npm - @zhuma4/cli - Versions diffs - 4.0.0-alpha.1 - Mend

@zhuma4/cli 4.0.0-alpha.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (288) hide show

package/README.md +42 -0
package/dist/commands/config.d.ts +3 -0
package/dist/commands/config.d.ts.map +1 -0
package/dist/commands/config.js +18 -0
package/dist/commands/config.js.map +1 -0
package/dist/commands/init.d.ts +3 -0
package/dist/commands/init.d.ts.map +1 -0
package/dist/commands/init.js +11 -0
package/dist/commands/init.js.map +1 -0
package/dist/commands/scan.d.ts +3 -0
package/dist/commands/scan.d.ts.map +1 -0
package/dist/commands/scan.js +96 -0
package/dist/commands/scan.js.map +1 -0
package/dist/commands/scan_appid.d.ts +20 -0
package/dist/commands/scan_appid.d.ts.map +1 -0
package/dist/commands/scan_appid.js +301 -0
package/dist/commands/scan_appid.js.map +1 -0
package/dist/commands/scan_manifest.d.ts +13 -0
package/dist/commands/scan_manifest.d.ts.map +1 -0
package/dist/commands/scan_manifest.js +103 -0
package/dist/commands/scan_manifest.js.map +1 -0
package/dist/engine/api-submit.d.ts +16 -0
package/dist/engine/api-submit.d.ts.map +1 -0
package/dist/engine/api-submit.js +66 -0
package/dist/engine/api-submit.js.map +1 -0
package/dist/engine/batch_scan.d.ts +36 -0
package/dist/engine/batch_scan.d.ts.map +1 -0
package/dist/engine/batch_scan.js +192 -0
package/dist/engine/batch_scan.js.map +1 -0
package/dist/engine/config.d.ts +12 -0
package/dist/engine/config.d.ts.map +1 -0
package/dist/engine/config.js +27 -0
package/dist/engine/config.js.map +1 -0
package/dist/engine/errors.d.ts +36 -0
package/dist/engine/errors.d.ts.map +1 -0
package/dist/engine/errors.js +99 -0
package/dist/engine/errors.js.map +1 -0
package/dist/engine/filter.d.ts +13 -0
package/dist/engine/filter.d.ts.map +1 -0
package/dist/engine/filter.js +64 -0
package/dist/engine/filter.js.map +1 -0
package/dist/engine/finding_classifier.d.ts +108 -0
package/dist/engine/finding_classifier.d.ts.map +1 -0
package/dist/engine/finding_classifier.js +440 -0
package/dist/engine/finding_classifier.js.map +1 -0
package/dist/engine/incremental/engine.d.ts +25 -0
package/dist/engine/incremental/engine.d.ts.map +1 -0
package/dist/engine/incremental/engine.js +337 -0
package/dist/engine/incremental/engine.js.map +1 -0
package/dist/engine/incremental/git-diff.d.ts +19 -0
package/dist/engine/incremental/git-diff.d.ts.map +1 -0
package/dist/engine/incremental/git-diff.js +175 -0
package/dist/engine/incremental/git-diff.js.map +1 -0
package/dist/engine/incremental/types.d.ts +33 -0
package/dist/engine/incremental/types.d.ts.map +1 -0
package/dist/engine/incremental/types.js +11 -0
package/dist/engine/incremental/types.js.map +1 -0
package/dist/engine/manifest_scanner.d.ts +48 -0
package/dist/engine/manifest_scanner.d.ts.map +1 -0
package/dist/engine/manifest_scanner.js +599 -0
package/dist/engine/manifest_scanner.js.map +1 -0
package/dist/engine/project.d.ts +22 -0
package/dist/engine/project.d.ts.map +1 -0
package/dist/engine/project.js +279 -0
package/dist/engine/project.js.map +1 -0
package/dist/engine/sarif.d.ts +13 -0
package/dist/engine/sarif.d.ts.map +1 -0
package/dist/engine/sarif.js +44 -0
package/dist/engine/sarif.js.map +1 -0
package/dist/engine/sca-integration.d.ts +36 -0
package/dist/engine/sca-integration.d.ts.map +1 -0
package/dist/engine/sca-integration.js +91 -0
package/dist/engine/sca-integration.js.map +1 -0
package/dist/engine/scanner.d.ts +18 -0
package/dist/engine/scanner.d.ts.map +1 -0
package/dist/engine/scanner.js +138 -0
package/dist/engine/scanner.js.map +1 -0
package/dist/index.d.ts +13 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +41 -0
package/dist/index.js.map +1 -0
package/dist/report/render.d.ts +23 -0
package/dist/report/render.d.ts.map +1 -0
package/dist/report/render.js +335 -0
package/dist/report/render.js.map +1 -0
package/package.json +41 -0
package/rules/android/mobile-cleartext-traffic.yaml +46 -0
package/rules/android/mobile-component-security.yaml +107 -0
package/rules/android/mobile-crypto-weakness.yaml +139 -0
package/rules/android/mobile-cwe-1021-tapjacking.yaml +81 -0
package/rules/android/mobile-cwe-114-dynamic-dex-loading.yaml +41 -0
package/rules/android/mobile-cwe-200-clipboard-data-leak.yaml +66 -0
package/rules/android/mobile-cwe-200-debug-builds.yaml +111 -0
package/rules/android/mobile-cwe-200-log-sensitive-data.yaml +61 -0
package/rules/android/mobile-cwe-200-webview-debugging.yaml +56 -0
package/rules/android/mobile-cwe-200-webview-universal-access.yaml +30 -0
package/rules/android/mobile-cwe-200-window-flags.yaml +96 -0
package/rules/android/mobile-cwe-22-content-provider-openfile.yaml +73 -0
package/rules/android/mobile-cwe-22-path-traversal.yaml +86 -0
package/rules/android/mobile-cwe-287-biometric-weakness.yaml +102 -0
package/rules/android/mobile-cwe-295-cert-pinning-missing.yaml +78 -0
package/rules/android/mobile-cwe-295-webview-ssl-bypass.yaml +104 -0
package/rules/android/mobile-cwe-312-cleartext-storage.yaml +109 -0
package/rules/android/mobile-cwe-319-cleartext-communication.yaml +84 -0
package/rules/android/mobile-cwe-321-hardcoded-crypto-keys.yaml +132 -0
package/rules/android/mobile-cwe-326-short-rsa.yaml +108 -0
package/rules/android/mobile-cwe-327-rc4-3des.yaml +107 -0
package/rules/android/mobile-cwe-329-cbc-padding-oracle.yaml +76 -0
package/rules/android/mobile-cwe-470-reflection-injection.yaml +39 -0
package/rules/android/mobile-cwe-489-root-detection-weak.yaml +125 -0
