@zhuma4/cli 4.0.0-alpha.1 → 4.3.0

package/rules/quarantined/cwe-200/zm-k8s-cwe200-service-account.yaml

@@ -0,0 +1,84 @@
+# Source: iac | Cluster: N/A
+# 逐码 ZhuMa IaC 规则 — Kubernetes ServiceAccount 安全检测
+# V4.1 Sprint — CWE-200: Exposure of Sensitive Information
+# 检测: ServiceAccount未限制、automountServiceAccountToken未设false、cluster-admin绑定
+
+rules:
+  # ZM-K8S-CWE200-SA-001: ServiceAccount automountServiceAccountToken 未显式禁用
+  - id: zm-k8s-cwe200-sa-001
+    severity: MEDIUM
+    message: |
+      ServiceAccount 未设置 `automountServiceAccountToken: false` — 默认挂载API token到Pod中。
+      即使应用不需要访问K8s API，token仍然存在，权限逃逸后可调用API Server。
+
+      修复:
+      1. 在 ServiceAccount 或 Pod spec 中设置: `automountServiceAccountToken: false`
+      2. 仅向需要API访问的ServiceAccount授予最低权限
+      3. 使用Pod Security Admission限制 automountServiceAccountToken
+    languages:
+      - yaml
+    pattern: |
+      automountServiceAccountToken: true
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+      category: iac-kubernetes
+      precision: very-high
+      confidence: high
+      tags: [kubernetes, service-account, token-exposure, security-misconfiguration]
+
+  # ZM-K8S-CWE200-SA-002: ClusterRoleBinding 绑定到默认 ServiceAccount
+  - id: zm-k8s-cwe200-sa-002
+    severity: CRITICAL
+    message: |
+      ClusterRoleBinding 将 `cluster-admin` 或高危 ClusterRole 绑定到 `default` ServiceAccount
+      或命名空间级别的 ServiceAccount。这授予了集群范围的管理权限。
+
+      检查 subjects 中的 name 是否为 `default` 或非专用的 ServiceAccount。
+
+      修复:
+      1. 将 cluster-admin 绑定限制为仅系统组件和管理员账户
+      2. 为应用创建专用 ServiceAccount 并绑定最小权限 Role
+      3. 使用 RoleBinding(命名空间级)替代 ClusterRoleBinding(集群级)
+      4. 定期审计 ClusterRoleBinding/subjects
+    languages:
+      - yaml
+    pattern-either:
+      - pattern: |
+          subjects:
+          - kind: ServiceAccount
+            name: default
+      - pattern: |
+          subjects:
+            - kind: ServiceAccount
+              name: default
+      - pattern: |
+          subjects: [{kind: ServiceAccount, name: default}]
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+      category: iac-kubernetes
+      precision: very-high
+      confidence: high
+      tags: [kubernetes, clusterrole-binding, privilege-escalation, cluster-admin]
+
+  # ZM-K8S-CWE200-SA-003: Pod spec 中 ServiceAccount 名称为 default
+  - id: zm-k8s-cwe200-sa-003
+    severity: LOW
+    message: |
+      Pod 使用 `serviceAccountName: default` — 每个命名空间中的默认 ServiceAccount。
+      default ServiceAccount 可能已被授予不必要的权限。
+      应为每个应用创建专用 ServiceAccount 并授予最小权限。
+
+      修复:
+      1. 创建应用专用 ServiceAccount: `serviceAccountName: my-app`
+      2. 绑定最小权限 Role(非 cluster-admin)
+      3. 设置 `automountServiceAccountToken: false` 如不需要K8s API访问
+    languages:
+      - yaml
+    pattern: |
+      serviceAccountName: default
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+      category: iac-kubernetes
+      precision: very-high
+      confidence: high
+      tags: [kubernetes, service-account, best-practice, least-privilege]

