npm - @zhuma4/cli - Versions diffs - 4.0.0-alpha.1 - Mend

@zhuma4/cli 4.0.0-alpha.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (288) hide show

package/README.md +42 -0
package/dist/commands/config.d.ts +3 -0
package/dist/commands/config.d.ts.map +1 -0
package/dist/commands/config.js +18 -0
package/dist/commands/config.js.map +1 -0
package/dist/commands/init.d.ts +3 -0
package/dist/commands/init.d.ts.map +1 -0
package/dist/commands/init.js +11 -0
package/dist/commands/init.js.map +1 -0
package/dist/commands/scan.d.ts +3 -0
package/dist/commands/scan.d.ts.map +1 -0
package/dist/commands/scan.js +96 -0
package/dist/commands/scan.js.map +1 -0
package/dist/commands/scan_appid.d.ts +20 -0
package/dist/commands/scan_appid.d.ts.map +1 -0
package/dist/commands/scan_appid.js +301 -0
package/dist/commands/scan_appid.js.map +1 -0
package/dist/commands/scan_manifest.d.ts +13 -0
package/dist/commands/scan_manifest.d.ts.map +1 -0
package/dist/commands/scan_manifest.js +103 -0
package/dist/commands/scan_manifest.js.map +1 -0
package/dist/engine/api-submit.d.ts +16 -0
package/dist/engine/api-submit.d.ts.map +1 -0
package/dist/engine/api-submit.js +66 -0
package/dist/engine/api-submit.js.map +1 -0
package/dist/engine/batch_scan.d.ts +36 -0
package/dist/engine/batch_scan.d.ts.map +1 -0
package/dist/engine/batch_scan.js +192 -0
package/dist/engine/batch_scan.js.map +1 -0
package/dist/engine/config.d.ts +12 -0
package/dist/engine/config.d.ts.map +1 -0
package/dist/engine/config.js +27 -0
package/dist/engine/config.js.map +1 -0
package/dist/engine/errors.d.ts +36 -0
package/dist/engine/errors.d.ts.map +1 -0
package/dist/engine/errors.js +99 -0
package/dist/engine/errors.js.map +1 -0
package/dist/engine/filter.d.ts +13 -0
package/dist/engine/filter.d.ts.map +1 -0
package/dist/engine/filter.js +64 -0
package/dist/engine/filter.js.map +1 -0
package/dist/engine/finding_classifier.d.ts +108 -0
package/dist/engine/finding_classifier.d.ts.map +1 -0
package/dist/engine/finding_classifier.js +440 -0
package/dist/engine/finding_classifier.js.map +1 -0
package/dist/engine/incremental/engine.d.ts +25 -0
package/dist/engine/incremental/engine.d.ts.map +1 -0
package/dist/engine/incremental/engine.js +337 -0
package/dist/engine/incremental/engine.js.map +1 -0
package/dist/engine/incremental/git-diff.d.ts +19 -0
package/dist/engine/incremental/git-diff.d.ts.map +1 -0
package/dist/engine/incremental/git-diff.js +175 -0
package/dist/engine/incremental/git-diff.js.map +1 -0
package/dist/engine/incremental/types.d.ts +33 -0
package/dist/engine/incremental/types.d.ts.map +1 -0
package/dist/engine/incremental/types.js +11 -0
package/dist/engine/incremental/types.js.map +1 -0
package/dist/engine/manifest_scanner.d.ts +48 -0
package/dist/engine/manifest_scanner.d.ts.map +1 -0
package/dist/engine/manifest_scanner.js +599 -0
package/dist/engine/manifest_scanner.js.map +1 -0
package/dist/engine/project.d.ts +22 -0
package/dist/engine/project.d.ts.map +1 -0
package/dist/engine/project.js +279 -0
package/dist/engine/project.js.map +1 -0
package/dist/engine/sarif.d.ts +13 -0
package/dist/engine/sarif.d.ts.map +1 -0
package/dist/engine/sarif.js +44 -0
package/dist/engine/sarif.js.map +1 -0
package/dist/engine/sca-integration.d.ts +36 -0
package/dist/engine/sca-integration.d.ts.map +1 -0
package/dist/engine/sca-integration.js +91 -0
package/dist/engine/sca-integration.js.map +1 -0
package/dist/engine/scanner.d.ts +18 -0
package/dist/engine/scanner.d.ts.map +1 -0
package/dist/engine/scanner.js +138 -0
package/dist/engine/scanner.js.map +1 -0
package/dist/index.d.ts +13 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +41 -0
package/dist/index.js.map +1 -0
package/dist/report/render.d.ts +23 -0
package/dist/report/render.d.ts.map +1 -0
package/dist/report/render.js +335 -0
package/dist/report/render.js.map +1 -0
package/package.json +41 -0
package/rules/android/mobile-cleartext-traffic.yaml +46 -0
package/rules/android/mobile-component-security.yaml +107 -0
package/rules/android/mobile-crypto-weakness.yaml +139 -0
package/rules/android/mobile-cwe-1021-tapjacking.yaml +81 -0
package/rules/android/mobile-cwe-114-dynamic-dex-loading.yaml +41 -0
package/rules/android/mobile-cwe-200-clipboard-data-leak.yaml +66 -0