package/rules/android/mobile-cwe-489-stetho-debug.yaml +107 -0
package/rules/android/mobile-cwe-502-insecure-deserialization.yaml +76 -0
package/rules/android/mobile-cwe-552-world-readable-files.yaml +63 -0
package/rules/android/mobile-cwe-749-webview-java-objects.yaml +78 -0
package/rules/android/mobile-cwe-749-webview-jsbridge.yaml +57 -0
package/rules/android/mobile-cwe-749-webview-loadurl-injection.yaml +80 -0
package/rules/android/mobile-cwe-78-command-injection.yaml +77 -0
package/rules/android/mobile-cwe-780-rsa-no-oaep.yaml +80 -0
package/rules/android/mobile-cwe-79-webview-setdata.yaml +78 -0
package/rules/android/mobile-cwe-79-webview-xss.yaml +65 -0
package/rules/android/mobile-cwe-798-hardcoded-credentials.yaml +108 -0
package/rules/android/mobile-cwe-89-sql-injection.yaml +100 -0
package/rules/android/mobile-cwe-927-implicit-intent.yaml +121 -0
package/rules/android/mobile-cwe-927-ipc-file-provider.yaml +102 -0
package/rules/android/mobile-cwe-939-deeplink-validation.yaml +76 -0
package/rules/android/mobile-sdk-google-firebase-open.yaml +117 -0
package/rules/android/mobile-sdk-tencent-tpns-config-leak.yaml +131 -0
package/rules/android/mobile-secrets-storage.yaml +136 -0
package/rules/android/mobile-webview-security.yaml +88 -0
package/rules/common/cwe-200-sensitive-data-exposure.yaml +61 -0
package/rules/common/cwe-22-path-traversal.yaml +47 -0
package/rules/common/cwe-295-ssl-bypass.yaml +217 -0
package/rules/common/cwe-295-ssl-verification-disabled.yaml +64 -0
package/rules/common/cwe-306-missing-authentication.yaml +44 -0
package/rules/common/cwe-326-weak-key-size.yaml +107 -0
package/rules/common/cwe-327-weak-crypto.yaml +177 -0
package/rules/common/cwe-328-weak-hash.yaml +96 -0
package/rules/common/cwe-329-cbc-mode.yaml +26 -0
package/rules/common/cwe-352-csrf.yaml +23 -0
package/rules/common/cwe-434-unrestricted-file-upload.yaml +41 -0
package/rules/common/cwe-502-insecure-deserialization.yaml +44 -0
package/rules/common/cwe-601-url-redirect.yaml +110 -0
package/rules/common/cwe-611-xxe.yaml +70 -0
package/rules/common/cwe-732-incorrect-permission.yaml +49 -0
package/rules/common/cwe-770-resource-exhaustion.yaml +44 -0
package/rules/common/cwe-78-os-command-injection.yaml +43 -0
package/rules/common/cwe-787-out-of-bounds-write.yaml +37 -0
package/rules/common/cwe-79-xss.yaml +51 -0
package/rules/common/cwe-862-missing-authorization.yaml +40 -0
package/rules/common/cwe-89-sqli.yaml +89 -0
package/rules/common/cwe-918-ssrf.yaml +45 -0
package/rules/common/cwe-94-code-injection.yaml +59 -0
package/rules/common/zm-go-cwe22-path-traversal-fs.yaml +117 -0
package/rules/common/zm-go-cwe22-path-traversal.yaml +103 -0
package/rules/common/zm-go-cwe307-brute-force.yaml +129 -0
package/rules/common/zm-go-cwe326-weak-crypto.yaml +124 -0
package/rules/common/zm-go-cwe327-weak-cipher.yaml +152 -0
package/rules/common/zm-go-cwe384-session-fixation.yaml +128 -0
package/rules/common/zm-go-cwe502-deserialization.yaml +120 -0
package/rules/common/zm-go-cwe78-command-injection.yaml +95 -0
package/rules/common/zm-go-cwe79-xss.yaml +104 -0
package/rules/common/zm-go-cwe798-hardcoded-creds.yaml +153 -0
package/rules/common/zm-go-cwe89-sqli.yaml +89 -0
package/rules/common/zm-go-cwe918-ssrf.yaml +117 -0
package/rules/common/zm-java-cwe117-log-injection.yaml +83 -0
package/rules/common/zm-java-cwe117-logforging.yaml +153 -0
package/rules/common/zm-java-cwe200-actuator-exposure.yaml +8 -0
package/rules/common/zm-java-cwe200-info-disclosure.yaml +91 -0
package/rules/common/zm-java-cwe22-file-depth.yaml +135 -0
package/rules/common/zm-java-cwe22-path-traversal-spring.yaml +81 -0
package/rules/common/zm-java-cwe284-missing-auth-spring.yaml +131 -0
package/rules/common/zm-java-cwe295-webview-ssl.yaml +123 -0
package/rules/common/zm-java-cwe327-weakcrypto.yaml +197 -0
package/rules/common/zm-java-cwe347-jwt.yaml +30 -0
package/rules/common/zm-java-cwe352-csrf-depth.yaml +107 -0
package/rules/common/zm-java-cwe352-csrf-disabled.yaml +15 -0
package/rules/common/zm-java-cwe501-trust-boundary.yaml +124 -0
package/rules/common/zm-java-cwe502-deserial-depth.yaml +128 -0
package/rules/common/zm-java-cwe502-fastjson.yaml +137 -0
package/rules/common/zm-java-cwe502-gadget.yaml +158 -0
package/rules/common/zm-java-cwe502-jndi-injection.yaml +91 -0
package/rules/common/zm-java-cwe502-shiro.yaml +108 -0
package/rules/common/zm-java-cwe601-url-redirect-spring.yaml +85 -0
package/rules/common/zm-java-cwe611-xxe-enhanced.yaml +80 -0
package/rules/common/zm-java-cwe611-xxe-transformer.yaml +85 -0
package/rules/common/zm-java-cwe639-idor.yaml +123 -0
package/rules/common/zm-java-cwe79-xss-depth.yaml +98 -0
package/rules/common/zm-java-cwe862-authz-depth.yaml +127 -0
package/rules/common/zm-java-cwe915-mass-assignment.yaml +16 -0
package/rules/common/zm-java-cwe917-expression-injection.yaml +120 -0
package/rules/common/zm-java-cwe918-resttemplate.yaml +67 -0
package/rules/common/zm-java-cwe918-ssrf-depth.yaml +103 -0
package/rules/common/zm-java-cwe918-ssrf-resttemplate.yaml +77 -0
package/rules/common/zm-java-cwe918-webclient.yaml +44 -0
package/rules/common/zm-java-cwe94-ognl.yaml +66 -0
package/rules/common/zm-java-cwe94-spel-injection.yaml +85 -0
package/rules/common/zm-java-cwe94-spel.yaml +112 -0
package/rules/common/zm-java-cwe94-ssti.yaml +22 -0
package/rules/common/zm-java-cwe942-cors.yaml +15 -0