package/rules/quarantined/cwe-200/zm-k8s-cwe200-verbosity-high.yaml

@@ -0,0 +1,81 @@
+# Source: iac | Cluster: N/A
+rules:
+  - id: zm-k8s-cwe200-verbosity-high
+    metadata:
+      cwe: ["CWE-200: Exposure of Sensitive Information", "CWE-532: Insertion of Sensitive Information into Log File"]
+      confidence: MEDIUM
+      likelihood: LOW
+      impact: MEDIUM
+      owasp: ["A09:2021 - Security Logging and Monitoring Failures"]
+      cve: ["CVE-2019-11250"]
+      references:
+        - "https://kubernetes.io/docs/concepts/cluster-administration/logging/"
+    message: |
+      Pod日志级别设置为debug或trace。高详细日志可能泄露令牌、凭证等敏感信息。
+      修复：生产环境使用 --v=2 或更低的日志级别。
+    languages: [yaml, json]
+    severity: WARNING
+    patterns:
+      - pattern-inside: |
+          args: [...]
+      - pattern-regex: (-{1,2}v[=\s]?[5-9]|-{1,2}v[=\s]?1[0-9])
+  - id: zm-k8s-cwe250-host-network
+    metadata:
+      cwe: ["CWE-250: Execution with Unnecessary Privileges", "CWE-668: Exposure of Resource to Wrong Sphere"]
+      confidence: HIGH
+      likelihood: LOW
+      impact: HIGH
+      owasp: ["A05:2021 - Security Misconfiguration"]
+      cve: ["CVE-2021-25741"]
+      references:
+        - "https://kubernetes.io/docs/concepts/security/pod-security-standards/"
+    message: |
+      Pod使用hostNetwork:true直接共享节点网络命名空间。攻击者可通过网络绑定
+      窃听同节点流量、绕过NetworkPolicy、访问节点级网络接口。
+      修复：移除hostNetwork:true，使用Service/Ingress暴露应用端口。
+    languages: [yaml, json]
+    severity: ERROR
+    patterns:
+      - pattern: |
+          hostNetwork: true
+  - id: zm-k8s-cwe269-host-pid-ns
+    metadata:
+      cwe: ["CWE-269: Improper Privilege Management", "CWE-653: Insufficient Isolation"]
+      confidence: HIGH
+      likelihood: LOW
+      impact: HIGH
+      owasp: ["A05:2021 - Security Misconfiguration"]
+      cve: ["CVE-2022-23648"]
+      references:
+        - "https://kubernetes.io/docs/concepts/security/pod-security-standards/"
+    message: |
+      Pod共享宿主机PID命名空间(hostPID:true)。这允许容器内进程
+      查看甚至向宿主机或同节点其他容器发送信号，实现跨容器攻击。
+      修复：移除hostPID:true，严格使用容器隔离。
+    languages: [yaml, json]
+    severity: ERROR
+    patterns:
+      - pattern: |
+          hostPID: true
+  - id: zm-k8s-cwe502-sys-admin-cap
+    metadata:
+      cwe: ["CWE-502: Deserialization of Untrusted Data", "CWE-250: Execution with Unnecessary Privileges"]
+      confidence: HIGH
+      likelihood: LOW
+      impact: HIGH
+      owasp: ["A05:2021 - Security Misconfiguration"]
+      cve: ["CVE-2019-11253"]
+      references:
+        - "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/"
+    message: |
+      Pod添加了SYS_ADMIN特权能力。这实际上赋予容器几乎完整的root权限，
+      可执行挂载文件系统、加载内核模块、修改eBPF等危险操作。
+      修复：移除SYS_ADMIN capability，逐项添加所需的最小能力集。
+    languages: [yaml, json]
+    severity: ERROR
+    patterns:
+      - pattern-inside: |
+          securityContext:
+            capabilities:
+              add: [...]
+      - pattern: SYS_ADMIN

