@zhuma4/cli 4.0.0-alpha.1

package/rules/common/zm-java-cwe22-file-depth.yaml

@@ -0,0 +1,135 @@
+# CWE-22/434/73 文件操作深度覆盖: 路径遍历全量sink + 文件上传危险模式
+
+rules:
+
+# ZM-JAVA-FILE-READ-001: Files.read/readAllBytes/readString 路径由用户可控
+- id: zm-java-file-read-001
+  severity: HIGH
+  message: |
+    Files.readXXX / FileInputStream 使用用户可控路径——路径遍历/任意文件读取。
+    校验路径不以 ../ 开头，规范化后验证在允许的根目录内。
+  languages:
+    - java
+  pattern-either:
+    - pattern: Files.readAllBytes($PATH)
+    - pattern: Files.readString($PATH)
+    - pattern: Files.readAllLines($PATH)
+    - pattern: Files.newInputStream($PATH)
+    - pattern: new FileInputStream($PATH)
+  metadata:
+    cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory"
+    owasp: "A01:2021 - Broken Access Control"
+    precision: medium
+    tags: [path-traversal, file-read, nio]
+
+# ZM-JAVA-FILE-WRITE-001: Files.write 路径可控
+- id: zm-java-file-write-001
+  severity: CRITICAL
+  message: |
+    Files.write/FileOutputStream 使用用户可控路径——任意文件写入，可getshell。
+    同路径遍历规则校验路径在允许范围内，且不要接受完整文件名。
+  languages:
+    - java
+  pattern-either:
+    - pattern: Files.write($PATH, $CONTENT)
+    - pattern: Files.newOutputStream($PATH)
+    - pattern: new FileOutputStream($PATH)
+    - pattern: $FILE.createNewFile()
+  metadata:
+    cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory"
+    owasp: "A01:2021 - Broken Access Control"
+    precision: medium
+    tags: [path-traversal, file-write, rce]
+
+# ZM-JAVA-FILE-DELETE-001: Files.delete/deleteIfExists 路径可控
+- id: zm-java-file-delete-001
+  severity: MEDIUM
+  message: |
+    Files.delete/deleteIfExists 使用用户可控路径——可删除任意文件。
+    校验路径在白名单内，使用 UUID 文件名避免路径注入。
+  languages:
+    - java
+  pattern-either:
+    - pattern: Files.delete($PATH)
+    - pattern: Files.deleteIfExists($PATH)
+    - pattern: $FILE.delete()
+  metadata:
+    cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory"
+    owasp: "A01:2021 - Broken Access Control"
+    precision: medium
+    tags: [path-traversal, file-delete]
+
+# ZM-JAVA-UPLOAD-PATH-001: MultipartFile transferTo 使用用户可控路径
+- id: zm-java-upload-path-001
+  severity: CRITICAL
+  message: |
+    MultipartFile.transferTo() 目标路径使用原始文件名 + 用户可控目录——可覆盖任意文件。
+    使用 UUID 重命名上传文件，并确保上传目录在配置的 uploads/ 根内。
+  languages:
+    - java
+  pattern-either:
+    - pattern: $FILE.transferTo(new File($PATH));
+    - pattern: $FILE.transferTo($DEST);
+  metadata:
+    cwe: "CWE-434: Unrestricted Upload of File with Dangerous Type"
+    owasp: "A03:2021 - Injection"
+    precision: high
+    tags: [file-upload, path-traversal]
+    references:
+      - https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
+
+# ZM-JAVA-UPLOAD-EXT-001: 文件上传缺少扩展名校验
+- id: zm-java-upload-ext-001
+  severity: HIGH
+  message: |
+    MultipartFile.getOriginalFilename() 直接用于存储——未校验扩展名/Content-Type。
+    限制允许的文件类型（白名单），校验 Magic Bytes，禁止 .jsp/.exe/.sh 等可执行后缀。
+  languages:
+    - java
+  pattern-either:
+    - pattern: $FILE.getOriginalFilename()
+    - pattern: $PART.getOriginalFilename()
+  metadata:
+    cwe: "CWE-434: Unrestricted Upload of File with Dangerous Type"
+    owasp: "A03:2021 - Injection"
+    precision: low
+    tags: [file-upload, extension-bypass]
+    references:
+      - https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
+
+# ZM-JAVA-ZIP-SLIP-001: ZipEntry 解压前未校验路径
+- id: zm-java-zip-slip-001
+  severity: CRITICAL
+  message: |
+    ZipEntry.getName() 直接用于 new File(outputDir, entryName) —— 可触发 Zip Slip 路径穿越。
+    规范化后再校验：new File(outputDir, entryName).getCanonicalPath().startsWith(outputDir)
+  languages:
+    - java
+  pattern-either:
+    - pattern: new File($OUTDIR, $ENTRY.getName())
+    - pattern: |
+        $ENTRY = $ZIP.getNextEntry();
+        ...