package/rules/common/zm-js-cwe1321-prototype-pollution.yaml +61 -0
package/rules/common/zm-js-cwe200-info-disclosure.yaml +95 -0
package/rules/common/zm-js-cwe22-path-traversal-fs.yaml +113 -0
package/rules/common/zm-js-cwe22-pathtraversal.yaml +111 -0
package/rules/common/zm-js-cwe307-brute-force.yaml +136 -0
package/rules/common/zm-js-cwe345-postmessage.yaml +75 -0
package/rules/common/zm-js-cwe347-jwt-weak.yaml +95 -0
package/rules/common/zm-js-cwe352-csrf.yaml +52 -0
package/rules/common/zm-js-cwe384-session-fixation.yaml +132 -0
package/rules/common/zm-js-cwe502-deserialization.yaml +119 -0
package/rules/common/zm-js-cwe611-xxe.yaml +108 -0
package/rules/common/zm-js-cwe639-idor.yaml +122 -0
package/rules/common/zm-js-cwe693-helmet-missing.yaml +46 -0
package/rules/common/zm-js-cwe78-exec.yaml +37 -0
package/rules/common/zm-js-cwe78-spawn.yaml +37 -0
package/rules/common/zm-js-cwe79-domxss.yaml +84 -0
package/rules/common/zm-js-cwe79-react-xss.yaml +18 -0
package/rules/common/zm-js-cwe79-xss-ejs.yaml +70 -0
package/rules/common/zm-js-cwe89-sqli.yaml +153 -0
package/rules/common/zm-js-cwe915-mass-assignment.yaml +111 -0
package/rules/common/zm-js-cwe918-ssrf-fetch.yaml +134 -0
package/rules/common/zm-js-cwe918-ssrf.yaml +132 -0
package/rules/common/zm-js-cwe94-template-injection.yaml +130 -0
package/rules/common/zm-js-cwe942-cors.yaml +49 -0
package/rules/common/zm-js-cwe943-nosql-injection.yaml +52 -0
package/rules/common/zm-js-cwe95-eval.yaml +59 -0
package/rules/common/zm-js-cwe95-function-ctor.yaml +31 -0
package/rules/common/zm-py-cwe22-path-traversal.yaml +86 -0
package/rules/common/zm-py-cwe327-weak-crypto.yaml +103 -0
package/rules/common/zm-py-cwe502-pickle.yaml +92 -0
package/rules/common/zm-py-cwe611-xxe.yaml +100 -0
package/rules/common/zm-py-cwe78-command-injection.yaml +121 -0
package/rules/common/zm-py-cwe79-xss.yaml +123 -0
package/rules/common/zm-py-cwe798-hardcoded-creds.yaml +86 -0
package/rules/common/zm-py-cwe89-sqli.yaml +59 -0
package/rules/common/zm-py-cwe918-ssrf.yaml +123 -0
package/rules/common/zm-py-cwe94-ssti.yaml +87 -0
package/rules/common/zm-py-cwe943-nosql-injection.yaml +123 -0
package/rules/iac/ansible/zm-ansible-cwe269-privilege-escalation.yaml +63 -0
package/rules/iac/ansible/zm-ansible-cwe78-command-injection.yaml +67 -0
package/rules/iac/ansible/zm-ansible-cwe798-hardcoded-creds.yaml +93 -0
package/rules/iac/terraform/zm-tf-cwe200-s3-bucket-public.yaml +100 -0
package/rules/iac/terraform/zm-tf-cwe284-sg-wide-open.yaml +88 -0
package/rules/iac/terraform/zm-tf-cwe311-iam-wildcard.yaml +83 -0
package/rules/iac/terraform/zm-tf-cwe319-rds-public.yaml +72 -0
package/rules/iac/terraform/zm-tf-cwe798-hardcoded-creds.yaml +102 -0
package/rules/iac/zm-docker-cwe250-root-user.yaml +50 -0
package/rules/iac/zm-docker-cwe400-resource-limit.yaml +92 -0
package/rules/iac/zm-docker-security.yaml +104 -0
package/rules/iac/zm-k8s-cwe200-service-account.yaml +83 -0
package/rules/iac/zm-k8s-cwe250-privileged.yaml +56 -0
package/rules/iac/zm-k8s-security.yaml +79 -0
package/rules/rules_index.yaml.off +477 -0
package/rules/semgrep-registry/anonymous-ldap-bind.yaml +34 -0
package/rules/semgrep-registry/bad-hexa-conversion.yaml +32 -0
package/rules/semgrep-registry/blowfish-insufficient-key-size.yaml +39 -0
package/rules/semgrep-registry/cbc-padding-oracle.yaml +38 -0
package/rules/semgrep-registry/command-injection-formatted-runtime-call.yaml +90 -0
package/rules/semgrep-registry/command-injection-process-builder.yaml +148 -0
package/rules/semgrep-registry/cookie-missing-httponly.yaml +38 -0
package/rules/semgrep-registry/cookie-missing-secure-flag.yaml +38 -0
package/rules/semgrep-registry/crlf-injection-logs.yaml +86 -0
package/rules/semgrep-registry/dangerous-groovy-shell.yaml +46 -0
package/rules/semgrep-registry/el-injection.yaml +137 -0
package/rules/semgrep-registry/formatted-sql-string.yaml +95 -0
package/rules/semgrep-registry/http-response-splitting.yaml +44 -0
package/rules/semgrep-registry/index.txt +1 -0
package/rules/semgrep-registry/insecure-smtp-connection.yaml +34 -0
package/rules/semgrep-registry/java-reverse-shell.yaml +43 -0
package/rules/semgrep-registry/jdbc-sql-formatted-string.yaml +120 -0
package/rules/semgrep-registry/ldap-entry-poisoning.yaml +41 -0
package/rules/semgrep-registry/ldap-injection.yaml +82 -0
package/rules/semgrep-registry/md5-used-as-password.yaml +44 -0
package/rules/semgrep-registry/object-deserialization.yaml +34 -0
package/rules/semgrep-registry/ognl-injection.yaml +839 -0
package/rules/semgrep-registry/overly-permissive-file-permission.yaml +49 -0
package/rules/semgrep-registry/permissive-cors.yaml +77 -0
package/rules/semgrep-registry/script-engine-injection.yaml +66 -0
package/rules/semgrep-registry/tainted-cmd-from-http-request.yaml +74 -0
package/rules/semgrep-registry/tainted-env-from-http-request.yaml +46 -0
package/rules/semgrep-registry/tainted-ldapi-from-http-request.yaml +42 -0
package/rules/semgrep-registry/tainted-session-from-http-request.yaml +70 -0
package/rules/semgrep-registry/tainted-xpath-from-http-request.yaml +38 -0
package/rules/semgrep-registry/unsafe-reflection.yaml +39 -0
package/rules/semgrep-registry/unvalidated-redirect.yaml +127 -0
package/rules/semgrep-registry/url-rewriting.yaml +82 -0
package/rules/semgrep-registry/weak-ssl-context.yaml +34 -0
package/rules/semgrep-registry/xml-decoder.yaml +53 -0
package/rules/semgrep-registry/xssrequestwrapper-is-insecure.yaml +40 -0

