
|
438
|
+
0.9
|
|
439
|
+
exploit_scenario: |-
|
|
440
|
+
N/A
|
|
441
|
+
fix_template: |-
|
|
442
|
+
Authenticate inter-app communication.
|
|
443
|
+
pattern-either:
|
|
444
|
+
- pattern: |-
|
|
445
|
+
trust any URL invocation
|
|
446
|
+
- pattern-regex: 'Vulnerable:\\s*MOB\\-025\\b'
|
|
447
|
+
message: |-
|
|
448
|
+
RunSec Detection [MOB-025]: CWE-346
|
|
449
|
+
languages:
|
|
450
|
+
- generic
|
|
451
|
+
severity: WARNING
|
|
452
|
+
- id: runsec.mobile-security.mob-026
|
|
453
|
+
metadata:
|
|
454
|
+
runsec_version: v1.0
|
|
455
|
+
confidence: |-
|
|
456
|
+
0.9
|
|
457
|
+
exploit_scenario: |-
|
|
458
|
+
N/A
|
|
459
|
+
fix_template: |-
|
|
460
|
+
Block shoulder-surfing/screenshot leaks.
|
|
461
|
+
pattern-either:
|
|
462
|
+
- pattern: |-
|
|
463
|
+
no secure flag for secrets
|
|
464
|
+
- pattern-regex: 'Vulnerable:\\s*MOB\\-026\\b'
|
|
465
|
+
message: |-
|
|
466
|
+
RunSec Detection [MOB-026]: CWE-200
|
|
467
|
+
languages:
|
|
468
|
+
- generic
|
|
469
|
+
severity: WARNING
|
|
470
|
+
- id: runsec.mobile-security.mob-027
|
|
471
|
+
metadata:
|
|
472
|
+
runsec_version: v1.0
|
|
473
|
+
confidence: |-
|
|
474
|
+
0.9
|
|
475
|
+
exploit_scenario: |-
|
|
476
|
+
N/A
|
|
477
|
+
fix_template: |-
|
|
478
|
+
Avoid secret disclosure via logs.
|
|
479
|
+
pattern-either:
|
|
480
|
+
- pattern: |-
|
|
481
|
+
Log.d("auth", token)
|
|
482
|
+
- pattern-regex: 'Vulnerable:\\s*MOB\\-027\\b'
|
|
483
|
+
message: |-
|
|
484
|
+
RunSec Detection [MOB-027]: CWE-532
|
|
485
|
+
languages:
|
|
486
|
+
- generic
|
|
487
|
+
severity: WARNING
|
|
488
|
+
- id: runsec.mobile-security.mob-028
|
|
489
|
+
metadata:
|
|
490
|
+
runsec_version: v1.0
|
|
491
|
+
confidence: |-
|
|
492
|
+
0.9
|
|
493
|
+
exploit_scenario: |-
|
|
494
|
+
N/A
|
|
495
|
+
fix_template: |-
|
|
496
|
+
Keep sensitive data off push channels.
|
|
497
|
+
pattern-either:
|
|
498
|
+
- pattern: |-
|
|
499
|
+
full token/account data in notification
|
|
500
|
+
- pattern-regex: 'Vulnerable:\\s*MOB\\-028\\b'
|
|
501
|
+
message: |-
|
|
502
|
+
RunSec Detection [MOB-028]: CWE-359
|
|
503
|
+
languages:
|
|
504
|
+
- generic
|
|
505
|
+
severity: WARNING
|
|
506
|
+
- id: runsec.mobile-security.mob-029
|
|
507
|
+
metadata:
|
|
508
|
+
runsec_version: v1.0
|
|
509
|
+
confidence: |-
|
|
510
|
+
0.9
|
|
511
|
+
exploit_scenario: |-
|
|
512
|
+
N/A
|
|
513
|
+
fix_template: |-
|
|
514
|
+
Generate cryptographically strong nonces.
|
|
515
|
+
pattern-either:
|
|
516
|
+
- pattern: |-
|
|
517
|
+
Random() for auth nonce
|
|
518
|
+
- pattern-regex: 'Vulnerable:\\s*MOB\\-029\\b'
|
|
519
|
+
message: |-
|
|
520
|
+
RunSec Detection [MOB-029]: CWE-330
|
|
521
|
+
languages:
|
|
522
|
+
- generic
|
|
523
|
+
severity: WARNING
|
|
524
|
+
- id: runsec.mobile-security.mob-030
|
|
525
|
+
metadata:
|
|
526
|
+
runsec_version: v1.0
|
|
527
|
+
confidence: |-
|
|
528
|
+
0.9
|
|
529
|
+
exploit_scenario: |-
|
|
530
|
+
N/A
|
|
531
|
+
fix_template: |-
|
|
532
|
+
Prevent request replay abuse.
|
|
533
|
+
pattern-either:
|
|
534
|
+
- pattern: |-
|
|
535
|
+
no nonce/timestamp/signature
|
|
536
|
+
- pattern-regex: 'Vulnerable:\\s*MOB\\-030\\b'
|
|
537
|
+
message: |-
|
|
538
|
+
RunSec Detection [MOB-030]: CWE-294
|
|
539
|
+
languages:
|
|
540
|
+
- generic
|
|
541
|
+
severity: WARNING
|
|
542
|
+
- id: runsec.mobile-security.mob-031
|
|
543
|
+
metadata:
|
|
544
|
+
runsec_version: v1.0
|
|
545
|
+
confidence: |-
|
|
546
|
+
0.9
|
|
547
|
+
exploit_scenario: |-
|
|
548
|
+
N/A
|
|
549
|
+
fix_template: |-
|
|
550
|
+
Protect local cache confidentiality.
|
|
551
|
+
pattern-either:
|
|
552
|
+
- pattern: |-
|
|
553
|
+
decrypted JSON persisted in cache
|
|
554
|
+
- pattern-regex: 'Vulnerable:\\s*MOB\\-031\\b'
|
|
555
|
+
message: |-
|
|
556
|
+
RunSec Detection [MOB-031]: CWE-312
|
|
557
|
+
languages:
|
|
558
|
+
- generic
|
|
559
|
+
severity: WARNING
|
|
560
|
+
- id: runsec.mobile-security.mob-032
|
|
561
|
+
metadata:
|
|
562
|
+
runsec_version: v1.0
|
|
563
|
+
confidence: |-
|
|
564
|
+
0.9
|
|
565
|
+
exploit_scenario: |-
|
|
566
|
+
N/A
|
|
567
|
+
fix_template: |-
|
|
568
|
+
Never downgrade secure transport.
|
|
569
|
+
pattern-either:
|
|
570
|
+
- pattern: |-
|
|
571
|
+
retry via http:// when HTTPS fails
|
|
572
|
+
- pattern-regex: 'Vulnerable:\\s*MOB\\-032\\b'
|
|
573
|
+
message: |-
|
|
574
|
+
RunSec Detection [MOB-032]: CWE-319
|
|
575
|
+
languages:
|
|
576
|
+
- generic
|
|
577
|
+
severity: WARNING
|
|
578
|
+
- id: runsec.mobile-security.mob-033
|
|
579
|
+
metadata:
|
|
580
|
+
runsec_version: v1.0
|
|
581
|
+
confidence: |-
|
|
582
|
+
0.9
|
|
583
|
+
exploit_scenario: |-
|
|
584
|
+
N/A
|
|
585
|
+
fix_template: |-
|
|
586
|
+
Enforce robust TLS validation.
|
|
587
|
+
pattern-either:
|
|
588
|
+
- pattern: |-
|
|
589
|
+
trust challenge blindly
|
|
590
|
+
- pattern-regex: 'Vulnerable:\\s*MOB\\-033\\b'
|
|
591
|
+
message: |-
|
|
592
|
+
RunSec Detection [MOB-033]: CWE-295
|
|
593
|
+
languages:
|
|
594
|
+
- generic
|
|
595
|
+
severity: WARNING
|
|
596
|
+
- id: runsec.mobile-security.mob-034
|
|
597
|
+
metadata:
|
|
598
|
+
runsec_version: v1.0
|
|
599
|
+
confidence: |-
|
|
600
|
+
0.9
|
|
601
|
+
exploit_scenario: |-
|
|
602
|
+
N/A
|
|
603
|
+
fix_template: |-
|
|
604
|
+
Prevent remote disabling of protections.
|
|
605
|
+
pattern-either:
|
|
606
|
+
- pattern: |-
|
|
607
|
+
remote flag can disable integrity
|
|
608
|
+
- pattern-regex: 'Vulnerable:\\s*MOB\\-034\\b'
|
|
609
|
+
message: |-
|
|
610
|
+
RunSec Detection [MOB-034]: CWE-693
|
|
611
|
+
languages:
|
|
612
|
+
- generic
|
|
613
|
+
severity: WARNING
|
|
614
|
+
- id: runsec.mobile-security.mob-035
|
|
615
|
+
metadata:
|
|
616
|
+
runsec_version: v1.0
|
|
617
|
+
confidence: |-
|
|
618
|
+
0.9
|
|
619
|
+
exploit_scenario: |-
|
|
620
|
+
N/A
|
|
621
|
+
fix_template: |-
|
|
622
|
+
Synchronize token renewal safely.
|
|
623
|
+
pattern-either:
|
|
624
|
+
- pattern: |-
|
|
625
|
+
concurrent refresh requests overwrite state
|
|
626
|
+
- pattern-regex: 'Vulnerable:\\s*MOB\\-035\\b'
|
|
627
|
+
message: |-
|
|
628
|
+
RunSec Detection [MOB-035]: CWE-367
|
|
629
|
+
languages:
|
|
630
|
+
- generic
|
|
631
|
+
severity: WARNING
|
|
632
|
+
- id: runsec.mobile-security.mob-036
|
|
633
|
+
metadata:
|
|
634
|
+
runsec_version: v1.0
|
|
635
|
+
confidence: |-
|
|
636
|
+
0.9
|
|
637
|
+
exploit_scenario: |-
|
|
638
|
+
N/A
|
|
639
|
+
fix_template: |-
|
|
640
|
+
Tighten keychain accessibility scope.
|
|
641
|
+
pattern-either:
|
|
642
|
+
- pattern: |-
|
|
643
|
+
kSecAttrAccessibleAlways for secrets
|
|
644
|
+
- pattern-regex: 'Vulnerable:\\s*MOB\\-036\\b'
|
|
645
|
+
message: |-
|
|
646
|
+
RunSec Detection [MOB-036]: CWE-732
|
|
647
|
+
languages:
|
|
648
|
+
- generic
|
|
649
|
+
severity: WARNING
|
|
650
|
+
- id: runsec.mobile-security.mob-037
|
|
651
|
+
metadata:
|
|
652
|
+
runsec_version: v1.0
|
|
653
|
+
confidence: |-
|
|
654
|
+
0.9
|
|
655
|
+
exploit_scenario: |-
|
|
656
|
+
N/A
|
|
657
|
+
fix_template: |-
|
|
658
|
+
Avoid secret exfil via backups.
|
|
659
|
+
pattern-either:
|
|
660
|
+
- pattern: |-
|
|
661
|
+
allowBackup=true with tokens stored locally
|
|
662
|
+
- pattern-regex: 'Vulnerable:\\s*MOB\\-037\\b'
|
|
663
|
+
message: |-
|
|
664
|
+
RunSec Detection [MOB-037]: CWE-312
|
|
665
|
+
languages:
|
|
666
|
+
- generic
|
|
667
|
+
severity: WARNING
|
|
668
|
+
- id: runsec.mobile-security.mob-038
|
|
669
|
+
metadata:
|
|
670
|
+
runsec_version: v1.0
|
|
671
|
+
confidence: |-
|
|
672
|
+
0.9
|
|
673
|
+
exploit_scenario: |-
|
|
674
|
+
N/A
|
|
675
|
+
fix_template: |-
|
|
676
|
+
Reduce static analysis attack surface.
|
|
677
|
+
pattern-either:
|
|
678
|
+
- pattern: |-
|
|
679
|
+
reverse engineering made trivial
|
|
680
|
+
- pattern-regex: 'Vulnerable:\\s*MOB\\-038\\b'
|
|
681
|
+
message: |-
|
|
682
|
+
RunSec Detection [MOB-038]: CWE-656
|
|
683
|
+
languages:
|
|
684
|
+
- generic
|
|
685
|
+
severity: WARNING
|
|
686
|
+
- id: runsec.mobile-security.mob-039
|
|
687
|
+
metadata:
|
|
688
|
+
runsec_version: v1.0
|
|
689
|
+
confidence: |-
|
|
690
|
+
0.9
|
|
691
|
+
exploit_scenario: |-
|
|
692
|
+
N/A
|
|
693
|
+
fix_template: |-
|
|
694
|
+
Add runtime anti-tamper controls.
|
|
695
|
+
pattern-either:
|
|
696
|
+
- pattern: |-
|
|
697
|
+
no Frida/hook heuristics
|
|
698
|
+
- pattern-regex: 'Vulnerable:\\s*MOB\\-039\\b'
|
|
699
|
+
message: |-
|
|
700
|
+
RunSec Detection [MOB-039]: CWE-693
|
|
701
|
+
languages:
|
|
702
|
+
- generic
|
|
703
|
+
severity: WARNING
|
|
704
|
+
- id: runsec.mobile-security.mob-040
|
|
705
|
+
metadata:
|
|
706
|
+
runsec_version: v1.0
|
|
707
|
+
confidence: |-
|
|
708
|
+
0.9
|
|
709
|
+
exploit_scenario: |-
|
|
710
|
+
N/A
|
|
711
|
+
fix_template: |-
|
|
712
|
+
Eliminate embedded long-term secrets.
|
|
713
|
+
pattern-either:
|
|
714
|
+
- pattern: |-
|
|
715
|
+
API keys in strings.xml/Swift constants
|
|
716
|
+
- pattern-regex: 'Vulnerable:\\s*MOB\\-040\\b'
|
|
717
|
+
message: |-
|
|
718
|
+
RunSec Detection [MOB-040]: CWE-798
|
|
719
|
+
languages:
|
|
720
|
+
- generic
|
|
721
|
+
severity: WARNING
|
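Review bot: Most of the `- pattern:` bodies in this hunk are English descriptions rather than Semgrep patterns (for example `Room entity has refreshToken field`, `static pin forever`, `reverse engineering made trivial`), and under `languages: - generic` Semgrep searches for those exact token sequences in source files, which never occur in real code. Each `pattern-either` therefore collapses to its second alternative, `pattern-regex: 'Vulnerable:\\s*MOB\\-0NN\\b'`, so the rule only fires on code that already carries a `Vulnerable: MOB-0NN` marker, while `confidence: 0.9` and `severity: WARNING` present it as a working detection; consumers of this ruleset get a false sense of coverage for CWE-922, CWE-295, CWE-798 and the rest. Either replace those bodies with real language-specific patterns using metavariables (e.g. `languages: [kotlin]` with `$PREFS.edit().putString("...", $TOKEN).apply()` in place of the hard-coded `token` name in mob-001), or move the prose into `metadata` as a manual-review checklist and drop the placeholder `pattern:` alternatives. Two smaller points: in a YAML single-quoted scalar a backslash is literal, so `'Vulnerable:\\s*MOB\\-001\\b'` reaches the regex engine as `\\s*` (a literal backslash followed by any number of `s`) rather than `\s*`, and a marker written as `Vulnerable: MOB-001` will not match; `'Vulnerable:\s*MOB-001\b'` is what is intended. And every rule ships `exploit_scenario: N/A` with a `message:` that is only the rule id and CWE number, while the remediation sits in `fix_template` under `metadata`, which Semgrep's default output does not display; consider carrying at least the `fix_template` sentence in `message:`.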