npm - @zhuma4/cli - Versions diffs - 4.0.0-alpha.1 - Mend

@zhuma4/cli 4.0.0-alpha.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (288) hide show

package/README.md +42 -0
package/dist/commands/config.d.ts +3 -0
package/dist/commands/config.d.ts.map +1 -0
package/dist/commands/config.js +18 -0
package/dist/commands/config.js.map +1 -0
package/dist/commands/init.d.ts +3 -0
package/dist/commands/init.d.ts.map +1 -0
package/dist/commands/init.js +11 -0
package/dist/commands/init.js.map +1 -0
package/dist/commands/scan.d.ts +3 -0
package/dist/commands/scan.d.ts.map +1 -0
package/dist/commands/scan.js +96 -0
package/dist/commands/scan.js.map +1 -0
package/dist/commands/scan_appid.d.ts +20 -0
package/dist/commands/scan_appid.d.ts.map +1 -0
package/dist/commands/scan_appid.js +301 -0
package/dist/commands/scan_appid.js.map +1 -0
package/dist/commands/scan_manifest.d.ts +13 -0
package/dist/commands/scan_manifest.d.ts.map +1 -0
package/dist/commands/scan_manifest.js +103 -0
package/dist/commands/scan_manifest.js.map +1 -0
package/dist/engine/api-submit.d.ts +16 -0
package/dist/engine/api-submit.d.ts.map +1 -0
package/dist/engine/api-submit.js +66 -0
package/dist/engine/api-submit.js.map +1 -0
package/dist/engine/batch_scan.d.ts +36 -0
package/dist/engine/batch_scan.d.ts.map +1 -0
package/dist/engine/batch_scan.js +192 -0
package/dist/engine/batch_scan.js.map +1 -0
package/dist/engine/config.d.ts +12 -0
package/dist/engine/config.d.ts.map +1 -0
package/dist/engine/config.js +27 -0
package/dist/engine/config.js.map +1 -0
package/dist/engine/errors.d.ts +36 -0
package/dist/engine/errors.d.ts.map +1 -0
package/dist/engine/errors.js +99 -0
package/dist/engine/errors.js.map +1 -0
package/dist/engine/filter.d.ts +13 -0
package/dist/engine/filter.d.ts.map +1 -0
package/dist/engine/filter.js +64 -0
package/dist/engine/filter.js.map +1 -0
package/dist/engine/finding_classifier.d.ts +108 -0
package/dist/engine/finding_classifier.d.ts.map +1 -0
package/dist/engine/finding_classifier.js +440 -0
package/dist/engine/finding_classifier.js.map +1 -0
package/dist/engine/incremental/engine.d.ts +25 -0
package/dist/engine/incremental/engine.d.ts.map +1 -0
package/dist/engine/incremental/engine.js +337 -0
package/dist/engine/incremental/engine.js.map +1 -0
package/dist/engine/incremental/git-diff.d.ts +19 -0
package/dist/engine/incremental/git-diff.d.ts.map +1 -0
package/dist/engine/incremental/git-diff.js +175 -0
package/dist/engine/incremental/git-diff.js.map +1 -0
package/dist/engine/incremental/types.d.ts +33 -0
package/dist/engine/incremental/types.d.ts.map +1 -0
package/dist/engine/incremental/types.js +11 -0
package/dist/engine/incremental/types.js.map +1 -0
package/dist/engine/manifest_scanner.d.ts +48 -0
package/dist/engine/manifest_scanner.d.ts.map +1 -0
package/dist/engine/manifest_scanner.js +599 -0
package/dist/engine/manifest_scanner.js.map +1 -0
package/dist/engine/project.d.ts +22 -0
package/dist/engine/project.d.ts.map +1 -0
package/dist/engine/project.js +279 -0
package/dist/engine/project.js.map +1 -0
package/dist/engine/sarif.d.ts +13 -0
package/dist/engine/sarif.d.ts.map +1 -0
package/dist/engine/sarif.js +44 -0
package/dist/engine/sarif.js.map +1 -0
package/dist/engine/sca-integration.d.ts +36 -0
package/dist/engine/sca-integration.d.ts.map +1 -0
package/dist/engine/sca-integration.js +91 -0
package/dist/engine/sca-integration.js.map +1 -0
package/dist/engine/scanner.d.ts +18 -0
package/dist/engine/scanner.d.ts.map +1 -0
package/dist/engine/scanner.js +138 -0
package/dist/engine/scanner.js.map +1 -0
package/dist/index.d.ts +13 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +41 -0
package/dist/index.js.map +1 -0
package/dist/report/render.d.ts +23 -0
package/dist/report/render.d.ts.map +1 -0
package/dist/report/render.js +335 -0
package/dist/report/render.js.map +1 -0
package/package.json +41 -0
package/rules/android/mobile-cleartext-traffic.yaml +46 -0
package/rules/android/mobile-component-security.yaml +107 -0
package/rules/android/mobile-crypto-weakness.yaml +139 -0