package/rules/android/mobile-cwe-780-rsa-no-oaep.yaml ADDED Viewed

@@ -0,0 +1,80 @@
+# CWE-780: RSA Without OAEP Padding (Android)
+# ZhuMa V4.0 - Android Rule Library
+# Source: ZhuMa V4.1 Rule Expansion - asymmetric crypto gaps
+rules:
+  - id: zm-android-rsa-no-oaep
+    severity: HIGH
+    message: |
+      Detected RSA cipher without OAEP padding. RSA with PKCS1Padding is vulnerable to
+      padding oracle attacks (Bleichenbacher / ROBOT attack), allowing an attacker to decrypt
+      ciphertexts by observing server error responses.
+      Remediation: Use "RSA/ECB/OAEPWithSHA-256AndMGF1Padding" or "RSA/ECB/OAEPWithSHA-512AndMGF1Padding".
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: Cipher.getInstance("RSA/ECB/PKCS1Padding")
+          - pattern: Cipher.getInstance("RSA/ECB/PKCS1Padding", "$P")
+          - pattern: Cipher.getInstance("RSA")
+          - pattern: Cipher.getInstance("RSA", "$P")
+    metadata:
+      cwe: "CWE-780: Use of RSA Algorithm without OAEP"
+      owasp-mobile: "M5: Insufficient Cryptography"
+      masvs: "MASVS-CRYPTO-1"
+      category: android-crypto
+      precision: very-high
+      confidence: very-high
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/780.html
+        - https://developer.android.com/privacy-and-security/risks/crypto-deprecation
+  - id: zm-android-rsa-encrypt-pkcs1
+    severity: HIGH
+    message: |
+      Detected Cipher with RSA and "PKCS1Padding" used in ENCRYPT_MODE.
+      RSA PKCS1 v1.5 encryption is vulnerable to Bleichenbacher's chosen-ciphertext attack.
+      Remediation: Use OAEP padding (OAEPWithSHA-256AndMGF1Padding) for RSA encryption.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: Cipher.getInstance("RSA/ECB/PKCS1Padding")
+          - pattern: $CIPHER.init(Cipher.ENCRYPT_MODE, $KEY)
+    metadata:
+      cwe: "CWE-780: Use of RSA Algorithm without OAEP"
+      owasp-mobile: "M5: Insufficient Cryptography"
+      masvs: "MASVS-CRYPTO-1"
+      category: android-crypto
+      precision: high
+      confidence: high
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/780.html
+  - id: zm-android-rsa-nowrap-mode
+    severity: LOW
+    message: |
+      Detected RSA cipher used in NoPadding mode. While sometimes intentional (e.g., for custom protocols),
+      raw RSA without padding should be carefully reviewed to ensure it is not used for direct encryption.
+      Raw RSA operations without padding are mathematically deterministic and vulnerable to attack.
+      Remediation: Verify this usage is intentional and reviewed by a crypto expert.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: Cipher.getInstance("RSA/ECB/NoPadding")
+          - pattern: Cipher.getInstance("RSA/ECB/NoPadding", "$P")
+          - pattern: Cipher.getInstance("RSA/None/NoPadding")
+          - pattern: Cipher.getInstance("RSA/None/NoPadding", "$P")
+    metadata:
+      cwe: "CWE-780: Use of RSA Algorithm without OAEP"
+      owasp-mobile: "M5: Insufficient Cryptography"
+      masvs: "MASVS-CRYPTO-1"
+      category: android-crypto
+      precision: very-high
+      confidence: very-high
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/780.html

