@zhuma4/cli 4.0.0-alpha.1 → 4.3.0

package/rules/unified/cwe-265/zm-py-fastapi-cwe265-cwe284-01.yaml

@@ -0,0 +1,49 @@
+# Source: common | Cluster: N/A
+rules:
+  - id: zm-py-fastapi-dep-bypass-001
+    severity: ERROR
+    message: >-
+      FastAPI Depends依赖注入绕过——在handler内手动实例化服务类而非通过Depends()。
+      CVE-2022-24065。修复：始终通过Depends()注入依赖。
+    languages: [python]
+    patterns:
+      - pattern: $X = $Y()
+    metadata:
+      cwe: "CWE-284"
+      confidence: LOW
+      likelihood: MEDIUM
+      impact: HIGH
+      owasp: "A01:2021"
+      category: fastapi
+      cve: "CVE-2022-24065"
+  - id: zm-py-fastapi-cors-001
+    severity: WARNING
+    message: >-
+      FastAPI CORS中间件允许所有源(allow_origins=["*"])。
+      修复：限制为可信域名白名单。
+    languages: [python]
+    patterns:
+      - pattern-regex: 'CORSMiddleware'
+      - pattern-regex: '\"\*\"'
+    metadata:
+      cwe: "CWE-942"
+      confidence: HIGH
+      likelihood: MEDIUM
+      impact: MEDIUM
+      owasp: "A01:2021"
+      category: fastapi
+  - id: zm-py-fastapi-openapi-001
+    severity: WARNING
+    message: >-
+      FastAPI OpenAPI文档在生产环境暴露。攻击者可通过/docs或/redoc探测API。
+      修复：生产环境设置docs_url=None, redoc_url=None。
+    languages: [python]
+    patterns:
+      - pattern-regex: 'FastAPI\('
+    metadata:
+      cwe: "CWE-200"
+      confidence: LOW
+      likelihood: LOW
+      impact: LOW
+      owasp: "A05:2021"
+      category: fastapi

package/rules/unified/cwe-269/zm-ansible-cwe269-privilege-escalation.yaml

@@ -0,0 +1,76 @@
+# Source: iac | Cluster: N/A
+# 逐码 ZhuMa IaC 规则 — Ansible 权限提升检测
+# V4.1 Sprint — CWE-269: Improper Privilege Management
+
+rules:
+  # ZM-ANSIBLE-CWE269-001: become: yes 未限制 become_user
+  - id: zm-ansible-cwe269-privesc-001
+    severity: HIGH
+    message: |
+      Ansible Playbook 中 `become: yes` 未同时指定 `become_user` — 默认升级为 root 用户执行所有任务。
+      应在 Play 或 Task 级别明确指定 `become_user` 为最小权限所需的非 root 用户:
+      ```yaml
+      become: yes
+      become_user: appuser
+      ```
+    languages:
+      - generic
+    paths:
+      include:
+        - "**/*.yml"
+        - "**/*.yaml"
+    pattern: |
+      become: yes
+    pattern-not: |
+      become_user: $USER
+    metadata:
+      cwe: "CWE-269: Improper Privilege Management"
+      category: iac-ansible
+      precision: medium
+      confidence: high
+      tags: [ansible, privilege-escalation, become, root]
+
+  # ZM-ANSIBLE-CWE269-002: become: true (另一种写法)
+  - id: zm-ansible-cwe269-privesc-002
+    severity: HIGH
+    message: |
+      Ansible Playbook 中 `become: true` 未限制 `become_user` — 可能意外升级为 root。
+      明确指定 `become_user` 并确保目标用户具有完成任务的必要权限而不需要完整 root 权限。
+    languages:
+      - generic
+    paths:
+      include:
+        - "**/*.yml"
+        - "**/*.yaml"
+    pattern: |
+      become: true
+    pattern-not: |
+      become_user: $USER
+    metadata:
+      cwe: "CWE-269: Improper Privilege Management"
+      category: iac-ansible
+      precision: medium
+      confidence: high
+      tags: [ansible, privilege-escalation, become, root]
+
+  # ZM-ANSIBLE-CWE269-003: become_method: su 配合 become: yes
+  - id: zm-ansible-cwe269-privesc-003
+    severity: MEDIUM
+    message: |
+      Ansible 使用 `become_method: su` — su 方法对密码处理不够安全，且通常意味着直接升级为 root。
+      优先使用 `become_method: sudo` 并配合 `/etc/sudoers` 中的细粒度 sudo 规则，
+      仅授予必要命令的执行权限，遵循最小权限原则。
+    languages:
+      - generic
+    paths:
+      include:
+        - "**/*.yml"
+        - "**/*.yaml"
+    pattern: |
+      become_method: su
+    metadata:
+      cwe: "CWE-269: Improper Privilege Management"
+      category: iac-ansible
+      precision: very-high
+      confidence: high
+      tags: [ansible, privilege-escalation, become_method, su]

