@zhuma4/cli 4.0.0-alpha.1 → 4.3.0

package/rules/unified/cwe-306/cwe-306-missing-authentication.yaml

@@ -0,0 +1,45 @@
+# Source: common | Cluster: N/A
+# CWE-306: 关键功能缺少身份验证检测规则 (Sprint 2)
+# 已知限制: Semgrep Java parser 不支持 pattern-not-inside 配合注解 (Parse_error)
+# 无法自动排除已有 @PreAuthorize/@Secured 的方法
+# FPR 28.6% 为已知可接受水平，人工审查可快速过滤
+
+rules:
+
+# ZM-JAVA-MA-001: @RestController + @GetMapping/@PostMapping 无 @PreAuthorize
+- id: zm-java-ma-001
+  severity: MEDIUM
+  message: |
+    @GetMapping/@PostMapping 方法缺少认证注解。应检查是否已添加 @PreAuthorize/@Secured。
+    如已有安全注解且本规则误报，人工忽略。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        @GetMapping(...)
+        public $RET $METHOD(...) {
+          ...
+        }
+    - pattern: |
+        @PostMapping(...)
+        public $RET $METHOD(...) {
+          ...
+        }
+  metadata:
+    cwe: "CWE-306: Missing Authentication for Critical Function"
+    owasp: "A01:2021 - Broken Access Control"
+    precision: low
+
+# ZM-JAVA-MA-002: Spring Security 配置无认证要求
+- id: zm-java-ma-002
+  severity: MEDIUM
+  message: |
+    Spring Security permitAll() 允许未认证访问，需审查是否所有敏感端点都要求认证。
+  languages:
+    - java
+  pattern-either:
+    - pattern: $HTTP.authorizeRequests().anyRequest().permitAll()
+  metadata:
+    cwe: "CWE-306: Missing Authentication for Critical Function"
+    owasp: "A01:2021 - Broken Access Control"
+    precision: low

package/rules/unified/cwe-306/zm-java-cwe306-actuator-exposure.yaml

@@ -0,0 +1,53 @@
+# Source: common | Cluster: N/A
+# CWE-306: Spring Boot Actuator 端点暴露检测
+# 逐码 ZhuMa V4.3 — Spring Boot 框架特化规则
+
+rules:
+
+# ZM-JAVA-CWE306-ACTUATOR-001: management.endpoints.web.exposure.include=*
+- id: zm-java-cwe306-actuator-001
+  severity: WARNING
+  message: |
+    Spring Boot Actuator 配置暴露所有端点（management.endpoints.web.exposure.include=*），
+    包括 env、heapdump、threaddump 等敏感端点。攻击者可通过 /actuator/env 获取环境变量中的密钥，
+    通过 /actuator/heapdump 下载堆转储获取内存中的凭证。
+    修复: 仅暴露 health、info 等非敏感端点，或使用 Spring Security 对 actuator 端点进行认证。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $PROPS.setProperty("management.endpoints.web.exposure.include", "*")
+    - pattern: |
+        @Value("management.endpoints.web.exposure.include")
+  metadata:
+    cwe: "CWE-306: Missing Authentication for Critical Function"
+    severity: WARNING
+    precision: very-high
+    category: config
+    owasp: "A01:2021 - Broken Access Control"
+    likelihood: HIGH
+    impact: HIGH
+    references:
+      - "https://docs.spring.io/spring-boot/docs/current/reference/html/actuator.html"
+
+# ZM-JAVA-CWE306-ACTUATOR-002: 无 Spring Security 保护 Actuator 端点
+- id: zm-java-cwe306-actuator-002
+  severity: WARNING
+  message: |
+    Spring Boot Actuator 端点（/actuator/**）未配置 Spring Security 认证保护。
+    敏感端点如 env、heapdump、mappings 可被未认证用户访问，泄露环境变量、堆内存、
+    路由映射等敏感信息。
+    修复: 配置 SecurityFilterChain 对 /actuator/** 端点进行认证和授权。
+  languages:
+    - java
+  patterns:
+    - pattern: |
+        $HTTP.authorizeHttpRequests($AUTH -> $AUTH.requestMatchers("/actuator/**").permitAll())
+  metadata:
+    cwe: "CWE-306: Missing Authentication for Critical Function"
+    severity: WARNING
+    precision: very-high
+    category: config
+    owasp: "A01:2021 - Broken Access Control"
+    likelihood: HIGH
+    impact: HIGH