package/rules/android/mobile-cwe-79-webview-setdata.yaml ADDED Viewed

@@ -0,0 +1,78 @@
+# CWE-79 and CWE-749: WebView loadData / loadDataWithBaseURL Security (Android)
+# ZhuMa V4.0 - Android Rule Library
+# Source: ZhuMa V4.1 Rule Expansion - WebView data loading attacks
+rules:
+  - id: zm-android-loaddata-null-baseurl
+    severity: MEDIUM
+    message: |
+      Detected loadDataWithBaseURL() with null baseURL and untrusted content.
+      When baseURL is null, the WebView cannot resolve relative URLs and Same-Origin Policy is weakened.
+      This can be exploited to access file:// resources or bypass CORS restrictions.
+      Remediation: Always provide a valid, trusted baseURL (e.g., "https://trusted.example.com").
+      Use loadData() for simple HTML without external resources.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: $WV.loadDataWithBaseURL(null, $DATA, $MIME, $ENC, null)
+          - pattern: $WV.loadDataWithBaseURL(null, $DATA, $MIME, $ENC, $HIST)
+    metadata:
+      cwe: "CWE-79: Improper Neutralization of Input During Web Page Generation"
+      owasp-mobile: "M1: Improper Platform Usage"
+      masvs: "MASVS-PLATFORM-2"
+      category: android-webview
+      precision: high
+      confidence: high
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/79.html
+        - https://developer.android.com/reference/android/webkit/WebView
+  - id: zm-android-loaddata-file-baseurl
+    severity: HIGH
+    message: |
+      Detected loadDataWithBaseURL() using "file://" as the base URL.
+      A file:// base URL allows loaded content to access local files on the device
+      via XMLHttpRequest or iframe, leading to local file disclosure.
+      Remediation: Use an https:// base URL from a trusted domain. Never use file:// as base URL.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: $WV.loadDataWithBaseURL("file://", $DATA, $MIME, $ENC, $HIST)
+          - pattern: $WV.loadDataWithBaseURL("file:///", $DATA, $MIME, $ENC, $HIST)
+          - pattern: $WV.loadDataWithBaseURL("file:///android_asset/", $DATA, $MIME, $ENC, $HIST)
+    metadata:
+      cwe: "CWE-749: Exposed Dangerous Method or Function"
+      owasp-mobile: "M1: Improper Platform Usage"
+      masvs: "MASVS-PLATFORM-2"
+      category: android-webview
+      precision: very-high
+      confidence: very-high
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/749.html
+  - id: zm-android-loadurl-file-scheme
+    severity: HIGH
+    message: |
+      Detected WebView.loadUrl() with "file://" scheme, which can load local files into WebView.
+      If combined with untrusted content or JavaScript enabled, this can expose local app data.
+      Remediation: Disable file access with setAllowFileAccess(false) and use https:// URLs only.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: $WV.loadUrl("file://" + $PATH)
+          - pattern: $WV.loadUrl("file:///" + $PATH)
+    metadata:
+      cwe: "CWE-749: Exposed Dangerous Method or Function"
+      owasp-mobile: "M1: Improper Platform Usage"
+      masvs: "MASVS-PLATFORM-2"
+      category: android-webview
+      precision: high
+      confidence: high
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/749.html

package/rules/android/mobile-cwe-79-webview-xss.yaml ADDED Viewed

@@ -0,0 +1,65 @@
+# CWE-79: WebView 动态 URL + JS 启用 — XSS/URL 注入 (Android)
+# 逐码 ZhuMa V4.0 — Android 规则库
+# 来源: V3 审计引擎 VULN-WV-004
+rules:
+  - id: zm-android-webview-dynamic-url-js-enabled
+    severity: HIGH
+    message: |
+      检测到 WebView 使用来自 Intent/网络的数据构造 URL 且 JavaScript 已启用。
+      攻击者可通过 Deeplink 传入恶意 URL（如 javascript: 协议或恶意站点），
+      结合已启用的 JS 执行实现 XSS、Token 窃取甚至升级为 RCE。
+      修复:
+      1. 实施 URL 白名单（仅允许可信域名）
+      2. 仅允许 HTTPS 协议
+      3. 实施 Content Security Policy
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              $WV.loadUrl($INTENT.getStringExtra($KEY))
+          - pattern: |
+              $WV.loadUrl($URI.toString())
+          - pattern: |
+              $WV.loadUrl($BUNDLE.getString($KEY))
+    metadata:
+      cwe: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+      owasp-mobile: "M7: Client Code Quality"
+      masvs: "MASVS-PLATFORM-2"
+      category: android-webview
+      precision: medium
+      confidence: medium
+      likelihood: medium
+      impact: high
+      source: "V3 Audit Engine - VULN-WV-004"
+      references:
+        - https://developer.android.com/privacy-and-security/risks/webview-cross-site-scripting
+  - id: zm-android-webview-shouldoverrideurlloading-bypass
+    severity: HIGH
+    message: |
+      检测到 shouldOverrideUrlLoading() 返回 false，未阻断可疑 URL 加载。
+      攻击者可通过 URL 重定向链绕过 HTTP-only 白名单:
+      https://safe.com → 302 → intent:// → Intent Scheme攻击 → 启动任意组件
+      https://safe.com → 302 → javascript: → XSS → Token 窃取
+      修复: 对所有非 HTTPS/non-whitelist URL 返回 true 阻断加载。
+    languages:
+      - java
+    patterns:
+      - pattern: |
+          public boolean shouldOverrideUrlLoading(WebView $WV, String $URL) {
+            ...
+            return false;
+            ...
+          }
+    metadata:
+      cwe: "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
+      owasp-mobile: "M7: Client Code Quality"
+      masvs: "MASVS-PLATFORM-2"
+      category: android-webview
+      precision: high
+      confidence: high
+      source: "V3 Audit Engine - VULN-WV-009"
+      references:
+        - https://developer.android.com/reference/android/webkit/WebViewClient#shouldOverrideUrlLoading(android.webkit.WebView,%20java.lang.String)