package/rules/android/mobile-cwe-200-debug-builds.yaml +111 -0
package/rules/android/mobile-cwe-200-log-sensitive-data.yaml +61 -0
package/rules/android/mobile-cwe-200-webview-debugging.yaml +56 -0
package/rules/android/mobile-cwe-200-webview-universal-access.yaml +30 -0
package/rules/android/mobile-cwe-200-window-flags.yaml +96 -0
package/rules/android/mobile-cwe-22-content-provider-openfile.yaml +73 -0
package/rules/android/mobile-cwe-22-path-traversal.yaml +86 -0
package/rules/android/mobile-cwe-287-biometric-weakness.yaml +102 -0
package/rules/android/mobile-cwe-295-cert-pinning-missing.yaml +78 -0
package/rules/android/mobile-cwe-295-webview-ssl-bypass.yaml +104 -0
package/rules/android/mobile-cwe-312-cleartext-storage.yaml +109 -0
package/rules/android/mobile-cwe-319-cleartext-communication.yaml +84 -0
package/rules/android/mobile-cwe-321-hardcoded-crypto-keys.yaml +132 -0
package/rules/android/mobile-cwe-326-short-rsa.yaml +108 -0
package/rules/android/mobile-cwe-327-rc4-3des.yaml +107 -0
package/rules/android/mobile-cwe-329-cbc-padding-oracle.yaml +76 -0
package/rules/android/mobile-cwe-470-reflection-injection.yaml +39 -0
package/rules/android/mobile-cwe-489-root-detection-weak.yaml +125 -0
package/rules/android/mobile-cwe-489-stetho-debug.yaml +107 -0
package/rules/android/mobile-cwe-502-insecure-deserialization.yaml +76 -0
package/rules/android/mobile-cwe-552-world-readable-files.yaml +63 -0
package/rules/android/mobile-cwe-749-webview-java-objects.yaml +78 -0
package/rules/android/mobile-cwe-749-webview-jsbridge.yaml +57 -0
package/rules/android/mobile-cwe-749-webview-loadurl-injection.yaml +80 -0
package/rules/android/mobile-cwe-78-command-injection.yaml +77 -0
package/rules/android/mobile-cwe-780-rsa-no-oaep.yaml +80 -0
package/rules/android/mobile-cwe-79-webview-setdata.yaml +78 -0
package/rules/android/mobile-cwe-79-webview-xss.yaml +65 -0
package/rules/android/mobile-cwe-798-hardcoded-credentials.yaml +108 -0
package/rules/android/mobile-cwe-89-sql-injection.yaml +100 -0
package/rules/android/mobile-cwe-927-implicit-intent.yaml +121 -0
package/rules/android/mobile-cwe-927-ipc-file-provider.yaml +102 -0
package/rules/android/mobile-cwe-939-deeplink-validation.yaml +76 -0
package/rules/android/mobile-sdk-google-firebase-open.yaml +117 -0
package/rules/android/mobile-sdk-tencent-tpns-config-leak.yaml +131 -0
package/rules/android/mobile-secrets-storage.yaml +136 -0
package/rules/android/mobile-webview-security.yaml +88 -0
package/rules/common/cwe-200-sensitive-data-exposure.yaml +61 -0
package/rules/common/cwe-22-path-traversal.yaml +47 -0
package/rules/common/cwe-295-ssl-bypass.yaml +217 -0
package/rules/common/cwe-295-ssl-verification-disabled.yaml +64 -0
package/rules/common/cwe-306-missing-authentication.yaml +44 -0
package/rules/common/cwe-326-weak-key-size.yaml +107 -0
package/rules/common/cwe-327-weak-crypto.yaml +177 -0
package/rules/common/cwe-328-weak-hash.yaml +96 -0
package/rules/common/cwe-329-cbc-mode.yaml +26 -0
package/rules/common/cwe-352-csrf.yaml +23 -0
package/rules/common/cwe-434-unrestricted-file-upload.yaml +41 -0
package/rules/common/cwe-502-insecure-deserialization.yaml +44 -0
package/rules/common/cwe-601-url-redirect.yaml +110 -0
package/rules/common/cwe-611-xxe.yaml +70 -0
package/rules/common/cwe-732-incorrect-permission.yaml +49 -0
package/rules/common/cwe-770-resource-exhaustion.yaml +44 -0
package/rules/common/cwe-78-os-command-injection.yaml +43 -0
package/rules/common/cwe-787-out-of-bounds-write.yaml +37 -0
package/rules/common/cwe-79-xss.yaml +51 -0
package/rules/common/cwe-862-missing-authorization.yaml +40 -0
package/rules/common/cwe-89-sqli.yaml +89 -0
package/rules/common/cwe-918-ssrf.yaml +45 -0
package/rules/common/cwe-94-code-injection.yaml +59 -0
package/rules/common/zm-go-cwe22-path-traversal-fs.yaml +117 -0
package/rules/common/zm-go-cwe22-path-traversal.yaml +103 -0
package/rules/common/zm-go-cwe307-brute-force.yaml +129 -0
package/rules/common/zm-go-cwe326-weak-crypto.yaml +124 -0
package/rules/common/zm-go-cwe327-weak-cipher.yaml +152 -0
package/rules/common/zm-go-cwe384-session-fixation.yaml +128 -0
package/rules/common/zm-go-cwe502-deserialization.yaml +120 -0
