@zhuma4/cli 4.0.0-alpha.1 → 4.3.0

package/rules/community-merged/cwe-276/overly-permissive-file-permission.yaml

@@ -0,0 +1,50 @@
+# Source: semgrep-community | Cluster: java-276
+rules:
+- id: overly-permissive-file-permission
+  message: >-
+    Detected file permissions that are overly permissive (read, write, and execute).
+    It is generally a bad practices to set overly permissive file permission such
+    as read+write+exec for all users.
+    If the file affected is a configuration, a binary, a script or sensitive data,
+    it can lead to privilege escalation or information leakage.
+    Instead, follow the principle of least privilege and give users only the 
+    permissions they need.
+  severity: WARNING
+  languages: [java]
+  metadata:
+    cwe:
+    - 'CWE-276: Incorrect Default Permissions'
+    owasp:
+    - A01:2021 - Broken Access Control
+    - A01:2025 - Broken Access Control
+    source-rule-url: https://find-sec-bugs.github.io/bugs.htm#OVERLY_PERMISSIVE_FILE_PERMISSION
+    category: security
+    technology:
+    - java
+    references:
+    - https://owasp.org/Top10/A01_2021-Broken_Access_Control
+    cwe2022-top25: true
+    cwe2021-top25: true
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: MEDIUM
+    confidence: LOW
+  pattern-either:
+  - pattern: java.nio.file.Files.setPosixFilePermissions($FILE, java.nio.file.attribute.PosixFilePermissions.fromString("=~/(^......r..$)|(^.......w.$)|(^........x$)/"));
+  - pattern: |
+      $TYPE $P = java.nio.file.attribute.PosixFilePermissions.fromString("=~/(^......r..$)|(^.......w.$)|(^........x$)/");
+      ...
+      java.nio.file.Files.setPosixFilePermissions($FILE, $P);
+  - pattern: |
+      $P.add(java.nio.file.attribute.PosixFilePermission.OTHERS_READ);
+      ...
+      java.nio.file.Files.setPosixFilePermissions($FILE, $P);
+  - pattern: |
+      $P.add(java.nio.file.attribute.PosixFilePermission.OTHERS_WRITE);
+      ...
+      java.nio.file.Files.setPosixFilePermissions($FILE, $P);
+  - pattern: |-
+      $P.add(java.nio.file.attribute.PosixFilePermission.OTHERS_EXECUTE);
+      ...
+      java.nio.file.Files.setPosixFilePermissions($FILE, $P);

package/rules/community-merged/cwe-287/unverified-jwt-decode.yaml

@@ -0,0 +1,51 @@
+# Source: semgrep-community | Cluster: python-287
+rules:
+- id: unverified-jwt-decode
+  patterns:
+    - pattern-either:
+        - patterns:
+          - pattern: |
+              jwt.decode(..., options={..., "verify_signature": $BOOL, ...}, ...)
+          - metavariable-pattern:
+              metavariable: $BOOL
+              pattern: |
+                False
+          - focus-metavariable: $BOOL
+        - patterns:
+            - pattern: |
+                $OPTS = {..., "verify_signature": $BOOL, ...}
+                ...
+                jwt.decode(..., options=$OPTS, ...)
+            - metavariable-pattern:
+                metavariable: $BOOL
+                pattern: |
+                  False
+            - focus-metavariable: $BOOL
+  message: >-
+    Detected JWT token decoded with 'verify=False'. This bypasses any integrity
+    checks for the token which means the token could be tampered with by
+    malicious actors. Ensure that the JWT token is verified.
+  metadata:
+    owasp:
+    - A02:2017 - Broken Authentication
+    - A07:2021 - Identification and Authentication Failures
+    - A07:2025 - Authentication Failures
+    cwe:
+    - 'CWE-287: Improper Authentication'
+    references:
+    - https://github.com/we45/Vulnerable-Flask-App/blob/752ee16087c0bfb79073f68802d907569a1f0df7/app/app.py#L96
+    category: security
+    technology:
+    - jwt
+    cwe2022-top25: true
+    cwe2021-top25: true
+    subcategory:
+    - audit
+    likelihood: MEDIUM
+    impact: MEDIUM
+    confidence: MEDIUM
+  fix: |
+    True
+  severity: ERROR
+  languages:
+  - python

package/rules/community-merged/cwe-289/handler-assignment-from-multiple-sources.yaml