+        new File($DIR, $ENTRY);
+  metadata:
+    cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory"
+    owasp: "A01:2021 - Broken Access Control"
+    precision: high
+    tags: [zip-slip, path-traversal, rce]
+    references:
+      - https://snyk.io/research/zip-slip-vulnerability
+
+# ZM-JAVA-TEMP-FILE-001: 临时文件使用已弃用 API
+- id: zm-java-temp-file-001
+  severity: LOW
+  message: |
+    File.createTempFile 前缀/后缀固定且无 SecureRandom — 临时文件名可预测。
+    迁移到 Files.createTempFile() 并指定 SecureRandom 前缀。
+  languages:
+    - java
+  pattern: File.createTempFile($PREFIX, $SUFFIX)
+  metadata:
+    cwe: "CWE-377: Insecure Temporary File"
+    owasp: "A01:2021 - Broken Access Control"
+    precision: high
+    tags: [temp-file, race-condition]

package/rules/common/zm-java-cwe22-path-traversal-spring.yaml

@@ -0,0 +1,81 @@
+# CWE-22: Path Traversal — Spring-specific sinks
+# ZhuMa V4.1 — complement zm-java-cwe22-file-depth.yaml
+
+rules:
+
+# ZM-JAVA-PATH-SPRING-001: ClassPathResource with user-controlled path
+- id: zm-java-path-spring-001
+  severity: MEDIUM
+  message: |
+    Spring ClassPathResource constructed with user input — path traversal into classpath resources.
+    Attacker can read application.properties or other sensitive classpath files.
+    Fix: validate path against whitelist; use ResourcePatternResolver with allowed prefix.
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        new ClassPathResource($REQ.getParameter(...))
+    - pattern: |
+        new ClassPathResource($STR + $REQ.getParameter(...))
+    - pattern: |
+        new ClassPathResource($REQ.getParameter(...)).getInputStream()
+  metadata:
+    cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory"
+    severity: MEDIUM
+    precision: high
+    category: path-traversal
+    likelihood: MEDIUM
+    impact: MEDIUM
+    owasp: "A01:2021 - Broken Access Control"
+
+# ZM-JAVA-PATH-SPRING-002: FileSystemResource with user-controlled path
+- id: zm-java-path-spring-002
+  severity: HIGH
+  message: |
+    Spring FileSystemResource constructed with user input — arbitrary file read/write on filesystem.
+    Attacker can traverse to read /etc/passwd or application config files.
+    Fix: normalize path and verify it stays within allowed directory root.
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        new FileSystemResource($REQ.getParameter(...))
+    - pattern: |
+        new FileSystemResource($DIR + $REQ.getParameter(...))
+    - pattern: |
+        new FileSystemResource($REQ.getParameter(...)).getFile()
+    - pattern: |
+        new FileSystemResource($REQ.getParameter(...)).getInputStream()
+  metadata:
+    cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory"
+    severity: HIGH
+    precision: high
+    category: path-traversal
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A01:2021 - Broken Access Control"
+
+# ZM-JAVA-PATH-SPRING-003: ServletContext.getRealPath() with user input
+- id: zm-java-path-spring-003
+  severity: HIGH
+  message: |
+    ServletContext.getRealPath() with user-controlled virtual path — discloses server filesystem layout.