package/rules/android/mobile-cwe-1021-tapjacking.yaml +81 -0
package/rules/android/mobile-cwe-114-dynamic-dex-loading.yaml +41 -0
package/rules/android/mobile-cwe-200-clipboard-data-leak.yaml +66 -0
package/rules/android/mobile-cwe-200-debug-builds.yaml +111 -0
package/rules/android/mobile-cwe-200-log-sensitive-data.yaml +61 -0
package/rules/android/mobile-cwe-200-webview-debugging.yaml +56 -0
package/rules/android/mobile-cwe-200-webview-universal-access.yaml +30 -0
package/rules/android/mobile-cwe-200-window-flags.yaml +96 -0
package/rules/android/mobile-cwe-22-content-provider-openfile.yaml +73 -0
package/rules/android/mobile-cwe-22-path-traversal.yaml +86 -0
package/rules/android/mobile-cwe-287-biometric-weakness.yaml +102 -0
package/rules/android/mobile-cwe-295-cert-pinning-missing.yaml +78 -0
package/rules/android/mobile-cwe-295-webview-ssl-bypass.yaml +104 -0
package/rules/android/mobile-cwe-312-cleartext-storage.yaml +109 -0
package/rules/android/mobile-cwe-319-cleartext-communication.yaml +84 -0
package/rules/android/mobile-cwe-321-hardcoded-crypto-keys.yaml +132 -0
package/rules/android/mobile-cwe-326-short-rsa.yaml +108 -0
package/rules/android/mobile-cwe-327-rc4-3des.yaml +107 -0
package/rules/android/mobile-cwe-329-cbc-padding-oracle.yaml +76 -0
package/rules/android/mobile-cwe-470-reflection-injection.yaml +39 -0
package/rules/android/mobile-cwe-489-root-detection-weak.yaml +125 -0
package/rules/android/mobile-cwe-489-stetho-debug.yaml +107 -0
package/rules/android/mobile-cwe-502-insecure-deserialization.yaml +76 -0
package/rules/android/mobile-cwe-552-world-readable-files.yaml +63 -0
package/rules/android/mobile-cwe-749-webview-java-objects.yaml +78 -0
package/rules/android/mobile-cwe-749-webview-jsbridge.yaml +57 -0
package/rules/android/mobile-cwe-749-webview-loadurl-injection.yaml +80 -0
package/rules/android/mobile-cwe-78-command-injection.yaml +77 -0
package/rules/android/mobile-cwe-780-rsa-no-oaep.yaml +80 -0
package/rules/android/mobile-cwe-79-webview-setdata.yaml +78 -0
package/rules/android/mobile-cwe-79-webview-xss.yaml +65 -0
package/rules/android/mobile-cwe-798-hardcoded-credentials.yaml +108 -0
package/rules/android/mobile-cwe-89-sql-injection.yaml +100 -0
package/rules/android/mobile-cwe-927-implicit-intent.yaml +121 -0
package/rules/android/mobile-cwe-927-ipc-file-provider.yaml +102 -0
package/rules/android/mobile-cwe-939-deeplink-validation.yaml +76 -0
package/rules/android/mobile-sdk-google-firebase-open.yaml +117 -0
package/rules/android/mobile-sdk-tencent-tpns-config-leak.yaml +131 -0
package/rules/android/mobile-secrets-storage.yaml +136 -0
package/rules/android/mobile-webview-security.yaml +88 -0
package/rules/common/cwe-200-sensitive-data-exposure.yaml +61 -0
package/rules/common/cwe-22-path-traversal.yaml +47 -0
package/rules/common/cwe-295-ssl-bypass.yaml +217 -0
package/rules/common/cwe-295-ssl-verification-disabled.yaml +64 -0
package/rules/common/cwe-306-missing-authentication.yaml +44 -0
package/rules/common/cwe-326-weak-key-size.yaml +107 -0
package/rules/common/cwe-327-weak-crypto.yaml +177 -0
package/rules/common/cwe-328-weak-hash.yaml +96 -0
package/rules/common/cwe-329-cbc-mode.yaml +26 -0
package/rules/common/cwe-352-csrf.yaml +23 -0
package/rules/common/cwe-434-unrestricted-file-upload.yaml +41 -0
package/rules/common/cwe-502-insecure-deserialization.yaml +44 -0
package/rules/common/cwe-601-url-redirect.yaml +110 -0
package/rules/common/cwe-611-xxe.yaml +70 -0
package/rules/common/cwe-732-incorrect-permission.yaml +49 -0
package/rules/common/cwe-770-resource-exhaustion.yaml +44 -0
package/rules/common/cwe-78-os-command-injection.yaml +43 -0
package/rules/common/cwe-787-out-of-bounds-write.yaml +37 -0
package/rules/common/cwe-79-xss.yaml +51 -0
package/rules/common/cwe-862-missing-authorization.yaml +40 -0
package/rules/common/cwe-89-sqli.yaml +89 -0
package/rules/common/cwe-918-ssrf.yaml +45 -0
package/rules/common/cwe-94-code-injection.yaml +59 -0
package/rules/common/zm-go-cwe22-path-traversal-fs.yaml +117 -0
package/rules/common/zm-go-cwe22-path-traversal.yaml +103 -0