package/rules/quarantined/cwe-200/zm-py-django-cwe200-cwe798-cwe352-01.yaml

@@ -0,0 +1,81 @@
+# Source: common | Cluster: N/A
+# CWE-200/CWE-798: Django 安全配置检测
+# 逐码 ZhuMa V4.1 — Python 通用规则库
+# 检测: DEBUG=True 泄露 / SECRET_KEY 硬编码 / CSRF 豁免 / XFrame 缺失
+
+rules:
+
+# ZM-PY-DJANGO-01: Django DEBUG=True 生产环境泄露
+- id: zm-py-django-debug-001
+  severity: ERROR
+  message: |
+    检测到 Django settings.py 中 DEBUG = True 且未受环境变量控制。
+    生产环境开启 DEBUG 会泄露详细错误堆栈、数据库查询、配置变量等敏感信息。
+    攻击者可通过触发异常获取 Settings 配置、数据库结构乃至核心密钥，参考 CVE-2024-38828。
+    修复: 设置 DEBUG = os.environ.get("DJANGO_DEBUG", "False").lower() == "true" 通过环境变量控制。
+  languages:
+    - python
+  patterns:
+    - pattern: DEBUG = True
+    - pattern-not: DEBUG = os.environ.get(...)
+    - pattern-not: DEBUG = os.getenv(...)
+    - pattern-not: DEBUG = bool(...)
+    - pattern-not: DEBUG = env(...)
+  metadata:
+    cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+    severity: ERROR
+    precision: very-high
+    category: django-security
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A05:2021 - Security Misconfiguration"
+    cve: "CVE-2024-38828"
+
+# ZM-PY-DJANGO-02: Django SECRET_KEY 硬编码
+- id: zm-py-django-secret-key-001
+  severity: ERROR
+  message: |
+    检测到 Django settings.py 中 SECRET_KEY 硬编码为明文字符串。
+    SECRET_KEY 用于签名 Session/Cookie/CSRF Token 和加密密码重置链接，
+    泄露后攻击者可伪造 Session 以任意用户身份登录、绕过 CSRF 保护。
+    参考: 2023年Django官方安全建议 - 密钥管理最佳实践。
+    修复: 使用 os.environ.get("DJANGO_SECRET_KEY") 从环境变量读取密钥。
+  languages:
+    - python
+  patterns:
+    - pattern: $SECRET_KEY = "..."
+    - metavariable-regex:
+        metavariable: $SECRET_KEY
+        regex: ^(SECRET_KEY)$
+  metadata:
+    cwe: "CWE-798: Use of Hard-coded Credentials"
+    severity: ERROR
+    precision: very-high
+    category: django-security
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A07:2021 - Identification and Authentication Failures"
+
+# ZM-PY-DJANGO-03: Django csrf_exempt 全局豁免 CSRF 保护
+- id: zm-py-django-csrf-exempt-001
+  severity: ERROR
+  message: |
+    检测到 Django 视图使用 @csrf_exempt 装饰器豁免 CSRF 保护。
+    豁免 CSRF 后攻击者可构造恶意表单或 AJAX 请求以用户身份执行敏感操作
+    （如修改密码、转账、删除账户），参考 CVE-2021-3515 跨站请求伪造风险。
+    修复: 移除 @csrf_exempt；使用 CSRF Token 保护所有状态变更请求（POST/PUT/DELETE）。
+  languages:
+    - python
+  pattern-either:
+    - pattern: '@csrf_exempt'
+    - pattern: '@django.views.decorators.csrf.csrf_exempt'
+    - pattern: from django.views.decorators.csrf import csrf_exempt
+  metadata:
+    cwe: "CWE-352: Cross-Site Request Forgery (CSRF)"
+    severity: ERROR
+    precision: very-high
+    category: django-security
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A01:2021 - Broken Access Control"
+    cve: "CVE-2021-3515"