@@ -0,0 +1,49 @@
+# Source: semgrep-community | Cluster: go-289
+rules:
+- id: handler-assignment-from-multiple-sources
+  metadata:
+    cwe:
+    - 'CWE-289: Authentication Bypass by Alternate Name'
+    category: security
+    technology:
+    - gorilla
+    confidence: MEDIUM
+    references:
+    - https://cwe.mitre.org/data/definitions/289.html
+    subcategory:
+    - audit
+    impact: MEDIUM
+    likelihood: LOW
+  mode: taint
+  pattern-sources:
+  - patterns:
+    - pattern-inside: |
+        func $HANDLER(..., $R *http.Request, ...) {
+          ...
+        }
+    - focus-metavariable: $R
+    - pattern-either:
+      - pattern: $R.query
+  pattern-sinks:
+  - patterns:
+    - pattern: |
+        $Y, err := store.Get(...)
+        ...
+        $VAR := $Y.Values[...]
+        ...
+        $VAR = $R
+    - focus-metavariable: $R
+  - patterns:
+    - pattern: |
+        $Y, err := store.Get(...)
+        ...
+        var $VAR $INT = $Y.Values["..."].($INT)
+        ...
+        $VAR = $R
+    - focus-metavariable: $R
+  message: >-
+    Variable $VAR is assigned from two different sources: '$Y' and '$R'. Make sure this is intended,
+    as this could cause logic bugs if they are treated as they are the same object.
+  languages:
+  - go
+  severity: WARNING

package/rules/community-merged/cwe-295/disabled-cert-validation.yaml

@@ -0,0 +1,36 @@
+# Source: semgrep-community | Cluster: python-295
+rules:
+- id: disabled-cert-validation
+  patterns:
+  - pattern-either:
+    - pattern: urllib3.PoolManager(..., cert_reqs=$REQS, ...)
+    - pattern: urllib3.ProxyManager(..., cert_reqs=$REQS, ...)
+    - pattern: urllib3.HTTPSConnectionPool(..., cert_reqs=$REQS, ...)
+    - pattern: urllib3.connectionpool.HTTPSConnectionPool(..., cert_reqs=$REQS, ...)
+    - pattern: urllib3.connection_from_url(..., cert_reqs=$REQS, ...)
+    - pattern: urllib3.proxy_from_url(..., cert_reqs=$REQS, ...)
+    - pattern: $CONTEXT.wrap_socket(..., cert_reqs=$REQS, ...)
+    - pattern: ssl.wrap_socket(..., cert_reqs=$REQS, ...)
+  - metavariable-regex:
+      metavariable: $REQS
+      regex: (NONE|CERT_NONE|CERT_OPTIONAL|ssl\.CERT_NONE|ssl\.CERT_OPTIONAL|\'NONE\'|\"NONE\"|\'OPTIONAL\'|\"OPTIONAL\")
+  message: certificate verification explicitly disabled, insecure connections possible
+  metadata:
+    cwe:
+    - 'CWE-295: Improper Certificate Validation'
+    owasp:
+    - A03:2017 - Sensitive Data Exposure
+    - A07:2021 - Identification and Authentication Failures
+    - A07:2025 - Authentication Failures
+    category: security
+    technology:
+    - python
+    references:
+    - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+    subcategory:
+    - vuln
+    likelihood: HIGH
+    impact: MEDIUM
+    confidence: MEDIUM
+  languages: [python]
+  severity: ERROR

