@zhuma4/cli 4.0.0-alpha.1

package/rules/android/mobile-cwe-200-webview-debugging.yaml

@@ -0,0 +1,56 @@
+# CWE-200: WebView 远程调试已开启 (Android)
+# 逐码 ZhuMa V4.0 — Android 规则库
+# 来源: V3 审计引擎 VULN-WV-005
+
+rules:
+  - id: zm-android-webview-debugging-enabled
+    severity: WARNING
+    message: |
+      WebView 远程调试 (setWebContentsDebuggingEnabled) 已启用。
+      在生产环境中，攻击者可通过 chrome://inspect 直接调试 WebView、注入任意 JavaScript、
+      窃取 Cookie/Token 等敏感数据。
+      修复: 仅在 BuildConfig.DEBUG 条件下启用；Release 构建必须关闭。
+    languages:
+      - java
+    patterns:
+      - pattern: |
+          $WV.setWebContentsDebuggingEnabled(true)
+      - pattern-not: |
+          if (BuildConfig.DEBUG) {
+            $WV.setWebContentsDebuggingEnabled(true);
+          }
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+      owasp-mobile: "M1: Improper Platform Usage"
+      masvs: "MASVS-RESILIENCE-2"
+      category: android-webview
+      precision: medium
+      confidence: high
+      likelihood: medium
+      impact: medium
+      source: "V3 Audit Engine - VULN-WV-005"
+      references:
+        - https://developer.android.com/reference/android/webkit/WebView#setWebContentsDebuggingEnabled(boolean)
+
+  - id: zm-android-webview-debugging-enabled-kotlin
+    severity: WARNING
+    message: |
+      WebView 远程调试已开启 (Kotlin)。
+      生产环境应禁用 WebView 远程调试。
+    languages:
+      - kotlin
+    patterns:
+      - pattern: |
+          $WV.setWebContentsDebuggingEnabled(true)
+      - pattern-not: |
+          if (BuildConfig.DEBUG) {
+            $WV.setWebContentsDebuggingEnabled(true)
+          }
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+      owasp-mobile: "M1: Improper Platform Usage"
+      masvs: "MASVS-RESILIENCE-2"
+      category: android-webview
+      precision: medium
+      confidence: high
+      source: "V3 Audit Engine - VULN-WV-005"

package/rules/android/mobile-cwe-200-webview-universal-access.yaml

@@ -0,0 +1,30 @@
+# CWE-200: WebView setAllowUniversalAccessFromFileURLs (Android)
+# 逐码 ZhuMa V4.0 — Android 规则库
+# 来源: V3 审计引擎 VULN-WV-008
+
+rules:
+  - id: zm-android-webview-universal-access-file-urls
+    severity: CRITICAL
+    message: |
+      检测到 setAllowUniversalAccessFromFileURLs(true) - 极危配置。
+      这使得 file:// 页面可通过 XMLHttpRequest 访问任意源，完全绕过同源策略。
+      攻击者可通过恶意 file:// 页面窃取本地文件并通过网络发送到攻击者服务器。
+      这是 Google 官方声明后悔引入的 API，必须禁用。
+      修复: setAllowUniversalAccessFromFileURLs(false);
+    languages:
+      - java
+    pattern: |
+      $WV.getSettings().setAllowUniversalAccessFromFileURLs(true)
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+      owasp-mobile: "M1: Improper Platform Usage"
+      masvs: "MASVS-PLATFORM-2"
+      category: android-webview
+      precision: high
+      confidence: high
+      likelihood: critical
+      impact: high
+      source: "V3 Audit Engine - VULN-WV-008"
+      references:
+        - https://developer.android.com/reference/android/webkit/WebSettings#setAllowUniversalAccessFromFileURLs(boolean)
+        - https://bugs.chromium.org/p/chromium/issues/detail?id=522896

