npm - @zhuma4/cli - Versions diffs - 4.0.0-alpha.1 → 4.3.0 - Mend

@zhuma4/cli 4.0.0-alpha.1 → 4.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1128) hide show

package/rules/community-merged/cwe-155/system-wildcard-detected.yaml ADDED Viewed

@@ -0,0 +1,38 @@
+# Source: semgrep-community | Cluster: python-155
+rules:
+- id: system-wildcard-detected
+  patterns:
+  - pattern-either:
+    - pattern-inside: os.system("...")
+    - pattern-inside: os.popen("...")
+    - pattern-inside: os.popen2("...")
+    - pattern-inside: os.popen3("...")
+    - pattern-inside: os.popen4("...")
+    - pattern-inside: subprocess.$W(..., shell=True, ...)
+  - pattern-regex: (tar|chmod|chown|rsync)(.*?)\*
+  message: >-
+    Detected use of the wildcard character in a system call that spawns a shell.
+    This subjects the wildcard to normal shell expansion, which can have unintended
+    consequences
+    if there exist any non-standard file names. Consider a file named '-e sh script.sh'
+    -- this
+    will execute a script when 'rsync' is called. See
+    https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt
+    for more information.
+  metadata:
+    cwe:
+    - 'CWE-155: Improper Neutralization of Wildcards or Matching Symbols'
+    owasp: 'A01:2017 - Injection'
+    source-url-open: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/injection_wildcard.py
+    references:
+    - https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt
+    category: security
+    technology:
+    - python
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: LOW
+    confidence: LOW
+  languages: [python]
+  severity: WARNING

package/rules/community-merged/cwe-183/permissive-cors.yaml ADDED Viewed

@@ -0,0 +1,78 @@
+# Source: semgrep-community | Cluster: java-183
+rules:
+- id: permissive-cors
+  message: >-
+    https://find-sec-bugs.github.io/bugs.htm#PERMISSIVE_CORS
+    Permissive CORS policy will allow a malicious application to communicate with
+    the victim application in an inappropriate way, leading to spoofing, data theft,
+    relay and other attacks.
+  metadata:
+    cwe:
+    - 'CWE-183: Permissive List of Allowed Inputs'
+    asvs:
+      section: 'V14: Configuration Verification Requirements'
+      control_id: 14.4.8 Permissive CORS
+      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x22-V14-Config.md#v144-http-security-headers-requirements
+      version: '4'
+    category: security
+    technology:
+    - java
+    owasp:
+    - A04:2021 - Insecure Design
+    - A06:2025 - Insecure Design
+    references:
+    - https://owasp.org/Top10/A04_2021-Insecure_Design
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: LOW
+    confidence: LOW
+  severity: WARNING
+  languages: [java]
+  pattern-either:
+  - pattern: |
+      HttpServletResponse $RES = ...;
+      ...
+      $RES.addHeader("=~/access-control-allow-origin/i", "=~/^\*|null$/i");
+  - pattern: |
+      HttpServletResponse $RES = ...;
+      ...
+      $RES.setHeader("=~/access-control-allow-origin/i", "=~/^\*|null$/i");
+  - pattern: |
+      ServerHttpResponse $RES = ...;
+      ...
+      $RES.getHeaders().add("=~/access-control-allow-origin/i", "=~/^\*|null$/i");
+  - pattern: |
+      HttpHeaders $HEADERS = ...;
+      ...
+      $HEADERS.set("=~/access-control-allow-origin/i", "=~/^\*|null$/i");
+  - pattern: |
+      ServerWebExchange $SWE = ...;
+      ...
+      $SWE.getResponse().getHeaders().add("Access-Control-Allow-Origin", "*");
+  - pattern: |
+      $X $METHOD(...,HttpServletResponse $RES,...) {
+        ...
+        $RES.addHeader("=~/access-control-allow-origin/i", "=~/^\*|null$/i");
+        ...
+      }
+  - pattern: |
+      $X $METHOD(...,HttpServletResponse $RES,...) {
+        ...
+        $RES.setHeader("=~/access-control-allow-origin/i", "=~/^\*|null$/i");
+        ...
+      }
+  - pattern: |
+      $X $METHOD(...,ServerHttpResponse $RES,...) {
+        ...
+        $RES.getHeaders().add("=~/access-control-allow-origin/i", "=~/^\*|null$/i");
+        ...
+      }
+  - pattern: |
+      $X $METHOD(...,ServerWebExchange $SWE,...) {
+        ...
+        $SWE.getResponse().getHeaders().add("=~/access-control-allow-origin/i", "=~/^\*|null$/i");
+        ...
+      }
+  - pattern: ResponseEntity.$RES().header("=~/access-control-allow-origin/i", "=~/^\*|null$/i")
+  - pattern: ServerResponse.$RES().header("=~/access-control-allow-origin/i", "=~/^\*|null$/i")