package/rules/common/zm-go-cwe307-brute-force.yaml +129 -0
package/rules/common/zm-go-cwe326-weak-crypto.yaml +124 -0
package/rules/common/zm-go-cwe327-weak-cipher.yaml +152 -0
package/rules/common/zm-go-cwe384-session-fixation.yaml +128 -0
package/rules/common/zm-go-cwe502-deserialization.yaml +120 -0
package/rules/common/zm-go-cwe78-command-injection.yaml +95 -0
package/rules/common/zm-go-cwe79-xss.yaml +104 -0
package/rules/common/zm-go-cwe798-hardcoded-creds.yaml +153 -0
package/rules/common/zm-go-cwe89-sqli.yaml +89 -0
package/rules/common/zm-go-cwe918-ssrf.yaml +117 -0
package/rules/common/zm-java-cwe117-log-injection.yaml +83 -0
package/rules/common/zm-java-cwe117-logforging.yaml +153 -0
package/rules/common/zm-java-cwe200-actuator-exposure.yaml +8 -0
package/rules/common/zm-java-cwe200-info-disclosure.yaml +91 -0
package/rules/common/zm-java-cwe22-file-depth.yaml +135 -0
package/rules/common/zm-java-cwe22-path-traversal-spring.yaml +81 -0
package/rules/common/zm-java-cwe284-missing-auth-spring.yaml +131 -0
package/rules/common/zm-java-cwe295-webview-ssl.yaml +123 -0
package/rules/common/zm-java-cwe327-weakcrypto.yaml +197 -0
package/rules/common/zm-java-cwe347-jwt.yaml +30 -0
package/rules/common/zm-java-cwe352-csrf-depth.yaml +107 -0
package/rules/common/zm-java-cwe352-csrf-disabled.yaml +15 -0
package/rules/common/zm-java-cwe501-trust-boundary.yaml +124 -0
package/rules/common/zm-java-cwe502-deserial-depth.yaml +128 -0
package/rules/common/zm-java-cwe502-fastjson.yaml +137 -0
package/rules/common/zm-java-cwe502-gadget.yaml +158 -0
package/rules/common/zm-java-cwe502-jndi-injection.yaml +91 -0
package/rules/common/zm-java-cwe502-shiro.yaml +108 -0
package/rules/common/zm-java-cwe601-url-redirect-spring.yaml +85 -0
package/rules/common/zm-java-cwe611-xxe-enhanced.yaml +80 -0
package/rules/common/zm-java-cwe611-xxe-transformer.yaml +85 -0
package/rules/common/zm-java-cwe639-idor.yaml +123 -0
package/rules/common/zm-java-cwe79-xss-depth.yaml +98 -0
package/rules/common/zm-java-cwe862-authz-depth.yaml +127 -0
package/rules/common/zm-java-cwe915-mass-assignment.yaml +16 -0
package/rules/common/zm-java-cwe917-expression-injection.yaml +120 -0
package/rules/common/zm-java-cwe918-resttemplate.yaml +67 -0
package/rules/common/zm-java-cwe918-ssrf-depth.yaml +103 -0
package/rules/common/zm-java-cwe918-ssrf-resttemplate.yaml +77 -0
package/rules/common/zm-java-cwe918-webclient.yaml +44 -0
package/rules/common/zm-java-cwe94-ognl.yaml +66 -0
package/rules/common/zm-java-cwe94-spel-injection.yaml +85 -0
package/rules/common/zm-java-cwe94-spel.yaml +112 -0
package/rules/common/zm-java-cwe94-ssti.yaml +22 -0
package/rules/common/zm-java-cwe942-cors.yaml +15 -0
package/rules/common/zm-js-cwe1321-prototype-pollution.yaml +61 -0
package/rules/common/zm-js-cwe200-info-disclosure.yaml +95 -0
package/rules/common/zm-js-cwe22-path-traversal-fs.yaml +113 -0
package/rules/common/zm-js-cwe22-pathtraversal.yaml +111 -0
package/rules/common/zm-js-cwe307-brute-force.yaml +136 -0
package/rules/common/zm-js-cwe345-postmessage.yaml +75 -0
package/rules/common/zm-js-cwe347-jwt-weak.yaml +95 -0
package/rules/common/zm-js-cwe352-csrf.yaml +52 -0
package/rules/common/zm-js-cwe384-session-fixation.yaml +132 -0
package/rules/common/zm-js-cwe502-deserialization.yaml +119 -0
package/rules/common/zm-js-cwe611-xxe.yaml +108 -0
package/rules/common/zm-js-cwe639-idor.yaml +122 -0
package/rules/common/zm-js-cwe693-helmet-missing.yaml +46 -0
package/rules/common/zm-js-cwe78-exec.yaml +37 -0
package/rules/common/zm-js-cwe78-spawn.yaml +37 -0
package/rules/common/zm-js-cwe79-domxss.yaml +84 -0
package/rules/common/zm-js-cwe79-react-xss.yaml +18 -0
package/rules/common/zm-js-cwe79-xss-ejs.yaml +70 -0
package/rules/common/zm-js-cwe89-sqli.yaml +153 -0
package/rules/common/zm-js-cwe915-mass-assignment.yaml +111 -0
package/rules/common/zm-js-cwe918-ssrf-fetch.yaml +134 -0
package/rules/common/zm-js-cwe918-ssrf.yaml +132 -0
package/rules/common/zm-js-cwe94-template-injection.yaml +130 -0
package/rules/common/zm-js-cwe942-cors.yaml +49 -0
