@zhuma4/cli 4.0.0-alpha.1

package/rules/common/cwe-328-weak-hash.yaml

@@ -0,0 +1,96 @@
+# CWE-328: 弱哈希函数检测规则 (Sprint 2.2 — 显式枚举+直接调用覆盖)
+# 修复: 显式枚举 MD2/MD4/MD5 常量名，排除 SHA-256/384/512
+# 覆盖: 变量赋值 + 直接调用(.digest链式) 两种写法
+
+rules:
+
+# ZM-JAVA-WEAKHASH-001: MD2/MD4/MD5 使用
+- id: zm-java-weakhash-001
+  severity: CRITICAL
+  message: |
+    使用弱哈希 MD2/MD4/MD5。NIST SP 800-131A 已禁止。
+    升级为 SHA-256 或更高强度算法。
+  languages:
+    - java
+  pattern-either:
+    - pattern: $MD = MessageDigest.getInstance("MD5")
+    - pattern: MessageDigest.getInstance("MD5")
+    - pattern: $MD = MessageDigest.getInstance("MD2")
+    - pattern: MessageDigest.getInstance("MD2")
+    - pattern: $MD = MessageDigest.getInstance("MD4")
+    - pattern: MessageDigest.getInstance("MD4")
+    - pattern: MessageDigest.getInstance("MD5", $PROVIDER)
+    - pattern: MessageDigest.getInstance("MD2", $PROVIDER)
+    - pattern: MessageDigest.getInstance("MD4", $PROVIDER)
+  metadata:
+    cwe: "CWE-328: Use of Weak Hash"
+    owasp: "A02:2021 - Cryptographic Failures"
+    precision: very-high
+    tags: [crypto, hash, weak-algorithm]
+    references:
+      - https://csrc.nist.gov/pubs/sp/800/131/a/r2/final
+
+# ZM-JAVA-WEAKHASH-002: 密码存储使用弱 KDF
+- id: zm-java-weakhash-002
+  severity: CRITICAL
+  message: |
+    PBKDF2WithHmacSHA1 或 PBEKeySpec salt 为 null 的弱密码存储。
+    OWASP 推荐 PBKDF2 迭代 >= 310000 (HMAC-SHA256)。
+  languages:
+    - java
+  pattern-either:
+    - pattern: SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")
+    - pattern: $F = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1", $PROVIDER)
+    - pattern: new PBEKeySpec($PASSWORD, null, $ITER, $LEN)
+    - pattern: $SPEC = new PBEKeySpec($PASSWORD, null, $ITER, $LEN)
+    - pattern: new PBEKeySpec($PASSWORD)
+    - pattern: $SPEC = new PBEKeySpec($PASSWORD)
+  metadata:
+    cwe: "CWE-328: Use of Weak Hash"
+    owasp: "A02:2021 - Cryptographic Failures"
+    precision: high
+    tags: [crypto, password-storage, pbkdf2]
+    references:
+      - https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
+
+# ZM-JAVA-WEAKHASH-003: SHA-1 在安全场景使用
+- id: zm-java-weakhash-003
+  severity: HIGH
+  message: |
+    SHA-1 在安全场景下使用（SHAttered 2017 已实现碰撞攻击）。
+    升级为 SHA-256/384/512。
+  languages:
+    - java
+  pattern-either:
+    - pattern: MessageDigest.getInstance("SHA-1")
+    - pattern: MessageDigest.getInstance("SHA1")
+    - pattern: $MD = MessageDigest.getInstance("SHA-1")
+    - pattern: $MD = MessageDigest.getInstance("SHA1")
+  metadata:
+    cwe: "CWE-328: Use of Weak Hash"
+    owasp: "A02:2021 - Cryptographic Failures"
+    precision: high
+    tags: [crypto, hash, sha1]
+    references:
+      - https://shattered.io/
+
+# ZM-JAVA-WEAKHASH-004: Spring Security 已废弃 Hashing API
+- id: zm-java-weakhash-004
+  severity: MEDIUM
+  message: |
+    Spring Security 已废弃 Hashing API (Hashing.sha256/sha1/md5)。
+    推荐迁移到 BCryptPasswordEncoder / Argon2PasswordEncoder。
+  languages:
+    - java
+  pattern-either:
+    - pattern: Hashing.sha256()
+    - pattern: Hashing.sha1()
+    - pattern: Hashing.md5()
+    - pattern: new Hashing()
+  metadata:
+    cwe: "CWE-328: Use of Weak Hash"
+    owasp: "A02:2021 - Cryptographic Failures"
+    precision: medium
+    tags: [crypto, password-storage, spring-security]
+    references:
+      - https://docs.spring.io/spring-security/reference/features/authentication/password-storage.html