package/rules/community-merged/cwe-20/django-using-request-post-after-is-valid.yaml ADDED Viewed

@@ -0,0 +1,28 @@
+# Source: semgrep-community | Cluster: python-20
+rules:
+  - id: django-using-request-post-after-is-valid
+    patterns:
+      - pattern-inside: |
+          def $FUNC(request, ...):
+            ...
+      - pattern-inside: |
+          if $FORM.is_valid():
+            ...
+      - pattern-either:
+        - pattern: request.POST[...]
+        - pattern: request.POST.get(...)
+    message: Use $FORM.cleaned_data[] instead of request.POST[] after form.is_valid() has been executed to only access sanitized data
+    languages: [python]
+    severity: WARNING
+    metadata:
+      category: security
+      cwe: "CWE-20: Improper Input Validation"
+      references:
+      - https://docs.djangoproject.com/en/4.2/ref/forms/api/#accessing-clean-data
+      confidence: MEDIUM
+      likelihood: MEDIUM
+      impact: MEDIUM
+      subcategory:
+        - audit
+      technology:
+        - django

package/rules/community-merged/cwe-20/host-header-injection-python.yaml ADDED Viewed

@@ -0,0 +1,46 @@
+# Source: semgrep-community | Cluster: python-20
+rules:
+- id: host-header-injection-python
+  message: >-
+    The `flask.request.host` is used to construct an HTTP request.
+    This can lead to host header injection issues. Vulnerabilities
+    that generally occur due to this issue are authentication bypasses,
+    password reset issues, Server-Side-Request-Forgery (SSRF), and many more.
+    It is recommended to validate the URL before passing it to a
+    request library, or using application logic such as authentication
+    or password resets.
+  patterns:
+  - pattern-either:
+    - pattern: |
+        $X = <... "=~/.*http[s]*:///" + flask.request.host ...>;
+    - pattern: |
+        $X = <... "=~/.*http[s]*:///" + flask.request["host"] ...>;
+    - pattern: |
+        $Z = flask.request.host;
+        ...
+        $X = <... "=~/.*http[s]*:///" + $Z ...>;
+    - pattern: |
+        $Z = flask.request["host"];
+        ...
+        $X = <... "=~/.*http[s]*:///" + $Z ...>;
+  - pattern-inside: |
+      @$APP.route($ROUTE, ...)
+      def $FUNC():
+        ...
+  languages:
+  - python
+  severity: INFO
+  metadata:
+    cwe:
+      - 'CWE-20: Improper Input Validation'
+    category: security
+    references:
+    -  https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/17-Testing_for_Host_Header_Injection
+    - https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
+    technology:
+    - flask
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: MEDIUM
+    confidence: LOW

