npm - @zhuma4/cli - Versions diffs - 4.0.0-alpha.1 - Mend

@zhuma4/cli 4.0.0-alpha.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (288) hide show

package/README.md +42 -0
package/dist/commands/config.d.ts +3 -0
package/dist/commands/config.d.ts.map +1 -0
package/dist/commands/config.js +18 -0
package/dist/commands/config.js.map +1 -0
package/dist/commands/init.d.ts +3 -0
package/dist/commands/init.d.ts.map +1 -0
package/dist/commands/init.js +11 -0
package/dist/commands/init.js.map +1 -0
package/dist/commands/scan.d.ts +3 -0
package/dist/commands/scan.d.ts.map +1 -0
package/dist/commands/scan.js +96 -0
package/dist/commands/scan.js.map +1 -0
package/dist/commands/scan_appid.d.ts +20 -0
package/dist/commands/scan_appid.d.ts.map +1 -0
package/dist/commands/scan_appid.js +301 -0
package/dist/commands/scan_appid.js.map +1 -0
package/dist/commands/scan_manifest.d.ts +13 -0
package/dist/commands/scan_manifest.d.ts.map +1 -0
package/dist/commands/scan_manifest.js +103 -0
package/dist/commands/scan_manifest.js.map +1 -0
package/dist/engine/api-submit.d.ts +16 -0
package/dist/engine/api-submit.d.ts.map +1 -0
package/dist/engine/api-submit.js +66 -0
package/dist/engine/api-submit.js.map +1 -0
package/dist/engine/batch_scan.d.ts +36 -0
package/dist/engine/batch_scan.d.ts.map +1 -0
package/dist/engine/batch_scan.js +192 -0
package/dist/engine/batch_scan.js.map +1 -0
package/dist/engine/config.d.ts +12 -0
package/dist/engine/config.d.ts.map +1 -0
package/dist/engine/config.js +27 -0
package/dist/engine/config.js.map +1 -0
package/dist/engine/errors.d.ts +36 -0
package/dist/engine/errors.d.ts.map +1 -0
package/dist/engine/errors.js +99 -0
package/dist/engine/errors.js.map +1 -0
package/dist/engine/filter.d.ts +13 -0
package/dist/engine/filter.d.ts.map +1 -0
package/dist/engine/filter.js +64 -0
package/dist/engine/filter.js.map +1 -0
package/dist/engine/finding_classifier.d.ts +108 -0
package/dist/engine/finding_classifier.d.ts.map +1 -0
package/dist/engine/finding_classifier.js +440 -0
package/dist/engine/finding_classifier.js.map +1 -0
package/dist/engine/incremental/engine.d.ts +25 -0
package/dist/engine/incremental/engine.d.ts.map +1 -0
package/dist/engine/incremental/engine.js +337 -0
package/dist/engine/incremental/engine.js.map +1 -0
package/dist/engine/incremental/git-diff.d.ts +19 -0
package/dist/engine/incremental/git-diff.d.ts.map +1 -0
package/dist/engine/incremental/git-diff.js +175 -0
package/dist/engine/incremental/git-diff.js.map +1 -0
package/dist/engine/incremental/types.d.ts +33 -0
package/dist/engine/incremental/types.d.ts.map +1 -0
package/dist/engine/incremental/types.js +11 -0
package/dist/engine/incremental/types.js.map +1 -0
package/dist/engine/manifest_scanner.d.ts +48 -0
package/dist/engine/manifest_scanner.d.ts.map +1 -0
package/dist/engine/manifest_scanner.js +599 -0
package/dist/engine/manifest_scanner.js.map +1 -0
package/dist/engine/project.d.ts +22 -0
package/dist/engine/project.d.ts.map +1 -0
package/dist/engine/project.js +279 -0
package/dist/engine/project.js.map +1 -0
package/dist/engine/sarif.d.ts +13 -0
package/dist/engine/sarif.d.ts.map +1 -0
package/dist/engine/sarif.js +44 -0
package/dist/engine/sarif.js.map +1 -0
package/dist/engine/sca-integration.d.ts +36 -0
package/dist/engine/sca-integration.d.ts.map +1 -0
package/dist/engine/sca-integration.js +91 -0
package/dist/engine/sca-integration.js.map +1 -0
package/dist/engine/scanner.d.ts +18 -0
package/dist/engine/scanner.d.ts.map +1 -0
package/dist/engine/scanner.js +138 -0
package/dist/engine/scanner.js.map +1 -0
package/dist/index.d.ts +13 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +41 -0
package/dist/index.js.map +1 -0
package/dist/report/render.d.ts +23 -0
package/dist/report/render.d.ts.map +1 -0
package/dist/report/render.js +335 -0
package/dist/report/render.js.map +1 -0
package/package.json +41 -0
package/rules/android/mobile-cleartext-traffic.yaml +46 -0
package/rules/android/mobile-component-security.yaml +107 -0
package/rules/android/mobile-crypto-weakness.yaml +139 -0
package/rules/android/mobile-cwe-1021-tapjacking.yaml +81 -0
package/rules/android/mobile-cwe-114-dynamic-dex-loading.yaml +41 -0
package/rules/android/mobile-cwe-200-clipboard-data-leak.yaml +66 -0
package/rules/android/mobile-cwe-200-debug-builds.yaml +111 -0
package/rules/android/mobile-cwe-200-log-sensitive-data.yaml +61 -0
package/rules/android/mobile-cwe-200-webview-debugging.yaml +56 -0
package/rules/android/mobile-cwe-200-webview-universal-access.yaml +30 -0
package/rules/android/mobile-cwe-200-window-flags.yaml +96 -0
package/rules/android/mobile-cwe-22-content-provider-openfile.yaml +73 -0
package/rules/android/mobile-cwe-22-path-traversal.yaml +86 -0
package/rules/android/mobile-cwe-287-biometric-weakness.yaml +102 -0
package/rules/android/mobile-cwe-295-cert-pinning-missing.yaml +78 -0
package/rules/android/mobile-cwe-295-webview-ssl-bypass.yaml +104 -0
package/rules/android/mobile-cwe-312-cleartext-storage.yaml +109 -0
package/rules/android/mobile-cwe-319-cleartext-communication.yaml +84 -0
package/rules/android/mobile-cwe-321-hardcoded-crypto-keys.yaml +132 -0
package/rules/android/mobile-cwe-326-short-rsa.yaml +108 -0
package/rules/android/mobile-cwe-327-rc4-3des.yaml +107 -0
package/rules/android/mobile-cwe-329-cbc-padding-oracle.yaml +76 -0
package/rules/android/mobile-cwe-470-reflection-injection.yaml +39 -0
package/rules/android/mobile-cwe-489-root-detection-weak.yaml +125 -0