package/rules/common/cwe-329-cbc-mode.yaml

@@ -0,0 +1,26 @@
+# CWE-329: CBC模式下的Padding Oracle风险 (Sprint 2.2)
+# 变更: 删除 ZM-JAVA-CBCMODE-002 (doFinal try-catch 检测)
+# 原因: pattern-not 只作用于匹配区域——doFinal在try内但Cipher.getInstance在try外
+#       Semgrep无数据流分析能力，无法区分CBC vs GCM的doFinal调用
+#       ZM-JAVA-CBCMODE-001 (直接匹配Cipher.getInstance CBC) 已覆盖高置信度场景
+
+rules:
+
+# ZM-JAVA-CBCMODE-001: AES/CBC/PKCS5Padding 使用
+- id: zm-java-cbcmode-001
+  severity: HIGH
+  message: |
+    AES/CBC/PKCS5Padding 易受 Padding Oracle 攻击。
+    迁移到 AES/GCM/NoPadding (AEAD模式)。
+  languages:
+    - java
+  pattern-either:
+    - pattern: Cipher.getInstance("AES/CBC/PKCS5Padding")
+    - pattern: $CIP = Cipher.getInstance("AES/CBC/PKCS5Padding")
+    - pattern: Cipher.getInstance("AES/CBC/PKCS5Padding", $PROVIDER)
+    - pattern: $CIP = Cipher.getInstance("AES/CBC/PKCS5Padding", $PROVIDER)
+  metadata:
+    cwe: "CWE-329: Generation of Predictable IV with CBC Mode"
+    owasp: "A02:2021 - Cryptographic Failures"
+    precision: medium
+    tags: [crypto, cbc, padding-oracle]

package/rules/common/cwe-352-csrf.yaml

@@ -0,0 +1,23 @@
+# CWE-352: 跨站请求伪造 (CSRF) 检测规则
+# 逐码 ZhuMa V4.0 Alpha — 通用规则库
+
+rules:
+
+# ZM-JAVA-CSRF-001: Spring Security 显式禁用 CSRF 保护
+- id: zm-java-csrf-001
+  severity: HIGH
+  message: |
+    检测到 Spring Security 配置中显式禁用了 CSRF 保护 (csrf().disable())。
+    禁用 CSRF 保护会使应用容易受到跨站请求伪造攻击。
+    除非是纯 REST API 使用无状态 Token 认证，否则应启用或手动实现 CSRF 防护。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $HTTP.csrf().disable();
+    - pattern: |
+        $HTTP.csrf().disable()
+  metadata:
+    cwe: "CWE-352: Cross-Site Request Forgery (CSRF)"
+    owasp: "A01:2021 - Broken Access Control"
+    precision: very-high

package/rules/common/cwe-434-unrestricted-file-upload.yaml

@@ -0,0 +1,41 @@
+# CWE-434: 不受限文件上传检测规则
+# 逐码 ZhuMa V4.0 Alpha — 通用规则库
+
+rules:
+
+# ZM-JAVA-FU-001: MultipartFile 接收但未校验扩展名
+- id: zm-java-fu-001
+  severity: HIGH
+  message: |
+    检测到 MultipartFile 接收文件上传但未进行扩展名白名单校验。
+    攻击者可上传 JSP/EXE 等可执行文件获取服务器控制权。
+    必须校验文件扩展名 (白名单)、Content-Type、Magic Number。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $FILE.transferTo(new File($PATH));
+    - pattern: |
+        $FILE.transferTo($PATH);
+  metadata:
+    cwe: "CWE-434: Unrestricted Upload of File with Dangerous Type"
+    owasp: "A03:2021 - Injection"
+    precision: medium
+
+# ZM-JAVA-FU-002: FileOutputStream 直接写入上传数据
+- id: zm-java-fu-002
+  severity: MEDIUM
+  message: |
+    检测到文件上传直接使用用户提供的文件名写入磁盘。
+    应生成随机文件名存储，使用 UUID 或 hash 值命名。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        FileOutputStream $FOS = new FileOutputStream($FILENAME);
+        ...
+        $FOS.write($DATA);
+  metadata:
+    cwe: "CWE-434: Unrestricted Upload of File with Dangerous Type"
+    owasp: "A03:2021 - Injection"
+    precision: low