package/rules/unified/cwe-269/zm-java-cwe269-requestdumper-valve.yaml

@@ -0,0 +1,55 @@
+# Source: common | Cluster: N/A
+# CWE-269: RequestDumperValve 生产环境启用检测
+# 逐码 ZhuMa V4.3 — Tomcat 安全配置专项
+
+rules:
+
+# ZM-JAVA-CWE269-RDV-001: RequestDumperValve 生产环境启用
+- id: zm-java-cwe269-rdv-001
+  severity: ERROR
+  message: |
+    Tomcat RequestDumperValve 在生产环境中启用，会将完整的 HTTP 请求
+    （包括 Headers、Cookies、请求体）输出到日志，导致会话令牌、密码等
+    敏感信息泄露到日志文件。
+    修复: 1. 生产环境移除 RequestDumperValve 配置
+    2. 仅在开发/测试环境使用，用 profile 隔离
+    3. 使用 Spring Boot logging.level.web=TRACE 替代（可配置脱敏）
+  languages:
+    - java
+  pattern-either:
+    - pattern: $CTX.addValve(new RequestDumperValve())
+    - pattern: $CTX.getPipeline().addValve(new RequestDumperValve())
+  metadata:
+    cwe: "CWE-269: Improper Privilege Management"
+    severity: ERROR
+    precision: very-high
+    category: info-disclosure
+    owasp: "A09:2021 - Security Logging and Monitoring Failures"
+    likelihood: HIGH
+    impact: HIGH
+    tags: [tomcat, info-disclosure, production]
+    references:
+      - "https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Request_Dumper_Valve"
+
+# ZM-JAVA-CWE269-RDV-002: Tomcat Access Log 含敏感Header
+- id: zm-java-cwe269-rdv-002
+  severity: WARNING
+  message: |
+    Tomcat Access Log pattern 包含 %{Authorization}i 或 %{Cookie}i，
+    会将认证令牌和会话 Cookie 记录到明文访问日志。
+    修复: 1. 移除 pattern 中的敏感 Header 占位符
+    2. 对 Cookie Header 做脱敏（仅记录是否含 Cookie）
+    3. 使用 %{JSESSIONID}c 仅记录特定 cookie。
+  languages:
+    - java
+  pattern-either:
+    - pattern: $PROPS.setProperty("server.tomcat.accesslog.pattern", $PATTERN)
+  metadata:
+    cwe: "CWE-269: Improper Privilege Management"
+    severity: WARNING
+    precision: very-high
+    category: info-disclosure
+    owasp: "A09:2021 - Security Logging and Monitoring Failures"
+    likelihood: HIGH
+    impact: MEDIUM
+    tags: [tomcat, info-disclosure]

