@zhuma4/cli 4.0.0-alpha.1

package/rules/common/zm-go-cwe798-hardcoded-creds.yaml

@@ -0,0 +1,153 @@
+# CWE-798: Go 硬编码凭据检测
+# 逐码 ZhuMa V4.1 — Go 通用规则库
+# 检测: 常量/变量中硬编码密码、API密钥、Token、数据库连接串
+
+rules:
+
+# ZM-GO-HC-001: const 声明硬编码凭据
+- id: zm-go-hc-001
+  severity: ERROR
+  message: |
+    检测到 const 常量声明中硬编码了凭据（密码、API密钥、Token等）。
+    硬编码凭据会随代码提交到版本控制系统，一旦仓库公开或内部泄露，
+    攻击者可获取数据库、云服务等敏感系统的访问权限。
+
+    修复方案:
+    1. 使用环境变量: os.Getenv("DB_PASSWORD")
+    2. 使用密钥管理服务（Vault / AWS Secrets Manager / K8s Secrets）
+    3. 使用配置文件（.env）+ .gitignore 排除
+    4. 部署时由 CI/CD 注入凭据，禁止写入源码
+    5. 对已泄漏的硬编码凭据立即轮换
+  languages:
+    - go
+  pattern-either:
+    - pattern: |
+        const $PASSWORD = "..."
+    - pattern: |
+        const $APIKEY = "..."
+    - pattern: |
+        const $SECRET = "..."
+    - pattern: |
+        const $TOKEN = "..."
+    - pattern: |
+        const $ACCESSKEY = "..."
+    - pattern: |
+        const $PRIVATEKEY = "..."
+    - pattern: |
+        const $DSN = "..."
+    - pattern: |
+        const $CONNSTR = "..."
+  metadata:
+    cwe: "CWE-798: Use of Hard-coded Credentials"
+    severity: ERROR
+    precision: high
+    category: hardcoded-credentials
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A07:2021 - Identification and Authentication Failures"
+    references:
+      - "https://cwe.mitre.org/data/definitions/798.html"
+      - "https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
+
+# ZM-GO-HC-002: var 声明硬编码凭据
+- id: zm-go-hc-002
+  severity: ERROR
+  message: |
+    检测到 var 变量声明中硬编码了凭据。
+    与 const 类似，var 声明的硬编码凭据同样会随代码提交暴露。
+    即使变量名使用了缩写（如 pwd、passwd、ak/sk），本质风险相同。
+
+    修复方案:
+    1. 使用环境变量或密钥管理服务
+    2. var password = os.Getenv("DB_PASSWORD")
+    3. 禁止在源码中留下任何形式的明文凭据
+  languages:
+    - go
+  pattern-either:
+    - pattern: |
+        var $PASSWORD = "..."
+    - pattern: |
+        var $APIKEY = "..."
+    - pattern: |
+        var $SECRET = "..."
+    - pattern: |
+        var $TOKEN = "..."
+    - pattern: |
+        var $ACCESSKEY = "..."
+    - pattern: |
+        var $PRIVATEKEY = "..."
+    - pattern: |
+        var $DSN = "..."
+    - pattern: |
+        var $CONNSTR = "..."
+  metadata:
+    cwe: "CWE-798: Use of Hard-coded Credentials"
+    severity: ERROR
+    precision: high
+    category: hardcoded-credentials
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A07:2021 - Identification and Authentication Failures"
+
+# ZM-GO-HC-003: 短赋值硬编码凭据
+- id: zm-go-hc-003
+  severity: ERROR
+  message: |
+    检测到短变量声明（:=）中硬编码了凭据字符串。
+    常见场景: apiKey := "sk-xxx..." / password := "admin123" 等。
+    这些凭据会随Git历史永久留存。
+
+    修复方案:
+    1. 使用 os.Getenv() 从环境变量读取
+    2. 使用 viper/koanf 从配置文件读取并排除 .gitignore
+    3. 使用密钥管理服务（KMS）动态获取
+  languages:
+    - go
+  pattern-either:
+    - pattern: $PASSWORD := "..."
+    - pattern: $APIKEY := "..."
+    - pattern: $SECRET := "..."
+    - pattern: $TOKEN := "..."
+    - pattern: $ACCESSKEY := "..."
+    - pattern: $PRIVATEKEY := "..."
+    - pattern: $DSN := "..."
+    - pattern: $CONNSTR := "..."
+  metadata:
+    cwe: "CWE-798: Use of Hard-coded Credentials"
+    severity: ERROR
+    precision: high
+    category: hardcoded-credentials
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A07:2021 - Identification and Authentication Failures"
+
+# ZM-GO-HC-004: 赋值语句硬编码凭据
+- id: zm-go-hc-004
+  severity: WARNING
+  message: |
+    检测到赋值语句中将字面量字符串赋给类凭据变量名。
+    包括 db.ConnString / client.Secret / config.Token 等间接凭据暴露。
+
+    修复方案:
+    1. 从外部配置中心/环境变量读取
+    2. 使用结构体标签 + viper 绑定配置项
+    3. 代码审查确认为测试 mock 数据则标记为误报
+  languages:
+    - go
+  pattern-either:
+    - pattern: $OBJ.Password = "..."
+    - pattern: $OBJ.ApiKey = "..."
+    - pattern: $OBJ.Secret = "..."
+    - pattern: $OBJ.Token = "..."
+    - pattern: $OBJ.AccessKey = "..."
+    - pattern: $OBJ.PrivateKey = "..."
+    - pattern: $OBJ.DSN = "..."
+    - pattern: $OBJ.ConnString = "..."
+  metadata:
+    cwe: "CWE-798: Use of Hard-coded Credentials"
+    severity: WARNING
+    precision: medium
+    category: hardcoded-credentials
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A07:2021 - Identification and Authentication Failures"