package/rules/common/cwe-502-insecure-deserialization.yaml

@@ -0,0 +1,44 @@
+# CWE-502: 不安全反序列化检测规则
+# 逐码 ZhuMa V4.0 Alpha — 通用规则库
+
+rules:
+
+# ZM-JAVA-DS-001: ObjectInputStream.readObject 无过滤
+- id: zm-java-ds-001
+  severity: CRITICAL
+  message: |
+    检测到 ObjectInputStream.readObject() 调用，未配置类型白名单过滤。
+    攻击者可通过构造恶意序列化对象执行任意代码。
+    应使用 ValidatingObjectInputStream (Apache Commons IO) 限制可反序列化类型，
+    或使用 JSON/Protobuf 等替代序列化方案。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        new ObjectInputStream($INPUT).readObject();
+    - pattern: |
+        $OIS = new ObjectInputStream($INPUT);
+        ...
+        $OIS.readObject();
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    precision: high
+
+# ZM-JAVA-DS-002: ObjectInputStream 未使用过滤包装
+- id: zm-java-ds-002
+  severity: MEDIUM
+  message: |
+    ObjectInputStream 直接使用，未通过 ValidatingObjectInputStream 或 resolveClass 过滤。
+    建议添加类型白名单验证。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $OIS = new ObjectInputStream(...);
+    - pattern: |
+        new ObjectInputStream(...);
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    precision: low

package/rules/common/cwe-601-url-redirect.yaml

@@ -0,0 +1,110 @@
+# CWE-601: URL 重定向 (Open Redirect) 检测规则 (Sprint 2 FPR优化版)
+# 变更: ZM-JAVA-REDIRECT-001 "redirect:" + $VAR 降精度 low→very-low
+# 原因: 任意变量拼接 "redirect:" 无法区分是否经过白名单校验, FPR=50%
+
+rules:
+
+# ZM-JAVA-REDIRECT-001: redirect: + req.getParameter() 用户可控 (高精度)
+- id: zm-java-redirect-001
+  severity: MEDIUM
+  message: |
+    Spring Controller 返回 "redirect:" 拼接 req.getParameter() —— 用户直接可控重定向目标。
+    攻击者可构造恶意 URL 实施钓鱼攻击。
+    修复: 白名单校验重定向目标 URL，仅允许相对路径或已知域名。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $METHOD(...) {
+          ...
+          return "redirect:" + $REQ.getParameter(...);
+          ...
+        }
+    - pattern: |
+        $METHOD(...) {
+          ...
+          $STR = $REQ.getParameter(...);
+          ...
+          return "redirect:" + $STR;
+          ...
+        }
+  metadata:
+    cwe: "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
+    owasp: "A01:2021 - Broken Access Control"
+    precision: high
+
+# ZM-JAVA-REDIRECT-005: redirect: + 任意变量 (低精度，需人工复核)
+- id: zm-java-redirect-005
+  severity: LOW
+  message: |
+    Spring Controller 返回 "redirect:" 拼接变量，可能是开放重定向风险。
+    需人工确认该变量是否经过 URL 白名单校验。如果已有白名单校验，忽略本规则。
+  languages:
+    - java
+  patterns:
+    - pattern: |
+        $METHOD(...) {
+          ...
+          return "redirect:" + $VAR;
+          ...
+        }
+    - pattern-not: |
+        $METHOD(...) {
+          ...
+          return "redirect:" + $REQ.getParameter(...);
+          ...
+        }
+  metadata:
+    cwe: "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
+    owasp: "A01:2021 - Broken Access Control"
+    precision: very-low
+
+# ZM-JAVA-REDIRECT-002: HttpServletResponse.sendRedirect 用户可控
+- id: zm-java-redirect-002
+  severity: MEDIUM
+  message: |
+    HttpServletResponse.sendRedirect() 使用用户可控 URL 可能导致钓鱼攻击。
+    修复: 白名单校验目标域名，使用 response.encodeRedirectURL() 编码。
+  languages:
+    - java
+  pattern-either:
+    - pattern: $RESP.sendRedirect($REQ.getParameter(...));
+    - pattern: $RESP.sendRedirect($URL);
+  metadata:
+    cwe: "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
+    owasp: "A01:2021 - Broken Access Control"
+    precision: medium
+
+# ZM-JAVA-REDIRECT-003: ModelAndView 构造重定向 URL 用户可控
+- id: zm-java-redirect-003
+  severity: MEDIUM
+  message: |
+    ModelAndView 以 "redirect:" 前缀拼接用户输入可能导致开放重定向。
+    修复: 使用 FlashAttributes 传递参数，对目标做白名单校验。
+  languages:
+    - java
+  pattern-either:
+    - pattern: new ModelAndView("redirect:" + $URL);
+    - pattern: ModelAndView $MV = new ModelAndView("redirect:" + $URL);
+        ...
+  metadata:
+    cwe: "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
+    owasp: "A01:2021 - Broken Access Control"
+    precision: high
+
+# ZM-JAVA-REDIRECT-004: Spring RedirectView URL 用户可控
+- id: zm-java-redirect-004
+  severity: LOW
+  message: |
+    Spring RedirectView 使用用户可控 URL 可能导致开放重定向。
+    修复: RedirectView.setHosts() 限制域名 + setContextRelative(true) 仅允许相对路径。
+  languages:
+    - java
+  pattern-either:
+    - pattern: new RedirectView($URL);
+    - pattern: RedirectView $RV = new RedirectView($URL);
+        ...
+  metadata:
+    cwe: "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
+    owasp: "A01:2021 - Broken Access Control"
+    precision: medium

