npm - @zhuma4/cli - Versions diffs - 4.0.0-alpha.1 - Mend

@zhuma4/cli 4.0.0-alpha.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (288) hide show

package/README.md +42 -0
package/dist/commands/config.d.ts +3 -0
package/dist/commands/config.d.ts.map +1 -0
package/dist/commands/config.js +18 -0
package/dist/commands/config.js.map +1 -0
package/dist/commands/init.d.ts +3 -0
package/dist/commands/init.d.ts.map +1 -0
package/dist/commands/init.js +11 -0
package/dist/commands/init.js.map +1 -0
package/dist/commands/scan.d.ts +3 -0
package/dist/commands/scan.d.ts.map +1 -0
package/dist/commands/scan.js +96 -0
package/dist/commands/scan.js.map +1 -0
package/dist/commands/scan_appid.d.ts +20 -0
package/dist/commands/scan_appid.d.ts.map +1 -0
package/dist/commands/scan_appid.js +301 -0
package/dist/commands/scan_appid.js.map +1 -0
package/dist/commands/scan_manifest.d.ts +13 -0
package/dist/commands/scan_manifest.d.ts.map +1 -0
package/dist/commands/scan_manifest.js +103 -0
package/dist/commands/scan_manifest.js.map +1 -0
package/dist/engine/api-submit.d.ts +16 -0
package/dist/engine/api-submit.d.ts.map +1 -0
package/dist/engine/api-submit.js +66 -0
package/dist/engine/api-submit.js.map +1 -0
package/dist/engine/batch_scan.d.ts +36 -0
package/dist/engine/batch_scan.d.ts.map +1 -0
package/dist/engine/batch_scan.js +192 -0
package/dist/engine/batch_scan.js.map +1 -0
package/dist/engine/config.d.ts +12 -0
package/dist/engine/config.d.ts.map +1 -0
package/dist/engine/config.js +27 -0
package/dist/engine/config.js.map +1 -0
package/dist/engine/errors.d.ts +36 -0
package/dist/engine/errors.d.ts.map +1 -0
package/dist/engine/errors.js +99 -0
package/dist/engine/errors.js.map +1 -0
package/dist/engine/filter.d.ts +13 -0
package/dist/engine/filter.d.ts.map +1 -0
package/dist/engine/filter.js +64 -0
package/dist/engine/filter.js.map +1 -0
package/dist/engine/finding_classifier.d.ts +108 -0
package/dist/engine/finding_classifier.d.ts.map +1 -0
package/dist/engine/finding_classifier.js +440 -0
package/dist/engine/finding_classifier.js.map +1 -0
package/dist/engine/incremental/engine.d.ts +25 -0
package/dist/engine/incremental/engine.d.ts.map +1 -0
package/dist/engine/incremental/engine.js +337 -0
package/dist/engine/incremental/engine.js.map +1 -0
package/dist/engine/incremental/git-diff.d.ts +19 -0
package/dist/engine/incremental/git-diff.d.ts.map +1 -0
package/dist/engine/incremental/git-diff.js +175 -0
package/dist/engine/incremental/git-diff.js.map +1 -0
package/dist/engine/incremental/types.d.ts +33 -0
package/dist/engine/incremental/types.d.ts.map +1 -0
package/dist/engine/incremental/types.js +11 -0
package/dist/engine/incremental/types.js.map +1 -0
package/dist/engine/manifest_scanner.d.ts +48 -0
package/dist/engine/manifest_scanner.d.ts.map +1 -0
package/dist/engine/manifest_scanner.js +599 -0
package/dist/engine/manifest_scanner.js.map +1 -0
package/dist/engine/project.d.ts +22 -0
package/dist/engine/project.d.ts.map +1 -0
package/dist/engine/project.js +279 -0
package/dist/engine/project.js.map +1 -0
package/dist/engine/sarif.d.ts +13 -0
package/dist/engine/sarif.d.ts.map +1 -0
package/dist/engine/sarif.js +44 -0
package/dist/engine/sarif.js.map +1 -0
package/dist/engine/sca-integration.d.ts +36 -0
package/dist/engine/sca-integration.d.ts.map +1 -0
package/dist/engine/sca-integration.js +91 -0
package/dist/engine/sca-integration.js.map +1 -0
package/dist/engine/scanner.d.ts +18 -0
package/dist/engine/scanner.d.ts.map +1 -0
package/dist/engine/scanner.js +138 -0
package/dist/engine/scanner.js.map +1 -0
package/dist/index.d.ts +13 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +41 -0
package/dist/index.js.map +1 -0
package/dist/report/render.d.ts +23 -0
package/dist/report/render.d.ts.map +1 -0
package/dist/report/render.js +335 -0
package/dist/report/render.js.map +1 -0
package/package.json +41 -0
package/rules/android/mobile-cleartext-traffic.yaml +46 -0
package/rules/android/mobile-component-security.yaml +107 -0
package/rules/android/mobile-crypto-weakness.yaml +139 -0
package/rules/android/mobile-cwe-1021-tapjacking.yaml +81 -0
package/rules/android/mobile-cwe-114-dynamic-dex-loading.yaml +41 -0
package/rules/android/mobile-cwe-200-clipboard-data-leak.yaml +66 -0
package/rules/android/mobile-cwe-200-debug-builds.yaml +111 -0
package/rules/android/mobile-cwe-200-log-sensitive-data.yaml +61 -0
package/rules/android/mobile-cwe-200-webview-debugging.yaml +56 -0
package/rules/android/mobile-cwe-200-webview-universal-access.yaml +30 -0
package/rules/android/mobile-cwe-200-window-flags.yaml +96 -0
package/rules/android/mobile-cwe-22-content-provider-openfile.yaml +73 -0
package/rules/android/mobile-cwe-22-path-traversal.yaml +86 -0
package/rules/android/mobile-cwe-287-biometric-weakness.yaml +102 -0
package/rules/android/mobile-cwe-295-cert-pinning-missing.yaml +78 -0
package/rules/android/mobile-cwe-295-webview-ssl-bypass.yaml +104 -0
package/rules/android/mobile-cwe-312-cleartext-storage.yaml +109 -0
package/rules/android/mobile-cwe-319-cleartext-communication.yaml +84 -0
package/rules/android/mobile-cwe-321-hardcoded-crypto-keys.yaml +132 -0
package/rules/android/mobile-cwe-326-short-rsa.yaml +108 -0
package/rules/android/mobile-cwe-327-rc4-3des.yaml +107 -0
package/rules/android/mobile-cwe-329-cbc-padding-oracle.yaml +76 -0
package/rules/android/mobile-cwe-470-reflection-injection.yaml +39 -0
package/rules/android/mobile-cwe-489-root-detection-weak.yaml +125 -0