package/rules/android/mobile-cwe-200-window-flags.yaml

@@ -0,0 +1,96 @@
+# CWE-200: Missing FLAG_SECURE for Sensitive Screens (Android)
+# ZhuMa V4.0 - Android Rule Library
+# Source: ZhuMa V4.1 Rule Expansion - screen capture and clipboard protection
+
+rules:
+  - id: zm-android-activity-no-flag-secure
+    severity: MEDIUM
+    message: |
+      Detected Activity.onCreate() without getWindow().setFlags(FLAG_SECURE).
+      Without FLAG_SECURE, the screen content can be captured via screenshot, screen recording,
+      or the task switcher thumbnail, exposing sensitive data.
+      Remediation: Add getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE, ...) in onCreate().
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              public void onCreate(Bundle $B) {
+                ...
+                super.onCreate($B);
+                ...
+                setContentView($LAYOUT);
+                ...
+              }
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+      owasp-mobile: "M2: Insecure Data Storage"
+      masvs: "MASVS-STORAGE-4"
+      category: android-ui
+      precision: low
+      confidence: low
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/200.html
+        - https://developer.android.com/privacy-and-security/risks/screenshots
+
+  - id: zm-android-sensitive-activity-no-flag-secure
+    severity: MEDIUM
+    message: |
+      Detected an Activity with a sensitive name (password, payment, creditcard, login, auth, transfer) 
+      that does not use FLAG_SECURE. Screenshots and screen recording can capture credentials or financial data.
+      Remediation: Add getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE, ...) in onCreate().
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              class $ACT extends Activity {
+                ...
+              }
+          - pattern: |
+              class $ACT extends AppCompatActivity {
+                ...
+              }
+          - pattern: |
+              class $ACT extends FragmentActivity {
+                ...
+              }
+      - metavariable-regex:
+          metavariable: $ACT
+          regex: '(?i)(.*[Pp]assword.*|.*[Pp]ayment.*|.*[Cc]redit[Cc]ard.*|.*[Ll]ogin.*|.*[Aa]uth.*|.*[Tt]ransfer.*|.*[Cc]heckout.*|.*[Ww]allet.*)'
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+      owasp-mobile: "M2: Insecure Data Storage"
+      masvs: "MASVS-STORAGE-4"
+      category: android-ui
+      precision: low
+      confidence: low
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/200.html
+
+  - id: zm-android-window-flags-no-secure
+    severity: MEDIUM
+    message: |
+      Detected window flag configuration without FLAG_SECURE.
+      If this window displays sensitive content (passwords, financial data), it may be captured.
+      Remediation: Add WindowManager.LayoutParams.FLAG_SECURE to window flags on sensitive screens.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              getWindow().setFlags($FLAGS, $MASK)
+          - pattern: |
+              getWindow().addFlags($FLAGS)
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+      owasp-mobile: "M2: Insecure Data Storage"
+      masvs: "MASVS-STORAGE-4"
+      category: android-ui
+      precision: low
+      confidence: low
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/200.html