package/rules/android/mobile-cwe-489-stetho-debug.yaml +107 -0
package/rules/android/mobile-cwe-502-insecure-deserialization.yaml +76 -0
package/rules/android/mobile-cwe-552-world-readable-files.yaml +63 -0
package/rules/android/mobile-cwe-749-webview-java-objects.yaml +78 -0
package/rules/android/mobile-cwe-749-webview-jsbridge.yaml +57 -0
package/rules/android/mobile-cwe-749-webview-loadurl-injection.yaml +80 -0
package/rules/android/mobile-cwe-78-command-injection.yaml +77 -0
package/rules/android/mobile-cwe-780-rsa-no-oaep.yaml +80 -0
package/rules/android/mobile-cwe-79-webview-setdata.yaml +78 -0
package/rules/android/mobile-cwe-79-webview-xss.yaml +65 -0
package/rules/android/mobile-cwe-798-hardcoded-credentials.yaml +108 -0
package/rules/android/mobile-cwe-89-sql-injection.yaml +100 -0
package/rules/android/mobile-cwe-927-implicit-intent.yaml +121 -0
package/rules/android/mobile-cwe-927-ipc-file-provider.yaml +102 -0
package/rules/android/mobile-cwe-939-deeplink-validation.yaml +76 -0
package/rules/android/mobile-sdk-google-firebase-open.yaml +117 -0
package/rules/android/mobile-sdk-tencent-tpns-config-leak.yaml +131 -0
package/rules/android/mobile-secrets-storage.yaml +136 -0
package/rules/android/mobile-webview-security.yaml +88 -0
package/rules/common/cwe-200-sensitive-data-exposure.yaml +61 -0
package/rules/common/cwe-22-path-traversal.yaml +47 -0
package/rules/common/cwe-295-ssl-bypass.yaml +217 -0
package/rules/common/cwe-295-ssl-verification-disabled.yaml +64 -0
package/rules/common/cwe-306-missing-authentication.yaml +44 -0
package/rules/common/cwe-326-weak-key-size.yaml +107 -0
package/rules/common/cwe-327-weak-crypto.yaml +177 -0
package/rules/common/cwe-328-weak-hash.yaml +96 -0
package/rules/common/cwe-329-cbc-mode.yaml +26 -0
package/rules/common/cwe-352-csrf.yaml +23 -0
package/rules/common/cwe-434-unrestricted-file-upload.yaml +41 -0
package/rules/common/cwe-502-insecure-deserialization.yaml +44 -0
package/rules/common/cwe-601-url-redirect.yaml +110 -0
package/rules/common/cwe-611-xxe.yaml +70 -0
package/rules/common/cwe-732-incorrect-permission.yaml +49 -0
package/rules/common/cwe-770-resource-exhaustion.yaml +44 -0
package/rules/common/cwe-78-os-command-injection.yaml +43 -0
package/rules/common/cwe-787-out-of-bounds-write.yaml +37 -0
package/rules/common/cwe-79-xss.yaml +51 -0
package/rules/common/cwe-862-missing-authorization.yaml +40 -0
package/rules/common/cwe-89-sqli.yaml +89 -0
package/rules/common/cwe-918-ssrf.yaml +45 -0
package/rules/common/cwe-94-code-injection.yaml +59 -0
package/rules/common/zm-go-cwe22-path-traversal-fs.yaml +117 -0
package/rules/common/zm-go-cwe22-path-traversal.yaml +103 -0
package/rules/common/zm-go-cwe307-brute-force.yaml +129 -0
package/rules/common/zm-go-cwe326-weak-crypto.yaml +124 -0
package/rules/common/zm-go-cwe327-weak-cipher.yaml +152 -0
package/rules/common/zm-go-cwe384-session-fixation.yaml +128 -0
package/rules/common/zm-go-cwe502-deserialization.yaml +120 -0
package/rules/common/zm-go-cwe78-command-injection.yaml +95 -0
package/rules/common/zm-go-cwe79-xss.yaml +104 -0
package/rules/common/zm-go-cwe798-hardcoded-creds.yaml +153 -0
package/rules/common/zm-go-cwe89-sqli.yaml +89 -0
package/rules/common/zm-go-cwe918-ssrf.yaml +117 -0
package/rules/common/zm-java-cwe117-log-injection.yaml +83 -0
package/rules/common/zm-java-cwe117-logforging.yaml +153 -0
package/rules/common/zm-java-cwe200-actuator-exposure.yaml +8 -0
package/rules/common/zm-java-cwe200-info-disclosure.yaml +91 -0
package/rules/common/zm-java-cwe22-file-depth.yaml +135 -0
package/rules/common/zm-java-cwe22-path-traversal-spring.yaml +81 -0
package/rules/common/zm-java-cwe284-missing-auth-spring.yaml +131 -0
package/rules/common/zm-java-cwe295-webview-ssl.yaml +123 -0
package/rules/common/zm-java-cwe327-weakcrypto.yaml +197 -0
package/rules/common/zm-java-cwe347-jwt.yaml +30 -0
package/rules/common/zm-java-cwe352-csrf-depth.yaml +107 -0
package/rules/common/zm-java-cwe352-csrf-disabled.yaml +15 -0
package/rules/common/zm-java-cwe501-trust-boundary.yaml +124 -0
package/rules/common/zm-java-cwe502-deserial-depth.yaml +128 -0
package/rules/common/zm-java-cwe502-fastjson.yaml +137 -0
package/rules/common/zm-java-cwe502-gadget.yaml +158 -0
package/rules/common/zm-java-cwe502-jndi-injection.yaml +91 -0
package/rules/common/zm-java-cwe502-shiro.yaml +108 -0
package/rules/common/zm-java-cwe601-url-redirect-spring.yaml +85 -0
package/rules/common/zm-java-cwe611-xxe-enhanced.yaml +80 -0
package/rules/common/zm-java-cwe611-xxe-transformer.yaml +85 -0
package/rules/common/zm-java-cwe639-idor.yaml +123 -0
package/rules/common/zm-java-cwe79-xss-depth.yaml +98 -0
package/rules/common/zm-java-cwe862-authz-depth.yaml +127 -0
package/rules/common/zm-java-cwe915-mass-assignment.yaml +16 -0
package/rules/common/zm-java-cwe917-expression-injection.yaml +120 -0
package/rules/common/zm-java-cwe918-resttemplate.yaml +67 -0
package/rules/common/zm-java-cwe918-ssrf-depth.yaml +103 -0
package/rules/common/zm-java-cwe918-ssrf-resttemplate.yaml +77 -0
package/rules/common/zm-java-cwe918-webclient.yaml +44 -0
package/rules/common/zm-java-cwe94-ognl.yaml +66 -0
package/rules/common/zm-java-cwe94-spel-injection.yaml +85 -0
package/rules/common/zm-java-cwe94-spel.yaml +112 -0
package/rules/common/zm-java-cwe94-ssti.yaml +22 -0
package/rules/common/zm-java-cwe942-cors.yaml +15 -0