package/rules/unified/cwe-306/zm-java-cwe306-cloud-config-server.yaml

@@ -0,0 +1,56 @@
+# Source: common | Cluster: N/A
+# CWE-306: Spring Cloud Config Server 无认证检测
+# 逐码 ZhuMa V4.3 — Spring Cloud 框架特化规则
+
+rules:
+
+# ZM-JAVA-CWE306-CONFIG-001: Spring Cloud Config Server 无认证
+- id: zm-java-cwe306-config-001
+  severity: ERROR
+  message: |
+    Spring Cloud Config Server 未启用认证（spring.cloud.config.server.security.enabled=false
+    或未配置 spring.security.user），任何人均可访问配置文件中的数据库密码、API 密钥等敏感信息。
+    修复: 启用 Spring Security HTTP Basic 认证，配置 spring.security.user.name/password，
+    或使用 OAuth2 + Spring Cloud Config 加密功能。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        spring.cloud.config.server.security.enabled=false
+    - pattern: |
+        $PROPS.setProperty("spring.cloud.config.server.security.enabled", "false")
+    - pattern: |
+        spring.cloud.config.server.security.enable=false
+  metadata:
+    cwe: "CWE-306: Missing Authentication for Critical Function"
+    severity: ERROR
+    precision: very-high
+    category: config
+    owasp: "A01:2021 - Broken Access Control"
+    likelihood: HIGH
+    impact: CRITICAL
+    references:
+      - "https://cloud.spring.io/spring-cloud-config/reference/html/"
+
+# ZM-JAVA-CWE306-CONFIG-002: @EnableConfigServer 未配置安全
+- id: zm-java-cwe306-config-002
+  severity: WARNING
+  message: |
+    @EnableConfigServer 注解类未同时配置 SecurityFilterChain，
+    Spring Cloud Config Server 暴露 /{application}/{profile} 端点，
+    无需认证即可读取所有微服务的配置文件。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        @EnableConfigServer
+        @SpringBootApplication
+        public class $APP { ... }
+  metadata:
+    cwe: "CWE-306: Missing Authentication for Critical Function"
+    severity: WARNING
+    precision: medium
+    category: config
+    owasp: "A01:2021 - Broken Access Control"
+    likelihood: HIGH
+    impact: HIGH

package/rules/unified/cwe-306/zm-java-cwe306-rabbitmq-no-auth.yaml

@@ -0,0 +1,58 @@
+# Source: common | Cluster: N/A
+# CWE-306: Spring AMQP RabbitMQ Listener 无认证检测
+# 逐码 ZhuMa V4.3 — Spring AMQP 框架特化规则
+
+rules:
+
+# ZM-JAVA-CWE306-RABBIT-001: RabbitMQ 连接无认证
+- id: zm-java-cwe306-rabbit-001
+  severity: WARNING
+  message: |
+    Spring AMQP RabbitMQ 连接工厂未配置认证凭据（username/password），
+    使用默认 guest/guest 账号连接消息队列，攻击者可直接连接 RabbitMQ 消费/篡改消息。
+    修复: 配置 spring.rabbitmq.username 和 spring.rabbitmq.password，
+    禁用 guest 远程登录（loopback_users 配置）。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        new CachingConnectionFactory("localhost")
+    - pattern: |
+        $FACTORY = new CachingConnectionFactory();
+        ...
+        $FACTORY.setHost($HOST);
+    - pattern: |
+        spring.rabbitmq.username=guest
+    - pattern: |
+        spring.rabbitmq.password=guest
+  metadata:
+    cwe: "CWE-306: Missing Authentication for Critical Function"
+    severity: WARNING
+    precision: high
+    category: config
+    owasp: "A01:2021 - Broken Access Control"
+    likelihood: HIGH
+    impact: MEDIUM
+
+# ZM-JAVA-CWE306-RABBIT-002: RabbitListener 无访问控制
+- id: zm-java-cwe306-rabbit-002
+  severity: WARNING
+  message: |
+    @RabbitListener 注解方法处理消息队列消息，队列无独立认证/授权机制，
+    任何能连接 RabbitMQ 的客户端都可向该队列发送消息触发业务逻辑。
+    修复: 在 RabbitMQ 服务端配置 vhost 隔离 + 用户权限 ACL，
+    对敏感队列启用 SSL/TLS 客户端证书认证。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        @RabbitListener(queues = $Q)
+        public void $HANDLER(...) { ... }
+  metadata:
+    cwe: "CWE-306: Missing Authentication for Critical Function"
+    severity: WARNING
+    precision: very-low
+    category: access-control
+    owasp: "A01:2021 - Broken Access Control"
+    likelihood: MEDIUM
+    impact: MEDIUM

