@zhuma4/cli 4.0.0-alpha.1 → 4.3.0

package/rules/unified/cwe-311/zm-tf-cwe311-iam-wildcard.yaml

@@ -0,0 +1,84 @@
+# Source: iac | Cluster: N/A
+# 逐码 ZhuMa IaC 规则 — Terraform IAM 策略通配符检测
+# V4.1 Sprint — CWE-311: Missing Encryption of Sensitive Data / Overprivileged Policy
+
+rules:
+  # ZM-TF-CWE311-001: IAM Policy Action 通配符 "*"
+  - id: zm-tf-cwe311-iam-wildcard-001
+    severity: HIGH
+    message: |
+      IAM 策略中 `Action` 包含通配符 `"*"` 且 `Effect` 为 `"Allow"` — 该策略授予了对所有服务的完全访问权限。
+      将 Action 明确限定为所需的具体操作，如 `["s3:GetObject", "s3:PutObject"]`。
+      生产环境严禁使用 `Action = "*"` 的 Allow 策略。
+    languages:
+      - terraform
+    pattern-either:
+      - pattern: |
+          resource "aws_iam_policy" $NAME {
+            ...
+            policy = "...\"Action\":\"*\"..."
+            ...
+          }
+      - pattern: |
+          resource "aws_iam_policy" $NAME {
+            ...
+            policy = "...\"Action\": [\"*\"..."
+            ...
+          }
+    metadata:
+      cwe: "CWE-311: Missing Encryption of Sensitive Data"
+      category: iac-terraform
+      precision: medium
+      confidence: high
+      tags: [terraform, aws, iam, wildcard, overprivileged]
+
+  # ZM-TF-CWE311-002: IAM Policy Resource 通配符 "*"
+  - id: zm-tf-cwe311-iam-wildcard-002
+    severity: HIGH
+    message: |
+      IAM 策略中 `Resource` 包含通配符 `"*"` 且 `Effect` 为 `"Allow"` — 该策略可操作账户下所有资源。
+      将 Resource 限定为具体 ARN，如 `"arn:aws:s3:::my-bucket/*"`。
+      除非是管理员角色，否则应遵循最小权限原则。
+    languages:
+      - terraform
+    pattern-either:
+      - pattern: |
+          resource "aws_iam_policy" $NAME {
+            ...
+            policy = "...\"Resource\":\"*\"..."
+            ...
+          }
+      - pattern: |
+          resource "aws_iam_policy" $NAME {
+            ...
+            policy = "...\"Resource\": [\"*\"..."
+            ...
+          }
+    metadata:
+      cwe: "CWE-311: Missing Encryption of Sensitive Data"
+      category: iac-terraform
+      precision: medium
+      confidence: high
+      tags: [terraform, aws, iam, wildcard, overprivileged]
+
+  # ZM-TF-CWE311-003: IAM Policy 同时 Action="*" + Resource="*"
+  - id: zm-tf-cwe311-iam-wildcard-003
+    severity: CRITICAL
+    message: |
+      IAM 策略中同时使用 `Action = "*"` 和 `Resource = "*"` — 这是最危险的策略配置，
+      授予了对所有 AWS 服务的所有资源的完全访问权限（等效于 AdministratorAccess）。
+      必须立即将该策略替换为细粒度权限，仅授予完成任务所需的最小操作和资源。
+    languages:
+      - terraform
+    pattern: |
+      resource "aws_iam_policy" $NAME {
+        ...
+        policy = "...\"Action\": \"*\"...\"Resource\": \"*\"..."
+        ...
+      }
+    metadata:
+      cwe: "CWE-311: Missing Encryption of Sensitive Data"
+      category: iac-terraform
+      precision: medium
+      confidence: high
+      tags: [terraform, aws, iam, wildcard, admin, overprivileged]

