@zhuma4/cli 4.0.0-alpha.1 → 4.3.0

package/rules/unified/cwe-798/zm-tf-cwe798-hardcoded-creds.yaml

@@ -0,0 +1,103 @@
+# Source: iac | Cluster: N/A
+# 逐码 ZhuMa IaC 规则 — Terraform 硬编码凭证检测
+# V4.1 Sprint — CWE-798: Use of Hard-coded Credentials
+
+rules:
+  # ZM-TF-CWE798-001: variable 默认值含密码/密钥
+  - id: zm-tf-cwe798-creds-001
+    severity: CRITICAL
+    message: |
+      Terraform variable 的 default 值中包含疑似密码/密钥/Token 的硬编码明文。
+      应移除默认值，通过环境变量 `TF_VAR_xxx` 或 `.tfvars` 文件（不提交到 Git）传入敏感值，
+      或使用 Vault/AWS Secrets Manager 等密钥管理服务动态获取。
+    languages:
+      - terraform
+    pattern-either:
+      - pattern: |
+          variable "$VAR" {
+            ...
+            default = "$SECRET"
+            ...
+          }
+    metadata:
+      cwe: "CWE-798: Use of Hard-coded Credentials"
+      category: iac-terraform
+      precision: medium
+      confidence: high
+      tags: [terraform, hardcoded-credentials, secrets, variable]
+
+  # ZM-TF-CWE798-002: resource 中直接写 access_key / secret_key
+  - id: zm-tf-cwe798-creds-002
+    severity: CRITICAL
+    message: |
+      Terraform resource 中直接硬编码 `access_key` / `secret_key` / `password` 等凭证字段。
+      应改用 variable + 敏感标记 (`sensitive = true`)，并通过环境变量或密钥管理服务注入值。
+      示例:
+      ```hcl
+      variable "db_password" {
+        type      = string
+        sensitive = true
+      }
+      ```
+    languages:
+      - terraform
+    pattern-either:
+      - pattern: |
+          resource "$TYPE" "$NAME" {
+            ...
+            access_key = "$VAL"
+            ...
+          }
+      - pattern: |
+          resource "$TYPE" "$NAME" {
+            ...
+            secret_key = "$VAL"
+            ...
+          }
+      - pattern: |
+          resource "$TYPE" "$NAME" {
+            ...
+            password = "$VAL"
+            ...
+          }
+    metadata:
+      cwe: "CWE-798: Use of Hard-coded Credentials"
+      category: iac-terraform
+      precision: medium
+      confidence: high
+      tags: [terraform, hardcoded-credentials, secrets, resource]
+
+  # ZM-TF-CWE798-003: provider 块中硬编码凭证
+  - id: zm-tf-cwe798-creds-003
+    severity: CRITICAL
+    message: |
+      Terraform provider 块中硬编码 `access_key` / `secret_key` / `token` — 这些凭证会被写入 state 文件和执行日志。
+      应使用环境变量 (`AWS_ACCESS_KEY_ID` / `ALICLOUD_ACCESS_KEY`) 或 shared_credentials_file，
+      切勿在 provider 块中直接写入凭证。
+    languages:
+      - terraform
+    pattern-either:
+      - pattern: |
+          provider "$PROVIDER" {
+            ...
+            access_key = "$VAL"
+            ...
+          }
+      - pattern: |
+          provider "$PROVIDER" {
+            ...
+            secret_key = "$VAL"
+            ...
+          }
+      - pattern: |
+          provider "$PROVIDER" {
+            ...
+            token = "$VAL"
+            ...
+          }
+    metadata:
+      cwe: "CWE-798: Use of Hard-coded Credentials"
+      category: iac-terraform
+      precision: very-high
+      confidence: high
+      tags: [terraform, hardcoded-credentials, secrets, provider]