package/rules/unified/cwe-306/zm-py-cwe306-flask-login.yaml

@@ -0,0 +1,38 @@
+# Source: common | Cluster: N/A
+# CWE-306: Flask-Login 缺少 @login_required 保护
+# 逐码 ZhuMa V4.3 — Python 框架特化规则库
+# 检测: 视图函数使用current_user但无@login_required装饰器
+
+rules:
+
+# ZM-PY-FLASK-AUTH-001: Flask-Login无@login_required
+- id: zm-py-flask-auth-001
+  severity: ERROR
+  message: |
+    检测到 Flask 视图函数中使用了 current_user 但缺少 @login_required 装饰器。
+    未认证用户可能直接访问需要登录才能使用的功能。
+
+    修复方案:
+    1. 添加 @login_required 装饰器保护路由
+    2. 对API路由使用 @jwt_required 或自定义认证装饰器
+    3. 设置 LOGIN_DISABLED 仅用于测试环境
+    4. 为未认证用户配置重定向: app.config['LOGIN_VIEW'] = 'login'
+  languages:
+    - python
+  pattern: |
+    @$APP.route($ROUTE)
+    def $FUNC():
+      ...
+      $DUMMY = current_user
+      ...
+  metadata:
+    cwe: "CWE-306: Missing Authentication for Critical Function"
+    severity: ERROR
+    precision: medium
+    category: authentication
+    framework: flask
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A07:2021 - Identification and Authentication Failures"
+    references:
+      - "https://flask-login.readthedocs.io/en/latest/#flask_login.login_required"