package/rules/community-merged/cwe-200/bind.yaml ADDED Viewed

@@ -0,0 +1,40 @@
+# Source: semgrep-community | Cluster: python-200
+rules:
+- id: avoid-bind-to-all-interfaces
+  message: >-
+    Running `socket.bind` to 0.0.0.0, or empty string could unexpectedly
+    expose the server publicly as it binds to all available interfaces. Consider
+    instead getting correct address from an environment variable or
+    configuration file.
+  metadata:
+    cwe:
+    - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor'
+    owasp:
+    - A01:2021 - Broken Access Control
+    - A01:2025 - Broken Access Control
+    category: security
+    technology:
+    - python
+    references:
+    - https://owasp.org/Top10/A01_2021-Broken_Access_Control
+    cwe2021-top25: true
+    subcategory:
+    - vuln
+    likelihood: HIGH
+    impact: MEDIUM
+    confidence: HIGH
+  languages: [python]
+  severity: INFO
+  pattern-either:
+  - pattern: |
+      $S = socket.socket(...)
+      ...
+      $S.bind(("0.0.0.0", ...))
+  - pattern: |
+      $S = socket.socket(...)
+      ...
+      $S.bind(("::", ...))
+  - pattern: |
+      $S = socket.socket(...)
+      ...
+      $S.bind(("", ...))

package/rules/community-merged/cwe-200/bind_all.yaml ADDED Viewed

@@ -0,0 +1,32 @@
+# Source: semgrep-community | Cluster: go-200
+rules:
+- id: avoid-bind-to-all-interfaces
+  message: >-
+    Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose
+    the server publicly as it binds to all available interfaces. Instead, specify another IP address
+    that is not 0.0.0.0 nor the empty string.
+  languages: [go]
+  severity: WARNING
+  metadata:
+    cwe:
+    - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor'
+    owasp:
+    - A01:2021 - Broken Access Control
+    - A01:2025 - Broken Access Control
+    source-rule-url: https://github.com/securego/gosec
+    category: security
+    technology:
+    - go
+    confidence: HIGH
+    references:
+    - https://owasp.org/Top10/A01_2021-Broken_Access_Control
+    cwe2021-top25: true
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: MEDIUM
+  pattern-either:
+  - pattern: tls.Listen($NETWORK, "=~/^0.0.0.0:.*$/", ...)
+  - pattern: net.Listen($NETWORK, "=~/^0.0.0.0:.*$/", ...)
+  - pattern: tls.Listen($NETWORK, "=~/^:.*$/", ...)
+  - pattern: net.Listen($NETWORK, "=~/^:.*$/", ...)

package/rules/community-merged/cwe-200/spring-actuator-fully-enabled.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+# Source: semgrep-community | Cluster: java-200
+rules:
+- id: spring-actuator-fully-enabled
+  pattern: management.endpoints.web.exposure.include=*
+  message: >-
+    Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile,
+    /actuator/heapdump and others.
+    Unless you have Spring Security enabled or another means to protect these endpoints, this functionality
+    is available without authentication, causing a significant security risk.
+  severity: ERROR
+  languages: [generic]
+  paths:
+    include:
+    - '*properties'
+  metadata:
+    cwe:
+    - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor'
+    owasp:
+    - A01:2021 - Broken Access Control
+    - A01:2025 - Broken Access Control
+    references:
+    - https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints
+    - https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785
+    - https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators
+    category: security
+    technology:
+    - spring
+    cwe2021-top25: true
+    subcategory:
+    - vuln
+    likelihood: MEDIUM
+    impact: HIGH
+    confidence: MEDIUM