package/rules/common/cwe-611-xxe.yaml

@@ -0,0 +1,70 @@
+# CWE-611: XML 外部实体注入 (XXE) 检测规则
+# 逐码 ZhuMa V4.0 Alpha — 通用规则库
+
+rules:
+
+# ZM-JAVA-XXE-001: DocumentBuilderFactory 未禁用外部实体
+- id: zm-java-xxe-001
+  severity: HIGH
+  message: |
+    检测到 DocumentBuilderFactory 未禁用 DTD 和外部实体解析。
+    攻击者可构造恶意 XML 触发 XXE 攻击读取任意文件、内网探测或 DoS。
+    必须设置 setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
+    或 setFeature("http://xml.org/sax/features/external-general-entities", false)
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        DocumentBuilderFactory $DBF = DocumentBuilderFactory.newInstance();
+        ...
+        $DBF.newDocumentBuilder().parse(...);
+    - pattern: |
+        DocumentBuilderFactory $DBF = DocumentBuilderFactory.newInstance();
+        ...
+        $PARSER = $DBF.newDocumentBuilder();
+        ...
+        $PARSER.parse(...);
+  metadata:
+    cwe: "CWE-611: Improper Restriction of XML External Entity Reference"
+    owasp: "A05:2021 - Security Misconfiguration"
+    precision: medium
+
+# ZM-JAVA-XXE-002: SAXParserFactory 未禁用外部实体
+- id: zm-java-xxe-002
+  severity: HIGH
+  message: |
+    SAXParserFactory 未禁用外部实体解析，存在 XXE 攻击风险。
+    必须设置 setFeature("http://xml.org/sax/features/external-general-entities", false)。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        SAXParserFactory $SPF = SAXParserFactory.newInstance();
+        ...
+        $SPF.newSAXParser().parse(...);
+  metadata:
+    cwe: "CWE-611: Improper Restriction of XML External Entity Reference"
+    owasp: "A05:2021 - Security Misconfiguration"
+    precision: medium
+
+# ZM-JAVA-XXE-003: XMLInputFactory 未禁用外部实体
+- id: zm-java-xxe-003
+  severity: HIGH
+  message: |
+    XMLInputFactory 未禁用外部实体和 DTD 处理，存在 XXE 攻击风险。
+    应设置 XMLInputFactory.SUPPORT_DTD 为 false。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        XMLInputFactory $XIF = XMLInputFactory.newInstance();
+        ...
+        $XIF.createXMLEventReader(...);
+    - pattern: |
+        XMLInputFactory $XIF = XMLInputFactory.newInstance();
+        ...
+        $XIF.createXMLStreamReader(...);
+  metadata:
+    cwe: "CWE-611: Improper Restriction of XML External Entity Reference"
+    owasp: "A05:2021 - Security Misconfiguration"
+    precision: medium