package/rules/common/zm-js-cwe943-nosql-injection.yaml +52 -0
package/rules/common/zm-js-cwe95-eval.yaml +59 -0
package/rules/common/zm-js-cwe95-function-ctor.yaml +31 -0
package/rules/common/zm-py-cwe22-path-traversal.yaml +86 -0
package/rules/common/zm-py-cwe327-weak-crypto.yaml +103 -0
package/rules/common/zm-py-cwe502-pickle.yaml +92 -0
package/rules/common/zm-py-cwe611-xxe.yaml +100 -0
package/rules/common/zm-py-cwe78-command-injection.yaml +121 -0
package/rules/common/zm-py-cwe79-xss.yaml +123 -0
package/rules/common/zm-py-cwe798-hardcoded-creds.yaml +86 -0
package/rules/common/zm-py-cwe89-sqli.yaml +59 -0
package/rules/common/zm-py-cwe918-ssrf.yaml +123 -0
package/rules/common/zm-py-cwe94-ssti.yaml +87 -0
package/rules/common/zm-py-cwe943-nosql-injection.yaml +123 -0
package/rules/iac/ansible/zm-ansible-cwe269-privilege-escalation.yaml +63 -0
package/rules/iac/ansible/zm-ansible-cwe78-command-injection.yaml +67 -0
package/rules/iac/ansible/zm-ansible-cwe798-hardcoded-creds.yaml +93 -0
package/rules/iac/terraform/zm-tf-cwe200-s3-bucket-public.yaml +100 -0
package/rules/iac/terraform/zm-tf-cwe284-sg-wide-open.yaml +88 -0
package/rules/iac/terraform/zm-tf-cwe311-iam-wildcard.yaml +83 -0
package/rules/iac/terraform/zm-tf-cwe319-rds-public.yaml +72 -0
package/rules/iac/terraform/zm-tf-cwe798-hardcoded-creds.yaml +102 -0
package/rules/iac/zm-docker-cwe250-root-user.yaml +50 -0
package/rules/iac/zm-docker-cwe400-resource-limit.yaml +92 -0
package/rules/iac/zm-docker-security.yaml +104 -0
package/rules/iac/zm-k8s-cwe200-service-account.yaml +83 -0
package/rules/iac/zm-k8s-cwe250-privileged.yaml +56 -0
package/rules/iac/zm-k8s-security.yaml +79 -0
package/rules/rules_index.yaml.off +477 -0
package/rules/semgrep-registry/anonymous-ldap-bind.yaml +34 -0
package/rules/semgrep-registry/bad-hexa-conversion.yaml +32 -0
package/rules/semgrep-registry/blowfish-insufficient-key-size.yaml +39 -0
package/rules/semgrep-registry/cbc-padding-oracle.yaml +38 -0
package/rules/semgrep-registry/command-injection-formatted-runtime-call.yaml +90 -0
package/rules/semgrep-registry/command-injection-process-builder.yaml +148 -0
package/rules/semgrep-registry/cookie-missing-httponly.yaml +38 -0
package/rules/semgrep-registry/cookie-missing-secure-flag.yaml +38 -0
package/rules/semgrep-registry/crlf-injection-logs.yaml +86 -0
package/rules/semgrep-registry/dangerous-groovy-shell.yaml +46 -0
package/rules/semgrep-registry/el-injection.yaml +137 -0
package/rules/semgrep-registry/formatted-sql-string.yaml +95 -0
package/rules/semgrep-registry/http-response-splitting.yaml +44 -0
package/rules/semgrep-registry/index.txt +1 -0
package/rules/semgrep-registry/insecure-smtp-connection.yaml +34 -0
package/rules/semgrep-registry/java-reverse-shell.yaml +43 -0
package/rules/semgrep-registry/jdbc-sql-formatted-string.yaml +120 -0
package/rules/semgrep-registry/ldap-entry-poisoning.yaml +41 -0
package/rules/semgrep-registry/ldap-injection.yaml +82 -0
package/rules/semgrep-registry/md5-used-as-password.yaml +44 -0
package/rules/semgrep-registry/object-deserialization.yaml +34 -0
package/rules/semgrep-registry/ognl-injection.yaml +839 -0
package/rules/semgrep-registry/overly-permissive-file-permission.yaml +49 -0
package/rules/semgrep-registry/permissive-cors.yaml +77 -0
package/rules/semgrep-registry/script-engine-injection.yaml +66 -0
package/rules/semgrep-registry/tainted-cmd-from-http-request.yaml +74 -0
package/rules/semgrep-registry/tainted-env-from-http-request.yaml +46 -0
package/rules/semgrep-registry/tainted-ldapi-from-http-request.yaml +42 -0
package/rules/semgrep-registry/tainted-session-from-http-request.yaml +70 -0
package/rules/semgrep-registry/tainted-xpath-from-http-request.yaml +38 -0
package/rules/semgrep-registry/unsafe-reflection.yaml +39 -0
package/rules/semgrep-registry/unvalidated-redirect.yaml +127 -0
package/rules/semgrep-registry/url-rewriting.yaml +82 -0
package/rules/semgrep-registry/weak-ssl-context.yaml +34 -0
package/rules/semgrep-registry/xml-decoder.yaml +53 -0
package/rules/semgrep-registry/xssrequestwrapper-is-insecure.yaml +40 -0