package/rules/quarantined/cwe-200/zm-py-flask-cwe200-cwe326-01.yaml

@@ -0,0 +1,58 @@
+# Source: common | Cluster: N/A
+# CWE-200/CWE-326: Flask 安全配置检测
+# 逐码 ZhuMa V4.1 — Python 通用规则库
+# 检测: Flask debug=True 生产环境 / session secret_key 弱密钥
+
+rules:
+
+# ZM-PY-FLASK-01: Flask debug=True 生产环境泄露
+- id: zm-py-flask-debug-001
+  severity: ERROR
+  message: |
+    检测到 Flask app.run(debug=True) 在生产环境中开启调试模式。
+    调试模式会激活 Werkzeug Debugger 允许在浏览器中执行任意 Python 代码（RCE），
+    攻击者可通过触发异常获取交互式 Shell，参考 CVE-2024-56201 Werkzeug Debugger RCE。
+    修复: 生产环境使用 Gunicorn/uWSGI 部署；禁用 debug=True 并通过环境变量控制。
+  languages:
+    - python
+  pattern-either:
+    - pattern: app.run(debug=True)
+    - pattern: $APP.run(..., debug=True, ...)
+    - pattern: $APP.run(debug=True, ...)
+    - pattern: $APP.debug = True
+  metadata:
+    cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-489: Active Debug Code"
+    severity: ERROR
+    precision: very-high
+    category: flask-security
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A05:2021 - Security Misconfiguration"
+    cve: "CVE-2024-56201"
+
+# ZM-PY-FLASK-02: Flask SECRET_KEY 使用弱密钥/默认值
+- id: zm-py-flask-secret-key-weak-001
+  severity: ERROR
+  message: |
+    检测到 Flask SECRET_KEY 使用弱密钥（"secret" / "dev" / "test" / "changeme"）或默认值。
+    Flask Session 使用 SECRET_KEY 签名，弱密钥可被暴力破解后伪造 Session 任意登录。
+    参考: 2023年大规模 Flask 应用 Session 伪造攻击事件 — 弱密钥导致认证绕过。
+    修复: 使用 secrets.token_hex(32) 生成强随机密钥并通过环境变量注入。
+  languages:
+    - python
+  patterns:
+    - pattern: $APP.secret_key = $KEY
+    - metavariable-regex:
+        metavariable: $KEY
+        regex: ^(("secret")|("dev")|("test")|("changeme")|("password")|("default")|("flask")|("my-secret")|("secret-key")|("super-secret")|("development")|("change-me"))$
+    - metavariable-regex:
+        metavariable: $APP
+        regex: ^(app|application|webapp)$
+  metadata:
+    cwe: "CWE-326: Inadequate Encryption Strength; CWE-521: Weak Password Requirements"
+    severity: ERROR
+    precision: very-high
+    category: flask-security
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A02:2021 - Cryptographic Failures"

package/rules/quarantined/cwe-200/zm-tf-cwe200-ecr-public.yaml

@@ -0,0 +1,19 @@
+# Source: iac | Cluster: N/A
+rules:
+  - id: zm-tf-cwe200-ecr-public
+    metadata:
+      cwe: ["CWE-200"]
+      confidence: HIGH
+      likelihood: MEDIUM
+      impact: HIGH
+      owasp: ["A01:2021 - Broken Access Control"]
+      cve: ["CVE-2021-31936"]
+    message: >-
+      ECR仓库策略可能公开。检查策略是否包含Principal通配符。
+    languages: [generic]
+    severity: ERROR
+    paths:
+      include: ["*.tf"]
+    patterns:
+      - pattern-regex: 'aws_ecr_repository_policy'
+      - pattern-regex: '"Principal"\s*=\s*"\*"'