package/rules/unified/cwe-312/zm-js-cwe312-localstorage-jwt.yaml

@@ -0,0 +1,32 @@
+# Source: common | Cluster: N/A
+# CWE-312: localStorage.setItem 存储 JWT/Token 等敏感凭据
+# 逐码 ZhuMa V4.3 — JS/TS 前端安全规则库
+
+rules:
+
+- id: zm-js-localstorage-001
+  severity: WARNING
+  message: >
+    localStorage.setItem() 存储 token/JWT 等敏感凭据。localStorage 可被 XSS 攻击读取，
+    sessionStorage 或 httpOnly Cookie 是更安全的选择。
+    修复: 使用 httpOnly Secure SameSite Cookie 存储凭据，或使用 sessionStorage 代替。
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: localStorage.setItem('token', ...)
+    - pattern: localStorage.setItem("token", ...)
+    - pattern: localStorage.setItem('jwt', ...)
+    - pattern: localStorage.setItem("jwt", ...)
+    - pattern: localStorage.setItem('accessToken', ...)
+    - pattern: localStorage.setItem("accessToken", ...)
+    - pattern: localStorage.setItem('refreshToken', ...)
+    - pattern: localStorage.setItem("refreshToken", ...)
+    - pattern: localStorage.setItem('auth', ...)
+    - pattern: localStorage.setItem("auth", ...)
+  metadata:
+    cwe: "CWE-312: Cleartext Storage of Sensitive Information"
+    owasp: "A04:2021 - Insecure Design"
+    category: security
+    precision: medium
+    confidence: medium