package/rules/common/zm-go-cwe89-sqli.yaml

@@ -0,0 +1,89 @@
+# CWE-89: Go SQL 注入检测
+# 逐码 ZhuMa V4.1 — Go 通用规则库
+# 检测: database/sql Query/Exec/QueryRow 字符串拼接构造SQL
+
+rules:
+
+# ZM-GO-SQLI-001: db.Query() 字符串拼接SQL注入
+- id: zm-go-sqli-001
+  severity: CRITICAL
+  message: |
+    检测到 database/sql 的 Query() 方法使用了字符串拼接构造SQL语句。
+    攻击者可通过用户输入注入恶意SQL（如 UNION SELECT、-- 注释符等），
+    绕过认证、窃取数据或破坏数据库。
+
+    修复方案:
+    1. 使用参数化查询: db.Query("SELECT * FROM users WHERE id = ?", userID)
+    2. 禁止使用字符串拼接构造SQL（+、fmt.Sprintf）
+    3. 对表名/列名等动态标识符使用白名单校验
+    4. 参考 OWASP SQL 注入防御指南
+  languages:
+    - go
+  pattern-either:
+    - pattern: $DB.Query($SQL + $VAR)
+    - pattern: $DB.Query($VAR + $SQL)
+    - pattern: $DB.Query(fmt.Sprintf(...))
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)"
+    severity: CRITICAL
+    precision: high
+    category: sql-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://go.dev/doc/database/sql-injection"
+      - "https://owasp.org/www-community/attacks/SQL_Injection"
+
+# ZM-GO-SQLI-002: db.Exec() 字符串拼接SQL注入
+- id: zm-go-sqli-002
+  severity: CRITICAL
+  message: |
+    检测到 database/sql 的 Exec() 方法使用了字符串拼接或 fmt.Sprintf
+    构造SQL语句。Exec 常用于 INSERT/UPDATE/DELETE，注入可能造成数据
+    被篡改或删除。
+
+    修复方案:
+    1. 使用参数化查询: db.Exec("UPDATE users SET name = ? WHERE id = ?", name, id)
+    2. 禁止将变量直接拼入SQL字符串
+    3. 使用 ORM 框架（GORM/Ent）的内置安全查询方法
+  languages:
+    - go
+  pattern-either:
+    - pattern: $DB.Exec($SQL + $VAR)
+    - pattern: $DB.Exec($VAR + $SQL)
+    - pattern: $DB.Exec(fmt.Sprintf(...))
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)"
+    severity: CRITICAL
+    precision: high
+    category: sql-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+
+# ZM-GO-SQLI-003: db.QueryRow() 字符串拼接SQL注入
+- id: zm-go-sqli-003
+  severity: CRITICAL
+  message: |
+    检测到 database/sql 的 QueryRow() 方法使用了字符串拼接构造SQL。
+    QueryRow 用于单行查询场景（如登录认证），注入可直接绕过认证。
+
+    修复方案:
+    1. db.QueryRow("SELECT * FROM users WHERE id = ?", userID)
+    2. 使用命名参数: sql.Named("id", userID)
+    3. 对动态排序/分组字段做白名单映射
+  languages:
+    - go
+  pattern-either:
+    - pattern: $DB.QueryRow($SQL + $VAR)
+    - pattern: $DB.QueryRow($VAR + $SQL)
+    - pattern: $DB.QueryRow(fmt.Sprintf(...))
+  metadata:
+    cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)"
+    severity: CRITICAL
+    precision: high
+    category: sql-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"