package/rules/android/mobile-cwe-22-content-provider-openfile.yaml

@@ -0,0 +1,73 @@
+# CWE-22: Content Provider openFile Path Traversal (Android)
+# ZhuMa V4.0 - Android Rule Library
+# Source: ZhuMa V4.1 Rule Expansion - content provider path traversal hardening
+
+rules:
+  - id: zm-android-openfile-no-path-validation
+    severity: HIGH
+    message: |
+      Detected ContentProvider.openFile() that constructs a file path from Uri without canonical path check.
+      An attacker can use "../" sequences in the Uri path to escape the intended directory and read arbitrary files
+      (e.g., /data/data/com.other.app/databases/accounts.db) via path traversal.
+      Remediation: Resolve to canonical path and verify it starts with the allowed base directory before opening.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: $URI.getPath()
+          - pattern: new File($BASE, $URI.getPath())
+    metadata:
+      cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory"
+      owasp-mobile: "M1: Improper Platform Usage"
+      masvs: "MASVS-PLATFORM-2"
+      category: android-ipc
+      precision: low
+      confidence: low
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/22.html
+
+  - id: zm-android-contentresolver-access-no-validation
+    severity: MEDIUM
+    message: |
+      Detected ContentResolver accessing a content:// Uri without input validation on the path.
+      If the Uri comes from an external source (Intent, deeplink), an attacker can manipulate 
+      the path to access unauthorized content providers or perform path traversal.
+      Remediation: Validate the Uri authority and path against expected values before accessing.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: $CR.query($URI, $PROJ, $SEL, $ARGS, $SORT)
+    metadata:
+      cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory"
+      owasp-mobile: "M1: Improper Platform Usage"
+      masvs: "MASVS-PLATFORM-2"
+      category: android-ipc
+      precision: low
+      confidence: low
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/22.html
+
+  - id: zm-android-file-constructor-user-input
+    severity: MEDIUM
+    message: |
+      Detected File constructor using user-controlled input (Intent data, EditText text, URI parameter).
+      Using unsanitized input in file paths enables path traversal attacks to read/write arbitrary files.
+      Remediation: Always validate and sanitize user-supplied paths. Use getCanonicalPath() and prefix checks.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: new File($BASE, $USER_INPUT)
+    metadata:
+      cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory"
+      owasp-mobile: "M1: Improper Platform Usage"
+      masvs: "MASVS-PLATFORM-2"
+      category: android-ipc
+      precision: low
+      confidence: low
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/22.html

package/rules/android/mobile-cwe-22-path-traversal.yaml

@@ -0,0 +1,86 @@
+# CWE-22: 路径遍历 / WebView file:// 协议 (Android)
+# 逐码 ZhuMa V4.0 — Android 规则库
+# 来源: V3 审计引擎 VULN-WV-001 / VULN-WV-006
+
+rules:
+  - id: zm-android-webview-file-access-enabled
+    severity: CRITICAL
+    message: |
+      检测到 WebView 允许 file:// 协议访问本地文件。
+      结合 JavaScript 启用时，攻击者可通过恶意 HTML 页面读取 APP 私有目录下的任意文件，
+      包括 databases/.db (含明文凭据)、shared_prefs/.xml (含 Token) 等。
+      修复: setAllowFileAccess(false); 并从 AndroidManifest 中移除 android:allowFileAccess="true"。
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              $WV.getSettings().setAllowFileAccess(true)
+          - pattern: |
+              $WV.getSettings().setAllowFileAccessFromFileURLs(true)
+      - pattern-not: |
+          $WV.getSettings().setAllowFileAccess(false)
+    metadata:
+      cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
+      owasp-mobile: "M7: Client Code Quality"
+      masvs: "MASVS-PLATFORM-2"
+      category: android-webview
+      precision: high
+      confidence: high
+      likelihood: high
+      impact: critical
+      source: "V3 Audit Engine - VULN-WV-001"
+      references:
+        - https://developer.android.com/reference/android/webkit/WebSettings#setAllowFileAccess(boolean)
+        - https://dre.vanderbilt.edu/~schmidt/android/android-4.0/out/target/common/docs/doc-comment-check/guide/webapps/managingWebView.html
+
+  - id: zm-android-webview-file-access-kotlin
+    severity: CRITICAL
+    message: |
+      WebView 文件协议访问已启用 (Kotlin)。
+      修复: getSettings().setAllowFileAccess(false)
+    languages:
+      - kotlin
+    patterns:
+      - pattern-either:
+          - pattern: |
+              $WV.getSettings().setAllowFileAccess(true)
+          - pattern: |
+              $WV.getSettings().setAllowFileAccessFromFileURLs(true)
+    metadata:
+      cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
+      owasp-mobile: "M7: Client Code Quality"
+      masvs: "MASVS-PLATFORM-2"
+      category: android-webview
+      precision: high
+      confidence: high
+      source: "V3 Audit Engine - VULN-WV-001"
+
+  - id: zm-android-http-server-path-traversal
+    severity: CRITICAL
+    message: |
+      检测到内嵌 HTTP Server 中用户输入直接构造文件路径，存在路径遍历风险。
+      常见于 APK 内嵌的 NanoHTTPD / SimpleWebServer 实现中。
+      攻击者可通过 HTTP Request URI 注入 "../" 序列读取任意文件。
+      修复: 对用户输入做 canonical path 校验 + 白名单目录限制。
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              new FileInputStream($BASE + $PARAM)
+          - pattern: |
+              new File($BASE + $PARAM)
+      - metavariable-regex:
+          metavariable: $PARAM
+          regex: '(?i)(getPath|getParameter|getQuery|getURI|queryParameter|getParam)'
+    metadata:
+      cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
+      owasp-mobile: "M8: Code Tampering"
+      masvs: "MASVS-STORAGE-1"
+      category: android-storage
+      precision: medium
+      confidence: medium
+      source: "V3 Audit Engine - VULN-LS-003"
+      references:
+        - https://cwe.mitre.org/data/definitions/22.html