package/rules/common/zm-go-cwe78-command-injection.yaml +95 -0
package/rules/common/zm-go-cwe79-xss.yaml +104 -0
package/rules/common/zm-go-cwe798-hardcoded-creds.yaml +153 -0
package/rules/common/zm-go-cwe89-sqli.yaml +89 -0
package/rules/common/zm-go-cwe918-ssrf.yaml +117 -0
package/rules/common/zm-java-cwe117-log-injection.yaml +83 -0
package/rules/common/zm-java-cwe117-logforging.yaml +153 -0
package/rules/common/zm-java-cwe200-actuator-exposure.yaml +8 -0
package/rules/common/zm-java-cwe200-info-disclosure.yaml +91 -0
package/rules/common/zm-java-cwe22-file-depth.yaml +135 -0
package/rules/common/zm-java-cwe22-path-traversal-spring.yaml +81 -0
package/rules/common/zm-java-cwe284-missing-auth-spring.yaml +131 -0
package/rules/common/zm-java-cwe295-webview-ssl.yaml +123 -0
package/rules/common/zm-java-cwe327-weakcrypto.yaml +197 -0
package/rules/common/zm-java-cwe347-jwt.yaml +30 -0
package/rules/common/zm-java-cwe352-csrf-depth.yaml +107 -0
package/rules/common/zm-java-cwe352-csrf-disabled.yaml +15 -0
package/rules/common/zm-java-cwe501-trust-boundary.yaml +124 -0
package/rules/common/zm-java-cwe502-deserial-depth.yaml +128 -0
package/rules/common/zm-java-cwe502-fastjson.yaml +137 -0
package/rules/common/zm-java-cwe502-gadget.yaml +158 -0
package/rules/common/zm-java-cwe502-jndi-injection.yaml +91 -0
package/rules/common/zm-java-cwe502-shiro.yaml +108 -0
package/rules/common/zm-java-cwe601-url-redirect-spring.yaml +85 -0
package/rules/common/zm-java-cwe611-xxe-enhanced.yaml +80 -0
package/rules/common/zm-java-cwe611-xxe-transformer.yaml +85 -0
package/rules/common/zm-java-cwe639-idor.yaml +123 -0
package/rules/common/zm-java-cwe79-xss-depth.yaml +98 -0
package/rules/common/zm-java-cwe862-authz-depth.yaml +127 -0
package/rules/common/zm-java-cwe915-mass-assignment.yaml +16 -0
package/rules/common/zm-java-cwe917-expression-injection.yaml +120 -0
package/rules/common/zm-java-cwe918-resttemplate.yaml +67 -0
package/rules/common/zm-java-cwe918-ssrf-depth.yaml +103 -0
package/rules/common/zm-java-cwe918-ssrf-resttemplate.yaml +77 -0
package/rules/common/zm-java-cwe918-webclient.yaml +44 -0
package/rules/common/zm-java-cwe94-ognl.yaml +66 -0
package/rules/common/zm-java-cwe94-spel-injection.yaml +85 -0
package/rules/common/zm-java-cwe94-spel.yaml +112 -0
package/rules/common/zm-java-cwe94-ssti.yaml +22 -0
package/rules/common/zm-java-cwe942-cors.yaml +15 -0
package/rules/common/zm-js-cwe1321-prototype-pollution.yaml +61 -0
package/rules/common/zm-js-cwe200-info-disclosure.yaml +95 -0
package/rules/common/zm-js-cwe22-path-traversal-fs.yaml +113 -0
package/rules/common/zm-js-cwe22-pathtraversal.yaml +111 -0
package/rules/common/zm-js-cwe307-brute-force.yaml +136 -0
package/rules/common/zm-js-cwe345-postmessage.yaml +75 -0
package/rules/common/zm-js-cwe347-jwt-weak.yaml +95 -0
package/rules/common/zm-js-cwe352-csrf.yaml +52 -0
package/rules/common/zm-js-cwe384-session-fixation.yaml +132 -0
package/rules/common/zm-js-cwe502-deserialization.yaml +119 -0
package/rules/common/zm-js-cwe611-xxe.yaml +108 -0
package/rules/common/zm-js-cwe639-idor.yaml +122 -0
package/rules/common/zm-js-cwe693-helmet-missing.yaml +46 -0
package/rules/common/zm-js-cwe78-exec.yaml +37 -0
package/rules/common/zm-js-cwe78-spawn.yaml +37 -0
package/rules/common/zm-js-cwe79-domxss.yaml +84 -0
package/rules/common/zm-js-cwe79-react-xss.yaml +18 -0
package/rules/common/zm-js-cwe79-xss-ejs.yaml +70 -0
package/rules/common/zm-js-cwe89-sqli.yaml +153 -0
package/rules/common/zm-js-cwe915-mass-assignment.yaml +111 -0
package/rules/common/zm-js-cwe918-ssrf-fetch.yaml +134 -0
package/rules/common/zm-js-cwe918-ssrf.yaml +132 -0
package/rules/common/zm-js-cwe94-template-injection.yaml +130 -0
package/rules/common/zm-js-cwe942-cors.yaml +49 -0
package/rules/common/zm-js-cwe943-nosql-injection.yaml +52 -0
package/rules/common/zm-js-cwe95-eval.yaml +59 -0
package/rules/common/zm-js-cwe95-function-ctor.yaml +31 -0
package/rules/common/zm-py-cwe22-path-traversal.yaml +86 -0
package/rules/common/zm-py-cwe327-weak-crypto.yaml +103 -0
package/rules/common/zm-py-cwe502-pickle.yaml +92 -0
package/rules/common/zm-py-cwe611-xxe.yaml +100 -0
package/rules/common/zm-py-cwe78-command-injection.yaml +121 -0
package/rules/common/zm-py-cwe79-xss.yaml +123 -0