package/rules/common/zm-go-cwe918-ssrf.yaml

@@ -0,0 +1,117 @@
+# CWE-918: Go SSRF 深度检测
+# 逐码 ZhuMa V4.1 Sprint — Go 规则库
+# 覆盖: http.Get(userInput)/http.Post/httputil.ReverseProxy/c.Param→http.Get
+
+rules:
+
+# ZM-GO-SSRF-001: net/http Get/Post/Head 用户输入URL
+- id: zm-go-ssrf-001
+  severity: ERROR
+  message: |
+    检测到 net/http 客户端函数(http.Get / http.Post / http.Head / http.NewRequest)的URL参数
+    由用户输入(HTTP请求参数)控制，存在SSRF(服务端请求伪造)风险。
+    攻击者可控制目标URL使服务器发起对内网服务的恶意请求，绕过防火墙访问内部资源
+    (如 http://169.254.169.254/latest/meta-data/ 获取云环境元数据)。
+
+    修复方案:
+    1. 对用户传入的URL做白名单校验，仅允许预设的外部域名
+    2. 使用 url.Parse() 解析后校验 hostname 白名单
+    3. 解析DNS后校验目标IP是否在内网地址段
+    4. 配置防火墙禁止服务器访问内网地址(169.254.0.0/16, 10.0.0.0/8, 127.0.0.0/8等)
+    5. 禁用不必要的HTTP重定向跟踪
+  languages:
+    - go
+  pattern-either:
+    - pattern: http.Get($PARAM)
+    - pattern: http.Post($PARAM, $CONTENT, $BODY)
+    - pattern: http.Head($PARAM)
+    - pattern: http.NewRequest($METHOD, $PARAM, $BODY)
+    - pattern: http.NewRequestWithContext($CTX, $METHOD, $PARAM, $BODY)
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    severity: ERROR
+    precision: medium
+    category: ssrf
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A10:2021 - Server-Side Request Forgery (SSRF)"
+    references:
+      - "https://pkg.go.dev/net/http"
+      - "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html"
+
+# ZM-GO-SSRF-002: Gin c.Param / c.Query 直传HTTP客户端
+- id: zm-go-ssrf-002
+  severity: ERROR
+  message: |
+    检测到 Gin 框架的 c.Param / c.Query / c.PostForm 返回值直接作为HTTP客户端请求URL。
+    攻击者可通过控制URL参数发起SSRF攻击。
+
+    典型的危险模式:
+    func handler(c *gin.Context) {
+      url := c.Query("url")
+      resp, _ := http.Get(url)  // ← SSRF
+    }
+
+    修复方案:
+    1. 使用URL白名单映射替代用户直接输入URL
+    2. 解析URL后校验hostname白名单
+    3. 使用 http.NewRequest 后设置自定义 Dialer 过滤内网IP
+    4. 禁止用户控制完整URL，仅允许选择预定义的端点
+  languages:
+    - go
+  pattern-either:
+    - pattern: http.Get(c.Param($KEY))
+    - pattern: http.Get(c.Query($KEY))
+    - pattern: http.Post(c.Param($KEY), $TYPE, $BODY)
+    - pattern: http.Post(c.Query($KEY), $TYPE, $BODY)
+    - pattern: http.NewRequest($METHOD, c.Param($KEY), $BODY)
+    - pattern: http.NewRequest($METHOD, c.Query($KEY), $BODY)
+    - pattern: http.NewRequestWithContext($CTX, $METHOD, c.Param($KEY), $BODY)
+    - pattern: http.NewRequestWithContext($CTX, $METHOD, c.Query($KEY), $BODY)
+    - pattern: http.Head(c.Query($KEY))
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    severity: ERROR
+    precision: high
+    category: ssrf
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A10:2021 - Server-Side Request Forgery (SSRF)"
+    references:
+      - "https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html"
+
+# ZM-GO-SSRF-003: httputil.ReverseProxy 用户可控目标
+- id: zm-go-ssrf-003
+  severity: ERROR
+  message: |
+    检测到 httputil.ReverseProxy 的 Director 函数中 URL 由用户输入控制。
+    攻击者可控制反向代理的目标地址，将请求转发到内网服务。
+
+    典型的危险模式:
+    func handler(c *gin.Context) {
+      target := c.Query("target")
+      url, _ := url.Parse(target)
+      proxy := httputil.NewSingleHostReverseProxy(url)
+      proxy.ServeHTTP(c.Writer, c.Request)
+    }
+
+    修复方案:
+    1. 使用固定的反向代理目标白名单
+    2. 禁止用户输入决定代理目标
+    3. 如需动态路由，使用预定义的 target 映射表(按 path 或 header)
+    4. 修改 Director 前校验目标 URL 的白名单
+  languages:
+    - go
+  pattern-either:
+    - pattern: httputil.NewSingleHostReverseProxy(url.Parse($INPUT))
+    - pattern: httputil.ReverseProxy{...}
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    severity: ERROR
+    precision: medium
+    category: ssrf
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A10:2021 - Server-Side Request Forgery (SSRF)"
+    references:
+      - "https://pkg.go.dev/net/http/httputil#ReverseProxy"