package/rules/android/mobile-cwe-287-biometric-weakness.yaml

@@ -0,0 +1,102 @@
+# CWE-287: Biometric Authentication Weakness (Android)
+# ZhuMa V4.0 - Android Rule Library
+# Source: V3 Audit Engine extension - biometric bypass patterns
+
+rules:
+  - id: zm-android-biometric-no-crypto-object
+    severity: HIGH
+    message: |
+      Detected BiometricPrompt.authenticate() called without a CryptoObject.
+      Without CryptoObject, the biometric result can be bypassed via instrumentation or Frida hooking,
+      allowing authentication bypass while the app treats it as successful.
+      Remediation: Always pass a CryptoObject (Cipher/MessageDigest/Mac/Signature) to authenticate().
+      The crypto operation will fail if biometric was tampered with.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: $BP.authenticate($PROMPT)
+          - pattern: $BP.authenticate($PROMPT, $INFO)
+    metadata:
+      cwe: "CWE-287: Improper Authentication"
+      owasp-mobile: "M4: Insecure Authentication"
+      masvs: "MASVS-AUTH-3"
+      category: android-auth
+      precision: high
+      confidence: high
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/287.html
+        - https://developer.android.com/reference/android/hardware/biometrics/BiometricPrompt
+
+  - id: zm-android-biometric-negative-button-no-crypto
+    severity: HIGH
+    message: |
+      Detected BiometricPrompt.setNegativeButton() used with authenticate() where no CryptoObject is passed.
+      The negative button (device credential fallback) without CryptoObject enables downgrade attack -
+      an attacker can cancel biometric and fall back to device PIN/pattern, bypassing biometric entirely.
+      Remediation: If using setNegativeButton (device credential fallback), ensure CryptoObject is always set.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: $PROMPT.setNegativeButton($TEXT, $EXECUTOR, $LISTENER)
+    metadata:
+      cwe: "CWE-287: Improper Authentication"
+      owasp-mobile: "M4: Insecure Authentication"
+      masvs: "MASVS-AUTH-3"
+      category: android-auth
+      precision: medium
+      confidence: medium
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/287.html
+
+  - id: zm-android-fingerprint-no-crypto-object
+    severity: HIGH
+    message: |
+      Detected FingerprintManager.authenticate() called without a CryptoObject (legacy biometric API).
+      Without CryptoObject, the fingerprint result is vulnerable to bypass via hooking frameworks.
+      Remediation: Always pass a CryptoObject to FingerprintManager.authenticate().
+      Prefer migrating to BiometricPrompt (AndroidX) which enforces CryptoObject usage more strongly.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: $FM.authenticate(null, $CANCEL, 0, $CALLBACK, null)
+          - pattern: $FM.authenticate(null, $CANCEL, $FLAGS, $CALLBACK, null)
+    metadata:
+      cwe: "CWE-287: Improper Authentication"
+      owasp-mobile: "M4: Insecure Authentication"
+      masvs: "MASVS-AUTH-3"
+      category: android-auth
+      precision: very-high
+      confidence: very-high
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/287.html
+        - https://developer.android.com/reference/android/hardware/fingerprint/FingerprintManager
+
+  - id: zm-android-keygen-no-user-auth
+    severity: HIGH
+    message: |
+      Detected KeyGenerator or KeyPairGenerator without setUserAuthenticationRequired(true).
+      Keys generated without user authentication requirement can be used without biometric/PIN confirmation,
+      meaning any code running in the app context can use the key.
+      Remediation: Call setUserAuthenticationRequired(true) on the KeyGenParameterSpec.Builder.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: new KeyGenParameterSpec.Builder($ALIAS, $PURPOSES)
+    metadata:
+      cwe: "CWE-287: Improper Authentication"
+      owasp-mobile: "M4: Insecure Authentication"
+      masvs: "MASVS-CRYPTO-2"
+      category: android-crypto
+      precision: low
+      confidence: low
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/287.html
+        - https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec.Builder