package/rules/unified/cwe-319/zm-go-cwe319-grpc-notls.yaml

@@ -0,0 +1,119 @@
+# Source: common | Cluster: N/A
+# CWE-319: Go gRPC 明文传输（无TLS）
+# 逐码 ZhuMa V4.1 — Go 通用规则库
+# 检测: gRPC Server 未配置TLS / gRPC Client使用 insecure 拨号
+
+rules:
+
+# ZM-GO-GRPC-001: gRPC Server 未启用TLS
+- id: zm-go-grpc-tls-001
+  severity: ERROR
+  message: |
+    检测到 gRPC Server 未配置 TLS 传输层加密，所有通信数据将以明文
+    在网络上传输。攻击者可通过中间人攻击（MITM）窃听或篡改 RPC 调用，
+    包括认证令牌、业务数据和敏感参数。
+
+    CVE参考:
+    - CVE-2022-31081: gRPC Go 明文通信可被中间人攻击利用
+    - 违反 NIST SP 800-52 Rev.2 TLS 传输层加密要求
+
+    修复方案:
+    1. 使用 grpc.Creds(credentials.NewServerTLSFromFile(certFile, keyFile))
+    2. 生产环境使用来自 Let's Encrypt 或企业 CA 的有效证书
+    3. 开发环境可使用 insecure.NewCredentials() + 网络隔离，但禁止用于生产
+    4. 配置 TLS 1.2+ 并禁用弱密码套件
+    5. 服务间通信使用 mTLS 双向认证
+  languages:
+    - go
+  pattern-either:
+    - pattern: |
+        grpc.NewServer()
+    - pattern: |
+        grpc.NewServer(grpc.Creds(insecure.NewCredentials()))
+  metadata:
+    cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
+    severity: ERROR
+    precision: high
+    category: grpc-security
+    likelihood: HIGH
+    impact: HIGH
+    cve: "CVE-2022-31081"
+    owasp: "A02:2021 - Cryptographic Failures"
+    references:
+      - "https://grpc.io/docs/guides/auth/"
+      - "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf"
+
+# ZM-GO-GRPC-002: gRPC Client 使用 insecure 连接
+- id: zm-go-grpc-tls-002
+  severity: ERROR
+  message: |
+    检测到 gRPC Client 使用 grpc.WithInsecure()（已弃用）或
+    insecure.NewCredentials() 建立明文连接。攻击者可通过中间人攻击
+    拦截和篡改 gRPC 请求/响应，窃取认证令牌或注入恶意数据。
+
+    CVE参考:
+    - CVE-2019-9512/CVE-2019-9514/CVE-2019-9515: HTTP/2 DoS 漏洞，
+      使用明文 gRPC 时加剧影响
+    - gRPC-Go v1.43.0 起 WithInsecure() 已标记为弃用
+
+    修复方案:
+    1. 使用 grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(...))
+    2. 使用 grpc.WithCredentialsBundle 配置完整TLS
+    3. 至少使用系统根CA: credentials.NewClientTLSFromCert(nil, "")
+    4. 禁止在生产代码中使用 insecure 包
+  languages:
+    - go
+  pattern-either:
+    - pattern: grpc.WithInsecure()
+    - pattern: grpc.Dial($ADDR, grpc.WithInsecure(), ...)
+    - pattern: grpc.DialContext($CTX, $ADDR, grpc.WithInsecure(), ...)
+    - pattern: grpc.Dial($ADDR, grpc.WithTransportCredentials(insecure.NewCredentials()))
+    - pattern: grpc.NewClient($ADDR, grpc.WithTransportCredentials(insecure.NewCredentials()))
+  metadata:
+    cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
+    severity: ERROR
+    precision: high
+    category: grpc-security
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A02:2021 - Cryptographic Failures"
+    references:
+      - "https://github.com/grpc/grpc-go/issues/5087"
+      - "https://grpc.io/docs/guides/auth/"
+
+# ZM-GO-GRPC-003: gRPC Service 无认证拦截器
+- id: zm-go-grpc-auth-001
+  severity: ERROR
+  message: |
+    检测到 gRPC Server 注册了Service但未配置认证拦截器（UnaryInterceptor
+    或 StreamInterceptor）。缺少认证机制意味着任何可网络访问该服务的
+    攻击者都可以调用所有 RPC 方法，执行任意操作。
+
+    常见危险场景:
+    - 微服务架构中 gRPC 端口未做网络隔离且无认证
+    - 暴露在公网或内网中的 gRPC 服务无 JWT/OAuth2 校验
+
+    修复方案:
+    1. Unary RPC 认证:
+       grpc.UnaryInterceptor(grpc_auth.UnaryServerInterceptor(authFunc))
+    2. Stream RPC 认证:
+       grpc.StreamInterceptor(grpc_auth.StreamServerInterceptor(authFunc))
+    3. 使用 grpc-ecosystem/go-grpc-middleware 的 auth 中间件
+    4. 实现 JWT/OAuth2/mTLS Token 校验逻辑
+    5. 结合网络策略限制 gRPC 端口访问来源
+  languages:
+    - go
+  pattern-either:
+    - pattern: $SERVER.RegisterService($SD, $IMPL)
+    - pattern: $SERVER.RegisterService($SD, $SS)
+  metadata:
+    cwe: "CWE-306: Missing Authentication for Critical Function"
+    severity: ERROR
+    precision: medium
+    category: grpc-security
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A01:2021 - Broken Access Control"
+    references:
+      - "https://github.com/grpc-ecosystem/go-grpc-middleware/tree/main/auth"
+      - "https://grpc.io/docs/guides/auth/"