package/rules/android/mobile-cwe-798-hardcoded-credentials.yaml ADDED Viewed

@@ -0,0 +1,108 @@
+# CWE-798: 硬编码凭据 (Android)
+# 逐码 ZhuMa V4.0 — Android 规则库
+# 来源: V3 审计引擎 all_in_one.js JS scan + audit_rules_v2.py scan_crypto_expanded
+rules:
+  - id: zm-android-hardcoded-api-key
+    severity: CRITICAL
+    message: |
+      检测到疑似硬编码 API Key / Token / Secret。
+      硬编码在客户端 APK 中的凭证可通过逆向直接提取，导致 API 认证体系完全失效。
+      修复:
+      1. 密钥从服务端动态下发 (不可写死在客户端)
+      2. 使用 Android Keystore System 存储
+      3. 对请求做签名 + HMAC 而非靠客户端持有密钥
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              $TYPE $VAR = "$API_KEY";
+          - pattern: |
+              private static final String $VAR = "$API_KEY";
+          - pattern: |
+              public static final String $VAR = "$API_KEY";
+      - metavariable-regex:
+          metavariable: $VAR
+          regex: '(?i)(api[_]?key|app[_]?key|client[_]?secret|app[_]?secret|access[_]?key|secret[_]?key|auth[_]?token)'
+      - metavariable-regex:
+          metavariable: $API_KEY
+          regex: '.{8,100}'
+    metadata:
+      cwe: "CWE-798: Use of Hard-coded Credentials"
+      owasp-mobile: "M8: Code Tampering"
+      masvs: "MASVS-AUTH-1"
+      category: android-credentials
+      precision: medium
+      confidence: medium
+      likelihood: high
+      impact: critical
+      source: "V3 Audit Engine - all_in_one.js credPatterns"
+      references:
+        - https://cwe.mitre.org/data/definitions/798.html
+        - https://developer.android.com/privacy-and-security/risks/hardcoded-credentials
+  - id: zm-android-hardcoded-jwt-secret
+    severity: CRITICAL
+    message: |
+      检测到疑似硬编码 JWT Secret / Signing Key。
+      JWT 签名密钥硬编码在客户端意味着任何逆向 APP 的用户都可伪造任意 JWT Token，
+      绕过认证、冒充任意用户。
+      修复: JWT 签名密钥必须由服务端持有，客户端应通过 OAuth 2.0 流程获取 Access Token。
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              Jwts.parser().setSigningKey("$KEY".getBytes())
+          - pattern: |
+              Jwts.builder().signWith(SignatureAlgorithm.HS256, "$KEY")
+          - pattern: |
+              Jwts.builder().signWith(SignatureAlgorithm.HS256, "$KEY".getBytes())
+      - metavariable-regex:
+          metavariable: $KEY
+          regex: '.{8,}'
+    metadata:
+      cwe: "CWE-798: Use of Hard-coded Credentials"
+      owasp-mobile: "M8: Code Tampering"
+      masvs: "MASVS-AUTH-1"
+      category: android-credentials
+      precision: very-high
+      confidence: very-high
+      source: "V3 Audit Engine - crypto scan"
+      references:
+        - https://cwe.mitre.org/data/definitions/798.html
+        - https://jwt.io/introduction
+  - id: zm-android-hardcoded-password
+    severity: CRITICAL
+    message: |
+      检测到疑似硬编码密码字段。
+      密码硬编码在 APP 源码中可直接通过静态分析提取。
+      修复: 密码应通过用户输入获取或使用安全凭证存储机制。
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              String $VAR = "$PWD";
+          - pattern: |
+              private static final String $VAR = "$PWD";
+          - pattern: |
+              public static final String $VAR = "$PWD";
+      - metavariable-regex:
+          metavariable: $VAR
+          regex: '(?i)(password|passwd|pwd|passcode|pin_code)'
+      - metavariable-regex:
+          metavariable: $PWD
+          regex: '.{6,}'
+    metadata:
+      cwe: "CWE-798: Use of Hard-coded Credentials"
+      owasp-mobile: "M8: Code Tampering"
+      masvs: "MASVS-AUTH-1"
+      category: android-credentials
+      precision: low
+      confidence: low
+      source: "V3 Audit Engine - baseline scan"
+      references:
+        - https://cwe.mitre.org/data/definitions/798.html