package/rules/android/mobile-cwe-312-cleartext-storage.yaml ADDED Viewed

@@ -0,0 +1,109 @@
+# CWE-312: Cleartext Storage of Sensitive Information (Android)
+# ZhuMa V4.0 - Android Rule Library
+# Source: V3 Audit Engine extension - cleartext storage patterns
+rules:
+  - id: zm-android-sharedprefs-sensitive-key
+    severity: WARNING
+    message: |
+      Detected SharedPreferences storing data with a sensitive key name (password, token, ssn, credit_card, passport, license).
+      Storing sensitive data in SharedPreferences without encryption exposes it to other apps with root access or backup extraction.
+      Remediation: Use EncryptedSharedPreferences (AndroidX Security) or Android Keystore for sensitive data storage.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: $SP.edit().putString("$KEY", $VAL)
+          - pattern: $SP.edit().putString("$KEY", $VAL);
+          - pattern: $EDITOR.putString("$KEY", $VAL)
+      - metavariable-regex:
+          metavariable: $KEY
+          regex: '(?i)(password|passwd|pwd|token|secret|ssn|credit_card|creditcard|passport|license|pin|apikey|api_key|access_token|refresh_token|auth_token|bearer)'
+    metadata:
+      cwe: "CWE-312: Cleartext Storage of Sensitive Information"
+      owasp-mobile: "M2: Insecure Data Storage"
+      masvs: "MASVS-STORAGE-1"
+      category: android-storage
+      precision: medium
+      confidence: medium
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/312.html
+        - https://developer.android.com/reference/androidx/security/crypto/EncryptedSharedPreferences
+  - id: zm-android-sqlite-sensitive-column-insert
+    severity: WARNING
+    message: |
+      Detected SQLiteDatabase.insert() or execSQL() operating on a column named password, secret, or token.
+      Storing sensitive values in plaintext SQLite allows extraction via backup or root access.
+      Remediation: Encrypt sensitive columns before storage using Android Keystore-backed AES-GCM.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: $DB.insert("$TABLE", null, $VALUES)
+          - pattern: $DB.execSQL("$SQL", $ARGS)
+          - pattern: $DB.rawQuery("$SQL", $ARGS)
+      - metavariable-regex:
+          metavariable: $TABLE
+          regex: '(?i)(user|account|credential|auth|token|session)'
+    metadata:
+      cwe: "CWE-312: Cleartext Storage of Sensitive Information"
+      owasp-mobile: "M2: Insecure Data Storage"
+      masvs: "MASVS-STORAGE-1"
+      category: android-storage
+      precision: low
+      confidence: low
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/312.html
+        - https://developer.android.com/privacy-and-security/risks/sql-injection
+  - id: zm-android-fileoutputstream-password-field
+    severity: WARNING
+    message: |
+      Detected FileOutputStream writing data from an EditText with inputType textPassword or numberPassword.
+      Writing password field content to a file without encryption exposes credentials on disk.
+      Remediation: Encrypt data before writing or avoid persisting password field values to storage.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              $FOS.write($PW.getText().toString().getBytes())
+          - pattern: |
+              $FOS.write($PW.getText().toString().getBytes("$ENC"))
+    metadata:
+      cwe: "CWE-312: Cleartext Storage of Sensitive Information"
+      owasp-mobile: "M2: Insecure Data Storage"
+      masvs: "MASVS-STORAGE-1"
+      category: android-storage
+      precision: low
+      confidence: low
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/312.html
+  - id: zm-android-internal-storage-sensitive-write
+    severity: WARNING
+    message: |
+      Detected openFileOutput() writing a file whose name contains sensitive keywords (credential, token, secret, password).
+      Files stored in internal storage can still be accessed via rooted devices or backup extraction.
+      Remediation: Use EncryptedFile (AndroidX Security) for sensitive file storage.
+    languages:
+      - java
+    patterns:
+      - pattern: openFileOutput("$FNAME", $MODE)
+      - metavariable-regex:
+          metavariable: $FNAME
+          regex: '(?i)(credential|token|secret|password|auth|key|ssn|private)'
+    metadata:
+      cwe: "CWE-312: Cleartext Storage of Sensitive Information"
+      owasp-mobile: "M2: Insecure Data Storage"
+      masvs: "MASVS-STORAGE-1"
+      category: android-storage
+      precision: medium
+      confidence: medium
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/312.html

package/rules/android/mobile-cwe-319-cleartext-communication.yaml ADDED Viewed

@@ -0,0 +1,84 @@
+# CWE-319: HTTP 明文通信 / Websocket 明文 (Android)
+# 逐码 ZhuMa V4.0 — Android 规则库
+# 来源: V3 审计引擎 baseline scan / all_in_one.js
+rules:
+  - id: zm-android-usescleartext-traffic-true
+    severity: HIGH
+    message: |
+      检测到允许 HTTP 明文通信的配置。
+      Android 9+ (API 28) 默认阻止 HTTP 明文流量。如果以下配置存在，
+      则 APP 有意允许 HTTP 流量，存在凭证嗅探和中间人攻击风险。
+      修复: 使用 HTTPS；如需临时调试，仅在 debug builds 中启用。
+    metadata:
+      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
+      owasp-mobile: "M3: Insecure Communication"
+      masvs: "MASVS-NETWORK-1"
+      category: android-network
+      precision: high
+      confidence: high
+      likelihood: high
+      impact: high
+      source: "V3 Audit Engine - baseline scan"
+      references:
+        - https://developer.android.com/privacy-and-security/risks/cleartext-communications
+    languages:
+      - java
+    patterns:
+      - pattern: |
+          $A.setExported(true);
+  - id: zm-android-okhttp-http-url
+    severity: HIGH
+    message: |
+      检测到 OkHttp 请求使用 HTTP (非 HTTPS) URL。
+      HTTP 通信无法防止中间人攻击和数据嗅探。
+      修复: 改为 HTTPS；或在服务端强制 301 重定向。
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              new Request.Builder().url("http://$HOST")
+          - pattern: |
+              $REQ.url("http://$HOST")
+    metavariable-regex:
+      metavariable: $HOST
+      regex: '^(?!localhost|127\.0\.0\.1|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01]))'
+    metadata:
+      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
+      owasp-mobile: "M3: Insecure Communication"
+      masvs: "MASVS-NETWORK-1"
+      category: android-network
+      precision: medium
+      confidence: medium
+      source: "V3 Audit Engine - all_in_one.js HTTP scan"
+      references:
+        - https://developer.android.com/privacy-and-security/risks/cleartext-communications
+  - id: zm-android-httpurlconnection-http
+    severity: HIGH
+    message: |
+      检测到直接打开 HTTP URL 连接。
+      应使用 HttpsURLConnection 替代。
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              $URL.openConnection()
+          - pattern: |
+              new URL("http://$HOST")
+      - metavariable-regex:
+          metavariable: $HOST
+          regex: '^(?!localhost|127\.0\.0\.1|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01]))'
+    metadata:
+      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
+      owasp-mobile: "M3: Insecure Communication"
+      masvs: "MASVS-NETWORK-1"
+      category: android-network
+      precision: low
+      confidence: low
+      source: "V3 Audit Engine - baseline scan"
+      references:
+        - https://developer.android.com/privacy-and-security/risks/cleartext-communications