package/rules/unified/cwe-319/zm-tf-cwe319-rds-public-snapshot.yaml

@@ -0,0 +1,47 @@
+# Source: iac | Cluster: N/A
+rules:
+  - id: zm-tf-cwe319-rds-public-snapshot
+    metadata:
+      cwe: ["CWE-200"]
+      confidence: HIGH
+      likelihood: MEDIUM
+      impact: HIGH
+      owasp: ["A01:2021"]
+      cve: ["CVE-2021-35941"]
+    message: >-
+      RDS数据库快照公开共享。修复：设置publicly_accessible=false并KMS加密。
+    languages: [hcl]
+    severity: ERROR
+    patterns:
+      - pattern: publicly_accessible = true
+  - id: zm-tf-cwe489-cloudtrail-logging-disabled
+    metadata:
+      cwe: ["CWE-778"]
+      confidence: HIGH
+      likelihood: MEDIUM
+      impact: HIGH
+      owasp: ["A09:2021"]
+      cve: ["CVE-2019-12873"]
+    message: >-
+      CloudTrail未启用日志文件验证。修复：enable_log_file_validation=true。
+    languages: [hcl]
+    severity: WARNING
+    patterns:
+      - pattern: enable_log_file_validation = false
+  - id: zm-tf-cwe200-s3-encryption-missing
+    metadata:
+      cwe: ["CWE-200"]
+      confidence: MEDIUM
+      likelihood: MEDIUM
+      impact: MEDIUM
+      owasp: ["A02:2021"]
+      cve: ["CVE-2017-7753"]
+    message: >-
+      S3 Bucket未启用默认加密。修复：添加server_side_encryption_configuration。
+    languages: [generic]
+    severity: WARNING
+    paths:
+      include: ["*.tf"]
+    patterns:
+      - pattern-regex: 'aws_s3_bucket'
+      - pattern-not-regex: 'server_side_encryption_configuration'

package/rules/unified/cwe-319/zm-tf-cwe319-rds-public.yaml

@@ -0,0 +1,73 @@
+# Source: iac | Cluster: N/A
+# 逐码 ZhuMa IaC 规则 — Terraform RDS/数据库公网暴露检测
+# V4.1 Sprint — CWE-319: Cleartext Transmission of Sensitive Information
+
+rules:
+  # ZM-TF-CWE319-001: AWS RDS publicly_accessible = true
+  - id: zm-tf-cwe319-rds-public-001
+    severity: HIGH
+    message: |
+      AWS RDS 实例 `publicly_accessible` 设为 `true` — 数据库直接暴露在公网，极易被扫描和暴力破解。
+      将 `publicly_accessible` 改为 `false`，数据库仅通过 VPC 内部访问。
+      如需外部管理，使用堡垒机或 SSM Session Manager 转发。
+    languages:
+      - terraform
+    pattern: |
+      resource "aws_db_instance" $NAME {
+        ...
+        publicly_accessible = true
+        ...
+      }
+    metadata:
+      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
+      category: iac-terraform
+      precision: very-high
+      confidence: high
+      tags: [terraform, aws, rds, public-access, database-exposure]
+
+  # ZM-TF-CWE319-002: AWS RDS publicly_accessible 未显式设 false
+  - id: zm-tf-cwe319-rds-public-002
+    severity: MEDIUM
+    message: |
+      AWS RDS 实例未显式设置 `publicly_accessible = false` — 默认值取决于子网是否为公有子网。
+      应在 resource 中显式声明 `publicly_accessible = false` 以确保数据库不对外暴露。
+    languages:
+      - terraform
+    pattern: |
+      resource "aws_db_instance" $NAME {
+        ...
+      }
+    pattern-not: |
+      resource "aws_db_instance" $NAME {
+        ...
+        publicly_accessible = ...
+        ...
+      }
+    metadata:
+      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
+      category: iac-terraform
+      precision: medium
+      confidence: medium
+      tags: [terraform, aws, rds, public-access, missing-config]
+
+  # ZM-TF-CWE319-003: 阿里云 RDS address_type "Internet"
+  - id: zm-tf-cwe319-rds-public-003
+    severity: HIGH
+    message: |
+      阿里云 RDS 实例分配了公网连接地址 (`address_type = "Internet"`) — 数据库暴露在公网。
+      移除 `alicloud_db_connection` 中的公网地址配置，仅保留 `Intranet` 类型地址，
+      或通过 DMS 等管控平台进行安全访问。
+    languages:
+      - terraform
+    pattern: |
+      resource "alicloud_db_connection" $NAME {
+        ...
+        address_type = "Internet"
+        ...
+      }
+    metadata:
+      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
+      category: iac-terraform
+      precision: very-high
+      confidence: high
+      tags: [terraform, alicloud, rds, public-access, database-exposure]