package/rules/common/zm-js-cwe1321-prototype-pollution.yaml +61 -0
package/rules/common/zm-js-cwe200-info-disclosure.yaml +95 -0
package/rules/common/zm-js-cwe22-path-traversal-fs.yaml +113 -0
package/rules/common/zm-js-cwe22-pathtraversal.yaml +111 -0
package/rules/common/zm-js-cwe307-brute-force.yaml +136 -0
package/rules/common/zm-js-cwe345-postmessage.yaml +75 -0
package/rules/common/zm-js-cwe347-jwt-weak.yaml +95 -0
package/rules/common/zm-js-cwe352-csrf.yaml +52 -0
package/rules/common/zm-js-cwe384-session-fixation.yaml +132 -0
package/rules/common/zm-js-cwe502-deserialization.yaml +119 -0
package/rules/common/zm-js-cwe611-xxe.yaml +108 -0
package/rules/common/zm-js-cwe639-idor.yaml +122 -0
package/rules/common/zm-js-cwe693-helmet-missing.yaml +46 -0
package/rules/common/zm-js-cwe78-exec.yaml +37 -0
package/rules/common/zm-js-cwe78-spawn.yaml +37 -0
package/rules/common/zm-js-cwe79-domxss.yaml +84 -0
package/rules/common/zm-js-cwe79-react-xss.yaml +18 -0
package/rules/common/zm-js-cwe79-xss-ejs.yaml +70 -0
package/rules/common/zm-js-cwe89-sqli.yaml +153 -0
package/rules/common/zm-js-cwe915-mass-assignment.yaml +111 -0
package/rules/common/zm-js-cwe918-ssrf-fetch.yaml +134 -0
package/rules/common/zm-js-cwe918-ssrf.yaml +132 -0
package/rules/common/zm-js-cwe94-template-injection.yaml +130 -0
package/rules/common/zm-js-cwe942-cors.yaml +49 -0
package/rules/common/zm-js-cwe943-nosql-injection.yaml +52 -0
package/rules/common/zm-js-cwe95-eval.yaml +59 -0
package/rules/common/zm-js-cwe95-function-ctor.yaml +31 -0
package/rules/common/zm-py-cwe22-path-traversal.yaml +86 -0
package/rules/common/zm-py-cwe327-weak-crypto.yaml +103 -0
package/rules/common/zm-py-cwe502-pickle.yaml +92 -0
package/rules/common/zm-py-cwe611-xxe.yaml +100 -0
package/rules/common/zm-py-cwe78-command-injection.yaml +121 -0
package/rules/common/zm-py-cwe79-xss.yaml +123 -0
package/rules/common/zm-py-cwe798-hardcoded-creds.yaml +86 -0
package/rules/common/zm-py-cwe89-sqli.yaml +59 -0
package/rules/common/zm-py-cwe918-ssrf.yaml +123 -0
package/rules/common/zm-py-cwe94-ssti.yaml +87 -0
package/rules/common/zm-py-cwe943-nosql-injection.yaml +123 -0
package/rules/iac/ansible/zm-ansible-cwe269-privilege-escalation.yaml +63 -0
package/rules/iac/ansible/zm-ansible-cwe78-command-injection.yaml +67 -0
package/rules/iac/ansible/zm-ansible-cwe798-hardcoded-creds.yaml +93 -0
package/rules/iac/terraform/zm-tf-cwe200-s3-bucket-public.yaml +100 -0
package/rules/iac/terraform/zm-tf-cwe284-sg-wide-open.yaml +88 -0
package/rules/iac/terraform/zm-tf-cwe311-iam-wildcard.yaml +83 -0
package/rules/iac/terraform/zm-tf-cwe319-rds-public.yaml +72 -0
package/rules/iac/terraform/zm-tf-cwe798-hardcoded-creds.yaml +102 -0
package/rules/iac/zm-docker-cwe250-root-user.yaml +50 -0
package/rules/iac/zm-docker-cwe400-resource-limit.yaml +92 -0
package/rules/iac/zm-docker-security.yaml +104 -0
package/rules/iac/zm-k8s-cwe200-service-account.yaml +83 -0
package/rules/iac/zm-k8s-cwe250-privileged.yaml +56 -0
package/rules/iac/zm-k8s-security.yaml +79 -0
package/rules/rules_index.yaml.off +477 -0
package/rules/semgrep-registry/anonymous-ldap-bind.yaml +34 -0
package/rules/semgrep-registry/bad-hexa-conversion.yaml +32 -0
package/rules/semgrep-registry/blowfish-insufficient-key-size.yaml +39 -0
package/rules/semgrep-registry/cbc-padding-oracle.yaml +38 -0
package/rules/semgrep-registry/command-injection-formatted-runtime-call.yaml +90 -0
package/rules/semgrep-registry/command-injection-process-builder.yaml +148 -0
package/rules/semgrep-registry/cookie-missing-httponly.yaml +38 -0
package/rules/semgrep-registry/cookie-missing-secure-flag.yaml +38 -0
package/rules/semgrep-registry/crlf-injection-logs.yaml +86 -0
package/rules/semgrep-registry/dangerous-groovy-shell.yaml +46 -0
package/rules/semgrep-registry/el-injection.yaml +137 -0
package/rules/semgrep-registry/formatted-sql-string.yaml +95 -0
package/rules/semgrep-registry/http-response-splitting.yaml +44 -0
package/rules/semgrep-registry/index.txt +1 -0
package/rules/semgrep-registry/insecure-smtp-connection.yaml +34 -0
package/rules/semgrep-registry/java-reverse-shell.yaml +43 -0
package/rules/semgrep-registry/jdbc-sql-formatted-string.yaml +120 -0
package/rules/semgrep-registry/ldap-entry-poisoning.yaml +41 -0
package/rules/semgrep-registry/ldap-injection.yaml +82 -0
package/rules/semgrep-registry/md5-used-as-password.yaml +44 -0
package/rules/semgrep-registry/object-deserialization.yaml +34 -0
package/rules/semgrep-registry/ognl-injection.yaml +839 -0
package/rules/semgrep-registry/overly-permissive-file-permission.yaml +49 -0
package/rules/semgrep-registry/permissive-cors.yaml +77 -0
package/rules/semgrep-registry/script-engine-injection.yaml +66 -0
package/rules/semgrep-registry/tainted-cmd-from-http-request.yaml +74 -0
package/rules/semgrep-registry/tainted-env-from-http-request.yaml +46 -0
package/rules/semgrep-registry/tainted-ldapi-from-http-request.yaml +42 -0
package/rules/semgrep-registry/tainted-session-from-http-request.yaml +70 -0
package/rules/semgrep-registry/tainted-xpath-from-http-request.yaml +38 -0
package/rules/semgrep-registry/unsafe-reflection.yaml +39 -0
package/rules/semgrep-registry/unvalidated-redirect.yaml +127 -0
package/rules/semgrep-registry/url-rewriting.yaml +82 -0
package/rules/semgrep-registry/weak-ssl-context.yaml +34 -0
package/rules/semgrep-registry/xml-decoder.yaml +53 -0
package/rules/semgrep-registry/xssrequestwrapper-is-insecure.yaml +40 -0