+    Attackers can map internal file structure; combined with file write leads to RCE.
+    Fix: never pass user input to getRealPath(); use fixed virtual paths or config-based resource mapping.
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $CTX.getRealPath($REQ.getParameter(...))
+    - pattern: |
+        $CTX.getRealPath($STR + $REQ.getParameter(...))
+    - pattern: |
+        $REQ.getServletContext().getRealPath($REQ.getParameter(...))
+  metadata:
+    cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory"
+    severity: HIGH
+    precision: high
+    category: path-traversal
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A01:2021 - Broken Access Control"

package/rules/common/zm-java-cwe284-missing-auth-spring.yaml

@@ -0,0 +1,131 @@
+# CWE-284/862: Missing Authorization — Spring Security deeper patterns
+# ZhuMa V4.1 — complement zm-java-cwe862-authz-depth.yaml and cwe200-actuator-exposure.yaml
+
+rules:
+
+# ZM-JAVA-AUTHZ-SPRING-001: WebSecurityConfig permitAll on sensitive paths
+- id: zm-java-authz-spring-001
+  severity: HIGH
+  message: |
+    Spring Security WebSecurityConfig uses requestMatchers(...).permitAll() on paths likely to be sensitive.
+    Check if these endpoints should be authenticated (e.g. /api/admin, /manage, /internal).
+    Fix: require authentication for sensitive paths; use hasRole/hasAuthority for admin endpoints.
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $HTTP.requestMatchers("/api/**").permitAll()
+    - pattern: |
+        $HTTP.requestMatchers("/admin/**").permitAll()
+    - pattern: |
+        $HTTP.requestMatchers("/manage/**").permitAll()
+    - pattern: |
+        $HTTP.requestMatchers("/internal/**").permitAll()
+    - pattern: |
+        $HTTP.requestMatchers("/graphql").permitAll()
+    - pattern: |
+        $HTTP.anyRequest().permitAll()
+  metadata:
+    cwe: "CWE-284: Improper Access Control"
+    severity: HIGH
+    precision: high
+    category: authorization
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A01:2021 - Broken Access Control"
+
+# ZM-JAVA-AUTHZ-SPRING-002: POST/PUT/DELETE endpoints without method security
+- id: zm-java-authz-spring-002
+  severity: HIGH
+  message: |
+    Spring MVC controller has state-changing endpoints (@PostMapping/@PutMapping/@DeleteMapping) without @PreAuthorize.
+    These write operations should be explicitly protected with role-based authorization.
+    Fix: add @PreAuthorize("hasRole('ADMIN')") or @Secured("ROLE_ADMIN") to write endpoints.
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        @$CTRL
+        class $CLASS {
+          ...
+          @PostMapping($PATH)
+          $RET $METHOD(...) {
+            ...
+          }
+          ...
+        }
+    - pattern: |
+        @$CTRL
+        class $CLASS {
+          ...
+          @PutMapping($PATH)
+          $RET $METHOD(...) {
+            ...
+          }
+          ...
+        }
+    - pattern: |
+        @$CTRL
+        class $CLASS {
+          ...
+          @DeleteMapping($PATH)
+          $RET $METHOD(...) {
+            ...
+          }
+          ...
+        }
+  pattern-not: |
+    @$CTRL
+    class $CLASS {
+      ...
+      @PreAuthorize($X)
+    }
+  metadata:
+    cwe: "CWE-862: Missing Authorization"
+    severity: HIGH
+    precision: medium
+    category: authorization
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A01:2021 - Broken Access Control"
+    references:
+      - "https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html"
+
+# ZM-JAVA-AUTHZ-SPRING-003: @EnableWebSecurity without @EnableMethodSecurity
+- id: zm-java-authz-spring-003
+  severity: MEDIUM
+  message: |
+    SecurityConfig annotated with @EnableWebSecurity but missing @EnableMethodSecurity.