package/rules/android/mobile-cwe-489-stetho-debug.yaml +107 -0
package/rules/android/mobile-cwe-502-insecure-deserialization.yaml +76 -0
package/rules/android/mobile-cwe-552-world-readable-files.yaml +63 -0
package/rules/android/mobile-cwe-749-webview-java-objects.yaml +78 -0
package/rules/android/mobile-cwe-749-webview-jsbridge.yaml +57 -0
package/rules/android/mobile-cwe-749-webview-loadurl-injection.yaml +80 -0
package/rules/android/mobile-cwe-78-command-injection.yaml +77 -0
package/rules/android/mobile-cwe-780-rsa-no-oaep.yaml +80 -0
package/rules/android/mobile-cwe-79-webview-setdata.yaml +78 -0
package/rules/android/mobile-cwe-79-webview-xss.yaml +65 -0
package/rules/android/mobile-cwe-798-hardcoded-credentials.yaml +108 -0
package/rules/android/mobile-cwe-89-sql-injection.yaml +100 -0
package/rules/android/mobile-cwe-927-implicit-intent.yaml +121 -0
package/rules/android/mobile-cwe-927-ipc-file-provider.yaml +102 -0
package/rules/android/mobile-cwe-939-deeplink-validation.yaml +76 -0
package/rules/android/mobile-sdk-google-firebase-open.yaml +117 -0
package/rules/android/mobile-sdk-tencent-tpns-config-leak.yaml +131 -0
package/rules/android/mobile-secrets-storage.yaml +136 -0
package/rules/android/mobile-webview-security.yaml +88 -0
package/rules/common/cwe-200-sensitive-data-exposure.yaml +61 -0
package/rules/common/cwe-22-path-traversal.yaml +47 -0
package/rules/common/cwe-295-ssl-bypass.yaml +217 -0
package/rules/common/cwe-295-ssl-verification-disabled.yaml +64 -0
package/rules/common/cwe-306-missing-authentication.yaml +44 -0
package/rules/common/cwe-326-weak-key-size.yaml +107 -0
package/rules/common/cwe-327-weak-crypto.yaml +177 -0
package/rules/common/cwe-328-weak-hash.yaml +96 -0
package/rules/common/cwe-329-cbc-mode.yaml +26 -0
package/rules/common/cwe-352-csrf.yaml +23 -0
package/rules/common/cwe-434-unrestricted-file-upload.yaml +41 -0
package/rules/common/cwe-502-insecure-deserialization.yaml +44 -0
package/rules/common/cwe-601-url-redirect.yaml +110 -0
package/rules/common/cwe-611-xxe.yaml +70 -0
package/rules/common/cwe-732-incorrect-permission.yaml +49 -0
package/rules/common/cwe-770-resource-exhaustion.yaml +44 -0
package/rules/common/cwe-78-os-command-injection.yaml +43 -0
package/rules/common/cwe-787-out-of-bounds-write.yaml +37 -0
package/rules/common/cwe-79-xss.yaml +51 -0
package/rules/common/cwe-862-missing-authorization.yaml +40 -0
package/rules/common/cwe-89-sqli.yaml +89 -0
package/rules/common/cwe-918-ssrf.yaml +45 -0
package/rules/common/cwe-94-code-injection.yaml +59 -0
package/rules/common/zm-go-cwe22-path-traversal-fs.yaml +117 -0
package/rules/common/zm-go-cwe22-path-traversal.yaml +103 -0
package/rules/common/zm-go-cwe307-brute-force.yaml +129 -0
package/rules/common/zm-go-cwe326-weak-crypto.yaml +124 -0
package/rules/common/zm-go-cwe327-weak-cipher.yaml +152 -0
package/rules/common/zm-go-cwe384-session-fixation.yaml +128 -0
package/rules/common/zm-go-cwe502-deserialization.yaml +120 -0
package/rules/common/zm-go-cwe78-command-injection.yaml +95 -0
package/rules/common/zm-go-cwe79-xss.yaml +104 -0
package/rules/common/zm-go-cwe798-hardcoded-creds.yaml +153 -0
package/rules/common/zm-go-cwe89-sqli.yaml +89 -0
package/rules/common/zm-go-cwe918-ssrf.yaml +117 -0
package/rules/common/zm-java-cwe117-log-injection.yaml +83 -0
package/rules/common/zm-java-cwe117-logforging.yaml +153 -0
package/rules/common/zm-java-cwe200-actuator-exposure.yaml +8 -0
package/rules/common/zm-java-cwe200-info-disclosure.yaml +91 -0
package/rules/common/zm-java-cwe22-file-depth.yaml +135 -0
package/rules/common/zm-java-cwe22-path-traversal-spring.yaml +81 -0
package/rules/common/zm-java-cwe284-missing-auth-spring.yaml +131 -0
package/rules/common/zm-java-cwe295-webview-ssl.yaml +123 -0
package/rules/common/zm-java-cwe327-weakcrypto.yaml +197 -0
package/rules/common/zm-java-cwe347-jwt.yaml +30 -0
package/rules/common/zm-java-cwe352-csrf-depth.yaml +107 -0
package/rules/common/zm-java-cwe352-csrf-disabled.yaml +15 -0
package/rules/common/zm-java-cwe501-trust-boundary.yaml +124 -0
package/rules/common/zm-java-cwe502-deserial-depth.yaml +128 -0
package/rules/common/zm-java-cwe502-fastjson.yaml +137 -0
package/rules/common/zm-java-cwe502-gadget.yaml +158 -0
package/rules/common/zm-java-cwe502-jndi-injection.yaml +91 -0
package/rules/common/zm-java-cwe502-shiro.yaml +108 -0
package/rules/common/zm-java-cwe601-url-redirect-spring.yaml +85 -0
package/rules/common/zm-java-cwe611-xxe-enhanced.yaml +80 -0
package/rules/common/zm-java-cwe611-xxe-transformer.yaml +85 -0
package/rules/common/zm-java-cwe639-idor.yaml +123 -0
package/rules/common/zm-java-cwe79-xss-depth.yaml +98 -0
package/rules/common/zm-java-cwe862-authz-depth.yaml +127 -0
package/rules/common/zm-java-cwe915-mass-assignment.yaml +16 -0
package/rules/common/zm-java-cwe917-expression-injection.yaml +120 -0
package/rules/common/zm-java-cwe918-resttemplate.yaml +67 -0
package/rules/common/zm-java-cwe918-ssrf-depth.yaml +103 -0
package/rules/common/zm-java-cwe918-ssrf-resttemplate.yaml +77 -0
package/rules/common/zm-java-cwe918-webclient.yaml +44 -0
package/rules/common/zm-java-cwe94-ognl.yaml +66 -0
package/rules/common/zm-java-cwe94-spel-injection.yaml +85 -0
package/rules/common/zm-java-cwe94-spel.yaml +112 -0
package/rules/common/zm-java-cwe94-ssti.yaml +22 -0
package/rules/common/zm-java-cwe942-cors.yaml +15 -0