package/rules/unified/cwe-284/zm-java-cwe284-missing-auth-spring.yaml

@@ -0,0 +1,132 @@
+# Source: common | Cluster: N/A
+# CWE-284/862: Missing Authorization — Spring Security deeper patterns
+# ZhuMa V4.1 — complement zm-java-cwe862-authz-depth.yaml and cwe200-actuator-exposure.yaml
+
+rules:
+
+# ZM-JAVA-AUTHZ-SPRING-001: WebSecurityConfig permitAll on sensitive paths
+- id: zm-java-authz-spring-001
+  severity: HIGH
+  message: |
+    Spring Security WebSecurityConfig uses requestMatchers(...).permitAll() on paths likely to be sensitive.
+    Check if these endpoints should be authenticated (e.g. /api/admin, /manage, /internal).
+    Fix: require authentication for sensitive paths; use hasRole/hasAuthority for admin endpoints.
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $HTTP.requestMatchers("/api/**").permitAll()
+    - pattern: |
+        $HTTP.requestMatchers("/admin/**").permitAll()
+    - pattern: |
+        $HTTP.requestMatchers("/manage/**").permitAll()
+    - pattern: |
+        $HTTP.requestMatchers("/internal/**").permitAll()
+    - pattern: |
+        $HTTP.requestMatchers("/graphql").permitAll()
+    - pattern: |
+        $HTTP.anyRequest().permitAll()
+  metadata:
+    cwe: "CWE-284: Improper Access Control"
+    severity: INFO
+    precision: high
+    category: authorization
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A01:2021 - Broken Access Control"
+
+# ZM-JAVA-AUTHZ-SPRING-002: POST/PUT/DELETE endpoints without method security
+- id: zm-java-authz-spring-002
+  severity: HIGH
+  message: |
+    Spring MVC controller has state-changing endpoints (@PostMapping/@PutMapping/@DeleteMapping) without @PreAuthorize.
+    These write operations should be explicitly protected with role-based authorization.
+    Fix: add @PreAuthorize("hasRole('ADMIN')") or @Secured("ROLE_ADMIN") to write endpoints.
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        @$CTRL
+        class $CLASS {
+          ...
+          @PostMapping($PATH)
+          $RET $METHOD(...) {
+            ...
+          }
+          ...
+        }
+    - pattern: |
+        @$CTRL
+        class $CLASS {
+          ...
+          @PutMapping($PATH)
+          $RET $METHOD(...) {
+            ...
+          }
+          ...
+        }
+    - pattern: |
+        @$CTRL
+        class $CLASS {
+          ...
+          @DeleteMapping($PATH)
+          $RET $METHOD(...) {
+            ...
+          }
+          ...
+        }
+  pattern-not: |
+    @$CTRL
+    class $CLASS {
+      ...
+      @PreAuthorize($X)
+    }
+  metadata:
+    cwe: "CWE-862: Missing Authorization"
+    severity: INFO
+    precision: medium
+    category: authorization
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A01:2021 - Broken Access Control"
+    references:
+      - "https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html"
+
+# ZM-JAVA-AUTHZ-SPRING-003: @EnableWebSecurity without @EnableMethodSecurity
+- id: zm-java-authz-spring-003
+  severity: MEDIUM
+  message: |
+    SecurityConfig annotated with @EnableWebSecurity but missing @EnableMethodSecurity.
+    Without method-level security, @PreAuthorize annotations on controllers have no effect.
+    Fix: add @EnableMethodSecurity (Spring Security 6+) or @EnableGlobalMethodSecurity(prePostEnabled = true).
+  languages:
+    - java
+  patterns:
+    - pattern: |
+        @Configuration
+        @EnableWebSecurity
+        class $CLASS {
+          ...
+        }
+    - pattern-not: |
+        @Configuration
+        @EnableWebSecurity
+        @EnableMethodSecurity
+        class $CLASS {
+          ...
+        }
+    - pattern-not: |
+        @Configuration
+        @EnableWebSecurity
+        @EnableGlobalMethodSecurity
+        class $CLASS {
+          ...
+        }
+  metadata:
+    cwe: "CWE-284: Improper Access Control"
+    severity: MEDIUM
+    precision: medium
+    category: authorization
+    likelihood: MEDIUM
+    impact: MEDIUM
+    owasp: "A05:2021 - Security Misconfiguration"