package/rules/unified/cwe-326/cwe-326-weak-key-size.yaml

@@ -0,0 +1,108 @@
+# Source: common | Cluster: N/A
+# CWE-326: Inadequate Encryption Strength
+# ZhuMa V4.0 Alpha -- Common Rules
+
+rules:
+
+# ZM-JAVA-WEAKKEY-001: AES key size < 128 bits
+- id: zm-java-weakkey-001
+  severity: CRITICAL
+  message: |
+    AES key size below 128 bits detected. NIST SP 800-57 Part 1 requires >= 128-bit
+    security strength. Standard AES key lengths are 128, 192, or 256 bits.
+    Production environments should use AES-256.
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $KG.init(64)
+    - pattern: |
+        $KG.init(96)
+    - pattern: |
+        $KG.init(8)
+    - pattern: |
+        $KG.init(16)
+    - pattern: |
+        $KG.init(32)
+    - pattern: |
+        $KG.init(40)
+    - pattern: |
+        $KG.init(48)
+    - pattern: |
+        $KG.init(56)
+    - pattern: |
+        $KG.init(80)
+    - pattern: |
+        $KG.init(112)
+    - pattern: |
+        $KG.init(127)
+  metadata:
+    cwe: "CWE-326: Inadequate Encryption Strength"
+    owasp: "A02:2021 - Cryptographic Failures"
+    precision: very-high
+    industries:
+      - common
+    references:
+      - "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf"
+      - "https://cwe.mitre.org/data/definitions/326.html"
+
+# ZM-JAVA-WEAKKEY-002: RSA key size < 2048 bits
+- id: zm-java-weakkey-002
+  severity: CRITICAL
+  message: |
+    RSA key size below 2048 bits detected. NIST SP 800-131A Rev.2 requires RSA >= 2048.
+    RSA-512/768/1024 have been demonstrated factorable.
+    Use 2048, 3072, or 4096 bits.
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $KPG.initialize(512)
+    - pattern: |
+        $KPG.initialize(768)
+    - pattern: |
+        $KPG.initialize(1024)
+    - pattern: |
+        $KPG.initialize(1536)
+    - pattern: |
+        $KPG.initialize(2047)
+  metadata:
+    cwe: "CWE-326: Inadequate Encryption Strength"
+    owasp: "A02:2021 - Cryptographic Failures"
+    precision: very-high
+    industries:
+      - common
+    references:
+      - "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf"
+      - "https://cwe.mitre.org/data/definitions/326.html"
+
+# ZM-JAVA-WEAKKEY-003: EC key size < 256 bits
+- id: zm-java-weakkey-003
+  severity: HIGH
+  message: |
+    EC key size below 256 bits detected. NIST SP 800-57 recommends >= 256-bit curves.
+    secp192r1/secp224r1 provide < 128-bit equivalent security.
+    Use secp256r1 (P-256), secp384r1 (P-384), secp521r1 (P-521), or Curve25519.
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $KPG.initialize(192)
+    - pattern: |
+        $KPG.initialize(224)
+    - pattern: |
+        $KPG.initialize(128)
+    - pattern: |
+        $KPG.initialize(160)
+    - pattern: |
+        $KPG.initialize(255)
+  metadata:
+    cwe: "CWE-326: Inadequate Encryption Strength"
+    owasp: "A02:2021 - Cryptographic Failures"
+    precision: high
+    industries:
+      - common
+    references:
+      - "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf"
+      - "https://safecurves.cr.yp.to/"
+      - "https://cwe.mitre.org/data/definitions/326.html"