package/rules/common/cwe-732-incorrect-permission.yaml

@@ -0,0 +1,49 @@
+# CWE-732: 不正确的权限分配检测规则
+# 逐码 ZhuMa V4.0 Alpha — 通用规则库
+
+rules:
+
+# ZM-JAVA-IP-001: setWritable 设置过宽权限
+- id: zm-java-ip-001
+  severity: MEDIUM
+  message: |
+    检测到 setWritable/readable/executable 设置过宽的权限 (true, false 即全局可写)。
+    可能导致敏感文件被非授权用户修改。
+    生产环境应限制文件权限为所有者读写 (600)。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $FILE.setWritable(true, false);
+    - pattern: |
+        $FILE.setReadable(true, false);
+    - pattern: |
+        $FILE.setExecutable(true, false);
+    - pattern: |
+        $FILE.setWritable(true);
+    - pattern: |
+        $FILE.setReadable(true);
+    - pattern: |
+        $FILE.setExecutable(true);
+  metadata:
+    cwe: "CWE-732: Incorrect Permission Assignment for Critical Resource"
+    owasp: "A01:2021 - Broken Access Control"
+    precision: medium
+
+# ZM-JAVA-IP-002: chmod 777
+- id: zm-java-ip-002
+  severity: HIGH
+  message: |
+    检测到 Runtime.exec 执行 chmod 777 命令，授予所有用户完全读写执行权限。
+    严重违反最小权限原则，可能导致任意用户篡改文件。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        Runtime.getRuntime().exec("chmod 777 ...");
+    - pattern: |
+        Runtime.getRuntime().exec("chmod -R 777 ...");
+  metadata:
+    cwe: "CWE-732: Incorrect Permission Assignment for Critical Resource"
+    owasp: "A01:2021 - Broken Access Control"
+    precision: very-high

package/rules/common/cwe-770-resource-exhaustion.yaml

@@ -0,0 +1,44 @@
+# CWE-770: 资源耗尽 (DoS) 检测规则
+# 逐码 ZhuMa V4.0 Alpha — 通用规则库
+
+rules:
+
+# ZM-JAVA-RE-001: 无限循环无超时/退出条件
+- id: zm-java-re-001
+  severity: MEDIUM
+  message: |
+    检测到 while(true) 循环未设置超时或退出条件。
+    可能导致 CPU 资源耗尽造成拒绝服务。
+    应添加最大迭代次数限制或超时退出机制。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        while (true) {
+          ...
+        }
+    - pattern: |
+        while (1 == 1) {
+          ...
+        }
+  metadata:
+    cwe: "CWE-770: Allocation of Resources Without Limits or Throttling"
+    owasp: "A05:2021 - Security Misconfiguration"
+    precision: low
+
+# ZM-JAVA-RE-002: 无限制读取输入流
+- id: zm-java-re-002
+  severity: LOW
+  message: |
+    检测到未限制大小的输入流读取，可能导致内存溢出 DoS。
+    应限制读取字节数或使用缓冲区分块处理。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        byte[] $BUF = new byte[$INPUT.available()];
+        $INPUT.read($BUF);
+  metadata:
+    cwe: "CWE-770: Allocation of Resources Without Limits or Throttling"
+    owasp: "A05:2021 - Security Misconfiguration"
+    precision: medium

package/rules/common/cwe-78-os-command-injection.yaml

@@ -0,0 +1,43 @@
+# CWE-78: OS 命令注入检测规则
+# 逐码 ZhuMa V4.0 Alpha — 通用规则库
+
+rules:
+
+# ZM-JAVA-OSCI-001: Runtime.exec 字符串拼接或用户输入
+- id: zm-java-osci-001
+  severity: CRITICAL
+  message: |
+    检测到 Runtime.getRuntime().exec() 使用字符串拼接构造系统命令。
+    攻击者可注入额外命令 (如 ; rm -rf /) 导致任意代码执行。
+    应使用 ProcessBuilder + 参数数组，避免 Shell 解析。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        String $CMD = ... + $PARAM;
+        ...
+        Runtime.getRuntime().exec($CMD);
+    - pattern: |
+        Runtime.getRuntime().exec($CMD + $PARAM);
+    - pattern: |
+        Runtime.getRuntime().exec($VAR);
+  metadata:
+    cwe: "CWE-78: OS Command Injection"
+    owasp: "A03:2021 - Injection"
+    precision: medium
+
+# ZM-JAVA-OSCI-002: ProcessBuilder 参数拼接
+- id: zm-java-osci-002
+  severity: HIGH
+  message: |
+    ProcessBuilder 使用了字符串拼接构造命令参数。
+    应使用参数数组传入独立参数，避免命令注入。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        new ProcessBuilder($CMD + $PARAM);
+  metadata:
+    cwe: "CWE-78: OS Command Injection"
+    owasp: "A03:2021 - Injection"
+    precision: medium