package/rules/android/mobile-cwe-489-root-detection-weak.yaml ADDED Viewed

@@ -0,0 +1,125 @@
+# CWE-489: Weak Root Detection and Anti-Tamper Patterns (Android)
+# ZhuMa V4.0 - Android Rule Library
+# Source: ZhuMa V4.1 Rule Expansion - root detection and integrity gaps
+rules:
+  - id: zm-android-weak-root-detection
+    severity: MEDIUM
+    message: |
+      Detected weak root detection pattern that only checks for common 'su' binary paths
+      or Superuser.apk existence. These checks are trivially bypassed by Magisk, KernelSU,
+      or APatch which can hide su and mount custom paths.
+      Remediation: Use multiple detection methods: check system properties (ro.debuggable, ro.secure),
+      check for magisk binaries, verify bootloader status, check for test-keys build,
+      and use SafetyNet/Play Integrity as an additional signal.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              new File("/system/app/Superuser.apk").exists()
+          - pattern: |
+              new File("/system/bin/su").exists()
+          - pattern: |
+              new File("/sbin/su").exists()
+          - pattern: |
+              new File("/system/xbin/su").exists()
+          - pattern: |
+              new File("/data/local/xbin/su").exists()
+          - pattern: |
+              new File("/data/local/bin/su").exists()
+          - pattern: |
+              new File("/vendor/bin/su").exists()
+          - pattern: |
+              new File("/system/sd/xbin/su").exists()
+    metadata:
+      cwe: "CWE-489: Active Debug Code / Leftover Debug Code"
+      owasp-mobile: "M8: Code Tampering"
+      masvs: "MASVS-RESILIENCE-1"
+      category: android-anti-tamper
+      precision: very-high
+      confidence: very-high
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/489.html
+        - https://developer.android.com/privacy-and-security/risks/root-detection
+  - id: zm-android-root-check-exec-su
+    severity: MEDIUM
+    message: |
+      Detected Runtime.exec("su") or ProcessBuilder("su") for root detection.
+      Executing 'su' on a rooted device triggers a Superuser prompt, alerting the user
+      that the app is performing root detection. Modern root solutions can also intercept this.
+      Remediation: Use passive detection methods that do not trigger shell execution or user prompts.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: Runtime.getRuntime().exec("su")
+          - pattern: Runtime.getRuntime().exec("su -c")
+          - pattern: Runtime.getRuntime().exec(new String[] {"su", "-c", "$CMD"})
+          - pattern: $RT.exec("su")
+    metadata:
+      cwe: "CWE-489: Active Debug Code / Leftover Debug Code"
+      owasp-mobile: "M8: Code Tampering"
+      masvs: "MASVS-RESILIENCE-1"
+      category: android-anti-tamper
+      precision: high
+      confidence: high
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/489.html
+  - id: zm-android-root-beer-library-check
+    severity: INFO
+    message: |
+      Detected RootBeer library usage for root detection.
+      RootBeer uses well-known detection methods that are specifically targeted by MagiskHide
+      and other root-hiding frameworks. Consider supplementing with additional techniques.
+      Remediation: Combine RootBeer with native checks (TracerPid, proc maps), Play Integrity API,
+      and obfuscated detection logic.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: RootBeer($CTX).isRooted()
+          - pattern: new RootBeer($CTX).isRooted()
+          - pattern: new com.scottyab.rootbeer.RootBeer($CTX).isRooted()
+    metadata:
+      cwe: "CWE-489: Active Debug Code / Leftover Debug Code"
+      owasp-mobile: "M8: Code Tampering"
+      masvs: "MASVS-RESILIENCE-1"
+      category: android-anti-tamper
+      precision: very-high
+      confidence: very-high
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/489.html
+  - id: zm-android-emulator-detection-only
+    severity: LOW
+    message: |
+      Detected emulator detection using Build.FINGERPRINT or Build.MODEL checks only.
+      These checks are easily spoofed by modifying system properties.
+      Remediation: Use hardware-backed attestation (KeyStore with TEE attestation) for stronger checks.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: $BUILD_FINGERPRINT.contains("generic")
+          - pattern: $BUILD_FINGERPRINT.contains("sdk")
+          - pattern: Build.FINGERPRINT.startsWith("generic")
+          - pattern: Build.MODEL.contains("google_sdk")
+          - pattern: Build.MODEL.contains("Emulator")
+          - pattern: Build.MODEL.contains("Android SDK")
+          - pattern: Build.MANUFACTURER.contains("Genymotion")
+    metadata:
+      cwe: "CWE-489: Active Debug Code / Leftover Debug Code"
+      owasp-mobile: "M8: Code Tampering"
+      masvs: "MASVS-RESILIENCE-2"
+      category: android-anti-tamper
+      precision: high
+      confidence: high
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/489.html