package/rules/common/zm-java-cwe117-log-injection.yaml

@@ -0,0 +1,83 @@
+# CWE-117: Log Injection — deeper patterns beyond basic log-forging
+# ZhuMa V4.1 — complement zm-java-cwe117-logforging.yaml
+
+rules:
+
+# ZM-JAVA-LOG-DEEP-001: MDC.put() with user input (log tampering)
+- id: zm-java-log-deep-001
+  severity: WARNING
+  message: |
+    MDC.put() receives raw HTTP parameter — attacker injects CRLF into structured log context.
+    This pollutes all subsequent log entries in the thread with attacker-controlled values.
+    Fix: sanitize user input before MDC.put(): strip \r \n and limit value length.
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        MDC.put($KEY, $REQ.getParameter(...))
+    - pattern: |
+        MDC.put($KEY, $REQ.getHeader(...))
+    - pattern: |
+        org.slf4j.MDC.put($KEY, $REQ.getParameter(...))
+  metadata:
+    cwe: "CWE-117: Improper Output Neutralization for Logs"
+    severity: WARNING
+    precision: high
+    category: log-injection
+    likelihood: HIGH
+    impact: LOW
+    owasp: "A09:2021 - Security Logging and Monitoring Failures"
+
+# ZM-JAVA-LOG-DEEP-002: User input concatenated inside log message string
+- id: zm-java-log-deep-002
+  severity: WARNING
+  message: |
+    String concatenation with user input inside log method argument — CRLF log injection.
+    Even if not directly at log call, the concatenated string with \r\n can forge log entries.
+    Fix: use parameterized logging: log.info("user={}", request.getParameter("user")).
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        log.info($PREFIX + $REQ.getParameter(...) + $SUFFIX)
+    - pattern: |
+        log.warn($PREFIX + $REQ.getParameter(...) + $SUFFIX)
+    - pattern: |
+        log.error($PREFIX + $REQ.getParameter(...) + $SUFFIX)
+    - pattern: |
+        LOGGER.info($PREFIX + $REQ.getParameter(...) + $SUFFIX)
+    - pattern: |
+        LOGGER.warn($PREFIX + $REQ.getParameter(...) + $SUFFIX)
+    - pattern: |
+        LOGGER.error($PREFIX + $REQ.getParameter(...) + $SUFFIX)
+  metadata:
+    cwe: "CWE-117: Improper Output Neutralization for Logs"
+    severity: WARNING
+    precision: medium
+    category: log-injection
+    likelihood: HIGH
+    impact: LOW
+    owasp: "A09:2021 - Security Logging and Monitoring Failures"
+
+# ZM-JAVA-LOG-DEEP-003: Log4j2 MessageFactory/StructuredDataMessage with user input
+- id: zm-java-log-deep-003
+  severity: WARNING
+  message: |
+    Log4j2 structured logging message contains user-supplied data without sanitization.
+    Attackers may inject forged log levels, timestamps, or structured fields via CRLF in user input.
+    Fix: sanitize user input to remove \r \n \t before inclusion in structured log messages.
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        logger.printf($LEVEL, $FMT, $REQ.getParameter(...))
+    - pattern: |
+        logger.log($LEVEL, $REQ.getParameter(...))
+  metadata:
+    cwe: "CWE-117: Improper Output Neutralization for Logs"
+    severity: WARNING
+    precision: medium
+    category: log-injection
+    likelihood: MEDIUM
+    impact: LOW
+    owasp: "A09:2021 - Security Logging and Monitoring Failures"