package/rules/community-merged/cwe-295/unverified-ssl-context.yaml

@@ -0,0 +1,35 @@
+# Source: semgrep-community | Cluster: python-295
+rules:
+- id: unverified-ssl-context
+  patterns:
+  - pattern-either:
+    - pattern: ssl._create_unverified_context(...)
+    - pattern: ssl._create_default_https_context = ssl._create_unverified_context
+  fix-regex:
+    regex: _create_unverified_context
+    replacement: create_default_context
+  message: >-
+    Unverified SSL context detected. This will permit insecure connections without
+    verifying
+    SSL certificates. Use 'ssl.create_default_context' instead.
+  metadata:
+    owasp:
+    - A03:2017 - Sensitive Data Exposure
+    - A07:2021 - Identification and Authentication Failures
+    - A07:2025 - Authentication Failures
+    cwe:
+    - 'CWE-295: Improper Certificate Validation'
+    references:
+    - https://docs.python.org/3/library/ssl.html#ssl-security
+    - https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection
+    category: security
+    technology:
+    - python
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: MEDIUM
+    confidence: MEDIUM
+  severity: ERROR
+  languages:
+  - python

package/rules/community-merged/cwe-297/insecure-smtp-connection.yaml

@@ -0,0 +1,35 @@
+# Source: semgrep-community | Cluster: java-297
+rules:
+- id: insecure-smtp-connection
+  metadata:
+    cwe:
+    - 'CWE-297: Improper Validation of Certificate with Host Mismatch'
+    owasp:
+    - A07:2021 - Identification and Authentication Failures
+    - A07:2025 - Authentication Failures
+    source-rule-url: https://find-sec-bugs.github.io/bugs.htm#INSECURE_SMTP_SSL
+    category: security
+    technology:
+    - java
+    references:
+    - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+    subcategory:
+    - vuln
+    likelihood: LOW
+    impact: MEDIUM
+    confidence: MEDIUM
+  message: >-
+    Insecure SMTP connection detected. This connection will trust any SSL certificate.
+    Enable certificate verification by setting 'email.setSSLCheckServerIdentity(true)'.
+  severity: WARNING
+  patterns:
+  - pattern-not-inside: |
+      $EMAIL.setSSLCheckServerIdentity(true);
+      ...
+  - pattern-inside: |
+      $EMAIL = new SimpleEmail(...);
+      ...
+  - pattern: |-
+      $EMAIL.send(...);
+  languages:
+  - java

package/rules/community-merged/cwe-300/grpc-client-insecure-connection.yaml

@@ -0,0 +1,35 @@
+# Source: semgrep-community | Cluster: go-300
+rules:
+- id: grpc-client-insecure-connection
+  metadata:
+    cwe:
+    - 'CWE-300: Channel Accessible by Non-Endpoint'
+    references:
+    - https://blog.gopheracademy.com/advent-2019/go-grps-and-tls/#connection-without-encryption
+    category: security
+    technology:
+    - grpc
+    confidence: HIGH
+    owasp:
+    - A07:2021 - Identification and Authentication Failures
+    - A07:2025 - Authentication Failures
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: LOW
+  message: >-
+    Found an insecure gRPC connection using 'grpc.WithInsecure()'. This creates a
+    connection without encryption to a gRPC
+    server. A malicious attacker could tamper with the gRPC message, which could compromise
+    the machine. Instead, establish
+    a secure connection with an
+    SSL certificate using the 'grpc.WithTransportCredentials()' function. You can
+    create a create credentials using a 'tls.Config{}'
+    struct with 'credentials.NewTLS()'. The final fix looks like this: 'grpc.WithTransportCredentials(credentials.NewTLS(<config>))'.
+  languages:
+  - go
+  severity: ERROR
+  pattern: $GRPC.Dial($ADDR, ..., $GRPC.WithInsecure(...), ...)
+  fix-regex:
+    regex: (.*)WithInsecure\(.*?\)
+    replacement: \1WithTransportCredentials(credentials.NewTLS(<your_tls_config_here>))