package/rules/quarantined/cwe-200/zm-tf-cwe200-s3-bucket-public.yaml

@@ -0,0 +1,101 @@
+# Source: iac | Cluster: N/A
+# 逐码 ZhuMa IaC 规则 — Terraform S3/OSS Bucket 公开访问检测
+# V4.1 Sprint — CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
+
+rules:
+  # ZM-TF-CWE200-001: AWS S3 Bucket ACL 公开读
+  - id: zm-tf-cwe200-s3-public-001
+    severity: CRITICAL
+    message: |
+      AWS S3 Bucket ACL 设置为 `public-read` 或 `public-read-write` — 存储桶数据可被任意匿名用户读取。
+      检查是否可以改用预签名 URL 或 CloudFront OAC 替代直接公开访问，
+      或将 ACL 改为 `private` 并使用 IAM 策略精细化授权。
+    languages:
+      - terraform
+    pattern-either:
+      - pattern: |
+          resource "aws_s3_bucket_acl" $NAME {
+            ...
+            acl = "public-read"
+            ...
+          }
+      - pattern: |
+          resource "aws_s3_bucket_acl" $NAME {
+            ...
+            acl = "public-read-write"
+            ...
+          }
+      - pattern: |
+          resource "aws_s3_bucket" $NAME {
+            ...
+            acl = "public-read"
+            ...
+          }
+      - pattern: |
+          resource "aws_s3_bucket" $NAME {
+            ...
+            acl = "public-read-write"
+            ...
+          }
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+      category: iac-terraform
+      precision: very-high
+      confidence: high
+      tags: [terraform, aws, s3, public-access, data-leak]
+
+  # ZM-TF-CWE200-002: S3 Bucket Policy 允许公开访问
+  - id: zm-tf-cwe200-s3-public-002
+    severity: CRITICAL
+    message: |
+      S3 Bucket Policy 中 Principal 设为 `"*"` 且 Effect 为 `Allow` — 任意主体可访问存储桶。
+      将 Principal 限制为特定 AWS 账户或 IAM 角色 ARN，或将 Action 限制为仅 `s3:GetObject` 等必要操作。
+    languages:
+      - terraform
+    pattern-either:
+      - pattern: |
+          resource "aws_s3_bucket_policy" $NAME {
+            ...
+            policy = "...\"Principal\":\"*\"..."
+            ...
+          }
+      - pattern: |
+          resource "aws_s3_bucket_policy" $NAME {
+            ...
+            policy = "...\"Principal\": { \"AWS\": \"*\" }..."
+            ...
+          }
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+      category: iac-terraform
+      precision: medium
+      confidence: high
+      tags: [terraform, aws, s3, policy, public-access]
+
+  # ZM-TF-CWE200-003: Aliyun OSS Bucket ACL 公开读
+  - id: zm-tf-cwe200-s3-public-003
+    severity: CRITICAL
+    message: |
+      阿里云 OSS Bucket ACL 设置为 `public-read` 或 `public-read-write` — 存储桶数据可被任意匿名用户访问。
+      将 acl 改为 `private` 并使用 RAM 策略或 STS 临时令牌进行精细化访问控制。
+    languages:
+      - terraform
+    pattern-either:
+      - pattern: |
+          resource "alicloud_oss_bucket" $NAME {
+            ...
+            acl = "public-read"
+            ...
+          }
+      - pattern: |
+          resource "alicloud_oss_bucket" $NAME {
+            ...
+            acl = "public-read-write"
+            ...
+          }
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+      category: iac-terraform
+      precision: very-high
+      confidence: high
+      tags: [terraform, alicloud, oss, public-access, data-leak]