package/rules/unified/cwe-862/zm-js-cwe862-nestjs-skip-auth.yaml

@@ -0,0 +1,24 @@
+# Source: common | Cluster: N/A
+# CWE-862: NestJS @SkipAuth/@Public 跳过认证
+# 逐码 ZhuMa V4.3 — JS/TS NestJS 规则库
+
+rules:
+
+- id: zm-js-nestjs-auth-001
+  severity: ERROR
+  message: >
+    NestJS 控制器/路由上使用 @SkipAuth() 或 @Public() 装饰器跳过认证检查，
+    导致端点无需身份验证即可访问。
+    修复: 移除 @SkipAuth/@Public 装饰器，仅在公开端点(如登录/注册)使用。
+  languages:
+    - javascript
+    - typescript
+  pattern-either:
+    - pattern: '@SkipAuth()'
+    - pattern: '@Public()'
+  metadata:
+    cwe: "CWE-862: Missing Authorization"
+    owasp: "A01:2021 - Broken Access Control"
+    category: security
+    precision: very-high
+    confidence: high

package/rules/unified/cwe-89/cwe-89-sqli.yaml

@@ -0,0 +1,90 @@
+# Source: common | Cluster: N/A
+# CWE-89: SQL 注入检测规则
+# 逐码 ZhuMa V4.0 Alpha — 通用规则库
+
+rules:
+
+# ZM-JAVA-SQLI-001: JDBC Statement 字符串拼接
+- id: zm-java-sqli-001
+  severity: CRITICAL
+  message: |
+    检测到 JDBC Statement 使用字符串拼接构造 SQL 查询。
+    攻击者可通过控制变量注入恶意 SQL 语句。
+    应使用 PreparedStatement + 参数化查询。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        Statement $STMT = $CONN.createStatement();
+        ...
+        $STMT.executeQuery($SQL + $PARAM);
+    - pattern: |
+        Statement $STMT = $CONN.createStatement();
+        ...
+        $STMT.execute($SQL + $PARAM);
+    - pattern: |
+        Statement $STMT = $CONN.createStatement();
+        ...
+        $STMT.executeUpdate($SQL + $PARAM);
+  metadata:
+    cwe: "CWE-89: SQL Injection"
+    owasp: "A03:2021 - Injection"
+    precision: very-high
+
+# ZM-JAVA-SQLI-002: MyBatis ${} 动态 SQL (非预编译)
+- id: zm-java-sqli-002
+  severity: CRITICAL
+  message: |
+    MyBatis 使用 ${} 语法进行字符串替换而非预编译参数绑定。
+    除非是 ORDER BY / GROUP BY 等无法参数化的场景，否则应使用 #{}。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        @$ANNOTATION("...${...$EXPR}...")
+  metadata:
+    cwe: "CWE-89: SQL Injection"
+    owasp: "A03:2021 - Injection"
+    precision: high
+
+# ZM-JAVA-SQLI-003: JdbcTemplate 字符串拼接
+- id: zm-java-sqli-003
+  severity: HIGH
+  message: |
+    JdbcTemplate 使用字符串拼接构造 SQL 查询。
+    应使用参数化查询：jdbcTemplate.query(sql, params, mapper)
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $T.jdbcTemplate.query($SQL + $PARAM, ...);
+    - pattern: |
+        $T.jdbcTemplate.update($SQL + $PARAM, ...);
+    - pattern: |
+        $T.jdbcTemplate.queryForObject($SQL + $PARAM, ...);
+  metadata:
+    cwe: "CWE-89: SQL Injection"
+    owasp: "A03:2021 - Injection"
+    precision: high
+
+# ZM-JAVA-SQLI-004: String.format 构造 SQL
+- id: zm-java-sqli-004
+  severity: HIGH
+  message: |
+    String.format() 构造 SQL 查询，参数值直接拼接。
+    应使用 PreparedStatement 参数化。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $SQL = String.format("...SELECT...%s...", $PARAM);
+        ...
+        $STMT.executeQuery($SQL);
+    - pattern: |
+        $SQL = String.format("...INSERT...%s...", $PARAM);
+        ...
+        $STMT.executeUpdate($SQL);
+  metadata:
+    cwe: "CWE-89: SQL Injection"
+    owasp: "A03:2021 - Injection"
+    precision: medium