+    Without method-level security, @PreAuthorize annotations on controllers have no effect.
+    Fix: add @EnableMethodSecurity (Spring Security 6+) or @EnableGlobalMethodSecurity(prePostEnabled = true).
+  languages:
+    - java
+  patterns:
+    - pattern: |
+        @Configuration
+        @EnableWebSecurity
+        class $CLASS {
+          ...
+        }
+    - pattern-not: |
+        @Configuration
+        @EnableWebSecurity
+        @EnableMethodSecurity
+        class $CLASS {
+          ...
+        }
+    - pattern-not: |
+        @Configuration
+        @EnableWebSecurity
+        @EnableGlobalMethodSecurity
+        class $CLASS {
+          ...
+        }
+  metadata:
+    cwe: "CWE-284: Improper Access Control"
+    severity: MEDIUM
+    precision: medium
+    category: authorization
+    likelihood: MEDIUM
+    impact: MEDIUM
+    owasp: "A05:2021 - Security Misconfiguration"

package/rules/common/zm-java-cwe295-webview-ssl.yaml

@@ -0,0 +1,123 @@
+# CWE-295: Java SSL/TLS 不安全配置检测 (WebView / 自定义TrustManager)
+# 逐码 ZhuMa V4.1 Sprint — Java 规则库
+# 覆盖: AllowAllHostnameVerifier/TrustAllX509TrustManager实现
+
+rules:
+
+# ZM-JAVA-SSL-001: TrustAll / AllowAll X509TrustManager 实现
+- id: zm-java-ssl-001
+  severity: ERROR
+  message: |
+    检测到自定义 X509TrustManager 实现中绕过所有证书校验
+    (checkClientTrusted / checkServerTrusted 为空方法体)。
+    这等效于禁用SSL/TLS证书验证，允许中间人攻击(MITM)。
+
+    攻击者可通过伪造证书拦截加密通信，窃取敏感数据。
+
+    修复:
+    1. 删除自定义的空 TrustManager 实现
+    2. 使用系统默认的 TrustManagerFactory
+    3. 如确需自定义信任，仅添加特定证书(用 KeyStore 加载)
+    4. Android: 使用 network_security_config.xml 配置证书固定
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        new X509TrustManager() {
+          ...
+          public void checkClientTrusted(...) {}
+          ...
+          public void checkServerTrusted(...) {}
+          ...
+        }
+    - pattern: |
+        new X509TrustManager() {
+          ...
+          public void checkClientTrusted(...) { }
+          ...
+          public void checkServerTrusted(...) { }
+          ...
+        }
+  metadata:
+    cwe: "CWE-295: Improper Certificate Validation"
+    severity: ERROR
+    precision: very-high
+    category: ssl
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A02:2021 - Cryptographic Failures"
+    references:
+      - "https://developer.android.com/training/articles/security-config"
+      - "https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning"
+
+# ZM-JAVA-SSL-002: HostnameVerifier 绕过 ALLOW_ALL
+- id: zm-java-ssl-002
+  severity: ERROR
+  message: |
+    检测到使用 ALLOW_ALL_HOSTNAME_VERIFIER 或 hostnameVerifier 始终返回 true。
+    这绕过了SSL/TLS的主机名验证，允许攻击者使用任意证书冒充合法服务。
+
+    涉及的API:
+    - SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER
+    - HttpsURLConnection.setDefaultHostnameVerifier
+    - OkHttpClient.Builder.hostnameVerifier
+    - Apache SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER
+
+    修复:
+    1. 移除 ALLOW_ALL_HOSTNAME_VERIFIER 使用默认验证器
+    2. 使用 OkHostnameVerifier / DefaultHostnameVerifier
+    3. Android: 使用 network_security_config.xml
+  languages:
+    - java
+  pattern-either:
+    - pattern: ALLOW_ALL_HOSTNAME_VERIFIER
+    - pattern: new HostnameVerifier() { ... return true; ... }