package/rules/android/mobile-cwe-321-hardcoded-crypto-keys.yaml ADDED Viewed

@@ -0,0 +1,132 @@
+# CWE-321: 硬编码加密密钥 (Android)
+# 逐码 ZhuMa V4.0 — Android 规则库
+# 来源: V3 审计引擎 VULN-CRYPTO-* (scan_crypto_expanded)
+rules:
+  - id: zm-android-hardcoded-aes-key
+    severity: CRITICAL
+    message: |
+      检测到硬编码 AES 密钥。AES 密钥硬编码在源码中可被逆向提取，
+      导致所有以此密钥加密的数据失效。
+      应使用 Android Keystore System + TEE/StrongBox 生成和管理密钥。
+      修复: KeyGenParameterSpec + AndroidKeyStore provider
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              new SecretKeySpec($BYTES, $ALG)
+    metavariable-regex:
+      metavariable: $KEY
+      regex: '.{8,}'
+    metadata:
+      cwe: "CWE-321: Use of Hard-coded Cryptographic Key"
+      owasp-mobile: "M5: Insufficient Cryptography"
+      masvs: "MASVS-CRYPTO-1"
+      category: android-crypto
+      precision: high
+      confidence: high
+      likelihood: high
+      impact: critical
+      source: "V3 Audit Engine - VULN-CRYPTO-*"
+      references:
+        - https://developer.android.com/privacy-and-security/cryptography
+        - https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec
+  - id: zm-android-hardcoded-des-key
+    severity: CRITICAL
+    message: |
+      检测到硬编码 DES 密钥。DES 密钥长度仅 56 位，可在数小时内暴力破解。
+      且密钥硬编码在源码中可直接逆向提取。
+      立即迁移至 Android Keystore System + AES-256-GCM。
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              new SecretKeySpec($BYTES, $ALG)
+    metavariable-regex:
+      metavariable: $KEY
+      regex: '.{8,}'
+    metadata:
+      cwe: "CWE-321: Use of Hard-coded Cryptographic Key"
+      owasp-mobile: "M5: Insufficient Cryptography"
+      masvs: "MASVS-CRYPTO-1"
+      category: android-crypto
+      precision: high
+      confidence: high
+      source: "V3 Audit Engine - VULN-CRYPTO-*"
+  - id: zm-android-hardcoded-pbe-password
+    severity: CRITICAL
+    message: |
+      检测到硬编码 PBE (Password-Based Encryption) 密码。
+      PBE 密钥派生密码硬编码使得密钥可通过静态分析直接提取。
+      应使用 Android Keystore System 或从用户输入派生密码。
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: new PBEKeySpec($PWD)
+    metavariable-regex:
+      metavariable: $PWD
+      regex: '.{6,}'
+    metadata:
+      cwe: "CWE-321: Use of Hard-coded Cryptographic Key"
+      owasp-mobile: "M5: Insufficient Cryptography"
+      masvs: "MASVS-CRYPTO-1"
+      category: android-crypto
+      precision: high
+      confidence: high
+      source: "V3 Audit Engine - VULN-CRYPTO-*"
+  - id: zm-android-hardcoded-iv
+    severity: HIGH
+    message: |
+      检测到硬编码/静态初始化向量（IV）。
+      对于 CBC 模式，固定 IV 使加密确定性化，可遭受块重放攻击。
+      对于 GCM 模式，IV 重用会完全破坏认证加密的安全性。
+      必须使用 SecureRandom 为每次加密生成随机 IV。
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              new IvParameterSpec($IV_BYTES)
+          - pattern: |
+              new GCMParameterSpec(128, $IV_BYTES)
+    metavariable-regex:
+      metavariable: $IV
+      regex: '.{8,}'
+    metadata:
+      cwe: "CWE-321: Use of Hard-coded Cryptographic Key"
+      owasp-mobile: "M5: Insufficient Cryptography"
+      masvs: "MASVS-CRYPTO-2"
+      category: android-crypto
+      precision: high
+      confidence: high
+      source: "V3 Audit Engine - VULN-CRYPTO-*"
+      references:
+        - https://csrc.nist.gov/glossary/term/initialization_vector
+  - id: zm-android-hardcoded-rsa-private-key
+    severity: CRITICAL
+    message: |
+      检测到硬编码 RSA 私钥（PKCS8EncodedKeySpec）。
+      私钥硬编码在客户端 APK 中可被直接逆向提取，相当于将私钥公开发布。
+      应立即吊销该密钥对，迁移至 Android Keystore System 生成和存储私钥。
+    languages:
+      - java
+    pattern: |
+      new PKCS8EncodedKeySpec("$KEY".getBytes())
+    metavariable-regex:
+      metavariable: $KEY
+      regex: '.{20,}'
+    metadata:
+      cwe: "CWE-321: Use of Hard-coded Cryptographic Key"
+      owasp-mobile: "M5: Insufficient Cryptography"
+      masvs: "MASVS-CRYPTO-1"
+      category: android-crypto
+      precision: very-high
+      confidence: very-high
+      source: "V3 Audit Engine - VULN-CRYPTO-*"