package/rules/common/zm-py-cwe798-hardcoded-creds.yaml +86 -0
package/rules/common/zm-py-cwe89-sqli.yaml +59 -0
package/rules/common/zm-py-cwe918-ssrf.yaml +123 -0
package/rules/common/zm-py-cwe94-ssti.yaml +87 -0
package/rules/common/zm-py-cwe943-nosql-injection.yaml +123 -0
package/rules/iac/ansible/zm-ansible-cwe269-privilege-escalation.yaml +63 -0
package/rules/iac/ansible/zm-ansible-cwe78-command-injection.yaml +67 -0
package/rules/iac/ansible/zm-ansible-cwe798-hardcoded-creds.yaml +93 -0
package/rules/iac/terraform/zm-tf-cwe200-s3-bucket-public.yaml +100 -0
package/rules/iac/terraform/zm-tf-cwe284-sg-wide-open.yaml +88 -0
package/rules/iac/terraform/zm-tf-cwe311-iam-wildcard.yaml +83 -0
package/rules/iac/terraform/zm-tf-cwe319-rds-public.yaml +72 -0
package/rules/iac/terraform/zm-tf-cwe798-hardcoded-creds.yaml +102 -0
package/rules/iac/zm-docker-cwe250-root-user.yaml +50 -0
package/rules/iac/zm-docker-cwe400-resource-limit.yaml +92 -0
package/rules/iac/zm-docker-security.yaml +104 -0
package/rules/iac/zm-k8s-cwe200-service-account.yaml +83 -0
package/rules/iac/zm-k8s-cwe250-privileged.yaml +56 -0
package/rules/iac/zm-k8s-security.yaml +79 -0
package/rules/rules_index.yaml.off +477 -0
package/rules/semgrep-registry/anonymous-ldap-bind.yaml +34 -0
package/rules/semgrep-registry/bad-hexa-conversion.yaml +32 -0
package/rules/semgrep-registry/blowfish-insufficient-key-size.yaml +39 -0
package/rules/semgrep-registry/cbc-padding-oracle.yaml +38 -0
package/rules/semgrep-registry/command-injection-formatted-runtime-call.yaml +90 -0
package/rules/semgrep-registry/command-injection-process-builder.yaml +148 -0
package/rules/semgrep-registry/cookie-missing-httponly.yaml +38 -0
package/rules/semgrep-registry/cookie-missing-secure-flag.yaml +38 -0
package/rules/semgrep-registry/crlf-injection-logs.yaml +86 -0
package/rules/semgrep-registry/dangerous-groovy-shell.yaml +46 -0
package/rules/semgrep-registry/el-injection.yaml +137 -0
package/rules/semgrep-registry/formatted-sql-string.yaml +95 -0
package/rules/semgrep-registry/http-response-splitting.yaml +44 -0
package/rules/semgrep-registry/index.txt +1 -0
package/rules/semgrep-registry/insecure-smtp-connection.yaml +34 -0
package/rules/semgrep-registry/java-reverse-shell.yaml +43 -0
package/rules/semgrep-registry/jdbc-sql-formatted-string.yaml +120 -0
package/rules/semgrep-registry/ldap-entry-poisoning.yaml +41 -0
package/rules/semgrep-registry/ldap-injection.yaml +82 -0
package/rules/semgrep-registry/md5-used-as-password.yaml +44 -0
package/rules/semgrep-registry/object-deserialization.yaml +34 -0
package/rules/semgrep-registry/ognl-injection.yaml +839 -0
package/rules/semgrep-registry/overly-permissive-file-permission.yaml +49 -0
package/rules/semgrep-registry/permissive-cors.yaml +77 -0
package/rules/semgrep-registry/script-engine-injection.yaml +66 -0
package/rules/semgrep-registry/tainted-cmd-from-http-request.yaml +74 -0
package/rules/semgrep-registry/tainted-env-from-http-request.yaml +46 -0
package/rules/semgrep-registry/tainted-ldapi-from-http-request.yaml +42 -0
package/rules/semgrep-registry/tainted-session-from-http-request.yaml +70 -0
package/rules/semgrep-registry/tainted-xpath-from-http-request.yaml +38 -0
package/rules/semgrep-registry/unsafe-reflection.yaml +39 -0
package/rules/semgrep-registry/unvalidated-redirect.yaml +127 -0
package/rules/semgrep-registry/url-rewriting.yaml +82 -0
package/rules/semgrep-registry/weak-ssl-context.yaml +34 -0
package/rules/semgrep-registry/xml-decoder.yaml +53 -0
package/rules/semgrep-registry/xssrequestwrapper-is-insecure.yaml +40 -0

package/rules/common/zm-go-cwe327-weak-cipher.yaml ADDED Viewed

@@ -0,0 +1,152 @@
+# CWE-327: Go 弱密码模式检测
+# 逐码 ZhuMa V4.1 — Go 通用规则库
+# 检测: AES-CBC无认证、ECB模式、CTR无认证、Cipher裸用
+rules:
+# ZM-GO-WEAKCIPHER-001: AES-CBC 无认证加密
+- id: zm-go-weakcipher-001
+  severity: WARNING
+  message: |
+    检测到使用 cipher.NewCBCEncrypter / NewCBCDecrypter 进行CBC模式加密。
+    CBC模式仅提供机密性，不提供完整性/认证保护。攻击者可修改密文
+    并通过padding oracle攻击恢复明文（如Lucky13、POODLE攻击）。
+    CBC模式不满足现代AEAD（认证加密）安全要求。
+    修复方案:
+    1. 使用 AES-GCM: cipher.NewGCM() — 内置认证+加密
+       gcm, _ := cipher.NewGCM(block)
+       ciphertext := gcm.Seal(nil, nonce, plaintext, aad)