package/rules/unified/cwe-89/zm-cs-cwe89-sql-injection.yaml

@@ -0,0 +1,95 @@
+# Source: common | Cluster: N/A
+# CWE-89: C# SQL 注入检测规则
+# 逐码 ZhuMa V4.3 — C# 规则库
+#
+# 检测 C# / ASP.NET / Entity Framework 中的 SQL 注入漏洞。
+
+rules:
+
+# ZM-CS-CWE89-001: SqlCommand 字符串拼接 (ADONET)
+- id: zm-cs-cwe89-sql-injection-001
+  severity: ERROR
+  message: |
+    检测到 SqlCommand 使用字符串拼接构造 SQL 语句。
+    攻击者可通过用户输入注入恶意 SQL 代码，导致数据泄露、篡改或删除。
+
+    修复方案：
+    - 使用参数化查询: cmd.Parameters.AddWithValue("@param", value);
+    - 使用 SqlParameter: new SqlParameter("@id", userInput)
+    - 永远不要使用字符串拼接或 string.Format() 构造 SQL
+  languages:
+    - csharp
+  pattern-either:
+    - pattern: |
+        new SqlCommand($SQL + $PARAM, ...)
+    - pattern: |
+        new SqlCommand(String.Format($SQL, ...), ...)
+    - pattern: |
+        new SqlCommand($"{$SQL}{$PARAM}", ...)
+    - pattern: |
+        $CMD.CommandText = $SQL + $PARAM
+    - pattern: |
+        $CMD.CommandText = String.Format($SQL, ...)
+  metadata:
+    cwe: "CWE-89: SQL Injection"
+    owasp: "A03:2021 - Injection"
+    category: security
+    precision: medium
+    references:
+      - "https://cwe.mitre.org/data/definitions/89.html"
+      - "https://learn.microsoft.com/en-us/dotnet/framework/data/adonet/sql-and-stored-procedures"
+
+# ZM-CS-CWE89-002: EF Core FromSqlRaw/ExecuteSqlRaw 拼接
+- id: zm-cs-cwe89-sql-injection-002
+  severity: ERROR
+  message: |
+    检测到 Entity Framework Core 的 FromSqlRaw/ExecuteSqlRaw 
+    使用字符串拼接或内插字符串构造 SQL 查询。
+    这些方法明确接受原始 SQL，拼接用户输入将导致 SQL 注入。
+
+    修复方案：
+    - 使用 FromSqlInterpolated() 配合 FormattableString 参数化
+    - 使用 FromSqlRaw() + 显式 SqlParameter 参数
+    - 使用 LINQ 查询代替原始 SQL（优先选择）
+    - 如必须使用原始 SQL，确保所有用户输入通过参数传递
+  languages:
+    - csharp
+  pattern-either:
+    - pattern: $CTX.Database.ExecuteSqlRaw($SQL + $PARAM)
+    - pattern: $CTX.Database.ExecuteSqlRaw(String.Format(...))
+    - pattern: $CTX.Set<T>().FromSqlRaw($SQL + $PARAM)
+    - pattern: $CTX.Set<T>().FromSqlRaw(String.Format(...))
+    - pattern: $DB.ExecuteSqlRaw($SQL + $PARAM)
+  metadata:
+    cwe: "CWE-89: SQL Injection"
+    owasp: "A03:2021 - Injection"
+    category: security
+    precision: high
+    references:
+      - "https://cwe.mitre.org/data/definitions/89.html"
+      - "https://learn.microsoft.com/en-us/ef/core/querying/sql-queries"
+
+# ZM-CS-CWE89-003: 字符串拼接构造 SQL
+- id: zm-cs-cwe89-sql-injection-003
+  severity: WARNING
+  message: |
+    检测到 SQL 查询字符串通过拼接构造且包含 WHERE/IN 子句等用户可控输入。
+    任何将用户输入直接拼接到 SQL 语句中的操作都可能导致注入攻击。
+
+    修复方案：
+    - 始终使用参数化查询（@param / SqlParameter）
+    - 动态 ORDER BY 使用白名单映射
+    - 使用存储过程配合参数化调用
+  languages:
+    - csharp
+  pattern-either:
+    - pattern: $SQL = $STR + $VAR
+    - pattern: $SQL = $"SELECT ... WHERE ... {$VAR} ..."
+    - pattern: $SQL = String.Format("SELECT ... WHERE ...", $VAR)
+  metadata:
+    cwe: "CWE-89: SQL Injection"
+    owasp: "A03:2021 - Injection"
+    category: security
+    precision: very-low
+    references:
+      - "https://cwe.mitre.org/data/definitions/89.html"