+    - pattern: $BUILDER.hostnameVerifier($HV)
+    - pattern: $CONN.setHostnameVerifier($HV)
+  metadata:
+    cwe: "CWE-295: Improper Certificate Validation"
+    severity: ERROR
+    precision: very-high
+    category: ssl
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A02:2021 - Cryptographic Failures"
+    references:
+      - "https://developer.android.com/training/articles/security-ssl"
+
+# ZM-JAVA-SSL-003: Android WebView 不安全SSL配置
+- id: zm-java-ssl-003
+  severity: ERROR
+  message: |
+    检测到 Android WebView 中 onReceivedSslError handler 调用 handler.proceed()，
+    忽略 SSL 证书错误继续加载页面。攻击者可利用中间人攻击窃取 WebView 中的敏感数据。
+
+    修复:
+    1. 删除 handler.proceed() 调用，使用 handler.cancel()
+    2. 使用 Android Network Security Config 配置证书固定:
+       <network-security-config>
+         <domain-config>
+           <domain includeSubdomains="true">example.com</domain>
+           <pin-set>
+             <pin digest="SHA-256">...</pin>
+           </pin-set>
+         </domain-config>
+       </network-security-config>
+    3. 仅在 debug 构建中使用 proceed()
+  languages:
+    - java
+  pattern-either:
+    - pattern: $HANDLER.proceed()
+    - pattern: handler.proceed()
+    - pattern: $SV.proceed()
+  metadata:
+    cwe: "CWE-295: Improper Certificate Validation"
+    severity: ERROR
+    precision: very-high
+    category: ssl
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A02:2021 - Cryptographic Failures"
+    references:
+      - "https://developer.android.com/training/articles/security-ssl"
+      - "https://developer.android.com/training/articles/security-config"

package/rules/common/zm-java-cwe327-weakcrypto.yaml

@@ -0,0 +1,197 @@
+# CWE-327: 弱加密算法深度检测
+# 逐码 ZhuMa V4.1 — 通用规则库
+# 检测: Cipher.getInstance("DES"/"RC4"/"Blowfish") 及不安全的密钥派生/密码学误用
+
+rules:
+
+# ZM-JAVA-WEAKCRYPTO-DEEP-001: Cipher.getInstance 弱算法 (增强版)
+- id: zm-java-weakcrypto-deep-001
+  severity: WARNING
+  message: |
+    检测到 Cipher.getInstance() 使用了已淘汰或存在已知缺陷的加密算法。
+    包括: DES (56位密钥,可暴力破解)、RC2 (64位块,已淘汰)、RC4 (密钥流偏向性)、
+    Blowfish (64位块,Sweet32攻击)、ARCFOUR (RC4别名)。
+    这些算法不符合现代安全标准，应迁移至 AES-256-GCM 或 ChaCha20-Poly1305。
+    修复方案:
+    1. 对称加密: Cipher.getInstance("AES/GCM/NoPadding")
+    2. 使用 256 位密钥 + 12 字节随机 IV
+    3. 参考 NIST SP 800-131A Rev.2 算法生命周期
+  languages:
+    - java
+  pattern-either:
+    - pattern: Cipher.getInstance("DES")
+    - pattern: Cipher.getInstance("DES/")
+    - pattern: Cipher.getInstance("RC2")
+    - pattern: Cipher.getInstance("RC4")
+    - pattern: Cipher.getInstance("Blowfish")
+    - pattern: Cipher.getInstance("ARCFOUR")
+    - pattern: Cipher.getInstance("DESede")
+    - pattern: Cipher.getInstance("DESede/")
+    - pattern: Cipher.getInstance("3DES")
+    - pattern: Cipher.getInstance("3DES/")
+  metadata:
+    cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
+    severity: WARNING
+    precision: very-high
+    category: crypto
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A02:2021 - Cryptographic Failures"
+    references:
+      - "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf"
+      - "https://sweet32.info/"
+      - "https://cwe.mitre.org/data/definitions/327.html"
+
+# ZM-JAVA-WEAKCRYPTO-DEEP-002: KeyGenerator 弱算法
+- id: zm-java-weakcrypto-deep-002