+    2. 或使用 golang.org/x/crypto/nacl/secretbox (XSalsa20-Poly1305)
+    3. 若必须使用CBC，必须配合HMAC-SHA256做 Encrypt-then-MAC:
+       ciphertext = iv + enc(plaintext)
+       mac = HMAC-SHA256(ciphertext)
+       最终输出: ciphertext + mac
+  languages:
+    - go
+  pattern-either:
+    - pattern: cipher.NewCBCEncrypter($BLOCK, $IV)
+    - pattern: cipher.NewCBCDecrypter($BLOCK, $IV)
+  metadata:
+    cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
+    severity: WARNING
+    precision: very-high
+    category: crypto
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A02:2021 - Cryptographic Failures"
+    references:
+      - "https://pkg.go.dev/crypto/cipher#NewGCM"
+      - "https://en.wikipedia.org/wiki/Padding_oracle_attack"
+# ZM-GO-WEAKCIPHER-002: ECB模式加密
+- id: zm-go-weakcipher-002
+  severity: WARNING
+  message: |
+    检测到使用 ECB（电子密码本）模式加密。Go标准库不提供ECB实现，
+    此检测匹配第三方库或自定义ECB实现。
+    ECB模式会产生确定性密文——相同明文块产生相同密文块，
+    无法隐藏数据模式，攻击者可从密文中直接识别重复数据。
+    修复方案:
+    1. 使用 AES-GCM (cipher.NewGCM) 替代任何ECB实现
+    2. AES-GCM 提供: 机密性 + 完整性 + 认证 + 随机IV
+    3. 绝对禁止在任何安全敏感场景使用ECB
+    4. 参考 NIST SP 800-38A 了解分组密码模式安全特性
+  languages:
+    - go
+  pattern-either:
+    - pattern: NewECBEncrypter($BLOCK)
+    - pattern: NewECBDecrypter($BLOCK)
+    - pattern: ecb.NewEncrypter($BLOCK)
+    - pattern: ecb.NewDecrypter($BLOCK)
+  metadata:
+    cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
+    severity: WARNING
+    precision: very-high
+    category: crypto
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A02:2021 - Cryptographic Failures"
+    references:
+      - "https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#ECB"
+# ZM-GO-WEAKCIPHER-003: AES-CTR 无认证加密
+- id: zm-go-weakcipher-003
+  severity: WARNING
+  message: |
+    检测到使用 cipher.NewCTR() 进行CTR模式加密。
+    CTR模式本身仅提供机密性，不提供完整性保护。
+    攻击者可对密文进行比特翻转修改明文，且无MAC无法检测篡改。
+    修复方案:
+    1. 使用 AES-GCM 替代 CTR 模式
+    2. 或使用 Golang 支持的 AEAD 接口: cipher.NewGCM / chacha20poly1305
+    3. 若必须用CTR，配合 HMAC-SHA256 实现 Encrypt-then-MAC 认证
+  languages:
+    - go
+  pattern-either:
+    - pattern: cipher.NewCTR($BLOCK, $IV)
+  metadata:
+    cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
+    severity: WARNING
+    precision: very-high
+    category: crypto
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A02:2021 - Cryptographic Failures"
+# ZM-GO-WEAKCIPHER-004: Cipher 裸用(无模式加密)
+- id: zm-go-weakcipher-004
+  severity: WARNING
+  message: |
+    检测到 cipher.Block 接口的 Encrypt/Decrypt 方法直接调用，
+    未通过任何分组密码模式包装。裸 Block 仅加密单个16字节块，
+    无法处理任意长度数据，且无认证和IV。
+    修复方案:
+    1. 始终通过 cipher.NewGCM(block) 等模式包装后使用
+    2. 绝对禁止直接调用 block.Encrypt / block.Decrypt 处理业务数据
+    3. 正确模式: gcm, _ := cipher.NewGCM(block); gcm.Seal(...)
+  languages:
+    - go
+  pattern-either:
+    - pattern: $BLOCK.Encrypt($DST, $SRC)
+    - pattern: $BLOCK.Decrypt($DST, $SRC)
+  metadata:
+    cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
+    severity: WARNING
+    precision: very-high
+    category: crypto
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A02:2021 - Cryptographic Failures"
+    references:
+      - "https://pkg.go.dev/crypto/cipher#Block"
+# ZM-GO-WEAKCIPHER-005: CFB/OFB 无认证
+- id: zm-go-weakcipher-005
+  severity: WARNING
+  message: |
+    检测到使用 cipher.NewCFBEncrypter / NewOFB 流模式。
+    CFB/OFB仅提供机密性，不提供认证保护。不应在现代系统中单独使用。
+    OFB模式虽比特翻转影响有限，但仍缺少完整性校验。
+    修复方案:
+    1. 使用 cipher.NewGCM() — AEAD 是唯一推荐的新增代码加密模式
+    2. 若需流加密，使用 ChaCha20-Poly1305
+    3. 旧系统迁移计划加入HMAC认证
+  languages:
+    - go
+  pattern-either:
+    - pattern: cipher.NewCFBEncrypter($BLOCK, $IV)
+    - pattern: cipher.NewCFBDecrypter($BLOCK, $IV)
+    - pattern: cipher.NewOFB($BLOCK, $IV)
+  metadata:
+    cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
+    severity: WARNING
+    precision: very-high
+    category: crypto
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A02:2021 - Cryptographic Failures"

package/rules/common/zm-go-cwe384-session-fixation.yaml ADDED Viewed

@@ -0,0 +1,128 @@
+# CWE-384: Go/Gin 会话固定检测
+# 逐码 ZhuMa V4.1 Sprint — Go 规则库
+# 覆盖: Gin/gorilla session未regenerate、cookie未secure/httpOnly
+rules:
+# ZM-GO-SF-001: Gorilla Sessions 登录后未替换会话ID
+- id: zm-go-sf-001
+  severity: HIGH
+  message: |