package/rules/unified/cwe-326/zm-go-cwe326-hmac-iv-nonce.yaml

@@ -0,0 +1,73 @@
+# Source: common | Cluster: N/A
+# CWE-326: Go HMAC弱key / crypto/rand IV/nonce场景
+# 逐码 ZhuMa V4.3 — Go 通用规则库
+# 检测: HMAC使用弱key(长度不足)、IV/nonce使用math/rand
+
+rules:
+
+# ZM-GO-WEAKCRYPTO-004: HMAC弱key(长度不足)
+- id: zm-go-weakcrypto-004
+  severity: WARNING
+  message: |
+    检测到 HMAC 使用长度不足的密钥。
+    HMAC 安全强度取决于密钥长度：HMAC-SHA256需要≥32字节密钥，
+    短密钥降低暴力破解难度。
+
+    修复方案:
+    1. 使用 crypto/rand 生成≥32字节随机密钥: 
+       key := make([]byte, 32); rand.Read(key)
+    2. HMAC-SHA256: hmac.New(sha256.New, key) 密钥≥32字节
+    3. HMAC-SHA512: 密钥≥64字节
+    4. 使用 golang.org/x/crypto/pbkdf2 从密码派生密钥
+  languages:
+    - go
+  pattern-either:
+    - pattern: |
+        hmac.New(sha256.New, []byte($SHORTKEY))
+    - pattern: |
+        hmac.New(md5.New, ...)
+  metadata:
+    cwe: "CWE-326: Inadequate Encryption Strength"
+    severity: WARNING
+    precision: medium
+    category: crypto
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A02:2021 - Cryptographic Failures"
+    references:
+      - "https://pkg.go.dev/crypto/hmac"
+
+# ZM-GO-WEAKCRYPTO-005: IV/nonce使用math/rand
+- id: zm-go-weakcrypto-005
+  severity: ERROR
+  message: |
+    检测到加密IV(初始化向量)或nonce使用了 math/rand 生成。
+    IV/nonce在AES-GCM/AES-CBC等模式中必须使用密码学安全随机数。
+    math/rand 是可预测的，攻击者预测IV后可破坏加密安全性。
+
+    修复方案:
+    1. 使用 crypto/rand 生成IV: iv := make([]byte, 12); rand.Read(iv)
+    2. AES-GCM推荐12字节nonce: gcm.Seal(nil, nonce, plaintext, nil)
+    3. 使用 crypto/cipher.NewGCM 自动管理nonce更安全
+    4. 代码审查: 检查所有 enc/dec/cipher 上下文中是否误用 math/rand
+  languages:
+    - go
+  pattern-either:
+    - pattern: |
+        $IV[rand.Intn($N)]
+    - pattern: |
+        cipher.NewCBCEncrypter($BLOCK, $IV)
+    - pattern: |
+        cipher.NewCTR($BLOCK, $IV)
+    - pattern: |
+        $GCM.Seal($DST, $NONCE, $PLAINTEXT, $AAD)
+  metadata:
+    cwe: "CWE-326: Inadequate Encryption Strength"
+    severity: ERROR
+    precision: medium
+    category: crypto
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A02:2021 - Cryptographic Failures"
+    references:
+      - "https://pkg.go.dev/crypto/cipher"