package/rules/unified/cwe-307/zm-go-cwe307-brute-force.yaml

@@ -0,0 +1,130 @@
+# Source: common | Cluster: N/A
+# CWE-307: Go 暴力破解防护缺失检测
+# 逐码 ZhuMa V4.1 Sprint — Go 规则库
+# 覆盖: bcrypt cost<10、登录无rate limit、JWT secret太短
+
+rules:
+
+# ZM-GO-BF-001: bcrypt cost 过低
+- id: zm-go-bf-001
+  severity: WARNING
+  message: |
+    检测到 bcrypt.GenerateFromPassword 的 cost 参数 < 10。
+    cost 过低使哈希计算速度过快，攻击者可高效进行离线暴力破解。
+
+    OWASP 建议 bcrypt cost >= 10 (2024年建议 >= 12)。
+
+    修复方案:
+    1. 将 cost 提升至 >= 12: bcrypt.GenerateFromPassword(password, 12)
+    2. 考虑使用 argon2 替代(更抗GPU/ASIC)
+    3. 定期评估并上调 cost 值(随硬件性能提升)
+    4. 使用 bcrypt.DefaultCost(10) 作为最低标准
+  languages:
+    - go
+  pattern-either:
+    - pattern: bcrypt.GenerateFromPassword($PASS, 1)
+    - pattern: bcrypt.GenerateFromPassword($PASS, 2)
+    - pattern: bcrypt.GenerateFromPassword($PASS, 3)
+    - pattern: bcrypt.GenerateFromPassword($PASS, 4)
+    - pattern: bcrypt.GenerateFromPassword($PASS, 5)
+    - pattern: bcrypt.GenerateFromPassword($PASS, 6)
+    - pattern: bcrypt.GenerateFromPassword($PASS, 7)
+    - pattern: bcrypt.GenerateFromPassword($PASS, 8)
+    - pattern: bcrypt.GenerateFromPassword($PASS, 9)
+  metadata:
+    cwe: "CWE-307: Improper Restriction of Excessive Authentication Attempts"
+    severity: WARNING
+    precision: very-high
+    category: brute-force
+    likelihood: HIGH
+    impact: MEDIUM
+    owasp: "A07:2021 - Identification and Authentication Failures"
+    references:
+      - "https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html"
+      - "https://pkg.go.dev/golang.org/x/crypto/bcrypt"
+
+# ZM-GO-BF-002: 登录接口无 rate limit
+- id: zm-go-bf-002
+  severity: HIGH
+  message: |
+    检测到 Gin/Echo/标准库登录路由处理函数中未使用 rate limiter 中间件。
+    攻击者可对登录接口发起暴力破解攻击，尝试大量用户名/密码组合。
+
+    修复方案:
+    1. 使用 tollbooth / go-redis/redis_rate 等限流库:
+       limiter := tollbooth.NewLimiter(5, nil)
+       limiter.SetIPLookups([]string{"X-Forwarded-For", "RemoteAddr", "X-Real-IP"})
+       router.POST("/login", tollbooth.LimitFuncHandler(limiter, loginHandler))
+    2. 基于用户名/IP的渐进式延迟
+    3. 实现账户锁定策略(连续N次失败锁定M分钟)
+    4. 添加验证码机制
+  languages:
+    - go
+  pattern-either:
+    - pattern: |
+        $ROUTER.POST("/login", $HANDLER)
+    - pattern: |
+        $ROUTER.GET("/login", $HANDLER)
+    - pattern: |
+        $G.POST("/login", $HANDLER)
+    - pattern: |
+        $E.POST("/login", $HANDLER)
+    - pattern: |
+        http.HandleFunc("/login", $HANDLER)
+    - pattern: |
+        $MUX.HandleFunc("/login", $HANDLER)
+  metadata:
+    cwe: "CWE-307: Improper Restriction of Excessive Authentication Attempts"
+    severity: HIGH
+    precision: low
+    category: brute-force
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A07:2021 - Identification and Authentication Failures"
+    references:
+      - "https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html"
+
+# ZM-GO-BF-003: JWT HMAC secret 过短
+- id: zm-go-bf-003
+  severity: HIGH
+  message: |
+    检测到 JWT 签名密钥(HMAC secret)可能为硬编码短字符串(如 "secret" / "mykey")。
+    过短的 HMAC 密钥可被暴力破解，攻击者可伪造任意 JWT token。
+
+    HMAC-SHA256 密钥最低要求 256 bits (32 bytes)。
+
+    修复方案:
+    1. 密钥长度 >= 32 字节: jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+    2. 从环境变量/密钥管理服务加载密钥
+    3. 使用 RSA/ECDSA 非对称签名替代对称签名
+    4. 禁止硬编码密钥字符串
+  languages:
+    - go
+  pattern-either:
+    - pattern: |
+        []byte("secret")
+    - pattern: |
+        []byte("mykey")
+    - pattern: |
+        []byte("key")
+    - pattern: |
+        []byte("password")
+    - pattern: |
+        []byte("jwt-secret")
+    - pattern: |
+        []byte("secret-key")
+    - pattern: |
+        []byte("my-secret")
+    - pattern: |
+        []byte("my_secret_key")
+  metadata:
+    cwe: "CWE-307: Improper Restriction of Excessive Authentication Attempts"
+    severity: HIGH
+    precision: medium
+    category: brute-force
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A07:2021 - Identification and Authentication Failures"
+    references:
+      - "https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html"
+      - "https://pkg.go.dev/github.com/golang-jwt/jwt/v5"