+    检测到 gorilla/sessions 在登录/认证成功后未创建新会话或未调用 session.Save() 前
+    未设置新的 session ID。
+    攻击者可通过固定会话攻击(Session Fixation)劫持已验证用户会话。
+    修复方案:
+    1. 登录成功后创建全新会话:
+       session, _ := store.New(r, "session-name")
+       session.Values["user"] = user
+       session.Save(r, w)
+    2. 在 Save 之前清除旧会话: session.Options.MaxAge = -1
+    3. 为认证成功的会话生成新的 session ID(随机UUID)
+    4. 将 session ID 与用户身份强绑定
+  languages:
+    - go
+  pattern-either:
+    - pattern: |
+        $SESSION.Values[$KEY] = $USER
+    - pattern: |
+        $SESSION.Values[$KEY] = $VALUE
+    - pattern: |
+        session.Values[$KEY] = $VALUE
+  metadata:
+    cwe: "CWE-384: Session Fixation"
+    severity: HIGH
+    precision: low
+    category: session
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A07:2021 - Identification and Authentication Failures"
+    references:
+      - "https://github.com/gorilla/sessions"
+      - "https://owasp.org/www-community/attacks/Session_fixation"
+# ZM-GO-SF-002: Gorilla/Gin Session Cookie 安全属性缺失
+- id: zm-go-sf-002
+  severity: HIGH
+  message: |
+    检测到 Gorilla sessions 的 cookie 配置中安全属性不完整。
+    - Secure: false → Cookie可被中间人通过HTTP明文传输窃取
+    - HttpOnly: false → JavaScript可读取Cookie，XSS可窃取会话
+    - SameSite 未设 StrictMode → 跨站请求携带Cookie，易受CSRF
+    修复方案:
+    1. 生产环境 Secure: true (仅HTTPS)
+    2. HttpOnly: true
+    3. SameSite: http.SameSiteStrictMode
+    4. 设置合理的 MaxAge 和 Path 限制作用域
+    5. 使用 session.Options 统一配置:
+       session.Options = &sessions.Options{
+         Path:     "/",
+         MaxAge:   3600,
+         HttpOnly: true,
+         Secure:   true,
+         SameSite: http.SameSiteStrictMode,
+       }
+  languages:
+    - go
+  pattern-either:
+    - pattern: |
+        $STORE.Options.HttpOnly = false
+    - pattern: |
+        $STORE.Options.Secure = false
+    - pattern: |
+        $OPTS.HttpOnly = false
+    - pattern: |
+        $OPTS.Secure = false
+    - pattern: |
+        $SESSION.Options.HttpOnly = false
+    - pattern: |
+        $SESSION.Options.Secure = false
+    - pattern: |
+        HttpOnly: false
+    - pattern: |
+        Secure: false
+  metadata:
+    cwe: "CWE-384: Session Fixation"
+    severity: HIGH
+    precision: very-high
+    category: session
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A07:2021 - Identification and Authentication Failures"
+    references:
+      - "https://github.com/gorilla/sessions"
+# ZM-GO-SF-003: Gin contrib/sessions cookie配置安全检查
+- id: zm-go-sf-003
+  severity: HIGH
+  message: |
+    检测到 Gin contrib/sessions 或其他 session store 配置中 Secure/HttpOnly 设置可能不安全。
+    使用 CookieStore 和 FilesystemStore 时需显式设置 Secure 和 HttpOnly 选项。
+    修复方案:
+    store := cookie.NewStore([]byte("secret"))
+    store.Options(sessions.Options{
+      Path:     "/",
+      MaxAge:   86400 * 7,
+      HttpOnly: true,
+      Secure:   true,
+      SameSite: http.SameSiteStrictMode,
+    })
+  languages:
+    - go
+  pattern-either:
+    - pattern: cookie.NewStore($KEY)
+    - pattern: sessions.NewCookieStore($KEY)
+    - pattern: sessions.NewFilesystemStore($PATH, $KEY)
+  metadata:
+    cwe: "CWE-384: Session Fixation"
+    severity: HIGH
+    precision: low
+    category: session
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A07:2021 - Identification and Authentication Failures"
+    references:
+      - "https://github.com/gin-gonic/contrib/tree/master/sessions"

package/rules/common/zm-go-cwe502-deserialization.yaml ADDED Viewed

@@ -0,0 +1,120 @@
+# CWE-502: Go 不安全反序列化检测
+# 逐码 ZhuMa V4.1 — Go 通用规则库
+# 检测: gob.NewDecoder.Decode / json.Unmarshal到interface{} / xml.Decoder
+rules:
+# ZM-GO-DESER-001: gob 反序列化外部输入
+- id: zm-go-deser-001
+  severity: CRITICAL
+  message: |
+    检测到 encoding/gob 的 NewDecoder().Decode() 反序列化操作。
+    gob 是Go特有的二进制序列化格式，反序列化用户可控的 gob 数据
+    可能触发 panic 导致DoS，或在复杂类型场景下产生意外行为。
+    修复方案:
+    1. 仅反序列化可信来源的 gob 数据
+    2. 对不可信数据使用 JSON/Protobuf 等格式替代 gob
+    3. 使用 gob.Register() 注册允许的反序列化类型白名单
+    4. 对输入数据做完整性校验（HMAC签名）
+  languages:
+    - go
+  pattern-either:
+    - pattern: gob.NewDecoder($R).Decode($V)
+    - pattern: gob.NewDecoder($R).DecodeValue($V)
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: CRITICAL
+    precision: high
+    category: deserialization