package/rules/unified/cwe-284/zm-java-cwe284-permitall-overauth.yaml

@@ -0,0 +1,57 @@
+# Source: common | Cluster: N/A
+# CWE-284: Spring Security permitAll() 过度授权检测
+# 逐码 ZhuMa V4.3 — Spring Security 框架特化规则
+
+rules:
+
+# ZM-JAVA-CWE284-PERMITALL-001: SecurityFilterChain permitAll() 过度授权
+- id: zm-java-cwe284-permitall-001
+  severity: WARNING
+  message: |
+    Spring Security FilterChain 中 permitAll() 应用于管理端或敏感 API 端点，
+    使得未认证用户可以访问受限功能。
+    修复: 使用 authenticated() 或 hasRole() 限制访问，仅对公开资源（如 login、static）使用 permitAll()。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $HTTP.authorizeHttpRequests($AUTH -> $AUTH.requestMatchers($PATHS).permitAll().anyRequest().permitAll())
+    - pattern: |
+        $HTTP.authorizeHttpRequests($AUTH -> $AUTH.anyRequest().permitAll())
+    - pattern: |
+        $HTTP.authorizeHttpRequests($AUTH -> $AUTH.requestMatchers("/admin/**").permitAll())
+    - pattern: |
+        $HTTP.authorizeHttpRequests($AUTH -> $AUTH.requestMatchers("/api/**").permitAll())
+  metadata:
+    cwe: "CWE-284: Improper Access Control"
+    severity: WARNING
+    precision: high
+    category: access-control
+    owasp: "A01:2021 - Broken Access Control"
+    likelihood: HIGH
+    impact: HIGH
+
+# ZM-JAVA-CWE284-PERMITALL-002: @PreAuthorize("permitAll()") 过度授权
+- id: zm-java-cwe284-permitall-002
+  severity: WARNING
+  message: |
+    方法级别 @PreAuthorize("permitAll()") 注解标记敏感操作（如 delete、admin 方法），
+    任何人都可调用该方法。
+    修复: 使用 @PreAuthorize("hasRole('ADMIN')") 或 @PreAuthorize("hasAuthority('DELETE')")。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        @PreAuthorize("permitAll()")
+        public $RET $DELETE(...) { ... }
+    - pattern: |
+        @PreAuthorize("permitAll()")
+        public $RET $ADMIN(...) { ... }
+  metadata:
+    cwe: "CWE-284: Improper Access Control"
+    severity: WARNING
+    precision: medium
+    category: access-control
+    owasp: "A01:2021 - Broken Access Control"
+    likelihood: MEDIUM
+    impact: HIGH