package/rules/community-merged/cwe-300/grpc-server-insecure-connection.yaml

@@ -0,0 +1,45 @@
+# Source: semgrep-community | Cluster: go-300
+rules:
+- id: grpc-server-insecure-connection
+  metadata:
+    cwe:
+    - 'CWE-300: Channel Accessible by Non-Endpoint'
+    references:
+    - https://blog.gopheracademy.com/advent-2019/go-grps-and-tls/#connection-without-encryption
+    category: security
+    technology:
+    - grpc
+    confidence: HIGH
+    owasp:
+    - A07:2021 - Identification and Authentication Failures
+    - A07:2025 - Authentication Failures
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: LOW
+  message: >-
+    Found an insecure gRPC server without 'grpc.Creds()' or options with credentials.
+    This allows for a connection without
+    encryption to this server.
+    A malicious attacker could tamper with the gRPC message, which could compromise
+    the machine. Include credentials derived
+    from an SSL certificate in order to create a secure gRPC connection. You can create
+    credentials using 'credentials.NewServerTLSFromFile("cert.pem",
+    "cert.key")'.
+  languages:
+  - go
+  severity: ERROR
+  mode: taint
+  pattern-sinks:
+    - requires: OPTIONS and not CREDS
+      pattern: grpc.NewServer($OPT, ...)
+    - requires: EMPTY_CONSTRUCTOR
+      pattern: grpc.NewServer()
+  pattern-sources:
+    - label: OPTIONS
+      pattern: grpc.ServerOption{ ... }
+    - label: CREDS 
+      pattern: grpc.Creds(...)
+    - label: EMPTY_CONSTRUCTOR
+      pattern: grpc.NewServer()
+

package/rules/community-merged/cwe-310/aead-no-final.yaml

@@ -0,0 +1,39 @@
+# Source: semgrep-community | Cluster: javascript-310
+rules:
+- id: aead-no-final
+  message: >-
+    The 'final' call of a Decipher object checks the authentication tag in a mode for authenticated encryption.
+    Failing to call 'final' will invalidate all integrity guarantees of the released ciphertext.
+  metadata:
+    cwe:
+    - 'CWE-310: CWE CATEGORY: Cryptographic Issues'
+    owasp:
+    - A02:2021 - Cryptographic Failures
+    - A04:2025 - Cryptographic Failures
+    category: security
+    subcategory:
+    - vuln
+    technology:
+    - node-crypto
+    likelihood: HIGH
+    impact: MEDIUM
+    confidence: HIGH
+    references:
+    - https://nodejs.org/api/crypto.html#deciphersetauthtagbuffer-encoding
+    - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/
+  languages:
+  - javascript
+  - typescript
+  severity: ERROR
+  patterns:
+  - pattern: |
+      $DECIPHER = $CRYPTO.createDecipheriv('$ALGO', ...)
+      ...
+      $DECIPHER.update(...)
+  - pattern-not-inside: |
+        $DECIPHER = $CRYPTO.createDecipheriv('$ALGO', ...)
+        ...
+        $DECIPHER.final(...)
+  - metavariable-regex:
+      metavariable: $ALGO
+      regex: ".*(-gcm|-ccm|-ocb|chacha20-poly1305)$"

package/rules/community-merged/cwe-310/gcm-no-tag-length.yaml

@@ -0,0 +1,35 @@
+# Source: semgrep-community | Cluster: javascript-310
+rules:
+- id: gcm-no-tag-length
+  message: >-
+    The call to 'createDecipheriv' with the Galois Counter Mode (GCM) mode of operation is missing an expected authentication tag length.
+    If the expected authentication tag length is not specified or otherwise checked, the application might be tricked into verifying a shorter-than-expected authentication tag.
+    This can be abused by an attacker to spoof ciphertexts or recover the implicit authentication key of GCM, allowing arbitrary forgeries.
+  metadata:
+    cwe:
+    - 'CWE-310: CWE CATEGORY: Cryptographic Issues'
+    owasp:
+    - A02:2021 - Cryptographic Failures
+    - A04:2025 - Cryptographic Failures
+    category: security
+    subcategory:
+    - vuln
+    technology:
+    - node-crypto
+    likelihood: MEDIUM
+    impact: MEDIUM
+    confidence: MEDIUM
+    references:
+    - https://www.securesystems.de/blog/forging_ciphertexts_under_Galois_Counter_Mode_for_the_Node_js_crypto_module/
+    - https://nodejs.org/api/crypto.html#cryptocreatedecipherivalgorithm-key-iv-options
+    - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/
+  languages:
+  - javascript
+  - typescript
+  severity: ERROR
+  patterns:
+  - pattern: |
+      $CRYPTO.createDecipheriv('$ALGO', $KEY, $IV)
+  - metavariable-regex:
+      metavariable: $ALGO
+      regex: ".*(-gcm)$"