package/rules/android/mobile-cwe-295-cert-pinning-missing.yaml

@@ -0,0 +1,78 @@
+# CWE-295: Missing Certificate Pinning (Android)
+# ZhuMa V4.0 - Android Rule Library
+# Source: V3 Audit Engine extension - cert pinning gaps
+
+rules:
+  - id: zm-android-okhttp-no-cert-pinner
+    severity: MEDIUM
+    message: |
+      Detected OkHttpClient built without CertificatePinner.
+      Without certificate pinning, the app trusts any certificate signed by a system CA,
+      making it vulnerable to compromised CAs or corporate MITM proxies.
+      Remediation: Add CertificatePinner to the OkHttpClient.Builder with pin hashes for your server certificates.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: new OkHttpClient.Builder()
+          - pattern: new OkHttpClient()
+    metadata:
+      cwe: "CWE-295: Improper Certificate Validation"
+      owasp-mobile: "M3: Insecure Communication"
+      masvs: "MASVS-NETWORK-4"
+      category: android-network
+      precision: low
+      confidence: low
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/295.html
+        - https://square.github.io/okhttp/features/https/#certificate-pinning
+
+  - id: zm-android-httpsurlconnection-no-hostname-verifier
+    severity: MEDIUM
+    message: |
+      Detected HttpsURLConnection used without a custom HostnameVerifier.
+      Default hostname verification only checks CN/SAN match; it does not pin to a specific certificate.
+      Remediation: Implement a custom HostnameVerifier that validates the certificate public key or SPKI hash.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: (HttpsURLConnection) $URL.openConnection()
+    metadata:
+      cwe: "CWE-295: Improper Certificate Validation"
+      owasp-mobile: "M3: Insecure Communication"
+      masvs: "MASVS-NETWORK-4"
+      category: android-network
+      precision: low
+      confidence: low
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/295.html
+
+  - id: zm-android-trustmanager-empty-check
+    severity: HIGH
+    message: |
+      Detected a TrustManager or X509TrustManager implementation with empty checkServerTrusted() method body.
+      This disables all server certificate validation for TLS connections, enabling MITM attacks.
+      Remediation: Never leave checkServerTrusted() empty. Implement proper certificate chain validation.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              public void checkServerTrusted(X509Certificate[] $CHAIN, String $AUTH) {
+                }
+          - pattern: |
+              public void checkServerTrusted(X509Certificate[] $C, String $S) throws CertificateException { }
+    metadata:
+      cwe: "CWE-295: Improper Certificate Validation"
+      owasp-mobile: "M3: Insecure Communication"
+      masvs: "MASVS-NETWORK-1"
+      category: android-network
+      precision: very-high
+      confidence: very-high
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/295.html
+        - https://developer.android.com/privacy-and-security/risks/ssl-validation