package/rules/unified/cwe-89/zm-go-cwe89-framework-sqli.yaml

@@ -0,0 +1,154 @@
+# Source: common | Cluster: N/A
+# CWE-89: Gin/Echo/gorilla/mux SQL注入检测
+# 逐码 ZhuMa V4.3 — Go 框架特化规则库
+# 检测: c.Query/c.Param拼SQL、ctx.QueryParam拼SQL、mux.Vars拼SQL
+
+rules:
+
+# ZM-GO-GIN-SQLI-001: Gin c.Query/c.Param直接拼SQL
+- id: zm-go-gin-sqli-001
+  severity: CRITICAL
+  message: |
+    检测到 Gin 框架的 c.Query() / c.Param() / c.PostForm() 返回值
+    直接拼接入SQL语句(fmt.Sprintf或字符串拼接)。
+
+    典型危险模式:
+    func handler(c *gin.Context) {
+      userID := c.Query("id")
+      db.Exec("DELETE FROM users WHERE id = " + userID)  // ← SQL注入
+    }
+
+    修复方案:
+    1. 使用参数化查询: db.Exec("DELETE FROM users WHERE id = ?", userID)
+    2. GORM: db.Where("id = ?", userID).Delete(&User{})
+    3. 对表名/列名使用白名单映射
+    4. 禁止使用 + 或 fmt.Sprintf 拼接SQL
+  languages:
+    - go
+  pattern-either:
+    - pattern: |
+        $DB.Exec($SQL + c.Query($KEY))
+    - pattern: |
+        $DB.Exec($SQL + c.Param($KEY))
+    - pattern: |
+        $DB.Exec($SQL + c.PostForm($KEY))
+    - pattern: |
+        $DB.Exec(fmt.Sprintf($FMT, c.Query($KEY)))
+    - pattern: |
+        $DB.Exec(fmt.Sprintf($FMT, c.Param($KEY)))
+    - pattern: |
+        $DB.Query($SQL + c.Query($KEY))
+    - pattern: |
+        $DB.Query($SQL + c.Param($KEY))
+    - pattern: |
+        $DB.Query(fmt.Sprintf($FMT, c.Query($KEY)))
+    - pattern: |
+        $DB.Query(fmt.Sprintf($FMT, c.Param($KEY)))
+    - pattern: |
+        $DB.QueryRow($SQL + c.Query($KEY))
+    - pattern: |
+        $DB.QueryRow($SQL + c.Param($KEY))
+    - pattern: |
+        $DB.QueryRow(fmt.Sprintf($FMT, c.Query($KEY)))
+    - pattern: |
+        $DB.QueryRow(fmt.Sprintf($FMT, c.Param($KEY)))
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)"
+    severity: CRITICAL
+    precision: high
+    category: sql-injection
+    framework: gin
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://gin-gonic.com/docs/examples/query-and-post-form/"
+
+# ZM-GO-ECHO-SQLI-001: Echo ctx.QueryParam拼SQL
+- id: zm-go-echo-sqli-001
+  severity: CRITICAL
+  message: |
+    检测到 Echo 框架的 ctx.QueryParam() / ctx.Param() 返回值
+    直接拼接入SQL语句。
+
+    修复方案:
+    1. 使用参数化查询: db.Exec("SELECT * FROM users WHERE id = ?", ctx.QueryParam("id"))
+    2. GORM: db.Where("id = ?", ctx.QueryParam("id")).First(&user)