package/rules/community-merged/cwe-319/cookie-issecure-false.yaml

@@ -0,0 +1,38 @@
+# Source: semgrep-community | Cluster: java-319
+rules:
+  - id: cookie-issecure-false
+    patterns:
+      - pattern: $COOKIE = new Cookie($...ARGS);
+      - pattern-not-inside: |
+          $COOKIE = new Cookie(...);
+          ...
+          $COOKIE.setSecure(...);
+    message: "Default session middleware settings: `setSecure` not set to true. This
+      ensures that the cookie is sent only over HTTPS to prevent cross-site
+      scripting attacks."
+    fix: |
+        $COOKIE = new Cookie($...ARGS);
+        $COOKIE.setSecure(true);
+    metadata:
+      vulnerability: Insecure Transport
+      owasp:
+        - A03:2017 - Sensitive Data Exposure
+        - A02:2021 - Cryptographic Failures
+        - A04:2025 - Cryptographic Failures
+      cwe:
+        - "CWE-319: Cleartext Transmission of Sensitive Information"
+      references:
+        - https://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html#setSecure(boolean)
+        - https://owasp.org/www-community/controls/SecureCookieAttribute
+      category: security
+      technology: 
+       - java
+       - cookie
+      subcategory:
+        - audit
+      likelihood: LOW
+      impact: LOW
+      confidence: LOW
+    languages:
+      - java
+    severity: WARNING

package/rules/community-merged/cwe-319/detect-insecure-websocket.yaml

@@ -0,0 +1,33 @@
+# Source: semgrep-community | Cluster: javascript-319
+rules:
+- id: detect-insecure-websocket
+  message: Insecure WebSocket Detected. WebSocket Secure (wss) should be used for all WebSocket connections.
+  metadata:
+    cwe:
+    - 'CWE-319: Cleartext Transmission of Sensitive Information'
+    asvs:
+      section: 'V13: API and Web Service Verification Requirements'
+      control_id: 13.5.1 Insecure WebSocket
+      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x21-V13-API.md#v135-websocket-security-requirements
+      version: '4'
+    category: security
+    technology:
+    - regex
+    owasp:
+    - A03:2017 - Sensitive Data Exposure
+    - A02:2021 - Cryptographic Failures
+    - A04:2025 - Cryptographic Failures
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: MEDIUM
+    confidence: LOW
+    references:
+    - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+  languages:
+  - regex
+  severity: ERROR
+  patterns:
+  - pattern-regex: \bws:\/\/
+  - pattern-not-inside: \bws:\/\/localhost.*
+  - pattern-not-inside: \bws:\/\/127.0.0.1.*

package/rules/community-merged/cwe-319/http-not-https-connection.yaml

@@ -0,0 +1,29 @@
+# Source: semgrep-community | Cluster: python-319
+rules:
+- id: http-not-https-connection
+  message: >-
+    Detected HTTPConnectionPool. This will transmit data in cleartext.
+    It is recommended to use HTTPSConnectionPool instead for to encrypt
+    communications.
+  metadata:
+    cwe:
+    - 'CWE-319: Cleartext Transmission of Sensitive Information'
+    owasp:
+    - A03:2017 - Sensitive Data Exposure
+    - A02:2021 - Cryptographic Failures
+    - A04:2025 - Cryptographic Failures
+    references:
+    - https://urllib3.readthedocs.io/en/1.2.1/pools.html#urllib3.connectionpool.HTTPSConnectionPool
+    category: security
+    technology:
+    - python
+    subcategory:
+    - audit
+    likelihood: MEDIUM
+    impact: MEDIUM
+    confidence: MEDIUM
+  languages: [python]
+  severity: ERROR
+  pattern-either:
+  - pattern: urllib3.HTTPConnectionPool(...)
+  - pattern: urllib3.connectionpool.HTTPConnectionPool(...)