package/rules/quarantined/cwe-532/cl-532-all-158.yaml

@@ -0,0 +1,46 @@
+# zhuma-nvd-532-532-all-158.yaml
+# Generated: 2026-06-28T10:37:40.301Z
+# Source: P2 auto-generation (fixed) from P1.5 classified clusters
+# Cluster: CL-532-ALL-158 | CWE: CWE-532 | Lang: all
+# Precision: LOW | Noise: HIGH
+# CVEs: 227 | KEV: 0 | Exploit: 1
+
+rules:
+- id: zhuma-nvd-532-532-all-158
+  metadata:
+    category: A09:2021-Security Logging and Monitoring Failures
+    cwe: "CWE-532: Sensitive Info in Logs"
+    cve: "CVE-2024-48852, CVE-2021-37760, CVE-2021-37759, CVE-2019-17395, CVE-2019-17398, CVE-2019-17396, CVE-2019-17394, CVE-2019-17355"
+    likelihood: LOW
+    precision: LOW
+    impact: LOW
+    confidence: MEDIUM
+    source: nvd+wooyun
+    references:
+      - https://nvd.nist.gov/vuln/detail/CVE-2024-48852
+      - https://nvd.nist.gov/vuln/detail/CVE-2021-37760
+      - https://nvd.nist.gov/vuln/detail/CVE-2021-37759
+      - https://nvd.nist.gov/vuln/detail/CVE-2019-17395
+      - https://nvd.nist.gov/vuln/detail/CVE-2019-17398
+      - https://cwe.mitre.org/data/definitions/532.html
+
+  message: |
+    检测到敏感信息泄露至日志风险。密码/token/密钥等敏感数据出现在日志输出中。
+        修复: 在日志输出前脱敏处理，使用结构化日志过滤字段。
+
+  severity: INFO
+  languages:
+    - generic
+
+  patterns:
+  - pattern-regex: '(password|token|secret|key|credential)'
+  # Sensitive data in log calls
+  # CONSTRAINT: pattern: verify sink is in security-sensitive context
+  # CONSTRAINT: LIMIT: Semgrep OSS cannot distinguish variable name from variable value. Informational only.
+  # CONSTRAINT: log pattern MUST include metavariable-regex to exclude: field names ("password field"), function names, conditional checks, test assertions
+
+  # --- P2 METADATA ---
+  # cluster_id: CL-532-ALL-158
+  # cwe: CWE-532 | language: all
+  # sink_patterns: [object Object]
+  # wooyun_cases: 0 | tier: N/A

package/rules/quarantined/cwe-532/cl-532-all-159.yaml

@@ -0,0 +1,45 @@
+# zhuma-nvd-532-532-all-159.yaml
+# Generated: 2026-06-28T10:37:40.302Z
+# Source: P2 auto-generation (fixed) from P1.5 classified clusters
+# Cluster: CL-532-ALL-159 | CWE: CWE-532 | Lang: all
+# Precision: LOW | Noise: HIGH
+# CVEs: 227 | KEV: 0 | Exploit: 1
+
+rules:
+- id: zhuma-nvd-532-532-all-159
+  metadata:
+    category: A09:2021-Security Logging and Monitoring Failures
+    cwe: "CWE-532: Sensitive Info in Logs"
+    cve: "CVE-2024-48852, CVE-2021-37760, CVE-2021-37759, CVE-2019-17395, CVE-2019-17398, CVE-2019-17396, CVE-2019-17394, CVE-2019-17355"
+    likelihood: LOW
+    precision: LOW
+    impact: LOW
+    confidence: MEDIUM
+    source: nvd+wooyun
+    references:
+      - https://nvd.nist.gov/vuln/detail/CVE-2024-48852
+      - https://nvd.nist.gov/vuln/detail/CVE-2021-37760
+      - https://nvd.nist.gov/vuln/detail/CVE-2021-37759
+      - https://nvd.nist.gov/vuln/detail/CVE-2019-17395
+      - https://nvd.nist.gov/vuln/detail/CVE-2019-17398
+      - https://cwe.mitre.org/data/definitions/532.html
+
+  message: |
+    检测到敏感信息泄露至日志风险。密码/token/密钥等敏感数据出现在日志输出中。
+        修复: 在日志输出前脱敏处理，使用结构化日志过滤字段。
+
+  severity: INFO
+  languages:
+    - generic
+
+  patterns:
+  - pattern-regex: '.printStackTrace\(\)'
+  # CONSTRAINT: pattern: verify sink is in security-sensitive context
+  # CONSTRAINT: LIMIT: Semgrep OSS cannot distinguish variable name from variable value. Informational only.
+  # CONSTRAINT: log pattern MUST include metavariable-regex to exclude: field names ("password field"), function names, conditional checks, test assertions
+
+  # --- P2 METADATA ---
+  # cluster_id: CL-532-ALL-159
+  # cwe: CWE-532 | language: all
+  # sink_patterns: [object Object]
+  # wooyun_cases: 0 | tier: N/A