package/rules/common/zm-js-cwe1321-prototype-pollution.yaml +61 -0
package/rules/common/zm-js-cwe200-info-disclosure.yaml +95 -0
package/rules/common/zm-js-cwe22-path-traversal-fs.yaml +113 -0
package/rules/common/zm-js-cwe22-pathtraversal.yaml +111 -0
package/rules/common/zm-js-cwe307-brute-force.yaml +136 -0
package/rules/common/zm-js-cwe345-postmessage.yaml +75 -0
package/rules/common/zm-js-cwe347-jwt-weak.yaml +95 -0
package/rules/common/zm-js-cwe352-csrf.yaml +52 -0
package/rules/common/zm-js-cwe384-session-fixation.yaml +132 -0
package/rules/common/zm-js-cwe502-deserialization.yaml +119 -0
package/rules/common/zm-js-cwe611-xxe.yaml +108 -0
package/rules/common/zm-js-cwe639-idor.yaml +122 -0
package/rules/common/zm-js-cwe693-helmet-missing.yaml +46 -0
package/rules/common/zm-js-cwe78-exec.yaml +37 -0
package/rules/common/zm-js-cwe78-spawn.yaml +37 -0
package/rules/common/zm-js-cwe79-domxss.yaml +84 -0
package/rules/common/zm-js-cwe79-react-xss.yaml +18 -0
package/rules/common/zm-js-cwe79-xss-ejs.yaml +70 -0
package/rules/common/zm-js-cwe89-sqli.yaml +153 -0
package/rules/common/zm-js-cwe915-mass-assignment.yaml +111 -0
package/rules/common/zm-js-cwe918-ssrf-fetch.yaml +134 -0
package/rules/common/zm-js-cwe918-ssrf.yaml +132 -0
package/rules/common/zm-js-cwe94-template-injection.yaml +130 -0
package/rules/common/zm-js-cwe942-cors.yaml +49 -0
package/rules/common/zm-js-cwe943-nosql-injection.yaml +52 -0
package/rules/common/zm-js-cwe95-eval.yaml +59 -0
package/rules/common/zm-js-cwe95-function-ctor.yaml +31 -0
package/rules/common/zm-py-cwe22-path-traversal.yaml +86 -0
package/rules/common/zm-py-cwe327-weak-crypto.yaml +103 -0
package/rules/common/zm-py-cwe502-pickle.yaml +92 -0
package/rules/common/zm-py-cwe611-xxe.yaml +100 -0
package/rules/common/zm-py-cwe78-command-injection.yaml +121 -0
package/rules/common/zm-py-cwe79-xss.yaml +123 -0
package/rules/common/zm-py-cwe798-hardcoded-creds.yaml +86 -0
package/rules/common/zm-py-cwe89-sqli.yaml +59 -0
package/rules/common/zm-py-cwe918-ssrf.yaml +123 -0
package/rules/common/zm-py-cwe94-ssti.yaml +87 -0
package/rules/common/zm-py-cwe943-nosql-injection.yaml +123 -0
package/rules/iac/ansible/zm-ansible-cwe269-privilege-escalation.yaml +63 -0
package/rules/iac/ansible/zm-ansible-cwe78-command-injection.yaml +67 -0
package/rules/iac/ansible/zm-ansible-cwe798-hardcoded-creds.yaml +93 -0
package/rules/iac/terraform/zm-tf-cwe200-s3-bucket-public.yaml +100 -0
package/rules/iac/terraform/zm-tf-cwe284-sg-wide-open.yaml +88 -0
package/rules/iac/terraform/zm-tf-cwe311-iam-wildcard.yaml +83 -0
package/rules/iac/terraform/zm-tf-cwe319-rds-public.yaml +72 -0
package/rules/iac/terraform/zm-tf-cwe798-hardcoded-creds.yaml +102 -0
package/rules/iac/zm-docker-cwe250-root-user.yaml +50 -0
package/rules/iac/zm-docker-cwe400-resource-limit.yaml +92 -0
package/rules/iac/zm-docker-security.yaml +104 -0
package/rules/iac/zm-k8s-cwe200-service-account.yaml +83 -0
package/rules/iac/zm-k8s-cwe250-privileged.yaml +56 -0
package/rules/iac/zm-k8s-security.yaml +79 -0
package/rules/rules_index.yaml.off +477 -0
package/rules/semgrep-registry/anonymous-ldap-bind.yaml +34 -0
package/rules/semgrep-registry/bad-hexa-conversion.yaml +32 -0
package/rules/semgrep-registry/blowfish-insufficient-key-size.yaml +39 -0
package/rules/semgrep-registry/cbc-padding-oracle.yaml +38 -0
package/rules/semgrep-registry/command-injection-formatted-runtime-call.yaml +90 -0
package/rules/semgrep-registry/command-injection-process-builder.yaml +148 -0
package/rules/semgrep-registry/cookie-missing-httponly.yaml +38 -0
package/rules/semgrep-registry/cookie-missing-secure-flag.yaml +38 -0
package/rules/semgrep-registry/crlf-injection-logs.yaml +86 -0
package/rules/semgrep-registry/dangerous-groovy-shell.yaml +46 -0
package/rules/semgrep-registry/el-injection.yaml +137 -0
package/rules/semgrep-registry/formatted-sql-string.yaml +95 -0
package/rules/semgrep-registry/http-response-splitting.yaml +44 -0
package/rules/semgrep-registry/index.txt +1 -0
package/rules/semgrep-registry/insecure-smtp-connection.yaml +34 -0
package/rules/semgrep-registry/java-reverse-shell.yaml +43 -0
package/rules/semgrep-registry/jdbc-sql-formatted-string.yaml +120 -0
package/rules/semgrep-registry/ldap-entry-poisoning.yaml +41 -0
package/rules/semgrep-registry/ldap-injection.yaml +82 -0
package/rules/semgrep-registry/md5-used-as-password.yaml +44 -0
package/rules/semgrep-registry/object-deserialization.yaml +34 -0
package/rules/semgrep-registry/ognl-injection.yaml +839 -0
package/rules/semgrep-registry/overly-permissive-file-permission.yaml +49 -0
package/rules/semgrep-registry/permissive-cors.yaml +77 -0
package/rules/semgrep-registry/script-engine-injection.yaml +66 -0
package/rules/semgrep-registry/tainted-cmd-from-http-request.yaml +74 -0
package/rules/semgrep-registry/tainted-env-from-http-request.yaml +46 -0
package/rules/semgrep-registry/tainted-ldapi-from-http-request.yaml +42 -0
package/rules/semgrep-registry/tainted-session-from-http-request.yaml +70 -0
package/rules/semgrep-registry/tainted-xpath-from-http-request.yaml +38 -0
package/rules/semgrep-registry/unsafe-reflection.yaml +39 -0
package/rules/semgrep-registry/unvalidated-redirect.yaml +127 -0
package/rules/semgrep-registry/url-rewriting.yaml +82 -0
package/rules/semgrep-registry/weak-ssl-context.yaml +34 -0
package/rules/semgrep-registry/xml-decoder.yaml +53 -0
package/rules/semgrep-registry/xssrequestwrapper-is-insecure.yaml +40 -0