package/rules/android/mobile-cwe-89-sql-injection.yaml ADDED Viewed

@@ -0,0 +1,100 @@
+# CWE-89: SQL 注入 (Android SQLite)
+# 逐码 ZhuMa V4.0 — Android 规则库
+# 来源: V3 审计引擎 VULN-CP-002
+rules:
+  - id: zm-android-sqlite-rawquery
+    severity: HIGH
+    message: |
+      检测到 SQLiteDatabase.rawQuery() 使用字符串拼接或 String.format 构造 SQL 查询。
+      如果 where/selection 参数来自用户输入（Intent Extra、ContentProvider query 参数、网络数据），
+      存在 SQL 注入风险，可导致数据泄露或绕过认证。
+      Android 中 SQL 注入常发生在 ContentProvider.query() 实现中的 rawQuery 调用。
+      修复: 使用 query() + selectionArgs 参数化查询；绝对禁止字符串拼接 SQL。
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              $DB.rawQuery($SQL + $PARAM, ...)
+          - pattern: |
+              $DB.rawQuery(String.format($SQL, $PARAM), ...)
+          - pattern: |
+              $DB.execSQL($SQL + $PARAM)
+    metadata:
+      cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
+      owasp-mobile: "M1: Improper Platform Usage"
+      masvs: "MASVS-STORAGE-2"
+      category: android-storage
+      precision: medium
+      confidence: medium
+      likelihood: medium
+      impact: high
+      source: "V3 Audit Engine - VULN-CP-002"
+      references:
+        - https://developer.android.com/privacy-and-security/risks/sql-injection
+        - https://developer.android.com/training/data-storage/sqlite
+  - id: zm-android-content-provider-rawquery
+    severity: HIGH
+    message: |
+      检测到 ContentProvider 实现中使用 rawQuery() 且无 selectionArgs 参数。
+      ContentProvider 的 query() 方法接收来自任意 APP 的参数，
+      如果直接拼接到 rawQuery() 中则存在严重的 SQL 注入风险。
+      修复: 在 ContentProvider.query() 实现中使用 SQLiteDatabase.query() + selectionArgs。
+    languages:
+      - java
+    patterns:
+      - pattern: |
+          public Cursor query(Uri $URI, ...) {
+            ...
+            $DB.rawQuery($SQL, null);
+            ...
+          }
+    metadata:
+      cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
+      owasp-mobile: "M1: Improper Platform Usage"
+      masvs: "MASVS-STORAGE-2"
+      category: android-storage
+      precision: high
+      confidence: high
+      source: "V3 Audit Engine - VULN-CP-002"
+      references:
+        - https://developer.android.com/privacy-and-security/risks/sql-injection
+  - id: zm-android-content-provider-openfile-path-traversal
+    severity: CRITICAL
+    message: |
+      检测到 ContentProvider.openFile() 实现中使用 getPath() 获取路径但未调用 getCanonicalPath()。
+      攻击者可通过构造 content:// URI 注入路径遍历序列（如 ../../../../ ），
+      读取 APP 私有目录下的任意文件（databases、shared_prefs 等）。
+      著名案例: CVE-2021-0307 (Android SystemUI 路径遍历)
+      修复: 在 openFile() 中先调用 getCanonicalPath()，再校验路径是否在允许的目录前缀内。
+    languages:
+      - java
+    patterns:
+      - pattern: |
+          public ParcelFileDescriptor openFile(Uri $URI, String $MODE) {
+            ...
+            $PATH.getPath();
+            ...
+          }
+      - pattern-not: |
+          public ParcelFileDescriptor openFile(Uri $URI, String $MODE) {
+            ...
+            $PATH.getCanonicalPath();
+            ...
+          }
+    metadata:
+      cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
+      owasp-mobile: "M8: Code Tampering"
+      masvs: "MASVS-STORAGE-1"
+      category: android-storage
+      precision: medium
+      confidence: medium
+      likelihood: high
+      impact: critical
+      source: "V3 Audit Engine - VULN-CP-001"
+      references:
+        - https://cwe.mitre.org/data/definitions/22.html
+        - https://nvd.nist.gov/vuln/detail/CVE-2021-0307

package/rules/android/mobile-cwe-927-implicit-intent.yaml ADDED Viewed

@@ -0,0 +1,121 @@
+# CWE-927: 隐式 Intent / 导出组件无权限保护 (Android)
+# 逐码 ZhuMa V4.0 — Android 规则库
+# 来源: V3 审计引擎 VULN-INT-001 / VULN-INT-002 / VULN-PI-001 / VULN-PI-002
+rules:
+  - id: zm-android-pendingintent-no-immutable
+    severity: CRITICAL
+    message: |
+      检测到 PendingIntent 未设置 FLAG_IMMUTABLE。
+      Android 12+ (API 31) 强制要求 PendingIntent 显式声明 FLAG_IMMUTABLE 或 FLAG_MUTABLE。
+      缺失此标记的 PendingIntent 可被恶意 APP 篡改 Intent Extras，
+      实现越权操作（如劫持通知栏操作、篡改桌面小部件点击行为）。
+      修复: PendingIntent.getActivity(ctx, 0, intent, PendingIntent.FLAG_IMMUTABLE);
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              PendingIntent.getActivity($CTX, $RQ, $INTENT, 0)
+          - pattern: |
+              PendingIntent.getBroadcast($CTX, $RQ, $INTENT, 0)
+          - pattern: |
+              PendingIntent.getService($CTX, $RQ, $INTENT, 0)
+          - pattern: |
+              PendingIntent.getForegroundService($CTX, $RQ, $INTENT, 0)
+          - pattern: |
+              PendingIntent.getActivity($CTX, $RQ, $INTENT, PendingIntent.FLAG_UPDATE_CURRENT)
+    metadata:
+      cwe: "CWE-927: Use of Implicit Intent for Sensitive Communication"
+      owasp-mobile: "M2: Insecure Data Storage"
+      masvs: "MASVS-PLATFORM-3"
+      category: android-intent
+      precision: high
+      confidence: high
+      likelihood: high
+      impact: high
+      source: "V3 Audit Engine - VULN-PI-001"
+      references:
+        - https://developer.android.com/guide/components/intents-filters#PendingIntentMutability
+        - https://developer.android.com/about/versions/12/behavior-changes-12#pending-intent-mutability
+  - id: zm-android-implicit-pendingintent
+    severity: HIGH
+    message: |
+      检测到使用隐式 Intent 创建 PendingIntent（未指定 setComponent/setClass）。
+      隐式 PendingIntent 可被任意注册了匹配 IntentFilter 的 APP 劫持，
+      导致用户点击后被重定向到恶意 Activity/Service。
+      修复: 在 Intent 上调用 setComponent() 或 setClass() 指定目标组件。
+    languages:
+      - java
+    patterns:
+      - pattern: |
+          $PENDINGINTENT.get$TYPE($CTX, $RQ, new Intent($ACTION), ...)
+    metadata:
+      cwe: "CWE-927: Use of Implicit Intent for Sensitive Communication"
+      owasp-mobile: "M2: Insecure Data Storage"
+      masvs: "MASVS-PLATFORM-3"
+      category: android-intent
+      precision: medium
+      confidence: medium
+      source: "V3 Audit Engine - VULN-PI-002"
+      references:
+        - https://developer.android.com/privacy-and-security/risks/unsafe-intent-resolution
+  - id: zm-android-exported-component-no-permission
+    severity: WARNING
+    message: |
+      检测到 Android 组件 (Activity/Service/Receiver/Provider) 导出为 true 但无权限保护。
+      这需要结合 AndroidManifest.xml 分析。Semgrep 在 Java 层检测到组件类可以提醒审计人员检查 Manifest 配置。
+      如果Manifest中 export=true 且无 permission，任何APP都可启动/访问该组件。
+    languages:
+      - java
+    pattern: |
+      class $CLASS extends $COMPONENT {
+        ...
+      }
+    paths:
+      include:
+        - "**/AndroidManifest.xml"
+    metadata:
+      cwe: "CWE-927: Use of Implicit Intent for Sensitive Communication"
+      owasp-mobile: "M2: Insecure Data Storage"
+      masvs: "MASVS-PLATFORM-3"
+      category: android-intent
+      precision: low
+      confidence: low
+      note: |
+        此规则为资讯类提醒。实际判断组件导出需要解析 AndroidManifest.xml 中的
+        android:exported 和 android:permission 属性。
+        V3 引擎 (VULN-INT-001) 通过正则匹配 Manifest 实现精确检测。
+        建议配合 Android Lint 或专用 Manifest 扫描工具使用。
+      source: "V3 Audit Engine - VULN-INT-001"
+  - id: zm-android-non-https-deeplink
+    severity: WARNING
+    message: |
+      检测到 Java 代码中使用了自定义 URL scheme。
+      如果此 scheme 在 Manifest 中被配置为 Deep Link 且非 HTTPS，
+      可被第三方 APP 伪造 Deeplink 触发，实现 Intent 劫持。
+      这需要结合 AndroidManifest.xml 分析 —— 检查 <data android:scheme="xxx"/> 。
+      修复: 使用 HTTPS scheme + Android App Links (.well-known/assetlinks.json 验证)。
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              Uri.parse("$SCHEME://...")
+          - pattern: |
+              new Intent(Intent.ACTION_VIEW, Uri.parse("$SCHEME://..."))
+      - metavariable-regex:
+          metavariable: $SCHEME
+          regex: '(?!https?|content|file|data|blob|mailto|tel|sms|geo|market)(^[a-z][a-z0-9+.-]*$)'
+    metadata:
+      cwe: "CWE-939: Improper Authorization in Handler for Custom URL Scheme"
+      owasp-mobile: "M2: Insecure Data Storage"
+      masvs: "MASVS-PLATFORM-3"
+      category: android-intent
+      precision: low
+      confidence: low
+      note: "此规则检测 Java 源代码中使用的 scheme，Manifest 中的深层链接配置需通过 XML 解析确认。"
+      source: "V3 Audit Engine - VULN-INT-003"