package/rules/android/mobile-cwe-489-stetho-debug.yaml ADDED Viewed

@@ -0,0 +1,107 @@
+# CWE-489: Debug Bridge Detection - Stetho / Flipper / Debug Tools in Release (Android)
+# ZhuMa V4.0 - Android Rule Library
+# Source: ZhuMa V4.1 Rule Expansion - debug tool leakage
+rules:
+  - id: zm-android-stetho-debug-bridge
+    severity: MEDIUM
+    message: |
+      Detected Facebook Stetho initialization. Stetho enables Chrome DevTools inspection of the app's
+      network traffic, databases, and SharedPreferences. If this leaks into a release build,
+      attackers can attach DevTools and exfiltrate sensitive data.
+      Remediation: Wrap Stetho initialization in a BuildConfig.DEBUG check, or use debugImplementation
+      dependency scope so it is stripped from release builds.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: Stetho.initializeWithDefaults($CTX)
+          - pattern: Stetho.initialize($INITIALIZER)
+          - pattern: new Stetho.DefaultInspectorModulesBuilder($CTX).build()
+          - pattern: com.facebook.stetho.Stetho.initializeWithDefaults($CTX)
+    metadata:
+      cwe: "CWE-489: Active Debug Code / Leftover Debug Code"
+      owasp-mobile: "M8: Code Tampering"
+      masvs: "MASVS-RESILIENCE-2"
+      category: android-debug
+      precision: very-high
+      confidence: very-high
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/489.html
+        - https://facebook.github.io/stetho/
+  - id: zm-android-flipper-debug-bridge
+    severity: MEDIUM
+    message: |
+      Detected Facebook Flipper debug bridge initialization. Flipper provides a desktop debugging
+      interface for inspecting network traffic, databases, and app state. In release builds,
+      this creates a data exfiltration surface.
+      Remediation: Use debugImplementation for Flipper dependencies and guard initialization with BuildConfig.DEBUG.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: SoLoader.init($CTX, false)
+          - pattern: Flipper.init($CTX, $CONFIG)
+          - pattern: com.facebook.flipper.android.Flipper.init($CTX, $CONFIG)
+          - pattern: new FlipperClient($CTX)
+          - pattern: $CLIENT.addPlugin($PLUGIN)
+    metadata:
+      cwe: "CWE-489: Active Debug Code / Leftover Debug Code"
+      owasp-mobile: "M8: Code Tampering"
+      masvs: "MASVS-RESILIENCE-2"
+      category: android-debug
+      precision: medium
+      confidence: medium
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/489.html
+  - id: zm-android-chuck-interceptor-debug
+    severity: MEDIUM
+    message: |
+      Detected Chuck HTTP interceptor initialization. Chuck captures all HTTP traffic and
+      exposes it through a notification-based UI. Leaving this in release builds leaks all
+      API requests, responses, tokens, and credentials to anyone with physical access.
+      Remediation: Use debugImplementation for Chuck and guard with BuildConfig.DEBUG.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: new ChuckInterceptor($CTX)
+          - pattern: com.readystatesoftware.chuck.ChuckInterceptor($CTX)
+    metadata:
+      cwe: "CWE-489: Active Debug Code / Leftover Debug Code"
+      owasp-mobile: "M8: Code Tampering"
+      masvs: "MASVS-RESILIENCE-2"
+      category: android-debug
+      precision: very-high
+      confidence: very-high
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/489.html
+  - id: zm-android-leakcanary-debug
+    severity: LOW
+    message: |
+      Detected LeakCanary memory leak detector initialization in potential release code.
+      LeakCanary adds a launcher icon and notification in debug builds, which is a
+      signal that the app is debuggable or has debug code.
+      Remediation: Use debugImplementation for LeakCanary dependency.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: LeakCanary.install($APP)
+          - pattern: com.squareup.leakcanary.LeakCanary.install($APP)
+    metadata:
+      cwe: "CWE-489: Active Debug Code / Leftover Debug Code"
+      owasp-mobile: "M8: Code Tampering"
+      masvs: "MASVS-RESILIENCE-2"
+      category: android-debug
+      precision: very-high
+      confidence: very-high
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/489.html

