npm - @zhuma4/cli - Versions diffs - 4.0.0-alpha.1 - Mend

@zhuma4/cli 4.0.0-alpha.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (288) hide show

package/README.md +42 -0
package/dist/commands/config.d.ts +3 -0
package/dist/commands/config.d.ts.map +1 -0
package/dist/commands/config.js +18 -0
package/dist/commands/config.js.map +1 -0
package/dist/commands/init.d.ts +3 -0
package/dist/commands/init.d.ts.map +1 -0
package/dist/commands/init.js +11 -0
package/dist/commands/init.js.map +1 -0
package/dist/commands/scan.d.ts +3 -0
package/dist/commands/scan.d.ts.map +1 -0
package/dist/commands/scan.js +96 -0
package/dist/commands/scan.js.map +1 -0
package/dist/commands/scan_appid.d.ts +20 -0
package/dist/commands/scan_appid.d.ts.map +1 -0
package/dist/commands/scan_appid.js +301 -0
package/dist/commands/scan_appid.js.map +1 -0
package/dist/commands/scan_manifest.d.ts +13 -0
package/dist/commands/scan_manifest.d.ts.map +1 -0
package/dist/commands/scan_manifest.js +103 -0
package/dist/commands/scan_manifest.js.map +1 -0
package/dist/engine/api-submit.d.ts +16 -0
package/dist/engine/api-submit.d.ts.map +1 -0
package/dist/engine/api-submit.js +66 -0
package/dist/engine/api-submit.js.map +1 -0
package/dist/engine/batch_scan.d.ts +36 -0
package/dist/engine/batch_scan.d.ts.map +1 -0
package/dist/engine/batch_scan.js +192 -0
package/dist/engine/batch_scan.js.map +1 -0
package/dist/engine/config.d.ts +12 -0
package/dist/engine/config.d.ts.map +1 -0
package/dist/engine/config.js +27 -0
package/dist/engine/config.js.map +1 -0
package/dist/engine/errors.d.ts +36 -0
package/dist/engine/errors.d.ts.map +1 -0
package/dist/engine/errors.js +99 -0
package/dist/engine/errors.js.map +1 -0
package/dist/engine/filter.d.ts +13 -0
package/dist/engine/filter.d.ts.map +1 -0
package/dist/engine/filter.js +64 -0
package/dist/engine/filter.js.map +1 -0
package/dist/engine/finding_classifier.d.ts +108 -0
package/dist/engine/finding_classifier.d.ts.map +1 -0
package/dist/engine/finding_classifier.js +440 -0
package/dist/engine/finding_classifier.js.map +1 -0
package/dist/engine/incremental/engine.d.ts +25 -0
package/dist/engine/incremental/engine.d.ts.map +1 -0
package/dist/engine/incremental/engine.js +337 -0
package/dist/engine/incremental/engine.js.map +1 -0
package/dist/engine/incremental/git-diff.d.ts +19 -0
package/dist/engine/incremental/git-diff.d.ts.map +1 -0
package/dist/engine/incremental/git-diff.js +175 -0
package/dist/engine/incremental/git-diff.js.map +1 -0
package/dist/engine/incremental/types.d.ts +33 -0
package/dist/engine/incremental/types.d.ts.map +1 -0
package/dist/engine/incremental/types.js +11 -0
package/dist/engine/incremental/types.js.map +1 -0
package/dist/engine/manifest_scanner.d.ts +48 -0
package/dist/engine/manifest_scanner.d.ts.map +1 -0
package/dist/engine/manifest_scanner.js +599 -0
package/dist/engine/manifest_scanner.js.map +1 -0
package/dist/engine/project.d.ts +22 -0
package/dist/engine/project.d.ts.map +1 -0
package/dist/engine/project.js +279 -0
package/dist/engine/project.js.map +1 -0
package/dist/engine/sarif.d.ts +13 -0
package/dist/engine/sarif.d.ts.map +1 -0
package/dist/engine/sarif.js +44 -0
package/dist/engine/sarif.js.map +1 -0
package/dist/engine/sca-integration.d.ts +36 -0