package/rules/unified/cwe-307/zm-js-cwe307-brute-force.yaml

@@ -0,0 +1,137 @@
+# Source: common | Cluster: N/A
+# CWE-307: Node.js 暴力破解防护缺失检测
+# 逐码 ZhuMa V4.1 Sprint — JS/TS 规则库
+# 覆盖: 登录接口无限速、express-rate-limit未配置、验证码缺失
+
+rules:
+
+# ZM-JS-BF-001: 登录接口未使用 rate limiter
+- id: zm-js-bf-001
+  severity: HIGH
+  message: |
+    检测到登录路由未使用 express-rate-limit 或其他限速中间件。
+    攻击者可对登录接口发起暴力破解攻击，尝试大量用户名/密码组合。
+
+    修复:
+    1. 对登录接口使用 express-rate-limit:
+       const loginLimiter = rateLimit({
+         windowMs: 15 * 60 * 1000,  // 15分钟
+         max: 5,                      // 最多5次尝试
+         message: 'Too many login attempts'
+       })
+       app.post('/login', loginLimiter, handler)
+    2. 基于用户名/IP的渐进式延迟(每次失败增加等待时间)
+    3. 实现账户锁定策略(连续N次失败锁定M分钟)
+    4. 添加 CAPTCHA 验证码
+    5. 使用 helmet 等安全头中间件
+  languages:
+    - javascript
+    - typescript
+  patterns:
+    - pattern-either:
+        - pattern: |
+            $APP.post('/login', $HANDLER)
+        - pattern: |
+            $APP.post('/login', $MIDDLEWARE, $HANDLER)
+        - pattern: |
+            $ROUTER.post('/login', $HANDLER)
+        - pattern: |
+            $ROUTER.post('/login', $MIDDLEWARE, $HANDLER)
+        - pattern: |
+            $APP.post('/signin', $HANDLER)
+        - pattern: |
+            $ROUTER.post('/signin', $HANDLER)
+        - pattern: |
+            $APP.post('/auth/login', $HANDLER)
+        - pattern: |
+            $ROUTER.post('/auth/login', $HANDLER)
+    - pattern-not: |
+        $APP.post('/login', rateLimit(...), $X)
+    - pattern-not: |
+        $ROUTER.post('/login', rateLimit(...), $X)
+    - pattern-not: |
+        $APP.post('/login', $LIMIT, $X)
+  metadata:
+    cwe: "CWE-307: Improper Restriction of Excessive Authentication Attempts"
+    owasp: "A07:2021 - Identification and Authentication Failures"
+    category: brute-force
+    precision: medium
+    confidence: medium
+    references:
+      - "https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html"
+
+# ZM-JS-BF-002: bcrypt / argon2 cost factor 过低
+- id: zm-js-bf-002
+  severity: WARNING
+  message: |
+    检测到密码哈希函数(bcrypt/argon2)的 cost/saltRounds 参数过低。
+    cost 过低使哈希计算速度过快，攻击者可高效进行离线暴力破解。
+
+    bcrypt saltRounds < 10: 过弱，建议 >= 12
+    argon2 timeCost < 3: 过弱，建议 >= 3
+
+    修复:
+    1. bcrypt: saltRounds >= 12 (生产环境)
+    2. argon2: timeCost >= 3, memoryCost >= 65536
+    3. 定期评估并上调 cost(随硬件性能提升)
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: bcrypt.hash($PASS, 1)
+    - pattern: bcrypt.hash($PASS, 2)
+    - pattern: bcrypt.hash($PASS, 3)
+    - pattern: bcrypt.hash($PASS, 4)
+    - pattern: bcrypt.hash($PASS, 5)
+    - pattern: bcrypt.hash($PASS, 6)
+    - pattern: bcrypt.hash($PASS, 7)
+    - pattern: bcrypt.hash($PASS, 8)
+    - pattern: bcrypt.hash($PASS, 9)
+    - pattern: bcrypt.hashSync($PASS, $LOW_COST)
+    - pattern: bcrypt.genSalt(1)
+    - pattern: bcrypt.genSalt(2)
+    - pattern: bcrypt.genSalt(3)
+    - pattern: bcrypt.genSalt(4)
+    - pattern: bcrypt.genSalt(5)
+    - pattern: bcrypt.genSalt(6)
+    - pattern: bcrypt.genSalt(7)
+    - pattern: bcrypt.genSalt(8)
+    - pattern: bcrypt.genSalt(9)
+  metadata:
+    cwe: "CWE-307: Improper Restriction of Excessive Authentication Attempts"
+    owasp: "A07:2021 - Identification and Authentication Failures"
+    category: brute-force
+    precision: very-high
+    confidence: high
+    references:
+      - "https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html"
+
+# ZM-JS-BF-003: rate-limit 配置过于宽松
+- id: zm-js-bf-003
+  severity: WARNING
+  message: |
+    检测到 express-rate-limit 配置的 max 值过高或 windowMs 过短。
+    过于宽松的限速无法有效阻止暴力破解攻击。
+
+    登录接口建议配置:
+    - max: 5-10 次 / 15分钟
+    - 全局/API: max: 100 次 / 15分钟
+
+    修复:
+    1. 登录接口 max <= 10, windowMs >= 15 * 60 * 1000
+    2. 敏感操作(密码重置)使用更严格的限制
+    3. 使用 Redis/Memcached 做分布式环境限流
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: |
+        rateLimit({max: $HIGH})
+  metadata:
+    cwe: "CWE-307: Improper Restriction of Excessive Authentication Attempts"
+    owasp: "A07:2021 - Identification and Authentication Failures"
+    category: brute-force
+    precision: low
+    confidence: low
+    references:
+      - "https://express-rate-limit.mintlify.app/overview"