package/rules/android/mobile-cwe-939-deeplink-validation.yaml ADDED Viewed

@@ -0,0 +1,76 @@
+# CWE-939: Deeplink Without Input Validation (Android)
+# ZhuMa V4.0 - Android Rule Library
+# Source: V3 Audit Engine extension - deeplink injection patterns
+rules:
+  - id: zm-android-deeplink-no-validation
+    severity: HIGH
+    message: |
+      Detected Intent data retrieved via getIntent().getData() used directly without host/path validation.
+      Arbitrary deeplinks can trigger unintended actions, access internal screens, or inject malicious parameters.
+      Remediation: Validate the URI scheme, host, and path against a whitelist before processing deeplink data.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: $DATA.getQueryParameter($PARAM)
+          - pattern: $DATA.getPath()
+          - pattern: $URI.getHost()
+    metadata:
+      cwe: "CWE-939: Improper Authorization in Handler for Custom URL Scheme"
+      owasp-mobile: "M1: Improper Platform Usage"
+      masvs: "MASVS-PLATFORM-2"
+      category: android-deeplink
+      precision: medium
+      confidence: medium
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/939.html
+        - https://developer.android.com/privacy-and-security/risks/deeplinks
+  - id: zm-android-webview-loadurl-from-intent
+    severity: HIGH
+    message: |
+      Detected WebView.loadUrl() receiving a URL derived from Intent data (getIntent().getData() or getStringExtra()).
+      Without URL whitelist validation, an attacker can send a malicious deeplink to load a phishing page or
+      execute javascript: URLs in the WebView context.
+      Remediation: Validate the URL against a strict whitelist of allowed domains and schemes before loading.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: $WV.loadUrl(getIntent().getData().toString())
+          - pattern: $WV.loadUrl(getIntent().getDataString())
+          - pattern: $WV.loadUrl(getIntent().getStringExtra($KEY))
+    metadata:
+      cwe: "CWE-939: Improper Authorization in Handler for Custom URL Scheme"
+      owasp-mobile: "M1: Improper Platform Usage"
+      masvs: "MASVS-PLATFORM-2"
+      category: android-deeplink
+      precision: high
+      confidence: high
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/939.html
+  - id: zm-android-intent-data-no-scheme-check
+    severity: MEDIUM
+    message: |
+      Detected Intent.getData() used without scheme validation in an Activity or receiver.
+      Any app on the device can send an Intent with arbitrary data to this component.
+      Remediation: Add scheme validation (Uri.getScheme()) and verify against allowed schemes before processing.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: getIntent().getData()
+    metadata:
+      cwe: "CWE-939: Improper Authorization in Handler for Custom URL Scheme"
+      owasp-mobile: "M1: Improper Platform Usage"
+      masvs: "MASVS-PLATFORM-2"
+      category: android-deeplink
+      precision: low
+      confidence: low
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/939.html