package/rules/android/mobile-cwe-927-ipc-file-provider.yaml ADDED Viewed

@@ -0,0 +1,102 @@
+# CWE-927 and CWE-22: IPC FileProvider and Content Provider Path Traversal (Android)
+# ZhuMa V4.0 - Android Rule Library
+# Source: ZhuMa V4.1 Rule Expansion - IPC security hardening
+rules:
+  - id: zm-android-fileprovider-path-too-broad
+    severity: HIGH
+    message: |
+      Detected FileProvider path configuration with an overly broad root-path or empty path.
+      A FileProvider with path="" or path="/" exposes the entire filesystem subtree to the requesting app,
+      allowing arbitrary file access beyond what is intended.
+      Remediation: Restrict FileProvider paths to specific subdirectories using path="specific/subdir/" with exact paths.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: $STR.equals("")
+          - pattern: $STR.equals("/")
+    metadata:
+      cwe: "CWE-927: Use of Implicit Intent for Sensitive Communication"
+      owasp-mobile: "M1: Improper Platform Usage"
+      masvs: "MASVS-PLATFORM-2"
+      category: android-ipc
+      precision: low
+      confidence: low
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/927.html
+        - https://developer.android.com/reference/androidx/core/content/FileProvider
+  - id: zm-android-contentprovider-openfile-no-canonical
+    severity: HIGH
+    message: |
+      Detected ContentProvider.openFile() without canonical path validation.
+      Without resolving the path to its canonical form and verifying it stays within the allowed directory,
+      a path traversal attack (../../etc/hosts) can access arbitrary files on the device.
+      Remediation: Use File.getCanonicalPath() and verify the result starts with the allowed base directory.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: ParcelFileDescriptor.open($FILE, $FLAGS)
+    metadata:
+      cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory"
+      owasp-mobile: "M1: Improper Platform Usage"
+      masvs: "MASVS-PLATFORM-2"
+      category: android-ipc
+      precision: low
+      confidence: low
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/22.html
+        - https://developer.android.com/privacy-and-security/risks/path-traversal
+  - id: zm-android-contentprovider-call-no-permission
+    severity: MEDIUM
+    message: |
+      Detected ContentProvider.call() method exposed without permission check.
+      The call() method is a generic IPC channel that can execute arbitrary provider-defined methods.
+      Without permission enforcement, any app can invoke internal methods.
+      Remediation: Add permission check via checkCallingPermission() at the start of call().
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              public Bundle call(String $METHOD, String $ARG, Bundle $EXTRAS) {
+                ...
+              }
+    metadata:
+      cwe: "CWE-927: Use of Implicit Intent for Sensitive Communication"
+      owasp-mobile: "M1: Improper Platform Usage"
+      masvs: "MASVS-PLATFORM-2"
+      category: android-ipc
+      precision: low
+      confidence: low
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/927.html
+  - id: zm-android-fileprovider-exported-true
+    severity: MEDIUM
+    message: |
+      Detected FileProvider with android:exported="true" (or no explicit exported declaration).
+      An exported FileProvider can serve files to any app on the device, potentially exposing private data.
+      Remediation: Set android:exported="false" unless external apps legitimately need file access.
+      If exported is required, restrict with android:grantUriPermissions and signature-level permission.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: $PROVIDER.setExported(true)
+    metadata:
+      cwe: "CWE-927: Use of Implicit Intent for Sensitive Communication"
+      owasp-mobile: "M1: Improper Platform Usage"
+      masvs: "MASVS-PLATFORM-2"
+      category: android-ipc
+      precision: low
+      confidence: low
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/927.html