package/rules/android/mobile-cwe-502-insecure-deserialization.yaml ADDED Viewed

@@ -0,0 +1,76 @@
+# CWE-502: 不安全反序列化 / 序列化注入 (Android)
+# 逐码 ZhuMa V4.0 — Android 规则库
+# 来源: V3 审计引擎 VULN-SE-001 / VULN-SE-002
+rules:
+  - id: zm-android-serializable-readobject-intent-extra
+    severity: CRITICAL
+    message: |
+      检测到可序列化对象通过 Intent 传递 + readObject() 自定义实现。
+      这构成反序列化注入攻击面 (CVE-2020-0069 类似)。
+      如果接收方组件为导出组件（exported=true），攻击者可通过构造恶意序列化对象
+      触发 readObject() 中的代码执行 — 在 Android Binder 反序列化过程中即可触发。
+      修复: 禁用 Java 原生 Serializable，改用 Parcelable；
+      或对 readObject() 做严格的类型安全校验和 whitelist。
+    languages:
+      - java
+    patterns:
+      - pattern: |
+          class $CLASS implements Serializable {
+            ...
+            private void readObject(ObjectInputStream $S) {
+              ...
+            }
+            ...
+          }
+      - pattern-inside: |
+          ...
+          $INTENT.putExtra($KEY, $OBJECT);
+          ...
+    metadata:
+      cwe: "CWE-502: Deserialization of Untrusted Data"
+      owasp-mobile: "M8: Code Tampering"
+      masvs: "MASVS-CODE-4"
+      category: android-serialization
+      precision: medium
+      confidence: medium
+      likelihood: medium
+      impact: critical
+      source: "V3 Audit Engine - VULN-SE-001"
+      references:
+        - https://cwe.mitre.org/data/definitions/502.html
+        - https://nvd.nist.gov/vuln/detail/CVE-2020-0069
+  - id: zm-android-parcelable-no-instanceof-check
+    severity: HIGH
+    message: |
+      检测到 getParcelableExtra() / getParcelable() 的结果未做 instanceof 检查
+      就直接强制类型转换。攻击者可通过 Intent 注入传递类型不匹配的 Parcelable，
+      导致意外的类型转换或内存布局利用。
+      修复: 提取 Parcelable 后始终先做 instanceof 检查再强制转换。
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              ($TYPE) $INTENT.getParcelableExtra($KEY)
+          - pattern: |
+              ($TYPE) getIntent().getParcelableExtra($KEY)
+          - pattern: |
+              ($TYPE) $BUNDLE.getParcelable($KEY)
+      - pattern-not: |
+          if ($OBJ instanceof $TYPE) {
+            ...
+            ($TYPE) $INTENT.getParcelableExtra($KEY);
+            ...
+          }
+    metadata:
+      cwe: "CWE-502: Deserialization of Untrusted Data"
+      owasp-mobile: "M8: Code Tampering"
+      masvs: "MASVS-CODE-4"
+      category: android-serialization
+      precision: medium
+      confidence: low
+      source: "V3 Audit Engine - VULN-SE-002"
+      references:
+        - https://developer.android.com/reference/android/os/Bundle#getParcelable(java.lang.String,%20java.lang.Class%3CT%3E)

package/rules/android/mobile-cwe-552-world-readable-files.yaml ADDED Viewed

@@ -0,0 +1,63 @@
+# CWE-552: 文件全局可读 (Android)
+# 逐码 ZhuMa V4.0 — Android 规则库
+# 来源: V3 审计引擎 VULN-FD-002
+rules:
+  - id: zm-android-world-readable-writable
+    severity: HIGH
+    message: |
+      检测到使用已废弃的 MODE_WORLD_READABLE 或 MODE_WORLD_WRITEABLE 文件模式。
+      这使得任何 APP 都可以读取/写入该文件，导致敏感数据泄露或配置篡改。
+      Android 7.0+ 已完全禁止此模式（将抛出 SecurityException）。
+      修复: 使用 Context.MODE_PRIVATE；跨进程共享数据使用 ContentProvider。
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              $CTX.openFileOutput($NAME, Context.MODE_WORLD_READABLE)
+          - pattern: |
+              $CTX.openFileOutput($NAME, Context.MODE_WORLD_WRITEABLE)
+          - pattern: |
+              getSharedPreferences($NAME, Context.MODE_WORLD_READABLE)
+          - pattern: |
+              getSharedPreferences($NAME, Context.MODE_WORLD_WRITEABLE)
+    metadata:
+      cwe: "CWE-552: Files or Directories Accessible to External Parties"
+      owasp-mobile: "M8: Security Decisions Via Untrusted Inputs"
+      masvs: "MASVS-STORAGE-2"
+      category: android-storage
+      precision: very-high
+      confidence: very-high
+      likelihood: medium
+      impact: high
+      source: "V3 Audit Engine - VULN-FD-002"
+      references:
+        - https://developer.android.com/reference/android/content/Context#MODE_WORLD_READABLE
+        - https://developer.android.com/privacy-and-security/risks/world-readable
+  - id: zm-android-world-readable-sharedpref
+    severity: HIGH
+    message: |
+      检测到已废弃的 MODE_MULTI_PROCESS SharedPreferences 模式。
+      多进程同时写入 SP 可能导致 XML 损坏、安全配置回退到不安全默认值。
+      修复: 跨进程数据共享使用 ContentProvider 或 DataStore。
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              $CTX.getSharedPreferences($NAME, Context.MODE_MULTI_PROCESS)
+          - pattern: |
+              getSharedPreferences($NAME, Context.MODE_MULTI_PROCESS)
+    metadata:
+      cwe: "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition"
+      owasp-mobile: "M8: Security Decisions Via Untrusted Inputs"
+      masvs: "MASVS-STORAGE-2"
+      category: android-storage
+      precision: very-high
+      confidence: very-high
+      source: "V3 Audit Engine - VULN-TOCTOU-002"
+      references:
+        - https://developer.android.com/reference/android/content/Context#MODE_MULTI_PROCESS
+        - https://developer.android.com/topic/libraries/architecture/datastore