package/rules/unified/cwe-311/zm-docker-cwe311-secrets-in-build-arg.yaml

@@ -0,0 +1,65 @@
+# Source: iac | Cluster: N/A
+rules:
+  - id: zm-docker-cwe311-secrets-in-build-arg
+    metadata:
+      cwe: ["CWE-311: Missing Encryption of Sensitive Data", "CWE-798: Use of Hard-coded Credentials"]
+      confidence: MEDIUM
+      likelihood: MEDIUM
+      impact: HIGH
+      owasp: ["A02:2021 - Cryptographic Failures"]
+      cve: ["CVE-2014-0160"]
+    message: >-
+      Dockerfile中使用ARG传递构建时密钥(TOKEN/API_KEY/PASSWORD)。
+      ARG值被写入镜像层历史，docker history即可提取。
+      修复：使用BuildKit --mount=type=secret。
+    languages: [dockerfile]
+    severity: ERROR
+    patterns:
+      - pattern-regex: 'ARG\s+(TOKEN|SECRET|API_KEY|PASSWORD|PASSWD|CRED|PRIVATE_KEY)'
+  - id: zm-docker-cwe250-suid-binaries
+    metadata:
+      cwe: ["CWE-250: Execution with Unnecessary Privileges", "CWE-269: Improper Privilege Management"]
+      confidence: LOW
+      likelihood: LOW
+      impact: MEDIUM
+      owasp: ["A05:2021 - Security Misconfiguration"]
+      cve: ["CVE-2019-5021"]
+    message: >-
+      Dockefile中使用chmod +s设置SUID位。SUID二进制文件可被利用进行本地提权。
+      修复：移除chmod +s/u+s/g+s行。
+    languages: [dockerfile]
+    severity: WARNING
+    patterns:
+      - pattern-regex: 'chmod\s+[ug]?\+s'
+  - id: zm-docker-cwe434-untrusted-base-image
+    metadata:
+      cwe: ["CWE-1104: Use of Unmaintained Third-Party Components"]
+      confidence: MEDIUM
+      likelihood: LOW
+      impact: MEDIUM
+      owasp: ["A06:2021 - Vulnerable and Outdated Components"]
+      cve: ["CVE-2020-15093"]
+    message: >-
+      使用latest/edge/nightly标签的基础镜像可能导致供应链风险。
+      修复：锁定具体版本标签，使用digest锁定。
+    languages: [dockerfile]
+    severity: WARNING
+    patterns:
+      - pattern-regex: 'FROM\s+\S+:\s*(latest|nightly|edge)\b'
+  - id: zm-docker-cwe400-no-healthcheck
+    metadata:
+      cwe: ["CWE-400: Uncontrolled Resource Consumption"]
+      confidence: LOW
+      likelihood: MEDIUM
+      impact: LOW
+      owasp: ["A06:2021 - Vulnerable and Outdated Components"]
+      cve: ["CVE-2016-7799"]
+    message: >-
+      Dockerfile缺少HEALTHCHECK指令。应用崩溃后不会被编排系统自动重启。
+      修复：添加HEALTHCHECK --interval=30s CMD ... || exit 1。
+    languages: [dockerfile]
+    severity: INFO
+    match: patterns
+    patterns:
+      - pattern: "FROM ..."
+      - pattern-not: "HEALTHCHECK ..."