package/rules/android/mobile-cwe-326-short-rsa.yaml ADDED Viewed

@@ -0,0 +1,108 @@
+# CWE-326: Inadequate Encryption Strength - Short RSA Key (Android)
+# ZhuMa V4.0 - Android Rule Library
+# Source: ZhuMa V4.1 Rule Expansion - key size validation
+rules:
+  - id: zm-android-rsa-key-less-than-2048
+    severity: HIGH
+    message: |
+      Detected RSA key generation with key size less than 2048 bits.
+      RSA keys shorter than 2048 bits are considered breakable and do not meet NIST minimum requirements.
+      Remediation: Use at least 2048-bit RSA keys. For new deployments, prefer 3072-bit or ECC.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: KeyPairGenerator.getInstance("RSA").initialize($SIZE)
+          - pattern: KeyPairGenerator.getInstance("RSA").initialize($SIZE, $RANDOM)
+          - pattern: KeyPairGenerator.getInstance("RSA", "$P").initialize($SIZE)
+      - metavariable-comparison:
+          metavariable: $SIZE
+          comparison: $SIZE < 2048
+    metadata:
+      cwe: "CWE-326: Inadequate Encryption Strength"
+      owasp-mobile: "M5: Insufficient Cryptography"
+      masvs: "MASVS-CRYPTO-1"
+      category: android-crypto
+      precision: high
+      confidence: high
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/326.html
+        - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf
+  - id: zm-android-ec-key-less-than-256
+    severity: MEDIUM
+    message: |
+      Detected EC key generation with key size less than 256 bits.
+      EC keys below 256 bits (e.g., secp224r1) do not provide adequate security margins.
+      Remediation: Use at least 256-bit EC curves (secp256r1/P-256 or secp384r1/P-384).
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: KeyPairGenerator.getInstance("EC").initialize($SIZE)
+          - pattern: KeyPairGenerator.getInstance("EC").initialize($SIZE, $RANDOM)
+          - pattern: KeyPairGenerator.getInstance("ECDSA").initialize($SIZE)
+      - metavariable-comparison:
+          metavariable: $SIZE
+          comparison: $SIZE < 256
+    metadata:
+      cwe: "CWE-326: Inadequate Encryption Strength"
+      owasp-mobile: "M5: Insufficient Cryptography"
+      masvs: "MASVS-CRYPTO-1"
+      category: android-crypto
+      precision: high
+      confidence: high
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/326.html
+  - id: zm-android-aes-key-less-than-128
+    severity: CRITICAL
+    message: |
+      Detected AES/SecretKeySpec with key length less than 128 bits.
+      AES minimum security strength is 128 bits. Shorter keys are trivially brute-forceable.
+      Remediation: Use at least 128-bit keys. For long-term security, prefer AES-256.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: KeyGenerator.getInstance("AES").init($SIZE)
+          - pattern: KeyGenerator.getInstance("AES").init($SIZE, $RANDOM)
+      - metavariable-comparison:
+          metavariable: $SIZE
+          comparison: $SIZE < 128
+    metadata:
+      cwe: "CWE-326: Inadequate Encryption Strength"
+      owasp-mobile: "M5: Insufficient Cryptography"
+      masvs: "MASVS-CRYPTO-1"
+      category: android-crypto
+      precision: high
+      confidence: high
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/326.html
+  - id: zm-android-secure-random-weak-seed
+    severity: MEDIUM
+    message: |
+      Detected SecureRandom seeded with a predictable or static value.
+      Using a fixed seed (e.g., system time, hardcoded byte array) makes the RNG output predictable,
+      compromising any cryptographic operations that depend on it.
+      Remediation: Use new SecureRandom() without a seed; Android's SecureRandom is automatically seeded from /dev/urandom.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: $SR.setSeed($SEED)
+    metadata:
+      cwe: "CWE-326: Inadequate Encryption Strength"
+      owasp-mobile: "M5: Insufficient Cryptography"
+      masvs: "MASVS-CRYPTO-1"
+      category: android-crypto
+      precision: medium
+      confidence: medium
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/326.html

package/rules/android/mobile-cwe-327-rc4-3des.yaml ADDED Viewed

@@ -0,0 +1,107 @@
+# CWE-327: Broken/Risky Cryptographic Algorithm (RC4, 3DES, Blowfish)
+# ZhuMa V4.0 - Android Rule Library
+# Source: ZhuMa V4.1 Rule Expansion - legacy cipher detection
+rules:
+  - id: zm-android-rc4-cipher
+    severity: HIGH
+    message: |
+      Detected RC4 (ARCFOUR) cipher usage. RC4 has known statistical biases allowing plaintext recovery
+      from ciphertext after observing sufficient encrypted traffic.
+      RC4 is prohibited by RFC 7465 and should never be used.
+      Remediation: Replace RC4 with AES/GCM/NoPadding.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: Cipher.getInstance("RC4")
+          - pattern: Cipher.getInstance("RC4", "$P")
+          - pattern: Cipher.getInstance("ARCFOUR")
+          - pattern: Cipher.getInstance("ARCFOUR", "$P")
+    metadata:
+      cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
+      owasp-mobile: "M5: Insufficient Cryptography"
+      masvs: "MASVS-CRYPTO-1"
+      category: android-crypto
+      precision: very-high
+      confidence: very-high
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/327.html
+        - https://datatracker.ietf.org/doc/rfc7465/
+  - id: zm-android-3des-cipher
+    severity: MEDIUM
+    message: |
+      Detected 3DES (Triple DES / DESede) cipher usage. 3DES has an effective security of only 112 bits
+      and is vulnerable to Sweet32 birthday attacks when encrypting large amounts of data.
+      3DES is being deprecated by NIST and should be replaced.
+      Remediation: Replace 3DES with AES/GCM/NoPadding (minimum AES-128, prefer AES-256).
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: Cipher.getInstance("DESede")
+          - pattern: Cipher.getInstance("DESede/$MODE/$PAD")
+          - pattern: Cipher.getInstance("DESede", "$P")
+          - pattern: Cipher.getInstance("DESede/$MODE/$PAD", "$P")
+    metadata:
+      cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
+      owasp-mobile: "M5: Insufficient Cryptography"
+      masvs: "MASVS-CRYPTO-1"
+      category: android-crypto
+      precision: very-high
+      confidence: very-high
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/327.html
+        - https://sweet32.info/
+  - id: zm-android-blowfish-cipher
+    severity: MEDIUM
+    message: |
+      Detected Blowfish cipher usage. Blowfish has a 64-bit block size, making it vulnerable to
+      Sweet32-style birthday attacks (same class as 3DES) after ~4GB of encrypted data.
+      Remediation: Replace Blowfish with AES/GCM/NoPadding or another 128-bit block cipher.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: Cipher.getInstance("Blowfish")
+          - pattern: Cipher.getInstance("Blowfish/$MODE/$PAD")
+          - pattern: Cipher.getInstance("Blowfish", "$P")
+          - pattern: Cipher.getInstance("Blowfish/$MODE/$PAD", "$P")
+    metadata:
+      cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
+      owasp-mobile: "M5: Insufficient Cryptography"
+      masvs: "MASVS-CRYPTO-1"
+      category: android-crypto
+      precision: very-high
+      confidence: very-high
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/327.html
+  - id: zm-android-des-single-cipher
+    severity: CRITICAL
+    message: |
+      Detected single DES cipher usage. DES uses a 56-bit key which is trivially brute-forceable
+      and has been broken for decades. Single DES must never be used.
+      Remediation: Replace DES with AES/GCM/NoPadding (minimum 128-bit key).
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: Cipher.getInstance("DES")
+          - pattern: Cipher.getInstance("DES/$MODE/$PAD")
+          - pattern: Cipher.getInstance("DES", "$P")
+    metadata:
+      cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
+      owasp-mobile: "M5: Insufficient Cryptography"
+      masvs: "MASVS-CRYPTO-1"
+      category: android-crypto
+      precision: very-high
+      confidence: very-high
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/327.html