package/rules/community-merged/cwe-200/url-rewriting.yaml ADDED Viewed

@@ -0,0 +1,83 @@
+# Source: semgrep-community | Cluster: java-200
+rules:
+- id: url-rewriting
+  message: >-
+    URL rewriting has significant security risks.
+    Since session ID appears in the URL, it may be easily seen by third parties.
+  metadata:
+    cwe:
+    - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor'
+    owasp:
+    - A01:2021 - Broken Access Control
+    - A01:2025 - Broken Access Control
+    source-rule-url: https://find-sec-bugs.github.io/bugs.htm#URL_REWRITING
+    category: security
+    technology:
+    - java
+    references:
+    - https://owasp.org/Top10/A01_2021-Broken_Access_Control
+    cwe2021-top25: true
+    subcategory:
+    - vuln
+    likelihood: LOW
+    impact: MEDIUM
+    confidence: LOW
+  severity: WARNING
+  languages: [java]
+  pattern-either:
+  - pattern: |
+      $X $METHOD(...,HttpServletResponse $RES,...) {
+        ...
+        $RES.encodeURL(...);
+        ...
+      }
+  - pattern: |
+      $X $METHOD(...,HttpServletResponse $RES,...) {
+        ...
+        $RES.encodeUrl(...);
+        ...
+      }
+  - pattern: |
+      $X $METHOD(...,HttpServletResponse $RES,...) {
+        ...
+        $RES.encodeRedirectURL(...);
+        ...
+      }
+  - pattern: |
+      $X $METHOD(...,HttpServletResponse $RES,...) {
+        ...
+        $RES.encodeRedirectUrl(...);
+        ...
+      }
+  - pattern: |
+      $X $METHOD(...) {
+        ...
+        HttpServletResponse $RES = ...;
+        ...
+        $RES.encodeURL(...);
+        ...
+      }
+  - pattern: |
+      $X $METHOD(...) {
+        ...
+        HttpServletResponse $RES = ...;
+        ...
+        $RES.encodeUrl(...);
+        ...
+      }
+  - pattern: |
+      $X $METHOD(...) {
+        ...
+        HttpServletResponse $RES = ...;
+        ...
+        $RES.encodeRedirectURL(...);
+        ...
+      }
+  - pattern: |-
+      $X $METHOD(...) {
+        ...
+        HttpServletResponse $RES = ...;
+        ...
+        $RES.encodeRedirectUrl(...);
+        ...
+      }

package/rules/community-merged/cwe-23/tainted-file-path.yaml ADDED Viewed

@@ -0,0 +1,78 @@
+# Source: semgrep-community | Cluster: java-23
+rules:
+- id: tainted-file-path
+  languages:
+  - java
+  severity: ERROR
+  message: >-
+    Detected user input controlling a file path. An attacker could control the location of this
+    file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled
+    variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...)
+    to only retrieve the file name from the path.
+  options:
+    interfile: true
+  metadata:
+    cwe:
+    - 'CWE-23: Relative Path Traversal'
+    owasp:
+    - A01:2021 - Broken Access Control
+    - A01:2025 - Broken Access Control
+    references:
+    - https://owasp.org/www-community/attacks/Path_Traversal
+    category: security
+    technology:
+    - java
+    - spring
+    subcategory:
+    - vuln
+    impact: HIGH
+    likelihood: MEDIUM
+    confidence: HIGH
+    interfile: true
+  mode: taint
+  pattern-sources:
+  - patterns:
+    - pattern-either:
+      - pattern-inside: |
+          $METHODNAME(..., @$REQ(...) $TYPE $SOURCE,...) {
+            ...
+          }
+      - pattern-inside: |
+          $METHODNAME(..., @$REQ $TYPE $SOURCE,...) {
+            ...
+          }
+    - metavariable-regex:
+        metavariable: $TYPE
+        regex: ^(?!(Integer|Long|Float|Double|Char|Boolean|int|long|float|double|char|boolean))
+    - metavariable-regex:
+        metavariable: $REQ
+        regex: (RequestBody|PathVariable|RequestParam|RequestHeader|CookieValue|ModelAttribute)
+    - focus-metavariable: $SOURCE
+  pattern-sinks:
+  - patterns:
+    - pattern-either:
+      - pattern: new File(...)
+      - pattern: new java.io.File(...)
+      - pattern: new FileReader(...)
+      - pattern: new java.io.FileReader(...)
+      - pattern: new FileInputStream(...)
+      - pattern: new java.io.FileInputStream(...)
+      - pattern: (Paths $PATHS).get(...)
+      - patterns:
+        - pattern: |
+            $CLASS.$FUNC(...)
+        - metavariable-regex:
+            metavariable: $FUNC
+            regex: ^(getResourceAsStream|getResource)$
+      - patterns:
+        - pattern-either:
+          - pattern: new ClassPathResource($FILE, ...)
+          - pattern: ResourceUtils.getFile($FILE, ...)
+          - pattern: new FileOutputStream($FILE, ...)
+          - pattern: new java.io.FileOutputStream($FILE, ...)
+          - pattern: new StreamSource($FILE, ...)
+          - pattern: new javax.xml.transform.StreamSource($FILE, ...)
+          - pattern: FileUtils.openOutputStream($FILE, ...)
+        - focus-metavariable: $FILE
+  pattern-sanitizers:
+  - pattern: org.apache.commons.io.FilenameUtils.getName(...)