package/rules/android/mobile-sdk-google-firebase-open.yaml ADDED Viewed

@@ -0,0 +1,117 @@
+# Firebase / Firestore Security Misconfiguration (Android)
+# ZhuMa V4.0 - Android Rule Library
+# Source: ZhuMa V4.1 Rule Expansion - third-party SDK security
+rules:
+  - id: zm-android-firebase-firestore-open-rules
+    severity: HIGH
+    message: |
+      Detected Firebase Firestore or Realtime Database usage without explicit authentication check.
+      Firebase databases with default security rules allow unauthenticated read/write access,
+      which can lead to mass data exfiltration or data tampering from the client side.
+      Remediation: Set Firebase security rules to require authentication. Never use
+      allow read, write: if true; in production. Always enforce user-level access controls.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: FirebaseFirestore.getInstance()
+          - pattern: FirebaseDatabase.getInstance()
+          - pattern: $INSTANCE = FirebaseFirestore.getInstance()
+          - pattern: $INSTANCE = FirebaseDatabase.getInstance()
+          - pattern: com.google.firebase.firestore.FirebaseFirestore.getInstance()
+          - pattern: com.google.firebase.database.FirebaseDatabase.getInstance()
+    metadata:
+      cwe: "CWE-284: Improper Access Control"
+      owasp-mobile: "M1: Improper Platform Usage"
+      masvs: "MASVS-AUTH-1"
+      category: android-sdk-config
+      precision: low
+      confidence: low
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/284.html
+        - https://firebase.google.com/docs/rules/basics
+  - id: zm-android-firebase-realtime-db-write
+    severity: MEDIUM
+    message: |
+      Detected Firebase Realtime Database getReference() with a write path.
+      Writing to Firebase Realtime Database from the client without server-side validation
+      allows an attacker to inject arbitrary data by modifying the client.
+      Remediation: Validate all write operations against Firebase Security Rules
+      with server-side validation (Firebase Functions or custom backend).
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              $DB.getReference("$PATH").setValue($VAL)
+          - pattern: |
+              $DB.getReference("$PATH").updateChildren($MAP)
+          - pattern: |
+              $DB.getReference("$PATH").push().setValue($VAL)
+    metadata:
+      cwe: "CWE-284: Improper Access Control"
+      owasp-mobile: "M1: Improper Platform Usage"
+      masvs: "MASVS-AUTH-1"
+      category: android-sdk-config
+      precision: medium
+      confidence: medium
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/284.html
+  - id: zm-android-firestore-add-without-auth
+    severity: MEDIUM
+    message: |
+      Detected Firestore add/set/update without visible authentication guard.
+      Client-side Firestore writes without Firebase Auth or custom auth can be called
+      by an unauthenticated attacker who extracts the Firebase config from the APK.
+      Remediation: Ensure Firebase Auth is enforced and all Firestore operations are
+      authenticated. Use Firestore Security Rules with request.auth != null.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              $DB.collection("$COL").add($DATA)
+          - pattern: |
+              $DB.collection("$COL").document("$DOC").set($DATA)
+          - pattern: |
+              $DB.collection("$COL").document("$DOC").update($DATA)
+    metadata:
+      cwe: "CWE-284: Improper Access Control"
+      owasp-mobile: "M1: Improper Platform Usage"
+      masvs: "MASVS-AUTH-1"
+      category: android-sdk-config
+      precision: low
+      confidence: low
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/284.html
+  - id: zm-android-firebase-analytics-no-restriction
+    severity: INFO
+    message: |
+      Detected Firebase Analytics initialization. While Analytics is generally safe,
+      ensure that PII (personally identifiable information) is not sent as event parameters
+      or user properties per Google's policy restrictions.
+      Remediation: Review Firebase Analytics event params for PII. Use setUserProperty()
+      only with non-PII values. Avoid logging emails, phone numbers, or full names.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: FirebaseAnalytics.getInstance($CTX)
+          - pattern: com.google.firebase.analytics.FirebaseAnalytics.getInstance($CTX)
+    metadata:
+      cwe: "CWE-359: Exposure of Private Personal Information to an Unauthorized Actor"
+      owasp-mobile: "M2: Insecure Data Storage"
+      masvs: "MASVS-STORAGE-4"
+      category: android-sdk-config
+      precision: low
+      confidence: low
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/359.html