package/rules/unified/cwe-326/zm-go-cwe326-weak-crypto.yaml

@@ -0,0 +1,125 @@
+# Source: common | Cluster: N/A
+# CWE-326: Go 弱加密算法检测
+# 逐码 ZhuMa V4.1 — Go 通用规则库
+# 检测: crypto/md5、crypto/sha1、crypto/des、crypto/rc4 使用
+
+rules:
+
+# ZM-GO-WEAKCRYPTO-001: MD5 哈希算法使用
+- id: zm-go-weakcrypto-001
+  severity: WARNING
+  message: |
+    检测到使用 crypto/md5 哈希算法。
+    MD5 已被证实存在碰撞攻击（2004年王小云），SHA-1 也于2017年
+    被Google实现首个碰撞攻击（SHAttered）。
+    MD5 不应用于安全场景（密码存储、数字签名、证书验证、完整性校验）。
+
+    修复方案:
+    1. 数字签名/完整性校验: crypto/sha256 或 crypto/sha512
+    2. 密码存储: golang.org/x/crypto/bcrypt 或 argon2
+    3. HMAC: crypto/hmac + sha256
+    4. 若仅用于非安全用途（如哈希表键），添加 //nolint 注释忽略
+  languages:
+    - go
+  pattern-either:
+    - pattern: md5.New()
+    - pattern: md5.Sum($DATA)
+    - pattern: md5Sum($DATA)
+  metadata:
+    cwe: "CWE-326: Inadequate Encryption Strength"
+    severity: WARNING
+    precision: very-high
+    category: crypto
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A02:2021 - Cryptographic Failures"
+    references:
+      - "https://shattered.io/"
+      - "https://cwe.mitre.org/data/definitions/326.html"
+
+# ZM-GO-WEAKCRYPTO-002: SHA-1 哈希算法使用
+- id: zm-go-weakcrypto-002
+  severity: WARNING
+  message: |
+    检测到使用 crypto/sha1 哈希算法。
+    SHA-1 已被 Google 实现碰撞攻击（SHAttered, 2017）。
+    主流浏览器和CA机构已于2017年停止信任SHA-1证书。
+    SHA-1 不应用于数字签名、证书或密码存储。
+
+    修复方案:
+    1. 升级至 crypto/sha256 或更安全的哈希算法
+    2. 密码存储使用 bcrypt/argon2
+    3. 签名场景使用 SHA256withRSA 或 ECDSA
+  languages:
+    - go
+  pattern-either:
+    - pattern: sha1.New()
+    - pattern: sha1.Sum($DATA)
+    - pattern: sha1Sum($DATA)
+  metadata:
+    cwe: "CWE-326: Inadequate Encryption Strength"
+    severity: WARNING
+    precision: very-high
+    category: crypto
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A02:2021 - Cryptographic Failures"
+    references:
+      - "https://shattered.io/"
+      - "https://www.schneier.com/blog/archives/2005/02/sha1_broken.html"
+
+# ZM-GO-WEAKCRYPTO-003: DES 对称加密使用
+- id: zm-go-weakcrypto-003
+  severity: WARNING
+  message: |
+    检测到使用 crypto/des 对称加密算法。
+    DES 使用56位密钥（有效仅56位），现代硬件可在数小时内暴力破解。
+    Triple DES (3DES) 也仅提供112位有效安全强度，且存在Sweet32攻击。
+    不符合 NIST SP 800-131A Rev.2 标准。
+
+    修复方案:
+    1. 使用 crypto/aes + GCM 模式: AES-256-GCM
+    2. 使用 nacl/secretbox (XSalsa20-Poly1305)
+    3. 迁移所有 DES 加密数据到 AES
+  languages:
+    - go
+  pattern-either:
+    - pattern: des.NewCipher($KEY)
+    - pattern: des.NewTripleDESCipher($KEY)
+  metadata:
+    cwe: "CWE-326: Inadequate Encryption Strength"
+    severity: WARNING
+    precision: very-high
+    category: crypto
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A02:2021 - Cryptographic Failures"
+    references:
+      - "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf"
+
+# ZM-GO-WEAKCRYPTO-004: RC4 流密码使用
+- id: zm-go-weakcrypto-004
+  severity: WARNING
+  message: |
+    检测到使用 crypto/rc4 流密码。
+    RC4 存在已知的密钥流偏向性攻击（2013年RFC 7465已禁止在TLS中使用RC4）。
+    流密码本身的使用模式若不正确也易引入重放攻击。
+
+    修复方案:
+    1. 使用 AES-GCM（认证加密）替代RC4
+    2. 或使用 ChaCha20-Poly1305 (golang.org/x/crypto/chacha20poly1305)
+    3. 所有敏感数据使用AEAD（带关联数据的认证加密）模式
+  languages:
+    - go
+  pattern-either:
+    - pattern: rc4.NewCipher($KEY)
+  metadata:
+    cwe: "CWE-326: Inadequate Encryption Strength"
+    severity: WARNING
+    precision: very-high
+    category: crypto
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A02:2021 - Cryptographic Failures"
+    references:
+      - "https://datatracker.ietf.org/doc/rfc7465/"