package/rules/unified/cwe-284/zm-java-cwe284-tomcat-ajp.yaml

@@ -0,0 +1,57 @@
+# Source: common | Cluster: N/A
+# CWE-284: Tomcat AJP 协议暴露检测
+# 逐码 ZhuMa V4.3 — Tomcat 安全配置专项
+
+rules:
+
+# ZM-JAVA-CWE284-AJP-001: Tomcat AJP Connector 暴露
+- id: zm-java-cwe284-ajp-001
+  severity: CRITICAL
+  message: |
+    Tomcat 启用了 AJP Connector 且未设置 secretRequired="true" 或未配置 secret 属性，
+    攻击者可通过 AJP 协议（Ghostcat, CVE-2020-1938）读取 Tomcat webapps 下任意文件，
+    或通过 AJP 协议绕过认证。
+    修复: 1. 禁用 AJP Connector（如不需要） 2. 设置 secretRequired="true" 并配置强密码 secret
+    3. 绑定到本地地址: address="127.0.0.1"
+  languages:
+    - java
+  pattern-either:
+    - pattern: $CONNECTOR.setProtocol("AJP/1.3")
+    - pattern: $TOMCAT.getConnector().setProtocol("AJP/1.3")
+  metadata:
+    cwe: "CWE-284: Improper Access Control"
+    severity: CRITICAL
+    precision: very-high
+    category: config
+    owasp: "A01:2021 - Broken Access Control"
+    likelihood: HIGH
+    impact: CRITICAL
+    tags: [tomcat, ajp, ghostcat, cve-2020-1938]
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2020-1938"
+      - "https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html"
+
+# ZM-JAVA-CWE284-AJP-002: Tomcat AJP Connector 弱 secret
+- id: zm-java-cwe284-ajp-002
+  severity: ERROR
+  message: |
+    Tomcat AJP Connector secret 属性使用弱密码或默认值，攻击者可通过
+    Ghostcat (CVE-2020-1938) 漏洞读取文件或绕过认证。
+    修复: 设置 secret="强随机密码（64+字符）"，使用 openssl rand 64 | base64 生成。
+  languages:
+    - java
+  pattern-either:
+    - pattern: $CONNECTOR.setSecret("secret")
+    - pattern: $CONNECTOR.setSecret("tomcat")
+    - pattern: $CONNECTOR.setSecret("ajp")
+  metadata:
+    cwe: "CWE-284: Improper Access Control"
+    severity: ERROR
+    precision: very-high
+    category: config
+    owasp: "A01:2021 - Broken Access Control"
+    likelihood: HIGH
+    impact: CRITICAL
+    tags: [tomcat, ajp, ghostcat]
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2020-1938"