package/dist/engine/sca-integration.d.ts.map +1 -0
package/dist/engine/sca-integration.js +91 -0
package/dist/engine/sca-integration.js.map +1 -0
package/dist/engine/scanner.d.ts +18 -0
package/dist/engine/scanner.d.ts.map +1 -0
package/dist/engine/scanner.js +138 -0
package/dist/engine/scanner.js.map +1 -0
package/dist/index.d.ts +13 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +41 -0
package/dist/index.js.map +1 -0
package/dist/report/render.d.ts +23 -0
package/dist/report/render.d.ts.map +1 -0
package/dist/report/render.js +335 -0
package/dist/report/render.js.map +1 -0
package/package.json +41 -0
package/rules/android/mobile-cleartext-traffic.yaml +46 -0
package/rules/android/mobile-component-security.yaml +107 -0
package/rules/android/mobile-crypto-weakness.yaml +139 -0
package/rules/android/mobile-cwe-1021-tapjacking.yaml +81 -0
package/rules/android/mobile-cwe-114-dynamic-dex-loading.yaml +41 -0
package/rules/android/mobile-cwe-200-clipboard-data-leak.yaml +66 -0
package/rules/android/mobile-cwe-200-debug-builds.yaml +111 -0
package/rules/android/mobile-cwe-200-log-sensitive-data.yaml +61 -0
package/rules/android/mobile-cwe-200-webview-debugging.yaml +56 -0
package/rules/android/mobile-cwe-200-webview-universal-access.yaml +30 -0
package/rules/android/mobile-cwe-200-window-flags.yaml +96 -0
package/rules/android/mobile-cwe-22-content-provider-openfile.yaml +73 -0
package/rules/android/mobile-cwe-22-path-traversal.yaml +86 -0
package/rules/android/mobile-cwe-287-biometric-weakness.yaml +102 -0
package/rules/android/mobile-cwe-295-cert-pinning-missing.yaml +78 -0
package/rules/android/mobile-cwe-295-webview-ssl-bypass.yaml +104 -0
package/rules/android/mobile-cwe-312-cleartext-storage.yaml +109 -0
package/rules/android/mobile-cwe-319-cleartext-communication.yaml +84 -0
package/rules/android/mobile-cwe-321-hardcoded-crypto-keys.yaml +132 -0
package/rules/android/mobile-cwe-326-short-rsa.yaml +108 -0
package/rules/android/mobile-cwe-327-rc4-3des.yaml +107 -0
package/rules/android/mobile-cwe-329-cbc-padding-oracle.yaml +76 -0
package/rules/android/mobile-cwe-470-reflection-injection.yaml +39 -0
package/rules/android/mobile-cwe-489-root-detection-weak.yaml +125 -0
package/rules/android/mobile-cwe-489-stetho-debug.yaml +107 -0
package/rules/android/mobile-cwe-502-insecure-deserialization.yaml +76 -0
package/rules/android/mobile-cwe-552-world-readable-files.yaml +63 -0
package/rules/android/mobile-cwe-749-webview-java-objects.yaml +78 -0
package/rules/android/mobile-cwe-749-webview-jsbridge.yaml +57 -0
package/rules/android/mobile-cwe-749-webview-loadurl-injection.yaml +80 -0
package/rules/android/mobile-cwe-78-command-injection.yaml +77 -0
package/rules/android/mobile-cwe-780-rsa-no-oaep.yaml +80 -0
package/rules/android/mobile-cwe-79-webview-setdata.yaml +78 -0
package/rules/android/mobile-cwe-79-webview-xss.yaml +65 -0
package/rules/android/mobile-cwe-798-hardcoded-credentials.yaml +108 -0
package/rules/android/mobile-cwe-89-sql-injection.yaml +100 -0
package/rules/android/mobile-cwe-927-implicit-intent.yaml +121 -0
package/rules/android/mobile-cwe-927-ipc-file-provider.yaml +102 -0
package/rules/android/mobile-cwe-939-deeplink-validation.yaml +76 -0