package/rules/common/zm-java-cwe117-logforging.yaml

@@ -0,0 +1,153 @@
+# CWE-117: 日志注入 (Log Forging) 检测
+# 逐码 ZhuMa V4.1 — 通用规则库
+# 检测: log.info/warn/error() 参数含 request.getParameter() 未经 sanitize
+
+rules:
+
+# ZM-JAVA-LF-001: Log4j/SLF4J 日志直接输出用户输入
+- id: zm-java-lf-001
+  severity: WARNING
+  message: |
+    检测到日志方法（log.info/warn/error/debug）直接输出 HTTP 请求参数，未经任何清洗处理。
+    攻击者可构造包含换行符 (CRLF: %0d%0a) 的输入，注入伪造的日志条目或污染日志分析系统。
+    日志注入攻击可导致:
+    - 伪造日志记录，干扰攻击溯源
+    - 注入恶意日志条目误导安全监控
+    - 在 Log4j2 中触发 JNDI 查找（Log4Shell, CVE-2021-44228）
+    修复方案:
+    1. 对用户输入进行换行符过滤: input.replaceAll("[\\r\\n]", "_")
+    2. 使用日志框架的参数化占位符（如 log.info("user={}", sanitizedInput)）
+    3. 实现自定义日志 Appender 过滤 CRLF 字符
+    4. 限制日志字段长度，防止日志膨胀
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        log.info($REQ.getParameter(...))
+    - pattern: |
+        log.warn($REQ.getParameter(...))
+    - pattern: |
+        log.error($REQ.getParameter(...))
+    - pattern: |
+        log.debug($REQ.getParameter(...))
+    - pattern: |
+        LOG.info($REQ.getParameter(...))
+    - pattern: |
+        LOG.warn($REQ.getParameter(...))
+    - pattern: |
+        LOG.error($REQ.getParameter(...))
+    - pattern: |
+        LOG.debug($REQ.getParameter(...))
+    - pattern: |
+        logger.info($REQ.getParameter(...))
+    - pattern: |
+        logger.warn($REQ.getParameter(...))
+    - pattern: |
+        logger.error($REQ.getParameter(...))
+    - pattern: |
+        logger.debug($REQ.getParameter(...))
+    - pattern: |
+        LOGGER.info($REQ.getParameter(...))
+    - pattern: |
+        LOGGER.warn($REQ.getParameter(...))
+    - pattern: |
+        LOGGER.error($REQ.getParameter(...))
+    - pattern: |
+        LOGGER.debug($REQ.getParameter(...))
+  metadata:
+    cwe: "CWE-117: Improper Output Neutralization for Logs"
+    severity: WARNING
+    precision: high
+    category: data-exposure
+    likelihood: HIGH
+    impact: MEDIUM
+    owasp: "A09:2021 - Security Logging and Monitoring Failures"
+    references:
+      - "https://cwe.mitre.org/data/definitions/117.html"
+      - "https://owasp.org/www-community/attacks/Log_Injection"
+
+# ZM-JAVA-LF-002: 日志拼接用户输入 (CRLF 注入)
+- id: zm-java-lf-002
+  severity: WARNING
+  message: |
+    检测到日志方法参数中拼接了 HTTP 请求参数。攻击者可在参数值中注入换行符 (%0d%0a)
+    来伪造日志条目，污染日志完整性。
+    修复方案:
+    1. 使用参数化日志: log.info("user input: {}", request.getParameter("name"))
+    2. 或先对输入做 CRLF 过滤: input.replace("\r", "").replace("\n", "")
+    3. 在日志 Appender 层统一过滤特殊字符
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        log.info(... + $REQ.getParameter(...) + ...)