package/rules/android/mobile-cwe-749-webview-java-objects.yaml ADDED Viewed

@@ -0,0 +1,78 @@
+# CWE-749: WebView addJavascriptInterface Without Annotation (Android)
+# ZhuMa V4.0 - Android Rule Library
+# Source: ZhuMa V4.1 Rule Expansion - JSBridge hardening
+rules:
+  - id: zm-android-addjavascriptinterface-no-annotation
+    severity: HIGH
+    message: |
+      Detected addJavascriptInterface() exposing an object whose methods lack @JavascriptInterface annotation.
+      On API < 17 (Android 4.2), all public methods are exposed. On API >= 17, only annotated methods
+      are exposed. However, the exposed object may inadvertently inherit dangerous methods
+      (e.g., getClass() leading to Runtime.exec() via reflection) if not carefully restricted.
+      Remediation: Ensure all exposed methods have @JavascriptInterface annotation.
+      Restrict the interface to minimal required methods. Consider message-passing patterns instead.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: $WV.addJavascriptInterface($OBJ, "$NAME")
+    metadata:
+      cwe: "CWE-749: Exposed Dangerous Method or Function"
+      owasp-mobile: "M1: Improper Platform Usage"
+      masvs: "MASVS-PLATFORM-2"
+      category: android-webview
+      precision: medium
+      confidence: medium
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/749.html
+        - https://developer.android.com/privacy-and-security/risks/webview-addjavascriptinterface
+  - id: zm-android-javascriptinterface-exposed-getclass
+    severity: CRITICAL
+    message: |
+      Detected a class used with addJavascriptInterface() that has a method returning Class or Method objects.
+      JavaScript can traverse getClass() to access Runtime.getRuntime().exec(), achieving RCE in the app context.
+      This is the classic WebView RCE attack (CVE-2012-6636 and variants).
+      Remediation: Never expose objects with reflection-capable methods. Filter exposed methods carefully.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: addJavascriptInterface($OBJ, "$NAME")
+    metadata:
+      cwe: "CWE-749: Exposed Dangerous Method or Function"
+      owasp-mobile: "M1: Improper Platform Usage"
+      masvs: "MASVS-PLATFORM-2"
+      category: android-webview
+      precision: low
+      confidence: low
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/749.html
+        - https://labs.f-secure.com/archive/webview-addjavascriptinterface-remote-code-execution/
+  - id: zm-android-javascriptinterface-annotation-check
+    severity: MEDIUM
+    message: |
+      Detected a class potentially exposed via addJavascriptInterface.
+      Review that all public methods accessible from JavaScript have @android.webkit.JavascriptInterface annotation
+      and do not expose dangerous functionality (file I/O, reflection, command execution).
+    languages:
+      - generic
+    patterns:
+      - pattern-either:
+          - pattern: |
+              $CLASS implements JavascriptInterface
+          - pattern: $CLASS extends JavascriptInterface
+    metadata:
+      cwe: "CWE-749: Exposed Dangerous Method or Function"
+      owasp-mobile: "M1: Improper Platform Usage"
+      masvs: "MASVS-PLATFORM-2"
+      category: android-webview
+      precision: low
+      confidence: low
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/749.html

package/rules/android/mobile-cwe-749-webview-jsbridge.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+# CWE-749: WebView JS Bridge 暴露危险方法 (Android)
+# 逐码 ZhuMa V4.0 — Android 规则库
+# 来源: V3 审计引擎 VULN-WV-002 / VULN-WV-003
+rules:
+  - id: zm-android-webview-jsbridge-with-addjavascriptinterface
+    severity: CRITICAL
+    message: |
+      检测到 WebView 使用 addJavascriptInterface() 暴露 Java 对象给 JavaScript。
+      如果暴露的对象包含危险方法（如 Runtime.exec、反射调用、文件操作），
+      攻击者可通过构造恶意 HTML 或 XSS 实现远程代码执行 (RCE)。
+      本规则检测到 JS Bridge 已启用 + 暴露类中包含危险方法签名。
+      修复: 移除 addJavascriptInterface() 中对敏感 API 的直接暴露；
+      使用 postMessage / evaluateJavascript 消息通道替代。
+    languages:
+      - java
+    patterns:
+      - pattern: |
+          $WV.addJavascriptInterface($OBJ, $NAME);
+    metavariable-regex:
+      metavariable: $DANGEROUS
+      regex: '(?i)(Runtime\.exec|ProcessBuilder|Class\.forName|Method\.invoke|openOrCreateDatabase|getSharedPreferences|startActivity|sendTextMessage)'
+    metadata:
+      cwe: "CWE-749: Exposed Dangerous Method or Function"
+      owasp-mobile: "M7: Client Code Quality"
+      masvs: "MASVS-PLATFORM-2"
+      category: android-webview
+      precision: medium
+      confidence: medium
+      likelihood: critical
+      impact: critical
+      source: "V3 Audit Engine - VULN-WV-002"
+      references:
+        - https://developer.android.com/privacy-and-security/risks/webview-javascript-interface
+        - https://labs.mwrinfosecurity.com/blog/2014/02/12/webview-addjavascriptinterface-remote-code-execution/
+  - id: zm-android-webview-jsbridge-enabled
+    severity: WARNING
+    message: |
+      检测到 addJavascriptInterface() 调用。
+      需人工审计暴露给 JavaScript 的 Java 对象中是否包含危险方法（文件操作、命令执行、反射等）。
+      如果 JS Bridge 非业务必需，建议完全移除。
+    languages:
+      - java
+    patterns:
+      - pattern: |
+          $WV.addJavascriptInterface($OBJ, $NAME)
+    metadata:
+      cwe: "CWE-749: Exposed Dangerous Method or Function"
+      owasp-mobile: "M7: Client Code Quality"
+      masvs: "MASVS-PLATFORM-2"
+      category: android-webview
+      precision: very-high
+      confidence: low
+      source: "V3 Audit Engine - VULN-WV-003"
+      references:
+        - https://developer.android.com/privacy-and-security/risks/webview-javascript-interface