package/rules/common/cwe-787-out-of-bounds-write.yaml

@@ -0,0 +1,37 @@
+# CWE-787: 越界写入检测规则
+# 逐码 ZhuMa V4.0 Alpha — 通用规则库
+
+rules:
+
+# ZM-JAVA-OOB-001: 数组索引无边界检查
+- id: zm-java-oob-001
+  severity: MEDIUM
+  message: |
+    检测到数组访问使用变量索引但未进行边界检查。
+    可能导致 ArrayIndexOutOfBoundsException，在 native 代码中可能被利用为越界写入。
+    应检查 index >= 0 && index < array.length。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $ARR[$INDEX] = $VAL;
+  metadata:
+    cwe: "CWE-787: Out-of-bounds Write"
+    owasp: "A06:2021 - Vulnerable and Outdated Components"
+    precision: very-low
+
+# ZM-JAVA-OOB-002: ByteBuffer put 无 position 检查
+- id: zm-java-oob-002
+  severity: LOW
+  message: |
+    检测到 ByteBuffer.put() 写入字节数组但未检查 remaining() 容量。
+    可能导致 BufferOverflowException，降低服务可用性。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $BUF.put($DATA);
+  metadata:
+    cwe: "CWE-787: Out-of-bounds Write"
+    owasp: "A06:2021 - Vulnerable and Outdated Components"
+    precision: very-low

package/rules/common/cwe-79-xss.yaml

@@ -0,0 +1,51 @@
+# CWE-79: 跨站脚本攻击 (XSS) 检测规则
+# 逐码 ZhuMa V4.0 Alpha — 通用规则库
+
+rules:
+
+# ZM-JAVA-XSS-001: response.getWriter 未转义输出 request parameter
+- id: zm-java-xss-001
+  severity: HIGH
+  message: |
+    检测到 HttpServletResponse.getWriter().print/write 直接输出用户可控变量。
+    攻击者可能注入恶意脚本导致 XSS 攻击。
+    应对输出进行 HTML 实体编码 (OWASP Java Encoder / ESAPI)。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $RESP.getWriter().print($REQ.getParameter(...));
+    - pattern: |
+        $RESP.getWriter().write($REQ.getParameter(...));
+    - pattern: |
+        $RESP.getWriter().println($REQ.getParameter(...));
+  metadata:
+    cwe: "CWE-79: Cross-site Scripting (XSS)"
+    owasp: "A03:2021 - Injection"
+    precision: high
+
+# ZM-JAVA-XSS-002: request.getParameter 赋值后未转义直接输出
+- id: zm-java-xss-002
+  severity: HIGH
+  message: |
+    检测到从 HttpServletRequest 获取的参数直接输出到 response，未经 HTML 转义。
+    建议对输出进行编码：Encode.forHtml(param)
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        String $VAR = $REQ.getParameter(...);
+        ...
+        $RESP.getWriter().print($VAR);
+    - pattern: |
+        String $VAR = $REQ.getParameter(...);
+        ...
+        $RESP.getWriter().write($VAR);
+    - pattern: |
+        String $VAR = $REQ.getParameter(...);
+        ...
+        $RESP.getWriter().println($VAR);
+  metadata:
+    cwe: "CWE-79: Cross-site Scripting (XSS)"
+    owasp: "A03:2021 - Injection"
+    precision: high

package/rules/common/cwe-862-missing-authorization.yaml

@@ -0,0 +1,40 @@
+# CWE-862: 缺少授权检查检测规则
+# 逐码 ZhuMa V4.0 Alpha — 通用规则库
+
+rules:
+
+# ZM-JAVA-MAZ-001: 敏感操作无授权检查
+- id: zm-java-maz-001
+  severity: HIGH
+  message: |
+    检测到敏感操作 (删除) 端点可能缺少授权检查。
+    即使通过认证，也应校验用户是否有权限执行该操作 (如是否为数据所有者)。
+    建议添加 @PreAuthorize + 数据级权限校验。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        @DeleteMapping(...)
+        public $RET $METHOD(...) {
+          ...
+          $DAO.deleteById(...);
+          ...
+        }
+    - pattern: |
+        @PutMapping(...)
+        public $RET $METHOD(...) {
+          ...
+          $OBJ.update(...);
+          ...
+        }
+    - pattern: |
+        @RequestMapping(...)
+        public void $METHOD(...) {
+          ...
+          $DAO.deleteById(...);
+          ...
+        }
+  metadata:
+    cwe: "CWE-862: Missing Authorization"
+    owasp: "A01:2021 - Broken Access Control"
+    precision: low