+    - pattern: |
+        log.warn(... + $REQ.getParameter(...) + ...)
+    - pattern: |
+        log.error(... + $REQ.getParameter(...) + ...)
+    - pattern: |
+        log.debug(... + $REQ.getParameter(...) + ...)
+  metadata:
+    cwe: "CWE-117: Improper Output Neutralization for Logs"
+    severity: WARNING
+    precision: medium
+    category: data-exposure
+    likelihood: HIGH
+    impact: MEDIUM
+    owasp: "A09:2021 - Security Logging and Monitoring Failures"
+
+# ZM-JAVA-LF-003: System.out/err 直接输出用户输入
+- id: zm-java-lf-003
+  severity: WARNING
+  message: |
+    检测到 System.out.println() 或 System.err.println() 直接输出 HTTP 请求参数。
+    虽然控制台输出不一定构成日志注入，但若输出被重定向到日志文件，可被利用进行日志伪造。
+    修复方案:
+    1. 避免在生产环境使用 System.out.println()
+    2. 使用规范的日志框架（SLF4J/Log4j2）
+    3. 对输出内容进行 sanitize
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        System.out.println($REQ.getParameter(...))
+    - pattern: |
+        System.err.println($REQ.getParameter(...))
+    - pattern: |
+        System.out.print($REQ.getParameter(...))
+    - pattern: |
+        System.err.print($REQ.getParameter(...))
+  metadata:
+    cwe: "CWE-117: Improper Output Neutralization for Logs"
+    severity: WARNING
+    precision: high
+    category: data-exposure
+    likelihood: HIGH
+    impact: LOW
+    owasp: "A09:2021 - Security Logging and Monitoring Failures"
+
+# ZM-JAVA-LF-004: e.printStackTrace() 泄露敏感信息
+- id: zm-java-lf-004
+  severity: WARNING
+  message: |
+    检测到 e.printStackTrace() 调用。printStackTrace() 会将完整堆栈（含敏感类路径、方法名、
+    内部逻辑）输出到 stderr，若未妥善处理可能泄露到客户端或日志，被攻击者利用。
+    修复方案:
+    1. 使用 log.error("error message", e) 替代 printStackTrace()
+    2. 确保日志系统不将堆栈信息返回给客户端
+    3. 在生产环境使用统一的异常处理机制（@ControllerAdvice）
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $E.printStackTrace()
+    - pattern: |
+        $E.printStackTrace(...);
+  metadata:
+    cwe: "CWE-117: Improper Output Neutralization for Logs"
+    severity: WARNING
+    precision: very-high
+    category: data-exposure
+    likelihood: HIGH
+    impact: LOW
+    owasp: "A09:2021 - Security Logging and Monitoring Failures"

package/rules/common/zm-java-cwe200-actuator-exposure.yaml

@@ -0,0 +1,8 @@
+# CWE-200: Spring Boot Actuator 敏感端点暴露
+rules:
+- id: zm-java-act-02
+  severity: WARNING
+  message: SecurityConfig permits all Actuator endpoints - /actuator/env /actuator/heapdump externally accessible.
+  languages: [java]
+  pattern: EndpointRequest.toAnyEndpoint().permitAll()
+  metadata: { cwe: "CWE-200", precision: very-high, category: config, owasp: "A05:2021" }