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    references:
+      - "https://pkg.go.dev/encoding/gob"
+      - "https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html"
+# ZM-GO-DESER-002: json.Unmarshal 到 interface{}
+- id: zm-go-deser-002
+  severity: WARNING
+  message: |
+    检测到 json.Unmarshal / json.Decoder.Decode 将数据反序列化到
+    interface{} 类型或 map[string]interface{} 动态类型。
+    无类型约束的反序列化可能导致类型混淆、DoS（嵌套炸弹），
+    且无法利用编译器类型检查保证数据安全。
+    修复方案:
+    1. 定义具体的结构体类型接收JSON数据: json.Unmarshal(data, &myStruct)
+    2. 使用 json.Decoder 配合 DisallowUnknownFields() 拒绝未知字段
+    3. 若必须使用动态类型，使用 json.RawMessage 延迟解析
+    4. 对输入大小做限制（http.MaxBytesReader / io.LimitReader）
+  languages:
+    - go
+  pattern-either:
+    - pattern: json.Unmarshal($DATA, $V)
+    - pattern: $DEC.Decode($V)
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: WARNING
+    precision: low
+    category: deserialization
+    likelihood: MEDIUM
+    impact: MEDIUM
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    references:
+      - "https://pkg.go.dev/encoding/json"
+# ZM-GO-DESER-003: xml.Decoder 外部实体未禁用
+- id: zm-go-deser-003
+  severity: HIGH
+  message: |
+    检测到 encoding/xml 的 Decoder 反序列化XML数据。
+    Go的 xml.Decoder 默认禁用外部实体，但若显式设置
+    Decoder.Entity 字段，可能引入 XXE 攻击风险。
+    修复方案:
+    1. 使用默认的 xml.NewDecoder() 不做额外配置（Go 1.17+ 默认安全）
+    2. 若必须设置 Entity，确保映射仅包含安全值
+    3. 考虑使用更安全的XML解析库或切换到JSON
+  languages:
+    - go
+  pattern-either:
+    - pattern: xml.NewDecoder($R).Decode($V)
+    - pattern: xml.Unmarshal($DATA, $V)
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: HIGH
+    precision: medium
+    category: deserialization
+    likelihood: LOW
+    impact: HIGH
+    owasp: "A08:2021 - Software and Data Integrity Failures"
+    references:
+      - "https://pkg.go.dev/encoding/xml"
+# ZM-GO-DESER-004: binary.Read 二进制反序列化
+- id: zm-go-deser-004
+  severity: WARNING
+  message: |
+    检测到 encoding/binary 的 Read() 从不可信输入读取二进制数据。
+    若输入攻击者可控，可能构造恶意二进制数据导致越界读取或内存损坏。
+    修复方案:
+    1. 仅从可信来源读取二进制数据
+    2. 使用 io.LimitReader 限制读取大小
+    3. 对二进制数据做完整性校验（CRC/MD5签名）
+    4. 考虑使用 Protobuf 等有类型信息的序列化格式
+  languages:
+    - go
+  pattern-either:
+    - pattern: binary.Read($R, binary.BigEndian, $V)
+    - pattern: binary.Read($R, binary.LittleEndian, $V)
+    - pattern: binary.Read($R, $ORDER, $V)
+  metadata:
+    cwe: "CWE-502: Deserialization of Untrusted Data"
+    severity: WARNING
+    precision: low
+    category: deserialization
+    likelihood: MEDIUM
+    impact: MEDIUM
+    owasp: "A08:2021 - Software and Data Integrity Failures"

package/rules/common/zm-go-cwe78-command-injection.yaml ADDED Viewed

@@ -0,0 +1,95 @@
+# CWE-78: Go OS 命令注入检测
+# 逐码 ZhuMa V4.1 — Go 通用规则库
+# 检测: os/exec.Command 启动Shell执行用户输入、syscall.Exec
+rules:
+# ZM-GO-OSCI-001: exec.Command 调用Shell执行变量参数
+- id: zm-go-osci-001
+  severity: CRITICAL
+  message: |
+    检测到 os/exec 的 Command() 使用 "sh"/"bash"/"cmd" 等Shell解释器
+    且参数中包含变量。攻击者可通过用户输入注入额外命令
+    （如 ; id、| nc、$(cat /etc/passwd) 等），实现远程代码执行。
+    修复方案:
+    1. 使用 exec.Command() 直接调用二进制文件，不通过Shell:
+       exec.Command("git", "log", "--oneline") 而非 exec.Command("sh", "-c", "git log")
+    2. 避免将用户输入拼入命令字符串或Shell参数
+    3. 对必须传入Shell的命令，使用 shell-quote 库转义用户输入
+    4. 优先使用 Go 标准库函数替代外部命令（如 os.ReadFile 代替 cat）
+  languages:
+    - go
+  pattern-either:
+    - pattern: exec.Command("sh", "-c", $INPUT)
+    - pattern: exec.Command("bash", "-c", $INPUT)
+    - pattern: exec.Command("zsh", "-c", $INPUT)
+    - pattern: exec.Command("/bin/sh", "-c", $INPUT)
+    - pattern: exec.Command("/bin/bash", "-c", $INPUT)
+    - pattern: exec.Command("cmd", "/C", $INPUT)
+    - pattern: exec.Command("cmd", "/c", $INPUT)
+    - pattern: exec.Command("cmd.exe", "/C", $INPUT)
+    - pattern: exec.Command("powershell", "-Command", $INPUT)
+    - pattern: exec.Command("pwsh", "-Command", $INPUT)
+    - pattern: exec.Command("powershell.exe", "-Command", $INPUT)
+  metadata:
+    cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)"
+    severity: CRITICAL
+    precision: high
+    category: command-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://pkg.go.dev/os/exec"
+      - "https://owasp.org/www-community/attacks/Command_Injection"
+# ZM-GO-OSCI-002: syscall.Exec 执行用户可控路径