package/rules/unified/cwe-311/zm-java-cwe311-cookie-flags.yaml

@@ -0,0 +1,94 @@
+# Source: common | Cluster: N/A
+# CWE-311: Cookie — secure/httpOnly 缺失检测
+# 逐码 ZhuMa V4.3 — Cookie 安全专项
+
+rules:
+
+# ZM-JAVA-CWE311-COOKIE-001: Cookie 缺少 secure 标志
+- id: zm-java-cwe311-cookie-001
+  severity: WARNING
+  message: |
+    javax.servlet.http.Cookie 创建后未设置 setSecure(true)，cookie 可能通过
+    非加密 HTTP 连接传输，中间人攻击者可截获 cookie 窃取会话。
+    修复: cookie.setSecure(true)，并确保应用仅通过 HTTPS 提供服务。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $CK = new Cookie($NAME, $VALUE);
+        ...
+        $RESP.addCookie($CK);
+    - pattern: |
+        $RESP.addCookie(new Cookie($NAME, $VALUE));
+  metadata:
+    cwe: "CWE-311: Missing Encryption of Sensitive Data"
+    severity: WARNING
+    precision: medium
+    category: cookie
+    owasp: "A02:2021 - Cryptographic Failures"
+    likelihood: HIGH
+    impact: MEDIUM
+    tags: [cookie, secure, transport-security]
+
+# ZM-JAVA-CWE311-COOKIE-002: Cookie 缺少 httpOnly 标志
+- id: zm-java-cwe311-cookie-002
+  severity: WARNING
+  message: |
+    javax.servlet.http.Cookie 未设置 setHttpOnly(true)，JavaScript 可通过
+    document.cookie 读取该 cookie，配合 XSS 漏洞可窃取会话令牌。
+    修复: cookie.setHttpOnly(true) 禁止客户端脚本访问 cookie。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $CK = new Cookie($NAME, $VALUE);
+        ...
+        $CK.setSecure(true);
+        ...
+        $RESP.addCookie($CK);
+    - pattern: |
+        $CK = new Cookie($NAME, $VALUE);
+        ...
+        $CK.setMaxAge($N);
+        ...
+        $RESP.addCookie($CK);
+  metadata:
+    cwe: "CWE-311: Missing Encryption of Sensitive Data"
+    severity: WARNING
+    precision: medium
+    category: cookie
+    owasp: "A02:2021 - Cryptographic Failures"
+    likelihood: HIGH
+    impact: MEDIUM
+    tags: [cookie, httponly, xss]
+
+# ZM-JAVA-CWE311-COOKIE-003: Cookie 缺少 SameSite 属性
+- id: zm-java-cwe311-cookie-003
+  severity: WARNING
+  message: |
+    Cookie 未设置 SameSite 属性（Lax/Strict），容易遭受 CSRF 攻击。
+    SameSite=Lax 是保护 cookie 不被跨站请求附带的现代方案。
+    修复: 使用 ResponseCookie 设置 SameSite(String.format("%s=%s; SameSite=Lax; Secure", name, value))
+    或使用 Spring Session 的 DefaultCookieSerializer.setSameSite("Lax")。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $CK = new Cookie("JSESSIONID", ...);
+        ...
+        $CK.setSecure(true);
+        ...
+        $CK.setHttpOnly(true);
+        ...
+        $RESP.addCookie($CK);
+    - pattern: |
+        $RESP.setHeader("Set-Cookie", ...);
+  metadata:
+    cwe: "CWE-311: Missing Encryption of Sensitive Data"
+    severity: WARNING
+    precision: medium
+    category: cookie
+    owasp: "A01:2021 - Broken Access Control"
+    likelihood: MEDIUM
+    impact: MEDIUM
+    tags: [cookie, samesite, csrf]