package/rules/quarantined/cwe-532/cl-532-all-160.yaml

@@ -0,0 +1,45 @@
+# zhuma-nvd-532-532-all-160.yaml
+# Generated: 2026-06-28T10:37:40.302Z
+# Source: P2 auto-generation (fixed) from P1.5 classified clusters
+# Cluster: CL-532-ALL-160 | CWE: CWE-532 | Lang: all
+# Precision: LOW | Noise: HIGH
+# CVEs: 227 | KEV: 0 | Exploit: 1
+
+rules:
+- id: zhuma-nvd-532-532-all-160
+  metadata:
+    category: A09:2021-Security Logging and Monitoring Failures
+    cwe: "CWE-532: Sensitive Info in Logs"
+    cve: "CVE-2024-48852, CVE-2021-37760, CVE-2021-37759, CVE-2019-17395, CVE-2019-17398, CVE-2019-17396, CVE-2019-17394, CVE-2019-17355"
+    likelihood: LOW
+    precision: LOW
+    impact: LOW
+    confidence: MEDIUM
+    source: nvd+wooyun
+    references:
+      - https://nvd.nist.gov/vuln/detail/CVE-2024-48852
+      - https://nvd.nist.gov/vuln/detail/CVE-2021-37760
+      - https://nvd.nist.gov/vuln/detail/CVE-2021-37759
+      - https://nvd.nist.gov/vuln/detail/CVE-2019-17395
+      - https://nvd.nist.gov/vuln/detail/CVE-2019-17398
+      - https://cwe.mitre.org/data/definitions/532.html
+
+  message: |
+    检测到敏感信息泄露至日志风险。密码/token/密钥等敏感数据出现在日志输出中。
+        修复: 在日志输出前脱敏处理，使用结构化日志过滤字段。
+
+  severity: INFO
+  languages:
+    - generic
+
+  patterns:
+  - pattern-regex: 'log.*response|log.*body'
+  # CONSTRAINT: pattern: verify sink is in security-sensitive context
+  # CONSTRAINT: LIMIT: Semgrep OSS cannot distinguish variable name from variable value. Informational only.
+  # CONSTRAINT: log pattern MUST include metavariable-regex to exclude: field names ("password field"), function names, conditional checks, test assertions
+
+  # --- P2 METADATA ---
+  # cluster_id: CL-532-ALL-160
+  # cwe: CWE-532 | language: all
+  # sink_patterns: [object Object]
+  # wooyun_cases: 0 | tier: N/A