package/rules/android/mobile-cwe-295-webview-ssl-bypass.yaml

@@ -0,0 +1,104 @@
+# CWE-295: WebView SSL 错误处理 (Android)
+# 逐码 ZhuMa V4.0 — Android 规则库
+# 来源: V3 审计引擎 VULN-LS-004 (TLS 全信任)
+
+rules:
+  - id: zm-android-webview-ssl-error-handler-proceed
+    severity: CRITICAL
+    message: |
+      检测到 WebView SSL 错误处理器调用 SslErrorHandler.proceed()，忽略所有证书错误。
+      这使得 WebView 中所有 HTTPS 通信暴露于中间人攻击 (MITM)。
+      攻击者可通过自签名证书拦截并篡改 WebView 中加载的所有内容。
+      修复: 调用 SslErrorHandler.cancel()；在 release 构建中绝不应调用 proceed()。
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              public void onReceivedSslError(WebView $WV, SslErrorHandler $H, SslError $E) {
+                $H.proceed();
+              }
+          - pattern: |
+              $WV.setWebViewClient(new WebViewClient() {
+                public void onReceivedSslError(WebView $V, SslErrorHandler $H, SslError $E) {
+                  $H.proceed();
+                }
+              })
+    metadata:
+      cwe: "CWE-295: Improper Certificate Validation"
+      owasp-mobile: "M3: Insecure Communication"
+      masvs: "MASVS-NETWORK-1"
+      category: android-webview
+      precision: very-high
+      confidence: very-high
+      likelihood: high
+      impact: critical
+      source: "V3 Audit Engine - VULN-LS-004 (extended)"
+      references:
+        - https://developer.android.com/reference/android/webkit/SslErrorHandler#proceed()
+        - https://developer.android.com/privacy-and-security/risks/ssl-error-handling
+
+  - id: zm-android-okhttp-client-allowallssltls
+    severity: CRITICAL
+    message: |
+      检测到 OkHttp 客户端配置绕过 SSL 证书和主机名验证。
+      典型模式: hostnameVerifier(ALLOW_ALL) + 空 TrustManager。
+      这使得所有 HTTPS 通信完全暴露于 MITM 攻击。
+      修复: 使用 OkHttp 默认的证书验证；需要证书固定时使用 CertificatePinner。
+      参考: https://square.github.io/okhttp/4.x/okhttp/okhttp3/-certificate-pinner/
+    metadata:
+      cwe: "CWE-295: Improper Certificate Validation"
+      owasp-mobile: "M3: Insecure Communication"
+      masvs: "MASVS-NETWORK-1"
+      category: android-network
+      precision: high
+      confidence: high
+      likelihood: high
+      impact: critical
+      source: "V3 Audit Engine - baseline scan"
+      references:
+        - https://square.github.io/okhttp/4.x/okhttp/okhttp3/-certificate-pinner/
+    languages:
+      - java
+    patterns:
+      - pattern-inside: |
+          new OkHttpClient.Builder()
+            .hostnameVerifier($HV)
+            .sslSocketFactory($SSF, $TM)
+            .build()
+      - metavariable-regex:
+          metavariable: $SSF
+          regex: '.*'
+      - metavariable-regex:
+          metavariable: $TM
+          regex: '.*'
+    note: |
+      此规则检测 OkHttpClient Builder 中同时出现 hostnameVerifier + sslSocketFactory 的模式。
+      需结合人工审计确认传入的 TrustManager 和 HostnameVerifier 是否为空实现。
+    precision: low
+    confidence: low
+
+  - id: zm-android-httpurlconnection-ssl-bypass
+    severity: CRITICAL
+    message: |
+      检测到 HttpsURLConnection 禁用 SSL 验证。
+      通过设置 ALLOW_ALL_HOSTNAME_VERIFIER 和空 TrustManager，
+      所有 HTTPS 通信可被中间人攻击者拦截。
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              HttpsURLConnection.setDefaultHostnameVerifier($ALLOW_ALL)
+          - pattern: |
+              $CONN.setHostnameVerifier($ALLOW_ALL)
+    metadata:
+      cwe: "CWE-295: Improper Certificate Validation"
+      owasp-mobile: "M3: Insecure Communication"
+      masvs: "MASVS-NETWORK-1"
+      category: android-network
+      precision: medium
+      confidence: medium
+      source: "V3 Audit Engine - VULN-LS-004"
+      references:
+        - https://developer.android.com/privacy-and-security/risks/ssl-validation