+    3. 禁止使用 + 拼接用户输入构造SQL
+  languages:
+    - go
+  pattern-either:
+    - pattern: |
+        $DB.Exec($SQL + ctx.QueryParam($KEY))
+    - pattern: |
+        $DB.Exec($SQL + ctx.Param($KEY))
+    - pattern: |
+        $DB.Exec(fmt.Sprintf($FMT, ctx.QueryParam($KEY)))
+    - pattern: |
+        $DB.Exec(fmt.Sprintf($FMT, ctx.Param($KEY)))
+    - pattern: |
+        $DB.Query($SQL + ctx.QueryParam($KEY))
+    - pattern: |
+        $DB.Query($SQL + ctx.Param($KEY))
+    - pattern: |
+        $DB.Query(fmt.Sprintf($FMT, ctx.QueryParam($KEY)))
+    - pattern: |
+        $DB.Query(fmt.Sprintf($FMT, ctx.Param($KEY)))
+    - pattern: |
+        $DB.QueryRow($SQL + ctx.QueryParam($KEY))
+    - pattern: |
+        $DB.QueryRow($SQL + ctx.Param($KEY))
+    - pattern: |
+        $DB.QueryRow(fmt.Sprintf($FMT, ctx.QueryParam($KEY)))
+    - pattern: |
+        $DB.QueryRow(fmt.Sprintf($FMT, ctx.Param($KEY)))
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)"
+    severity: CRITICAL
+    precision: high
+    category: sql-injection
+    framework: echo
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://echo.labstack.com/docs/request"
+
+# ZM-GO-GORILLA-SQLI-001: gorilla/mux Vars拼SQL
+- id: zm-go-gorilla-sqli-001
+  severity: CRITICAL
+  message: |
+    检测到 gorilla/mux 的 mux.Vars() 返回值直接拼接入SQL语句。
+    URL路径参数虽然可能不含空格，但攻击者仍可通过注入注释符和子查询
+    实现SQL注入。
+
+    修复方案:
+    1. 使用参数化查询: db.Exec("SELECT * FROM users WHERE id = ?", mux.Vars(r)["id"])
+    2. 对mux.Vars返回值做数据类型转换和校验: strconv.Atoi(mux.Vars(r)["id"])
+    3. 禁止使用 + 拼接构造SQL
+  languages:
+    - go
+  pattern-either:
+    - pattern: |
+        $DB.Exec($SQL + mux.Vars($R)[$KEY])
+    - pattern: |
+        $DB.Exec(fmt.Sprintf($FMT, mux.Vars($R)[$KEY]))
+    - pattern: |
+        $DB.Query($SQL + mux.Vars($R)[$KEY])
+    - pattern: |
+        $DB.Query(fmt.Sprintf($FMT, mux.Vars($R)[$KEY]))
+    - pattern: |
+        $DB.QueryRow($SQL + mux.Vars($R)[$KEY])
+    - pattern: |
+        $DB.QueryRow(fmt.Sprintf($FMT, mux.Vars($R)[$KEY]))
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)"
+    severity: CRITICAL
+    precision: high
+    category: sql-injection
+    framework: gorilla
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://github.com/gorilla/mux"