package/rules/quarantined/cwe-862/cl-862-go-150.yaml

@@ -0,0 +1,44 @@
+# zhuma-nvd-862-862-go-150.yaml
+# Generated: 2026-06-28T10:37:40.283Z
+# Source: P2 auto-generation (fixed) from P1.5 classified clusters
+# Cluster: CL-862-GO-150 | CWE: CWE-862 | Lang: go
+# Precision: MEDIUM | Noise: MEDIUM
+# CVEs: 2070 | KEV: 3 | Exploit: 17
+
+rules:
+- id: zhuma-nvd-862-862-go-150
+  metadata:
+    category: A01:2021-Broken Access Control
+    cwe: "CWE-862: Missing Authorization"
+    cve: "CVE-2025-6205, CVE-2024-57726, CVE-2023-52163, CVE-2021-32172, CVE-2020-14944, CVE-2021-40379, CVE-2021-24146, CVE-2019-10849"
+    likelihood: MEDIUM
+    precision: MEDIUM
+    impact: MEDIUM
+    confidence: MEDIUM
+    source: nvd+wooyun
+    references:
+      - https://nvd.nist.gov/vuln/detail/CVE-2025-6205
+      - https://nvd.nist.gov/vuln/detail/CVE-2024-57726
+      - https://nvd.nist.gov/vuln/detail/CVE-2023-52163
+      - https://nvd.nist.gov/vuln/detail/CVE-2021-32172
+      - https://nvd.nist.gov/vuln/detail/CVE-2020-14944
+      - https://cwe.mitre.org/data/definitions/862.html
+
+  message: |
+    检测到缺失授权检查。API端点/函数缺少用户权限验证。
+        修复: 在业务逻辑前添加角色/权限检查(如@PreAuthorize、isAuthenticated装饰器)。
+
+  severity: WARNING
+  languages:
+    - go
+
+  patterns:
+  - pattern-regex: 'r.GET|r.POST \(no middleware\)'
+  # CONSTRAINT: pattern-not: whitelist known-public paths (/login, /register, /health, /static)
+  # CONSTRAINT: Reduce severity to INFO — public endpoints may be intentional
+
+  # --- P2 METADATA ---
+  # cluster_id: CL-862-GO-150
+  # cwe: CWE-862 | language: go
+  # sink_patterns: [object Object]
+  # wooyun_cases: 1 | tier: N/A

package/rules/quarantined/cwe-862/cl-862-go-151.yaml

@@ -0,0 +1,43 @@
+# zhuma-nvd-862-862-go-151.yaml
+# Generated: 2026-06-28T10:37:40.283Z
+# Source: P2 auto-generation (fixed) from P1.5 classified clusters
+# Cluster: CL-862-GO-151 | CWE: CWE-862 | Lang: go
+# Precision: MEDIUM | Noise: MEDIUM
+# CVEs: 2070 | KEV: 3 | Exploit: 17
+
+rules:
+- id: zhuma-nvd-862-862-go-151
+  metadata:
+    category: A01:2021-Broken Access Control
+    cwe: "CWE-862: Missing Authorization"
+    cve: "CVE-2025-6205, CVE-2024-57726, CVE-2023-52163, CVE-2021-32172, CVE-2020-14944, CVE-2021-40379, CVE-2021-24146, CVE-2019-10849"
+    likelihood: MEDIUM
+    precision: MEDIUM
+    impact: MEDIUM
+    confidence: MEDIUM
+    source: nvd+wooyun
+    references:
+      - https://nvd.nist.gov/vuln/detail/CVE-2025-6205
+      - https://nvd.nist.gov/vuln/detail/CVE-2024-57726
+      - https://nvd.nist.gov/vuln/detail/CVE-2023-52163
+      - https://nvd.nist.gov/vuln/detail/CVE-2021-32172
+      - https://nvd.nist.gov/vuln/detail/CVE-2020-14944
+      - https://cwe.mitre.org/data/definitions/862.html
+
+  message: |
+    检测到缺失授权检查。API端点/函数缺少用户权限验证。
+        修复: 在业务逻辑前添加角色/权限检查(如@PreAuthorize、isAuthenticated装饰器)。
+
+  severity: WARNING
+  languages:
+    - go
+
+  patterns:
+  - pattern: $OBJ.HandleFunc(...)
+  # CONSTRAINT: pattern: verify sink is in security-sensitive context
+
+  # --- P2 METADATA ---
+  # cluster_id: CL-862-GO-151
+  # cwe: CWE-862 | language: go
+  # sink_patterns: [object Object]
+  # wooyun_cases: 1 | tier: N/A