package/rules/android/mobile-sdk-google-firebase-open.yaml +117 -0
package/rules/android/mobile-sdk-tencent-tpns-config-leak.yaml +131 -0
package/rules/android/mobile-secrets-storage.yaml +136 -0
package/rules/android/mobile-webview-security.yaml +88 -0
package/rules/common/cwe-200-sensitive-data-exposure.yaml +61 -0
package/rules/common/cwe-22-path-traversal.yaml +47 -0
package/rules/common/cwe-295-ssl-bypass.yaml +217 -0
package/rules/common/cwe-295-ssl-verification-disabled.yaml +64 -0
package/rules/common/cwe-306-missing-authentication.yaml +44 -0
package/rules/common/cwe-326-weak-key-size.yaml +107 -0
package/rules/common/cwe-327-weak-crypto.yaml +177 -0
package/rules/common/cwe-328-weak-hash.yaml +96 -0
package/rules/common/cwe-329-cbc-mode.yaml +26 -0
package/rules/common/cwe-352-csrf.yaml +23 -0
package/rules/common/cwe-434-unrestricted-file-upload.yaml +41 -0
package/rules/common/cwe-502-insecure-deserialization.yaml +44 -0
package/rules/common/cwe-601-url-redirect.yaml +110 -0
package/rules/common/cwe-611-xxe.yaml +70 -0
package/rules/common/cwe-732-incorrect-permission.yaml +49 -0
package/rules/common/cwe-770-resource-exhaustion.yaml +44 -0
package/rules/common/cwe-78-os-command-injection.yaml +43 -0
package/rules/common/cwe-787-out-of-bounds-write.yaml +37 -0
package/rules/common/cwe-79-xss.yaml +51 -0
package/rules/common/cwe-862-missing-authorization.yaml +40 -0
package/rules/common/cwe-89-sqli.yaml +89 -0
package/rules/common/cwe-918-ssrf.yaml +45 -0
package/rules/common/cwe-94-code-injection.yaml +59 -0
package/rules/common/zm-go-cwe22-path-traversal-fs.yaml +117 -0
package/rules/common/zm-go-cwe22-path-traversal.yaml +103 -0
package/rules/common/zm-go-cwe307-brute-force.yaml +129 -0
package/rules/common/zm-go-cwe326-weak-crypto.yaml +124 -0
package/rules/common/zm-go-cwe327-weak-cipher.yaml +152 -0
package/rules/common/zm-go-cwe384-session-fixation.yaml +128 -0
package/rules/common/zm-go-cwe502-deserialization.yaml +120 -0
package/rules/common/zm-go-cwe78-command-injection.yaml +95 -0
package/rules/common/zm-go-cwe79-xss.yaml +104 -0
package/rules/common/zm-go-cwe798-hardcoded-creds.yaml +153 -0
package/rules/common/zm-go-cwe89-sqli.yaml +89 -0
package/rules/common/zm-go-cwe918-ssrf.yaml +117 -0
package/rules/common/zm-java-cwe117-log-injection.yaml +83 -0
package/rules/common/zm-java-cwe117-logforging.yaml +153 -0
package/rules/common/zm-java-cwe200-actuator-exposure.yaml +8 -0
package/rules/common/zm-java-cwe200-info-disclosure.yaml +91 -0
package/rules/common/zm-java-cwe22-file-depth.yaml +135 -0
package/rules/common/zm-java-cwe22-path-traversal-spring.yaml +81 -0
package/rules/common/zm-java-cwe284-missing-auth-spring.yaml +131 -0
package/rules/common/zm-java-cwe295-webview-ssl.yaml +123 -0
package/rules/common/zm-java-cwe327-weakcrypto.yaml +197 -0
package/rules/common/zm-java-cwe347-jwt.yaml +30 -0
package/rules/common/zm-java-cwe352-csrf-depth.yaml +107 -0
package/rules/common/zm-java-cwe352-csrf-disabled.yaml +15 -0
package/rules/common/zm-java-cwe501-trust-boundary.yaml +124 -0
package/rules/common/zm-java-cwe502-deserial-depth.yaml +128 -0
package/rules/common/zm-java-cwe502-fastjson.yaml +137 -0
package/rules/common/zm-java-cwe502-gadget.yaml +158 -0