package/rules/android/mobile-sdk-tencent-tpns-config-leak.yaml ADDED Viewed

@@ -0,0 +1,131 @@
+# Push Notification SDK Credential Exposure (Tencent TPNS, Huawei Push, Xiaomi Push)
+# ZhuMa V4.0 - Android Rule Library
+# Source: ZhuMa V4.1 Rule Expansion - third-party SDK credential management
+rules:
+  - id: zm-android-tpns-xg-push-credentials
+    severity: MEDIUM
+    message: |
+      Detected Tencent TPNS (Xinge Push) SDK initialization with hardcoded Access ID and Access Key.
+      These credentials grant push message sending capability. If extracted from the APK,
+      an attacker can send arbitrary push notifications to all app users.
+      Remediation: Store TPNS credentials on the server side and use server-side push APIs.
+      Never embed push service credentials in the client APK.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: XGPushConfig.setAccessId($CTX, $ID)
+          - pattern: XGPushConfig.setAccessKey($CTX, "$KEY")
+          - pattern: com.tencent.android.tpush.XGPushConfig.setAccessId($CTX, $ID)
+          - pattern: com.tencent.android.tpush.XGPushConfig.setAccessKey($CTX, "$KEY")
+    metadata:
+      cwe: "CWE-798: Use of Hard-coded Credentials"
+      owasp-mobile: "M8: Code Tampering"
+      masvs: "MASVS-AUTH-1"
+      category: android-sdk-config
+      precision: very-high
+      confidence: very-high
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/798.html
+        - https://cloud.tencent.com/document/product/548
+  - id: zm-android-huawei-push-credentials
+    severity: MEDIUM
+    message: |
+      Detected Huawei Push SDK initialization with hardcoded App ID / App Secret.
+      Huawei Push credentials allow sending push messages to all devices with the app installed.
+      Extracting these from the APK enables mass phishing push notifications.
+      Remediation: Store Huawei Push App Secret on the server. Only embed the App ID client-side.
+      Use server-side token generation for push message sending.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: HmsMessageService.$METHOD("$APP_ID", "$SECRET")
+          - pattern: com.huawei.hms.push.$METHOD("$APP_ID")
+    metadata:
+      cwe: "CWE-798: Use of Hard-coded Credentials"
+      owasp-mobile: "M8: Code Tampering"
+      masvs: "MASVS-AUTH-1"
+      category: android-sdk-config
+      precision: low
+      confidence: low
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/798.html
+  - id: zm-android-xiaomi-mipush-regid
+    severity: LOW
+    message: |
+      Detected Xiaomi MiPush SDK registration pattern. MiPush App Secret should not be embedded
+      in the client APK but managed server-side. Client should only use App ID for registration.
+      Remediation: Verify the MiPush App Secret is not hardcoded in the APK.
+      Use server-side push delivery to avoid client credential exposure.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: MiPushClient.registerPush($CTX, "$APP_ID", "$APP_KEY")
+          - pattern: com.xiaomi.mipush.sdk.MiPushClient.registerPush($CTX, "$APP_ID", "$APP_KEY")
+    metadata:
+      cwe: "CWE-798: Use of Hard-coded Credentials"
+      owasp-mobile: "M8: Code Tampering"
+      masvs: "MASVS-AUTH-1"
+      category: android-sdk-config
+      precision: high
+      confidence: high
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/798.html
+  - id: zm-android-jpush-credentials
+    severity: MEDIUM
+    message: |
+      Detected JPush (Aurora Push) SDK initialization. JPush AppKey is included in the client
+      and can be extracted. Combined with Master Secret (which should never be client-side),
+      attackers can send arbitrary push messages.
+      Remediation: Ensure JPush Master Secret is stored only on the server side.
+      Verify push message delivery is authenticated server-to-server, not client-triggered.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: JPushInterface.setDebugMode(true)
+          - pattern: JPushInterface.init($CTX)
+          - pattern: cn.jpush.android.api.JPushInterface.init($CTX)
+    metadata:
+      cwe: "CWE-798: Use of Hard-coded Credentials"
+      owasp-mobile: "M8: Code Tampering"
+      masvs: "MASVS-AUTH-1"
+      category: android-sdk-config
+      precision: low
+      confidence: low
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/798.html
+  - id: zm-android-umeng-push-credentials
+    severity: LOW
+    message: |
+      Detected Umeng Push SDK initialization. The Umeng AppKey and Message Secret should be
+      carefully managed. If Umeng Message Secret is embedded client-side, it allows
+      unauthorized push message sending via the Umeng API.
+      Remediation: Verify Umeng push message sending is authorized server-side only.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: PushAgent.getInstance($CTX).register($PUSH_HANDLER)
+          - pattern: com.umeng.message.PushAgent.getInstance($CTX).register($PUSH_HANDLER)
+    metadata:
+      cwe: "CWE-798: Use of Hard-coded Credentials"
+      owasp-mobile: "M8: Code Tampering"
+      masvs: "MASVS-AUTH-1"
+      category: android-sdk-config
+      precision: low
+      confidence: low
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/798.html