package/rules/community-merged/cwe-319/security.yaml

@@ -0,0 +1,36 @@
+# Source: semgrep-community | Cluster: python-319
+rules:
+- id: require-encryption
+  patterns:
+  - pattern: |
+      distributed.security.Security(..., require_encryption=$VAL, ...)
+  - metavariable-pattern:
+      metavariable: $VAL
+      pattern: |
+        False
+  - focus-metavariable: $VAL
+  fix: |
+    True
+  message: >-
+    Initializing a security context for Dask (`distributed`) without "require_encryption" keyword
+    argument may silently fail to provide security.
+  severity: WARNING
+  metadata:
+    cwe:
+    - 'CWE-319: Cleartext Transmission of Sensitive Information'
+    owasp:
+    - A03:2017 - Sensitive Data Exposure
+    - A02:2021 - Cryptographic Failures
+    - A04:2025 - Cryptographic Failures
+    references:
+    - https://distributed.dask.org/en/latest/tls.html?highlight=require_encryption#parameters
+    category: security
+    technology:
+    - distributed
+    subcategory:
+    - vuln
+    likelihood: MEDIUM
+    impact: MEDIUM
+    confidence: MEDIUM
+  languages:
+  - python

package/rules/community-merged/cwe-319/sequelize-enforce-tls.yaml

@@ -0,0 +1,61 @@
+# Source: semgrep-community | Cluster: javascript-319
+rules:
+- id: sequelize-enforce-tls
+  message: >-
+    If TLS is disabled on server side (Postgresql server),
+    Sequelize establishes connection without TLS and no
+    error will be thrown. To prevent MITN (Man In The Middle)
+    attack, TLS must be enforce by Sequelize.
+    Set "ssl: true" or define settings "ssl: {...}"
+  metadata:
+    cwe:
+    - 'CWE-319: Cleartext Transmission of Sensitive Information'
+    owasp:
+    - A03:2017 - Sensitive Data Exposure
+    - A02:2021 - Cryptographic Failures
+    - A04:2025 - Cryptographic Failures
+    references:
+    - https://node-postgres.com/features/ssl
+    - https://nodejs.org/api/tls.html#tls_class_tls_tlssocket
+    - https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options
+    - https://nodejs.org/api/tls.html#tls_tls_default_min_version
+    category: security
+    technology:
+    - sequelize
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: LOW
+    confidence: LOW
+  languages:
+  - javascript
+  - typescript
+  severity: WARNING
+  patterns:
+  - pattern: |
+      {
+        host: $HOST,
+        database: $DATABASE,
+        dialect: $DIALECT
+       }
+  - pattern-not: |
+      {
+        host: $HOST,
+        database: $DATABASE,
+        dialect: "postgres",
+        dialectOptions: {
+            ssl: true
+        }
+      }
+  - pattern-not: |
+      {
+        host: $HOST,
+        database: $DATABASE,
+        dialect: $DIALECT,
+        dialectOptions: {
+          ssl: { ... }
+        }
+      }
+  - metavariable-regex:
+      metavariable: $DIALECT
+      regex: "['\"](mariadb|mysql|postgres)['\"]"

package/rules/community-merged/cwe-319/unencrypted-socket.yaml

@@ -0,0 +1,38 @@
+# Source: semgrep-community | Cluster: java-319
+rules:
+- id: unencrypted-socket
+  metadata:
+    functional-categories:
+      - 'net::search::crypto-config::java.net'
+    cwe:
+    - 'CWE-319: Cleartext Transmission of Sensitive Information'
+    owasp:
+    - A03:2017 - Sensitive Data Exposure
+    - A02:2021 - Cryptographic Failures
+    - A04:2025 - Cryptographic Failures
+    source-rule-url: https://find-sec-bugs.github.io/bugs.htm#UNENCRYPTED_SOCKET
+    asvs:
+      section: V6 Stored Cryptography Verification Requirements
+      control_id: 6.2.5 Insecure Algorithm
+      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms
+      version: '4'
+    category: security
+    technology:
+    - java
+    references:
+    - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+    subcategory:
+    - vuln
+    likelihood: MEDIUM
+    impact: MEDIUM
+    confidence: HIGH
+  message: >-
+    Detected use of a Java socket that is not encrypted.
+    As a result, the traffic could be read by an attacker intercepting the network traffic.
+    Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory'
+    instead.
+  severity: WARNING
+  languages: [java]
+  pattern-either:
+  - pattern: new ServerSocket(...)
+  - pattern: new Socket(...)