+  severity: WARNING
+  message: |
+    检测到 KeyGenerator.getInstance() 使用了弱加密算法。
+    DES/RC2/Blowfish 密钥生成器意味着意图使用弱加密算法。
+    应迁移至 KeyGenerator.getInstance("AES") 配合 256 位密钥。
+  languages:
+    - java
+  pattern-either:
+    - pattern: KeyGenerator.getInstance("DES")
+    - pattern: KeyGenerator.getInstance("RC2")
+    - pattern: KeyGenerator.getInstance("Blowfish")
+    - pattern: KeyGenerator.getInstance("DESede")
+    - pattern: KeyGenerator.getInstance("RC4")
+  metadata:
+    cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
+    severity: WARNING
+    precision: very-high
+    category: crypto
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A02:2021 - Cryptographic Failures"
+
+# ZM-JAVA-WEAKCRYPTO-DEEP-003: 自定义/非标准加密实现
+- id: zm-java-weakcrypto-deep-003
+  severity: WARNING
+  message: |
+    检测到自定义或非标准加密类调用（非 javax.crypto.Cipher）。
+    自定义加密实现通常存在严重的密码学缺陷（弱密钥派生、错误模式、旁信道）。
+    除非经过专业密码学审计，否则应使用标准库 Cipher/AES-GCM。
+    修复方案:
+    1. 使用 javax.crypto.Cipher 标准 API
+    2. 使用经过认证的加密库（如 Google Tink, Bouncy Castle）
+    3. 禁止自研加密算法
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        new $CUSTOMCIPHER(...).encrypt(...)
+    - pattern: |
+        new $CUSTOMCIPHER(...).decrypt(...)
+    - pattern: |
+        $CIPHER.encrypt(...)
+    - pattern: |
+        $CIPHER.decrypt(...)
+  paths:
+    include:
+      - "**/*.java"
+  metadata:
+    cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
+    severity: WARNING
+    precision: low
+    category: crypto
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A02:2021 - Cryptographic Failures"
+
+# ZM-JAVA-WEAKCRYPTO-DEEP-004: 弱密码哈希 (MD5/SHA-1)
+- id: zm-java-weakcrypto-deep-004
+  severity: WARNING
+  message: |
+    检测到使用 MessageDigest.getInstance("MD5") 或 ("SHA-1") 进行密码哈希。
+    MD5 和 SHA-1 已可被碰撞攻击，不应用于安全场景（密码存储、数字签名）。
+    应使用 bcrypt、scrypt、Argon2 (密码哈希) 或 SHA-256/SHA-3 (完整性校验)。
+    修复方案:
+    1. 密码存储: BCryptPasswordEncoder / Argon2PasswordEncoder
+    2. 完整性校验: MessageDigest.getInstance("SHA-256") 或 "SHA-512"
+    3. 数字签名: Signature.getInstance("SHA256withRSA")
+  languages:
+    - java
+  pattern-either:
+    - pattern: MessageDigest.getInstance("MD5")
+    - pattern: MessageDigest.getInstance("SHA-1")
+    - pattern: MessageDigest.getInstance("SHA1")
+    - pattern: DigestUtils.md5Hex(...)
+    - pattern: DigestUtils.sha1Hex(...)
+    - pattern: new DigestUtils("MD5")
+    - pattern: new DigestUtils("SHA-1")
+  metadata:
+    cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
+    severity: WARNING
+    precision: very-high
+    category: crypto
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A02:2021 - Cryptographic Failures"
+    references:
+      - "https://shattered.io/"
+      - "https://cwe.mitre.org/data/definitions/328.html"
+
+# ZM-JAVA-WEAKCRYPTO-DEEP-005: SecureRandom 不安全种子
+- id: zm-java-weakcrypto-deep-005
+  severity: WARNING
+  message: |
+    检测到 SecureRandom 使用了固定或可预测的种子 (setSeed)。
+    固定种子会导致"随机"数可被完全预测，破坏加密安全性。
+    SecureRandom 默认使用操作系统熵源，无需手动设置种子。
+    修复方案:
+    1. 移除手动 setSeed() 调用，使用默认构造的 SecureRandom
+    2. 若必须设置种子，使用 System.nanoTime() + 硬件熵源混合
+    3. 确保在 Linux 上 /dev/urandom 可用
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        new SecureRandom($BYTES).setSeed(...)