package/rules/android/mobile-cwe-329-cbc-padding-oracle.yaml ADDED Viewed

@@ -0,0 +1,76 @@
+# CWE-329: CBC Mode Without Integrity Check (Android)
+# ZhuMa V4.0 - Android Rule Library
+# Source: ZhuMa V4.1 Rule Expansion - padding oracle attack surface
+rules:
+  - id: zm-android-cbc-without-mac
+    severity: HIGH
+    message: |
+      Detected AES/CBC cipher mode without HMAC or authenticated encryption.
+      CBC mode alone is vulnerable to padding oracle attacks when used without integrity protection.
+      An attacker can modify ciphertexts and observe decryption error behavior to recover plaintext.
+      Remediation: Use AES/GCM which provides built-in authentication, or apply Encrypt-then-MAC with HMAC-SHA256.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: Cipher.getInstance("AES/CBC/$PADDING")
+          - pattern: Cipher.getInstance("AES/CBC/$PADDING", "$PROVIDER")
+    metadata:
+      cwe: "CWE-329: Generation of Predictable IV with CBC Mode"
+      owasp-mobile: "M5: Insufficient Cryptography"
+      masvs: "MASVS-CRYPTO-1"
+      category: android-crypto
+      precision: very-high
+      confidence: very-high
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/329.html
+        - https://developer.android.com/privacy-and-security/risks/crypto-deprecation
+  - id: zm-android-cbc-pkcs5-padding-oracle
+    severity: HIGH
+    message: |
+      Detected AES/CBC/PKCS5Padding (or PKCS7Padding) without MAC verification.
+      PKCS5/PKCS7 padding in CBC mode creates a padding oracle if the server returns different
+      error messages for valid vs invalid padding.
+      Remediation: Use AES/GCM/NoPadding instead of CBC with PKCS padding.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: Cipher.getInstance("AES/CBC/PKCS5Padding")
+          - pattern: Cipher.getInstance("AES/CBC/PKCS5Padding", "$PROVIDER")
+    metadata:
+      cwe: "CWE-329: Generation of Predictable IV with CBC Mode"
+      owasp-mobile: "M5: Insufficient Cryptography"
+      masvs: "MASVS-CRYPTO-1"
+      category: android-crypto
+      precision: very-high
+      confidence: very-high
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/329.html
+  - id: zm-android-custom-cipher-decrypt-no-integrity
+    severity: MEDIUM
+    message: |
+      Detected Cipher.doFinal() in decrypt mode without any subsequent MAC/hash verification.
+      Data decrypted without integrity verification is vulnerable to bit-flipping and padding oracle attacks.
+      Remediation: Use authenticated encryption (AES/GCM) or verify an HMAC before decrypting.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: $DECRYPT.init(Cipher.DECRYPT_MODE, $KEY, $IV)
+          - pattern: $DECRYPT.doFinal($DATA)
+    metadata:
+      cwe: "CWE-329: Generation of Predictable IV with CBC Mode"
+      owasp-mobile: "M5: Insufficient Cryptography"
+      masvs: "MASVS-CRYPTO-1"
+      category: android-crypto
+      precision: low
+      confidence: low
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/329.html

package/rules/android/mobile-cwe-470-reflection-injection.yaml ADDED Viewed

@@ -0,0 +1,39 @@
+# CWE-470: 反射调用使用不可信类名 (Android)
+# 逐码 ZhuMa V4.0 — Android 规则库
+# 来源: V3 审计引擎 VULN-CE-003
+rules:
+  - id: zm-android-reflection-untrusted-classname
+    severity: HIGH
+    message: |
+      检测到 Class.forName() 使用可能来自用户输入的类名。
+      攻击者可通过 JS Bridge / Deeplink / Intent Extra 传入恶意类名，
+      利用反射实例化任意类，可能导致代码执行或安全绕过。
+      修复: 使用白名单映射限制允许的类名；绝不从外部输入直接获取类名。
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              Class.forName($INPUT)
+          - pattern: |
+              Class.forName($INPUT, $INIT, $LOADER)
+      - pattern-either:
+          - pattern-regex: 'getString'
+          - pattern-regex: 'getIntent'
+          - pattern-regex: 'getParam'
+          - pattern-regex: 'getQuery'
+          - pattern-regex: 'getData'
+          - pattern-regex: 'getExtras'
+    metadata:
+      cwe: "CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')"
+      owasp-mobile: "M8: Code Tampering"
+      masvs: "MASVS-CODE-4"
+      category: android-code-execution
+      precision: medium
+      confidence: medium
+      likelihood: medium
+      impact: high
+      source: "V3 Audit Engine - VULN-CE-003"
+      references:
+        - https://cwe.mitre.org/data/definitions/470.html