package/rules/unified/cwe-89/zm-go-cwe89-gorm-sqli.yaml

@@ -0,0 +1,105 @@
+# Source: common | Cluster: N/A
+# CWE-89: GORM / Go-MySQL-Driver SQL注入 (fmt.Sprintf/字符串拼接)
+# 逐码 ZhuMa V4.3 — Go 框架特化规则库
+# 检测: GORM db.Exec/db.Raw含fmt.Sprintf、MySQL Driver fmt.Sprintf拼SQL
+
+rules:
+
+# ZM-GO-GORM-SQLI-001: GORM db.Exec/db.Raw 含 fmt.Sprintf
+- id: zm-go-gorm-sqli-001
+  severity: CRITICAL
+  message: |
+    检测到 GORM 的 db.Exec() / db.Raw() 方法使用 fmt.Sprintf 构造SQL语句。
+    虽然GORM的Where/Find等方法自动参数化，但Raw/Exec直接执行原始SQL，
+    fmt.Sprintf拼接会导致SQL注入。
+
+    典型危险模式:
+    name := c.Query("name")
+    db.Raw(fmt.Sprintf("SELECT * FROM users WHERE name = '%s'", name)).Scan(&users)
+
+    修复方案:
+    1. db.Raw("SELECT * FROM users WHERE name = ?", name).Scan(&users)
+    2. db.Exec("UPDATE users SET name = ? WHERE id = ?", name, id)
+    3. 使用GORM链式查询: db.Where("name = ?", name).Find(&users)
+    4. 禁止在Raw/Exec中使用fmt.Sprintf或+拼接用户输入
+  languages:
+    - go
+  pattern-either:
+    - pattern: $DB.Exec(fmt.Sprintf(...))
+    - pattern: $DB.Raw(fmt.Sprintf(...))
+    - pattern: $DB.Exec($STR + $VAR)
+    - pattern: $DB.Exec($VAR + $STR)
+    - pattern: $DB.Raw($STR + $VAR)
+    - pattern: $DB.Raw($VAR + $STR)
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)"
+    severity: CRITICAL
+    precision: high
+    category: sql-injection
+    framework: gorm
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://gorm.io/docs/sql_builder.html"
+
+# ZM-GO-GORM-SQLI-002: GORM db.Where字符串拼接
+- id: zm-go-gorm-sqli-002
+  severity: CRITICAL
+  message: |
+    检测到 GORM 的 db.Where() 使用字符串拼接构造条件。
+    虽然 db.Where("name = ?", userInput) 是安全的参数化查询，
+    但 db.Where("name = '" + userInput + "'") 会导致SQL注入。
+
+    修复方案:
+    1. db.Where("name = ?", userInput) — 正确，?是参数化占位符
+    2. 禁止: db.Where("name = '" + userInput + "'")
+  languages:
+    - go
+  pattern-either:
+    - pattern: $DB.Where($STR + $VAR)
+    - pattern: $DB.Where($VAR + $STR)
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)"
+    severity: CRITICAL
+    precision: high
+    category: sql-injection
+    framework: gorm
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://gorm.io/docs/query.html"
+
+# ZM-GO-MYSQL-SQLI-001: go-sql-driver/mysql fmt.Sprintf拼SQL
+- id: zm-go-mysql-sqli-001
+  severity: CRITICAL
+  message: |
+    检测到 go-sql-driver/mysql 使用 fmt.Sprintf 构造SQL查询。
+    虽然该驱动支持参数化查询(?占位符)，但使用fmt.Sprintf拼接用户输入
+    会绕过占位符保护，导致SQL注入。
+
+    修复方案:
+    1. 使用?占位符: db.Query("SELECT * FROM users WHERE name = ?", userInput)
+    2. 对IN子句使用 sqlx.In() 或手动构造占位符
+    3. 禁止将用户输入通过fmt.Sprintf拼入SQL字符串
+  languages:
+    - go
+  pattern-either:
+    - pattern: |
+        $DB.Query(fmt.Sprintf($FMT, $VAR))
+    - pattern: |
+        $DB.QueryRow(fmt.Sprintf($FMT, $VAR))
+    - pattern: |
+        $DB.Exec(fmt.Sprintf($FMT, $VAR))
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)"
+    severity: CRITICAL
+    precision: high
+    category: sql-injection
+    framework: go-sql-driver
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://github.com/go-sql-driver/mysql"