package/rules/common/zm-java-cwe200-info-disclosure.yaml

@@ -0,0 +1,91 @@
+# CWE-200 信息泄露深度覆盖 (v2): 敏感配置、调试端点、Stacktrace暴露
+
+rules:
+
+# ZM-JAVA-STACKTRACE-001: 未捕获异常直接输出到HTTP响应
+- id: zm-java-stacktrace-001
+  severity: MEDIUM
+  message: |
+    e.printStackTrace() 输出到 System.err，而 Spring Boot 默认将 stderr 路由到 HTTP 响应体。
+    替换为结构化日志（SLF4J）并只返回通用错误消息。
+  languages:
+    - java
+  pattern-either:
+    - pattern: $E.printStackTrace();
+    - pattern: $E.printStackTrace($WRITER);
+  metadata:
+    cwe: "CWE-200: Exposure of Sensitive Information Through Stack Trace"
+    owasp: "A05:2021 - Security Misconfiguration"
+    precision: high
+    tags: [info-disclosure, stacktrace, error-handling]
+
+# ZM-JAVA-CONSOLE-001: System.out/System.err 直接输出敏感变量
+- id: zm-java-console-001
+  severity: LOW
+  message: |
+    System.out/err 在控制器中使用——通常用于调试（密码/令牌/token 关键词）。
+    生产环境应使用 SLF4J/Logback 的级别过滤。
+  languages:
+    - java
+  pattern-either:
+    - pattern: System.out.println($X);
+    - pattern: System.err.println($X);
+  metadata:
+    cwe: "CWE-200: Exposure of Sensitive Information"
+    owasp: "A09:2021 - Security Logging and Monitoring Failures"
+    precision: low
+    tags: [info-disclosure, console, debug]
+
+# ZM-JAVA-SPRING-DEVTOOLS-001: Spring DevTools 远程调试在生产环境启用
+- id: zm-java-devtools-001
+  severity: HIGH
+  message: |
+    spring-boot-devtools 在生产 classpath 中——Remote Restart 可被利用执行任意代码。
+    移除生产环境的 devtools 依赖或设置 `spring.devtools.remote.enabled=false`。
+  languages:
+    - java
+  pattern: |
+    import org.springframework.boot.devtools.$X;
+  metadata:
+    cwe: "CWE-200: Exposure of Sensitive Information"
+    owasp: "A05:2021 - Security Misconfiguration"
+    precision: very-high
+    tags: [info-disclosure, devtools, rce]
+
+# ZM-JAVA-ERROR-PAGE-001: 自定义错误页面中泄露内部路径/类名
+- id: zm-java-error-page-001
+  severity: LOW
+  message: |
+    ResponseEntity 构造中可能包含 `e.getMessage()` — 泄露内部类名/路径。
+    生产环境返回通用错误消息 `"Internal Server Error"` 而非异常消息。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        return ResponseEntity.status(500).body($E.getMessage());
+    - pattern: |
+        ResponseEntity.status($CODE).body($E.getMessage())
+  metadata:
+    cwe: "CWE-200: Exposure of Sensitive Information"
+    owasp: "A05:2021 - Security Misconfiguration"
+    precision: medium
+    tags: [info-disclosure, error-page, spring-boot]
+
+# ZM-JAVA-CORS-WILDCARD: CORS Access-Control-Allow-Origin 为 * + credentials
+- id: zm-java-cors-wildcard-001
+  severity: MEDIUM
+  message: |
+    CORS origin 为 "*" 且 allowCredentials=true——违反 W3C CORS 规范，
+    浏览器将拒绝该响应，配置无效。改为显式列出受信任 origin。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        @CrossOrigin(origins = "*")
+    - pattern: |
+        @CrossOrigin(origins = {"*"})
+  metadata:
+    cwe: "CWE-200: Exposure of Sensitive Information"
+    owasp: "A05:2021 - Security Misconfiguration"
+    precision: very-high
+    tags: [cors, misconfiguration]