package/rules/android/mobile-secrets-storage.yaml ADDED Viewed

@@ -0,0 +1,136 @@
+rules:
+  - id: zm-android-hardcoded-apikey
+    severity: CRITICAL
+    message: Hardcoded API key or token. API keys embedded in source code are exposed to anyone who can decompile the APK (jadx/apktool make this trivial). Place all secrets in a server-side proxy or use Android Keystore.
+    metadata:
+      cwe: "CWE-798: Use of Hard-coded Credentials"
+      owasp-mobile: "M8: Security Misconfiguration"
+      category: android-secrets
+      precision: medium
+    languages: [java]
+    patterns:
+      - pattern-either:
+          - pattern: |
+              $TYPE $VAR = "$SECRET";
+              ...
+          - pattern: |
+              public static final String $KEY = "$VALUE";
+      - metavariable-regex:
+          metavariable: $VALUE
+          regex: '^(AKID|AKIA|LTAI|sk-[a-zA-Z0-9]{20,}|AIzaSy|ya29\.[a-zA-Z0-9_-]{50,}|pk\.[a-zA-Z0-9]{30,}|sk\.[a-zA-Z0-9]{30,}|ghp_[a-zA-Z0-9]{36}|gho_[a-zA-Z0-9]{36}|xox[bprs]-[a-zA-Z0-9-]{10,}|[a-zA-Z0-9+/]{40,})'
+    paths:
+      include:
+        - "*.java"
+  - id: zm-android-hardcoded-secret-keyword
+    severity: WARNING
+    message: Variable name suggests a secret is hardcoded. Keywords like 'password', 'secret', 'api_key', 'token' in string literals indicate credentials that should be in Android Keystore or server-side.
+    metadata:
+      cwe: "CWE-798: Use of Hard-coded Credentials"
+      owasp-mobile: "M8: Security Misconfiguration"
+      category: android-secrets
+      precision: low
+    languages: [java]
+    patterns:
+      - pattern-either:
+          - pattern: |
+              private static final String $PASS = "$VALUE";
+          - pattern: |
+              public static final String $PASS = "$VALUE";
+          - pattern: |
+              static final String $PASS = "$VALUE";
+      - metavariable-regex:
+          metavariable: $PASS
+          regex: '(?i)(password|passwd|secret|api_key|api_secret|apikey|app_secret|token|auth_key|access_key|private_key)'
+  - id: zm-android-insecure-shared-prefs
+    severity: HIGH
+    message: SharedPreferences with MODE_WORLD_READABLE or MODE_WORLD_WRITEABLE. On API 17+ these are deprecated, but if used on older APIs or via reflection, they make stored data accessible to any app on the device.
+    metadata:
+      cwe: "CWE-276: Incorrect Default Permissions"
+      owasp-mobile: "M2: Insecure Data Storage"
+      masvs: "MASVS-STORAGE-1"
+      category: android-storage
+      precision: high
+      confidence: high
+    languages: [java]
+    patterns:
+      - pattern-either:
+          - pattern: $CTX.getSharedPreferences($NAME, Context.MODE_WORLD_READABLE)
+          - pattern: $CTX.getSharedPreferences($NAME, Context.MODE_WORLD_WRITEABLE)
+          - pattern: $CTX.getSharedPreferences($NAME, 1)
+          - pattern: $CTX.getSharedPreferences($NAME, 2)
+  - id: zm-android-insecure-file-permission
+    severity: HIGH
+    message: Files created with world-readable/writable permissions. Sensitive data written to globally accessible files can be read or modified by any app.
+    metadata:
+      cwe: "CWE-276: Incorrect Default Permissions"
+      owasp-mobile: "M2: Insecure Data Storage"
+      category: android-storage
+      precision: high
+      confidence: high
+    languages: [java]
+    patterns:
+      - pattern-either:
+          - pattern: openFileOutput($NAME, Context.MODE_WORLD_READABLE)
+          - pattern: openFileOutput($NAME, Context.MODE_WORLD_WRITEABLE)
+          - pattern: openFileOutput($NAME, 1)
+          - pattern: openFileOutput($NAME, 2)
+  - id: zm-android-external-storage-sensitive
+    severity: MEDIUM
+    message: Sensitive data written to external storage. Files on external storage (/sdcard, getExternalFilesDir) are readable by any app with READ_EXTERNAL_STORAGE permission and physically accessible via USB.
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information"
+      owasp-mobile: "M2: Insecure Data Storage"
+      masvs: "MASVS-STORAGE-1"
+      category: android-storage
+      precision: low
+    languages: [java]
+    patterns:
+      - pattern-either:
+          - pattern: Environment.getExternalStorageDirectory()
+          - pattern: $CTX.getExternalFilesDir($TYPE)
+  - id: zm-android-sqlite-raw-injection
+    severity: CRITICAL
+    message: Raw SQL query with string concatenation. Unsanitized user input in rawQuery or execSQL enables SQL injection, allowing attackers to read/write any row in the local SQLite database.
+    metadata:
+      cwe: "CWE-89: SQL Injection"
+      owasp-mobile: "M7: Client Code Quality"
+      category: android-data
+      precision: medium
+      confidence: medium
+    languages: [java]
+    patterns:
+      - pattern-either:
+          - pattern: $DB.rawQuery("..." + $INPUT, ...)
+          - pattern: $DB.rawQuery($QUERY + $INPUT, ...)
+          - pattern: $DB.execSQL("..." + $INPUT)
+          - pattern: $DB.execSQL($QUERY + $INPUT)
+  - id: zm-android-log-sensitive
+    severity: MEDIUM
+    message: Sensitive data logged to Logcat. On Android, any app with READ_LOGS permission can read Logcat output. Use a logging library with automatic release-build stripping instead.
+    metadata:
+      cwe: "CWE-532: Insertion of Sensitive Information into Log File"
+      owasp-mobile: "M2: Insecure Data Storage"
+      masvs: "MASVS-STORAGE-3"
+      category: android-data
+      precision: low
+    languages: [java]
+    patterns:
+      - pattern-either:
+          - pattern: |
+              Log.d($TAG, $MSG + $VAR)
+          - pattern: |
+              Log.e($TAG, $MSG + $VAR)
+          - pattern: |
+              Log.i($TAG, $MSG + $VAR)
+          - pattern: |
+              Log.v($TAG, $MSG + $VAR)
+          - pattern: |
+              Log.w($TAG, $MSG + $VAR)
+          - pattern: |
+              android.util.Log.d($TAG, $MSG + $VAR)