package/rules/community-merged/cwe-242/unsafe.yaml ADDED Viewed

@@ -0,0 +1,25 @@
+# Source: semgrep-community | Cluster: go-242
+rules:
+- id: use-of-unsafe-block
+  message: >-
+    Using the unsafe package in Go gives you low-level memory management and many of the strengths of
+    the C language, but also steps around the type safety of Go and can lead to buffer overflows and
+    possible arbitrary code execution by an attacker.
+    Only use this package if you absolutely know what you're doing.
+  languages: [go]
+  severity: WARNING
+  metadata:
+    cwe:
+    - 'CWE-242: Use of Inherently Dangerous Function'
+    source_rule_url: https://github.com/securego/gosec/blob/master/rules/unsafe.go
+    category: security
+    technology:
+    - go
+    confidence: LOW
+    references:
+    - https://cwe.mitre.org/data/definitions/242.html
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: LOW
+  pattern: unsafe.$FUNC(...)

package/rules/community-merged/cwe-250/docker-arbitrary-container-run.yaml ADDED Viewed

@@ -0,0 +1,39 @@
+# Source: semgrep-community | Cluster: python-250
+rules:
+- id: docker-arbitrary-container-run
+  patterns:
+  - pattern-either:
+    - pattern-inside: |
+        $CLIENT = docker.from_env()
+        ...
+    - pattern-inside: |
+        $CLIENT = docker.DockerClient(...)
+        ...
+  - pattern-either:
+    - pattern: |
+        $CLIENT.containers.run(...)
+    - pattern: |
+        $CLIENT.containers.create(...)
+  - pattern-not: |
+      $CLIENT.containers.run("...",...)
+  - pattern-not: |
+      $CLIENT.containers.create("...",...)
+  message: >-
+    If unverified user data can reach the `run` or `create` method it can result in running arbitrary
+    container.
+  languages:
+  - python
+  severity: WARNING
+  metadata:
+    cwe:
+    - 'CWE-250: Execution with Unnecessary Privileges'
+    category: security
+    technology:
+    - docker
+    references:
+    - https://cwe.mitre.org/data/definitions/250.html
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: HIGH
+    confidence: LOW

package/rules/community-merged/cwe-269/do-privileged-use.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+# Source: semgrep-community | Cluster: java-269
+rules:
+- id: do-privileged-use
+  severity: WARNING
+  languages:
+  - java
+  metadata:
+    cwe:
+    - 'CWE-269: Improper Privilege Management'
+    references:
+    - https://docs.oracle.com/javase/8/docs/technotes/guides/security/doprivileged.html
+    - https://wiki.sei.cmu.edu/confluence/display/java/Privilege+Escalation
+    - http://phrack.org/papers/escaping_the_java_sandbox.html
+    category: security
+    technology:
+    - java
+    owasp:
+    - A04:2021 - Insecure Design
+    - A06:2025 - Insecure Design
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: MEDIUM
+    confidence: LOW
+  message: >-
+    Marking code as privileged enables a piece of trusted code to temporarily
+    enable access to more resources than are available directly to the code
+    that called it. Be very careful in your use of the privileged construct,
+    and always remember to make the privileged code section as small as possible.
+  patterns:
+  - pattern-inside: |
+      import java.security.*;
+      ...
+  - pattern-either:
+    - pattern: AccessController.doPrivileged(...);
+    - pattern: class $ACTION implements PrivilegedAction<Void> { ... }