package/rules/unified/cwe-284/zm-java-springsec-cwe284-001.yaml

@@ -0,0 +1,110 @@
+# Source: common | Cluster: N/A
+# CWE-284/862/863: Spring Security配置缺陷 — 访问控制绕过多维度
+# ZhuMa V4.1 — Spring Security Misconfiguration深度检测
+# 覆盖: antMatcher顺序错误 / permitAll过度使用 / 方法级安全缺失 / CSRF误配置
+
+rules:
+
+# ZM-JAVA-SPRINGSEC-MATCHER-001: SecurityFilterChain规则顺序错误(仅permitAll优先)
+- id: zm-java-springsec-matcher-001
+  severity: ERROR
+  message: |
+    Spring Security antMatchers规则中 permitAll() 出现在 authenticated() 之前 — 访问控制失效。
+    规则按顺序匹配，若先匹配到 permitAll("/**")，后续所有authenticated规则被绕过。
+    这是严重的Spring Security反模式，导致整站无需认证即可访问。
+    CVE-2022-22978: Spring Security 授权绕过(asterisk模式匹配缺陷)。
+    修复: 1) 最具体的规则写在最前面 2) permitAll 仅限于静态资源和公开路由 3) 使用 requestMatchers 替代 antMatchers
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $HTTP
+            .antMatchers("/**").permitAll()
+            .antMatchers($SECURE).authenticated()
+    - pattern: |
+        $HTTP
+            .requestMatchers("/**").permitAll()
+            .requestMatchers($SECURE).authenticated()
+    - pattern: |
+        $HTTP
+            .authorizeRequests()
+            .antMatchers("/**").permitAll()
+            .anyRequest().authenticated()
+  metadata:
+    cwe: "CWE-284: Improper Access Control"
+    severity: INFO
+    precision: high
+    category: structural-config
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A01:2021 - Broken Access Control"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2022-22978"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2023-34034"
+      - "https://spring.io/security/cve-2022-22978"
+      - "https://cwe.mitre.org/data/definitions/284.html"
+
+# ZM-JAVA-SPRINGSEC-METHOD-001: 方法级安全注解缺失
+- id: zm-java-springsec-method-001
+  severity: WARNING
+  message: |
+    Controller/RestController 方法未添加 @PreAuthorize/@Secured/@RolesAllowed 注解 — 缺少方法级授权。
+    仅依赖URL级安全(antMatchers)可能导致IDOR: 已认证用户可操作其他用户的资源。
+    CVE-2023-34034: Spring Security WebFlux 方法级Bypass; CVE-2023-20860: Spring MVC IDOR。
+    修复: 1) @PreAuthorize("hasRole('ADMIN')") 方法级授权 2) @PostAuthorize 过滤返回结果
+    3) @PreFilter 过滤集合参数中的未授权元素
+  languages:
+    - java
+  pattern-either:
+    - patterns:
+      - pattern: |
+          @RequestMapping(...)
+      - pattern-not: |
+          @PreAuthorize(...)
+      - pattern-not: |
+          @Secured(...)
+      - pattern-not: |
+          @RolesAllowed(...)
+  metadata:
+    cwe: "CWE-862: Missing Authorization"
+    severity: INFO
+    precision: low
+    category: spring-security
+    likelihood: MEDIUM
+    impact: MEDIUM
+    owasp: "A01:2021 - Broken Access Control"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2023-34034"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2023-20860"
+      - "https://spring.io/guides/topicals/spring-security-architecture"
+
+# ZM-JAVA-SPRINGSEC-CSRF-001: SecurityFilterChain中CSRF保护被意外禁用
+- id: zm-java-springsec-csrf-001
+  severity: ERROR
+  message: |
+    SecurityFilterChain中显式调用了 .csrf().disable() — CSRF保护被禁用。
+    关闭CSRF保护时，所有state-changing操作(GET/POST/PUT/DELETE)易受跨站请求伪造攻击。
+    仅在无状态REST API中使用JWT/bearer Token可考虑禁用，但需确保无Cookie-based Session。
+    CVE-2021-22044: Spring Cloud CSRF保护不足; CVE-2023-20863: CSRF token验证绕过。
+    修复: 1) 恢复CSRF保护 2) 仅对无状态API禁用并添加注释说明 3) 使用 CsrfTokenRequestHandler
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $HTTP.csrf().disable()
+    - pattern: |
+        $HTTP.csrf($CSRF -> $CSRF.disable())
+    - pattern: |
+        $HTTP.csrf(AbstractHttpConfigurer::disable)
+  metadata:
+    cwe: "CWE-352: Cross-Site Request Forgery (CSRF)"
+    severity: INFO
+    precision: high
+    category: spring-security
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A01:2021 - Broken Access Control"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2021-22044"
+      - "https://nvd.nist.gov/vuln/detail/CVE-2023-20863"
+      - "https://docs.spring.io/spring-security/reference/features/exploits/csrf.html"

package/rules/unified/cwe-284/zm-tf-cwe284-sg-egress-any.yaml

@@ -0,0 +1,33 @@
+# Source: iac | Cluster: N/A
+rules:
+  - id: zm-tf-cwe284-sg-egress-any
+    metadata:
+      cwe: ["CWE-284"]
+      confidence: HIGH
+      likelihood: MEDIUM
+      impact: MEDIUM
+      owasp: ["A01:2021"]
+      cve: ["CVE-2020-8554"]
+    message: >-
+      安全组出站规则CIDR为0.0.0.0/0。修复：限制出站到必要地址范围。
+    languages: [generic]
+    severity: WARNING
+    paths:
+      include: ["*.tf"]
+    patterns:
+      - pattern-regex: 'aws_security_group'
+      - pattern-regex: '"0\.0\.0\.0/0"'
+  - id: zm-tf-cwe311-kms-key-rotation-missing
+    metadata:
+      cwe: ["CWE-311"]
+      confidence: HIGH
+      likelihood: LOW
+      impact: HIGH
+      owasp: ["A02:2021"]
+      cve: ["CVE-2018-1000810"]
+    message: >-
+      KMS密钥未启用自动轮转。修复：设置enable_key_rotation=true。
+    languages: [hcl]
+    severity: WARNING
+    patterns:
+      - pattern: enable_key_rotation = false