package/rules/unified/cwe-89/zm-go-cwe89-sqli.yaml

@@ -0,0 +1,90 @@
+# Source: common | Cluster: N/A
+# CWE-89: Go SQL 注入检测
+# 逐码 ZhuMa V4.1 — Go 通用规则库
+# 检测: database/sql Query/Exec/QueryRow 字符串拼接构造SQL
+
+rules:
+
+# ZM-GO-SQLI-001: db.Query() 字符串拼接SQL注入
+- id: zm-go-sqli-001
+  severity: CRITICAL
+  message: |
+    检测到 database/sql 的 Query() 方法使用了字符串拼接构造SQL语句。
+    攻击者可通过用户输入注入恶意SQL（如 UNION SELECT、-- 注释符等），
+    绕过认证、窃取数据或破坏数据库。
+
+    修复方案:
+    1. 使用参数化查询: db.Query("SELECT * FROM users WHERE id = ?", userID)
+    2. 禁止使用字符串拼接构造SQL（+、fmt.Sprintf）
+    3. 对表名/列名等动态标识符使用白名单校验
+    4. 参考 OWASP SQL 注入防御指南
+  languages:
+    - go
+  pattern-either:
+    - pattern: $DB.Query($SQL + $VAR)
+    - pattern: $DB.Query($VAR + $SQL)
+    - pattern: $DB.Query(fmt.Sprintf(...))
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)"
+    severity: CRITICAL
+    precision: high
+    category: sql-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://go.dev/doc/database/sql-injection"
+      - "https://owasp.org/www-community/attacks/SQL_Injection"
+
+# ZM-GO-SQLI-002: db.Exec() 字符串拼接SQL注入
+- id: zm-go-sqli-002
+  severity: CRITICAL
+  message: |
+    检测到 database/sql 的 Exec() 方法使用了字符串拼接或 fmt.Sprintf
+    构造SQL语句。Exec 常用于 INSERT/UPDATE/DELETE，注入可能造成数据
+    被篡改或删除。
+
+    修复方案:
+    1. 使用参数化查询: db.Exec("UPDATE users SET name = ? WHERE id = ?", name, id)
+    2. 禁止将变量直接拼入SQL字符串
+    3. 使用 ORM 框架（GORM/Ent）的内置安全查询方法
+  languages:
+    - go
+  pattern-either:
+    - pattern: $DB.Exec($SQL + $VAR)
+    - pattern: $DB.Exec($VAR + $SQL)
+    - pattern: $DB.Exec(fmt.Sprintf(...))
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)"
+    severity: CRITICAL
+    precision: high
+    category: sql-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+
+# ZM-GO-SQLI-003: db.QueryRow() 字符串拼接SQL注入
+- id: zm-go-sqli-003
+  severity: CRITICAL
+  message: |
+    检测到 database/sql 的 QueryRow() 方法使用了字符串拼接构造SQL。
+    QueryRow 用于单行查询场景（如登录认证），注入可直接绕过认证。
+
+    修复方案:
+    1. db.QueryRow("SELECT * FROM users WHERE id = ?", userID)
+    2. 使用命名参数: sql.Named("id", userID)
+    3. 对动态排序/分组字段做白名单映射
+  languages:
+    - go
+  pattern-either:
+    - pattern: $DB.QueryRow($SQL + $VAR)
+    - pattern: $DB.QueryRow($VAR + $SQL)
+    - pattern: $DB.QueryRow(fmt.Sprintf(...))
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)"
+    severity: CRITICAL
+    precision: high
+    category: sql-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"