+- id: zm-go-osci-002
+  severity: CRITICAL
+  message: |
+    检测到 syscall.Exec() 使用变量作为可执行文件路径。
+    syscall.Exec 直接替换当前进程镜像，若路径可控将导致任意代码执行。
+    修复方案:
+    1. 校验可执行文件路径必须在白名单目录内
+    2. 使用绝对路径替代相对路径
+    3. 迁移至 os/exec 包（syscall 已弃用，Go 1.17+）
+  languages:
+    - go
+  pattern-either:
+    - pattern: syscall.Exec($PATH, $ARGS, $ENV)
+    - pattern: syscall.Exec($PATH, nil, nil)
+  metadata:
+    cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)"
+    severity: CRITICAL
+    precision: high
+    category: command-injection
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+# ZM-GO-OSCI-003: exec.Command 命令名来自变量
+- id: zm-go-osci-003
+  severity: HIGH
+  message: |
+    检测到 os/exec 的 Command() 第一个参数（命令名）来自变量。
+    若该变量由用户输入控制，攻击者可指定任意可执行文件路径实现代码执行。
+    修复方案:
+    1. 命令名使用字面量字符串，参数通过后续参数传入
+    2. 对命令名做严格白名单校验
+    3. 避免从用户输入直接构造命令路径
+  languages:
+    - go
+  pattern-either:
+    - pattern: exec.Command($CMD, $ARGS)
+    - pattern: exec.CommandContext($CTX, $CMD, $ARGS)
+  metadata:
+    cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)"
+    severity: HIGH
+    precision: medium
+    category: command-injection
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A03:2021 - Injection"

package/rules/common/zm-go-cwe79-xss.yaml ADDED Viewed

@@ -0,0 +1,104 @@
+# CWE-79: Go XSS 检测
+# 逐码 ZhuMa V4.1 — Go 通用规则库
+# 检测: template.HTML 标记用户输入为安全 / 使用 text/template 渲染HTML
+rules:
+# ZM-GO-XSS-001: template.HTML() 转换用户可控字符串
+- id: zm-go-xss-001
+  severity: HIGH
+  message: |
+    检测到使用 html/template 的 template.HTML() 类型转换将字符串标记为
+    "安全HTML"直接输出。若该字符串包含用户输入，攻击者可注入
+    <script>、<img onerror=> 等XSS payload。
+    Go html/template 会自动转义所有字符串输出，但 template.HTML 类型
+    会绕过此保护，直接原样输出。这是Go XSS的第一大根因。
+    修复方案:
+    1. 删除 template.HTML() 转换，让 html/template 自动转义
+    2. 仅对可信的内部静态HTML片段使用 template.HTML()
+    3. 对用户输入使用 bluemonday 等HTML清洗库后再转换
+    4. 使用 template.JSStr() 替代 template.HTML() 输出到JS上下文
+  languages:
+    - go
+  pattern-either:
+    - pattern: template.HTML($INPUT)
+    - pattern: template.HTML($VAR)
+  metadata:
+    cwe: "CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)"
+    severity: HIGH
+    precision: high
+    category: xss
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://pkg.go.dev/html/template#HTML"
+      - "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"
+# ZM-GO-XSS-002: template.JS / template.CSS / template.URL 注入
+- id: zm-go-xss-002
+  severity: HIGH
+  message: |
+    检测到 template.JS() / template.CSS() / template.URL() / template.HTMLAttr()
+    将用户输入标记为安全内容直接插入JS/CSS/URL/属性上下文。
+    各类转换绕过上下文特定的自动转义，可能导致XSS。
+    修复方案:
+    1. 使用 html/template 默认转义，不手动标记安全类型
+    2. 对JSON数据使用 template.JSStr() 替代 template.JS()
+    3. URL使用 url.QueryEscape() 编码
+    4. 绝对必要时对输入做严格的白名单校验
+  languages:
+    - go
+  pattern-either:
+    - pattern: template.JS($INPUT)
+    - pattern: template.JSStr($INPUT)
+    - pattern: template.CSS($INPUT)
+    - pattern: template.URL($INPUT)
+    - pattern: template.HTMLAttr($INPUT)
+    - pattern: template.Srcset($INPUT)
+  metadata:
+    cwe: "CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)"
+    severity: HIGH
+    precision: high
+    category: xss
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://pkg.go.dev/html/template"
+# ZM-GO-XSS-003: text/template 用于HTML渲染
+- id: zm-go-xss-003
+  severity: HIGH
+  message: |
+    检测到使用 text/template 进行模板渲染（Template.Execute / Must）。
+    text/template 不提供任何HTML自动转义，所有变量直接输出到页面。
+    若模板内容中包含用户输入且输出到HTML页面，将导致XSS漏洞。
+    修复方案:
+    1. 将 "text/template" 替换为 "html/template"
+    2. html/template 会基于上下文自动选择转义策略（HTML/JS/CSS/URL）
+    3. 两个包的API完全兼容，仅需修改import路径
+  languages:
+    - go
+  pattern-either:
+    - pattern: texttemplate.Execute($W, $DATA)
+    - pattern: texttemplate.ExecuteTemplate($W, $NAME, $DATA)
+    - pattern: template.Must(...)
+    - pattern: template.New($NAME)
+    - pattern: template.ParseFiles(...)
+    - pattern: template.ParseGlob(...)
+  metadata:
+    cwe: "CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)"
+    severity: HIGH
+    precision: medium
+    category: xss
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://pkg.go.dev/text/template"
+      - "https://pkg.go.dev/html/template"