package/rules/unified/cwe-284/zm-tf-cwe284-sg-wide-open.yaml

@@ -0,0 +1,89 @@
+# Source: iac | Cluster: N/A
+# 逐码 ZhuMa IaC 规则 — Terraform 安全组全网段开放检测
+# V4.1 Sprint — CWE-284: Improper Access Control
+
+rules:
+  # ZM-TF-CWE284-001: AWS 安全组 ingress 0.0.0.0/0
+  - id: zm-tf-cwe284-sg-open-001
+    severity: CRITICAL
+    message: |
+      AWS 安全组规则 cidr_blocks 包含 `0.0.0.0/0` — 入站流量对全网开放。
+      将 cidr_blocks 限制为业务所需的最小 IP 段 (如办公网出口 IP、VPC CIDR)，
+      避免数据库端口 (3306/5432/6379/27017)、SSH (22)、RDP (3389) 等管理端口对公网暴露。
+    languages:
+      - terraform
+    pattern-either:
+      - pattern: |
+          resource "aws_security_group_rule" $NAME {
+            ...
+            cidr_blocks = ["0.0.0.0/0"]
+            ...
+          }
+      - pattern: |
+          resource "aws_security_group_rule" $NAME {
+            ...
+            cidr_blocks = ["0.0.0.0/0", ...]
+            ...
+          }
+    metadata:
+      cwe: "CWE-284: Improper Access Control"
+      category: iac-terraform
+      precision: very-high
+      confidence: high
+      tags: [terraform, aws, security-group, 0.0.0.0/0, network-exposure]
+
+  # ZM-TF-CWE284-002: AWS 安全组 ipv6_cidr_blocks ::/0
+  - id: zm-tf-cwe284-sg-open-002
+    severity: CRITICAL
+    message: |
+      AWS 安全组规则 ipv6_cidr_blocks 包含 `::/0` — IPv6 全网段开放入站流量。
+      与 0.0.0.0/0 同理，应将 ipv6_cidr_blocks 限制为最小必要范围。
+    languages:
+      - terraform
+    pattern-either:
+      - pattern: |
+          resource "aws_security_group_rule" $NAME {
+            ...
+            ipv6_cidr_blocks = ["::/0"]
+            ...
+          }
+      - pattern: |
+          resource "aws_security_group_rule" $NAME {
+            ...
+            ipv6_cidr_blocks = ["::/0", ...]
+            ...
+          }
+    metadata:
+      cwe: "CWE-284: Improper Access Control"
+      category: iac-terraform
+      precision: very-high
+      confidence: high
+      tags: [terraform, aws, security-group, ipv6, network-exposure]
+
+  # ZM-TF-CWE284-003: 阿里云安全组 0.0.0.0/0
+  - id: zm-tf-cwe284-sg-open-003
+    severity: CRITICAL
+    message: |
+      阿里云安全组规则 cidr_ip 为 `0.0.0.0/0` — 入站流量对全网开放。
+      将 cidr_ip 限制为业务所需的最小 IP 段，管理端口（22/3389/3306 等）严禁对 0.0.0.0/0 开放。
+    languages:
+      - terraform
+    pattern-either:
+      - pattern: |
+          resource "alicloud_security_group_rule" $NAME {
+            ...
+            cidr_ip = "0.0.0.0/0"
+            ...
+          }
+      - pattern: |
+          resource "alicloud_security_group_rule" $NAME {
+            ...
+            source_cidr_ip = "0.0.0.0/0"
+            ...
+          }
+    metadata:
+      cwe: "CWE-284: Improper Access Control"
+      category: iac-terraform
+      precision: very-high
+      confidence: high
+      tags: [terraform, alicloud, security-group, 0.0.0.0/0, network-exposure]