package/rules/community-merged/cwe-276/file_permission.yaml ADDED Viewed

@@ -0,0 +1,32 @@
+# Source: semgrep-community | Cluster: go-276
+rules:
+  - id: incorrect-default-permission
+    message:
+      Detected file permissions that are set to more than `0600` (user/owner can read and write). Setting file permissions
+      to higher than `0600` is most likely unnecessary and violates the principle of least privilege. Instead, set permissions
+      to be `0600` or less for os.Chmod, os.Mkdir, os.OpenFile, os.MkdirAll, and ioutil.WriteFile
+    metadata:
+      cwe: "CWE-276: Incorrect Default Permissions"
+      source_rule_url: https://github.com/securego/gosec
+      category: correctness
+      references:
+        - https://github.com/securego/gosec/blob/master/rules/fileperms.go
+      technology:
+        - go
+    severity: WARNING
+    languages: [go]
+    patterns:
+      - pattern-either:
+          - pattern: os.Chmod($NAME, $PERM)
+          - pattern: os.Mkdir($NAME, $PERM)
+          - pattern: os.OpenFile($NAME, $FLAG, $PERM)
+          - pattern: os.MkdirAll($NAME, $PERM)
+          - pattern: ioutil.WriteFile($NAME, $DATA, $PERM)
+      - metavariable-comparison:
+          metavariable: $PERM
+          comparison: $PERM > 0o600
+          base: 8
+      - focus-metavariable:
+          - $PERM
+    fix: |
+      0600

package/rules/community-merged/cwe-276/insecure-file-permissions.yaml ADDED Viewed

@@ -0,0 +1,64 @@
+# Source: semgrep-community | Cluster: python-276
+rules:
+- id: insecure-file-permissions
+  languages: [python]
+  severity: WARNING
+  metadata:
+    category: security
+    owasp:
+    - A01:2021 - Broken Access Control
+    - A01:2025 - Broken Access Control
+    cwe:
+    - 'CWE-276: Incorrect Default Permissions'
+    technology:
+    - python
+    references:
+    - https://owasp.org/Top10/A01_2021-Broken_Access_Control
+    cwe2022-top25: true
+    cwe2021-top25: true
+    subcategory:
+    - vuln
+    likelihood: LOW
+    impact: MEDIUM
+    confidence: MEDIUM
+  message: >-
+    These permissions `$BITS` are widely permissive and grant access
+    to more people than may be necessary. A good default is `0o644` which
+    gives read and write access to yourself and read access to everyone else.
+  patterns:
+  - pattern-inside: os.$METHOD(...)
+  - metavariable-pattern:
+      metavariable: $METHOD
+      patterns:
+      - pattern-either:
+        - pattern: chmod
+        - pattern: lchmod
+        - pattern: fchmod
+  - pattern-either:
+    - patterns:
+      - pattern: os.$METHOD($FILE, $BITS, ...)
+      - metavariable-comparison:
+          metavariable: $BITS
+          comparison: $BITS >= 0o650 and $BITS < 0o100000
+    - patterns:
+      - pattern: os.$METHOD($FILE, $BITS)
+      - metavariable-comparison:
+          metavariable: $BITS
+          comparison: $BITS >= 0o100650
+    - patterns:
+      - pattern: os.$METHOD($FILE, $BITS, ...)
+      - metavariable-pattern:
+          metavariable: $BITS
+          patterns:
+          - pattern-either:
+            - pattern: <... stat.S_IWGRP ...>
+            - pattern: <... stat.S_IXGRP ...>
+            - pattern: <... stat.S_IWOTH ...>
+            - pattern: <... stat.S_IXOTH ...>
+            - pattern: <... stat.S_IRWXO ...>
+            - pattern: <... stat.S_IRWXG ...>
+    - patterns:
+      - pattern: os.$METHOD($FILE, $EXPR | $MOD, ...)
+      - metavariable-comparison:
+          metavariable: $MOD
+          comparison: $MOD == 0o111