package/rules/android/mobile-webview-security.yaml ADDED Viewed

@@ -0,0 +1,88 @@
+rules:
+  - id: zm-android-webview-js-enabled
+    severity: WARNING
+    message: WebView JavaScript enabled without protection. Enabling JavaScript without disabling file access and implementing SSL error handling exposes the app to XSS, token theft, and MitM attacks.
+    metadata:
+      cwe: "CWE-749: Exposed Dangerous Method or Function"
+      owasp-mobile: "M1: Improper Platform Usage"
+      masvs: "MASVS-PLATFORM-2"
+      category: android-webview
+      precision: medium
+      confidence: medium
+      likelihood: high
+      impact: high
+    languages: [java]
+    patterns:
+      - pattern-either:
+          - pattern: $WV.getSettings().setJavaScriptEnabled(true)
+          - pattern: $WV.getSettings().setJavaScriptEnabled($X)
+      - pattern-not-inside: |
+          ...
+          $WV.getSettings().setAllowFileAccess(false);
+          ...
+          $WV.getSettings().setJavaScriptEnabled(...);
+          ...
+  - id: zm-android-webview-file-access
+    severity: WARNING
+    message: WebView file access enabled. Combined with JavaScript, this allows an attacker to read local files via file:// URLs.
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information"
+      owasp-mobile: "M1: Improper Platform Usage"
+      category: android-webview
+      precision: low
+    languages: [java]
+    pattern: $WV.getSettings().setAllowFileAccess(true)
+  - id: zm-android-webview-ssl-bypass
+    severity: CRITICAL
+    message: WebView SSL error handler accepts all certificates. This silently enables man-in-the-middle attacks on all HTTPS traffic loaded in this WebView.
+    metadata:
+      cwe: "CWE-295: Improper Certificate Validation"
+      owasp-mobile: "M3: Insecure Communication"
+      masvs: "MASVS-NETWORK-1"
+      category: android-webview
+      precision: high
+      confidence: high
+    languages: [java]
+    patterns:
+      - pattern-either:
+          - pattern: |
+              new WebViewClient() {
+                ...
+                public void onReceivedSslError(WebView $W, SslErrorHandler $H, SslError $E) {
+                  $H.proceed();
+                }
+                ...
+              }
+          - pattern: |
+              $WV.setWebViewClient(new WebViewClient() {
+                ...
+                public void onReceivedSslError(..., SslErrorHandler $H, ...) {
+                  $H.proceed();
+                }
+                ...
+              })
+  - id: zm-android-webview-allow-content-access
+    severity: HIGH
+    message: WebView content URL access enabled. Allows the WebView to access content:// URIs from other apps, enabling cross-app data leakage.
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information"
+      owasp-mobile: "M1: Improper Platform Usage"
+      category: android-webview
+      precision: medium
+    languages: [java]
+    pattern: $WV.getSettings().setAllowContentAccess(true)
+  - id: zm-android-webview-allow-universal-access-from-file
+    severity: CRITICAL
+    message: Universal access from file URLs enabled. Allows JavaScript loaded from file:// URLs to access any origin via XMLHttpRequest, bypassing all same-origin protections.
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information"
+      owasp-mobile: "M1: Improper Platform Usage"
+      category: android-webview
+      precision: high
+      confidence: high
+    languages: [java]
+    pattern: $WV.getSettings().setAllowUniversalAccessFromFileURLs(true)

package/rules/common/cwe-200-sensitive-data-exposure.yaml ADDED Viewed

@@ -0,0 +1,61 @@
+# CWE-200: 敏感数据暴露检测规则
+# 逐码 ZhuMa V4.0 Alpha — 通用规则库
+rules:
+# ZM-JAVA-SDE-001: 日志输出密码/Token 变量
+- id: zm-java-sde-001
+  severity: HIGH
+  message: |
+    检测到日志中可能输出敏感变量 (password / token / secret / apiKey)。
+    敏感数据不应出现在日志中，可能导致信息泄露。
+    应在日志中脱敏或移除敏感字段。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $LOGGER.info($PWD);
+    - pattern: |
+        $LOGGER.debug($PWD);
+    - pattern: |
+        $LOGGER.error($PWD);
+    - pattern: |
+        $LOGGER.warn($PWD);
+    - pattern: |
+        System.out.println($PWD);
+  metadata:
+    cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+    owasp: "A04:2021 - Insecure Design"
+    precision: very-low
+# ZM-JAVA-SDE-002: toString 暴露敏感字段
+- id: zm-java-sde-002
+  severity: MEDIUM
+  message: |
+    toString() 方法中包含 password/token 等敏感字段输出。
+    应在 toString 中排除或脱敏敏感字段。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        return "..." + $PWD + "...";
+  metadata:
+    cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+    owasp: "A04:2021 - Insecure Design"
+    precision: very-low
+# ZM-JAVA-SDE-003: printStackTrace 泄漏堆栈
+- id: zm-java-sde-003
+  severity: LOW
+  message: |
+    检测到异常堆栈直接输出到标准输出/错误流。
+    生产环境应将异常记录到日志框架，避免向用户暴露内部实现细节。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $E.printStackTrace();
+  metadata:
+    cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+    owasp: "A04:2021 - Insecure Design"
+    precision: very-high

package/rules/common/cwe-22-path-traversal.yaml ADDED Viewed

@@ -0,0 +1,47 @@
+# CWE-22: 路径遍历检测规则
+# 逐码 ZhuMa V4.0 Alpha — 通用规则库
+rules:
+# ZM-JAVA-PT-001: File 构造含用户输入 + 无 validateFilename
+- id: zm-java-pt-001
+  severity: HIGH
+  message: |
+    检测到使用用户输入构造文件路径，但未校验路径 (未调用 getCanonicalPath 或 contains("..") 检查)。
+    攻击者可注入 ../ 进行路径遍历访问任意文件。
+    应使用 Path.normalize() + 检查路径前缀是否在允许目录内。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        new FileInputStream($BASE + $PARAM);
+    - pattern: |
+        new FileReader($BASE + $PARAM);
+    - pattern: |
+        new File($BASE + $PARAM);
+    - pattern: |
+        Files.readAllBytes(Paths.get($BASE + $PARAM));
+    - pattern: |
+        Files.newInputStream(Paths.get($BASE + $PARAM));
+  metadata:
+    cwe: "CWE-22: Path Traversal"
+    owasp: "A01:2021 - Broken Access Control"
+    precision: medium
+# ZM-JAVA-PT-002: 直接使用用户输入作为文件路径
+- id: zm-java-pt-002
+  severity: MEDIUM
+  message: |
+    直接使用用户输入作为文件路径参数，存在路径遍历风险。
+    应对输入进行白名单校验或规范化路径后验证前缀。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        new FileInputStream($REQ.getParameter(...));
+    - pattern: |
+        new FileReader($REQ.getParameter(...));
+  metadata:
+    cwe: "CWE-22: Path Traversal"
+    owasp: "A01:2021 - Broken Access Control"
+    precision: high