+    - pattern: |
+        $SR = new SecureRandom();
+        ...
+        $SR.setSeed($SEED);
+        ...
+    - pattern: |
+        new SecureRandom(0)
+  metadata:
+    cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
+    severity: WARNING
+    precision: medium
+    category: crypto
+    likelihood: MEDIUM
+    impact: MEDIUM
+    owasp: "A02:2021 - Cryptographic Failures"
+
+# ZM-JAVA-WEAKCRYPTO-DEEP-006: 硬编码 AES/DES 密钥
+- id: zm-java-weakcrypto-deep-006
+  severity: WARNING
+  message: |
+    检测到 SecretKeySpec 使用了字面量字符串作为密钥材料，属于硬编码密钥。
+    硬编码密钥一旦泄露（如代码仓库公开），攻击者可解密所有受保护数据。
+    修复方案:
+    1. 密钥从环境变量或密钥管理服务 (KMS) 获取
+    2. 使用 KeyStore / Vault 等安全密钥存储
+    3. 密钥应在部署时自动生成，每个环境独立
+    4. 参考 NIST SP 800-57 密钥管理最佳实践
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        new SecretKeySpec("...".getBytes(), $ALG)
+    - pattern: |
+        new SecretKeySpec($KEY_STR.getBytes(), "AES")
+    - pattern: |
+        new SecretKeySpec($KEY_STR.getBytes(), "DES")
+    - pattern: |
+        new SecretKeySpec("...".getBytes("..."), $ALG)
+  metadata:
+    cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
+    severity: WARNING
+    precision: medium
+    category: crypto
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A02:2021 - Cryptographic Failures"

package/rules/common/zm-java-cwe347-jwt.yaml

@@ -0,0 +1,30 @@
+# CWE-347: JWT 安全配置缺陷
+rules:
+- id: zm-java-jwt-01
+  severity: WARNING
+  message: JWT Parser 未调用 requireIssuer/requireAudience，可能接受任意发行者的令牌。
+  languages: [java]
+  pattern-either:
+    - pattern: Jwts.parser().setSigningKey($KEY).parseClaimsJws($TOKEN)
+    - pattern: Jwts.parserBuilder().setSigningKey($KEY).build().parseClaimsJws($TOKEN)
+  metadata: { cwe: "CWE-347", precision: medium, category: auth, owasp: "A02:2021 - Cryptographic Failures" }
+
+- id: zm-java-jwt-02
+  severity: ERROR
+  message: JWT 签名密钥硬编码为字符串，可被攻击者伪造令牌。
+  languages: [java]
+  pattern-either:
+    - pattern: Keys.hmacShaKeyFor("$KEY".getBytes())
+    - pattern: Keys.hmacShaKeyFor($STR.getBytes())
+    - pattern: Keys.secretKeyFor(SignatureAlgorithm.$ALG)
+  metadata: { cwe: "CWE-347", precision: medium, category: crypto, owasp: "A02:2021" }
+
+- id: zm-java-jwt-03
+  severity: WARNING
+  message: JWT 解析中接受过期令牌 acceptExpiredAt() / 允许宽松时间窗口。
+  languages: [java]
+  pattern-either:
+    - pattern: $PARSER.setAllowedClockSkewSeconds($N)
+    - pattern: $PARSER.setSigningKey($KEY).parseClaimsJws($TOKEN)
+    - pattern: Jwts.parserBuilder().setAllowedClockSkewSeconds($N).build()
+  metadata: { cwe: "CWE-347", precision: low, category: auth, owasp: "A02:2021" }