package/rules/android/mobile-cwe-749-webview-loadurl-injection.yaml ADDED Viewed

@@ -0,0 +1,80 @@
+# CWE-749 and CWE-79: WebView Advanced Injection Attacks (Android)
+# ZhuMa V4.0 - Android Rule Library
+# Source: ZhuMa V4.1 Rule Expansion - WebView injection surface
+rules:
+  - id: zm-android-webview-loadurl-untrusted-input
+    severity: HIGH
+    message: |
+      Detected WebView.loadUrl() with a URL built from untrusted input (Intent extras, URI query params,
+      EditText content). This enables URL injection: an attacker can load javascript: URLs to execute
+      arbitrary code in the WebView context, or redirect to phishing pages.
+      Remediation: Validate URLs against a whitelist of allowed domains. Never pass user-controlled
+      strings directly to loadUrl(). Use a strict allowlist for schemes (https only) and hosts.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              $WV.loadUrl($INPUT)
+    metadata:
+      cwe: "CWE-749: Exposed Dangerous Method or Function"
+      owasp-mobile: "M1: Improper Platform Usage"
+      masvs: "MASVS-PLATFORM-2"
+      category: android-webview
+      precision: low
+      confidence: low
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/749.html
+        - https://developer.android.com/privacy-and-security/risks/webview-url-loading
+  - id: zm-android-webview-loadurl-getstringextra
+    severity: HIGH
+    message: |
+      Detected WebView.loadUrl() with untrusted input from Intent.getStringExtra().
+      This is a common deeplink-to-WebView injection path: an attacker sends an Intent with a malicious
+      URL, which the app loads directly into a WebView without validation.
+      Remediation: Validate the URL scheme (must be https://), host (against whitelist), and path.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              $WV.loadUrl(getIntent().getStringExtra("$KEY"))
+    metadata:
+      cwe: "CWE-749: Exposed Dangerous Method or Function"
+      owasp-mobile: "M1: Improper Platform Usage"
+      masvs: "MASVS-PLATFORM-2"
+      category: android-webview
+      precision: high
+      confidence: high
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/749.html
+  - id: zm-android-webview-loadurl-javascript-scheme
+    severity: CRITICAL
+    message: |
+      Detected WebView.loadUrl() with a "javascript:" scheme URL with dynamic content.
+      Javascript URLs can execute arbitrary code in the WebView context, including accessing
+      cookies, localStorage, and JavaScript interfaces. Combined with untrusted input, this enables XSS.
+      Remediation: Never use "javascript:" URLs in loadUrl(). Use evaluateJavascript() for controlled JS execution.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              $WV.loadUrl("javascript:" + $SCRIPT)
+          - pattern: |
+              $WV.loadUrl(String.format("javascript:%s", $SCRIPT))
+    metadata:
+      cwe: "CWE-79: Improper Neutralization of Input During Web Page Generation"
+      owasp-mobile: "M1: Improper Platform Usage"
+      masvs: "MASVS-PLATFORM-2"
+      category: android-webview
+      precision: very-high
+      confidence: very-high
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/79.html

package/rules/android/mobile-cwe-78-command-injection.yaml ADDED Viewed

@@ -0,0 +1,77 @@
+# CWE-78: 命令注入 (Android)
+# 逐码 ZhuMa V4.0 — Android 规则库
+# 来源: V3 审计引擎 VULN-CE-001 / VULN-CE-002
+rules:
+  - id: zm-android-runtime-exec-variable-concat
+    severity: CRITICAL
+    message: |
+      检测到 Runtime.exec() 或 ProcessBuilder 使用变量拼接构造命令。
+      如果输入来自用户可控来源（Intent Extra、网络输入、Deeplink 参数），
+      攻击者可注入恶意命令实现远程代码执行 (RCE)。
+      Android 应用场景中常见于: 文件操作、视频处理、PDF 生成等 JNI/Shell 桥接代码。
+      修复: 绝不在 Android 中使用 Runtime.exec() 执行 Shell 命令；使用 Android API 替代；
+      如果必须使用 exec()，只能用 String[] 数组形式 + 硬编码参数，绝不拼接用户输入。
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              Runtime.getRuntime().exec($CMD + $PARAM)
+          - pattern: |
+              Runtime.getRuntime().exec($CMD + $PARAM + $PARAM2)
+          - pattern: |
+              new ProcessBuilder($CMD + $PARAM)
+          - pattern: |
+              $PB = new ProcessBuilder($CMD + $PARAM)
+      - pattern-either:
+          - pattern-regex: 'getString'
+          - pattern-regex: 'getIntent'
+          - pattern-regex: 'getData'
+          - pattern-regex: 'getQuery'
+          - pattern-regex: 'getParam'
+          - pattern-regex: 'getExtras'
+    metadata:
+      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+      owasp-mobile: "M8: Code Tampering"
+      masvs: "MASVS-CODE-4"
+      category: android-code-execution
+      precision: medium
+      confidence: medium
+      likelihood: medium
+      impact: critical
+      source: "V3 Audit Engine - VULN-CE-001"
+      references:
+        - https://cwe.mitre.org/data/definitions/78.html
+        - https://developer.android.com/privacy-and-security/risks/process-execution
+  - id: zm-android-runtime-exec-present
+    severity: WARNING
+    message: |
+      检测到 Runtime.exec() 调用，需确认所有参数均为硬编码常量而非用户输入。
+      如果参数中任何部分来自 Intent Extra、网络数据、Deeplink 等不可信来源，
+      则存在命令注入风险。
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              Runtime.getRuntime().exec(...)
+          - pattern: |
+              new ProcessBuilder(...)
+      - pattern-not-inside: |
+          if (BuildConfig.DEBUG) {
+            ...
+            Runtime.getRuntime().exec(...);
+            ...
+          }
+    metadata:
+      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+      owasp-mobile: "M8: Code Tampering"
+      masvs: "MASVS-CODE-4"
+      category: android-code-execution
+      precision: very-high
+      confidence: low
+      source: "V3 Audit Engine - VULN-CE-002"
+      references:
+        - https://cwe.mitre.org/data/definitions/78.html