package/rules/common/zm-java-cwe502-jndi-injection.yaml +91 -0
package/rules/common/zm-java-cwe502-shiro.yaml +108 -0
package/rules/common/zm-java-cwe601-url-redirect-spring.yaml +85 -0
package/rules/common/zm-java-cwe611-xxe-enhanced.yaml +80 -0
package/rules/common/zm-java-cwe611-xxe-transformer.yaml +85 -0
package/rules/common/zm-java-cwe639-idor.yaml +123 -0
package/rules/common/zm-java-cwe79-xss-depth.yaml +98 -0
package/rules/common/zm-java-cwe862-authz-depth.yaml +127 -0
package/rules/common/zm-java-cwe915-mass-assignment.yaml +16 -0
package/rules/common/zm-java-cwe917-expression-injection.yaml +120 -0
package/rules/common/zm-java-cwe918-resttemplate.yaml +67 -0
package/rules/common/zm-java-cwe918-ssrf-depth.yaml +103 -0
package/rules/common/zm-java-cwe918-ssrf-resttemplate.yaml +77 -0
package/rules/common/zm-java-cwe918-webclient.yaml +44 -0
package/rules/common/zm-java-cwe94-ognl.yaml +66 -0
package/rules/common/zm-java-cwe94-spel-injection.yaml +85 -0
package/rules/common/zm-java-cwe94-spel.yaml +112 -0
package/rules/common/zm-java-cwe94-ssti.yaml +22 -0
package/rules/common/zm-java-cwe942-cors.yaml +15 -0
package/rules/common/zm-js-cwe1321-prototype-pollution.yaml +61 -0
package/rules/common/zm-js-cwe200-info-disclosure.yaml +95 -0
package/rules/common/zm-js-cwe22-path-traversal-fs.yaml +113 -0
package/rules/common/zm-js-cwe22-pathtraversal.yaml +111 -0
package/rules/common/zm-js-cwe307-brute-force.yaml +136 -0
package/rules/common/zm-js-cwe345-postmessage.yaml +75 -0
package/rules/common/zm-js-cwe347-jwt-weak.yaml +95 -0
package/rules/common/zm-js-cwe352-csrf.yaml +52 -0
package/rules/common/zm-js-cwe384-session-fixation.yaml +132 -0
package/rules/common/zm-js-cwe502-deserialization.yaml +119 -0
package/rules/common/zm-js-cwe611-xxe.yaml +108 -0
package/rules/common/zm-js-cwe639-idor.yaml +122 -0
package/rules/common/zm-js-cwe693-helmet-missing.yaml +46 -0
package/rules/common/zm-js-cwe78-exec.yaml +37 -0
package/rules/common/zm-js-cwe78-spawn.yaml +37 -0
package/rules/common/zm-js-cwe79-domxss.yaml +84 -0
package/rules/common/zm-js-cwe79-react-xss.yaml +18 -0
package/rules/common/zm-js-cwe79-xss-ejs.yaml +70 -0
package/rules/common/zm-js-cwe89-sqli.yaml +153 -0
package/rules/common/zm-js-cwe915-mass-assignment.yaml +111 -0
package/rules/common/zm-js-cwe918-ssrf-fetch.yaml +134 -0
package/rules/common/zm-js-cwe918-ssrf.yaml +132 -0
package/rules/common/zm-js-cwe94-template-injection.yaml +130 -0
package/rules/common/zm-js-cwe942-cors.yaml +49 -0
package/rules/common/zm-js-cwe943-nosql-injection.yaml +52 -0
package/rules/common/zm-js-cwe95-eval.yaml +59 -0
package/rules/common/zm-js-cwe95-function-ctor.yaml +31 -0
package/rules/common/zm-py-cwe22-path-traversal.yaml +86 -0
package/rules/common/zm-py-cwe327-weak-crypto.yaml +103 -0
package/rules/common/zm-py-cwe502-pickle.yaml +92 -0
package/rules/common/zm-py-cwe611-xxe.yaml +100 -0
package/rules/common/zm-py-cwe78-command-injection.yaml +121 -0
package/rules/common/zm-py-cwe79-xss.yaml +123 -0
package/rules/common/zm-py-cwe798-hardcoded-creds.yaml +86 -0
package/rules/common/zm-py-cwe89-sqli.yaml +59 -0
package/rules/common/zm-py-cwe918-ssrf.yaml +123 -0
package/rules/common/zm-py-cwe94-ssti.yaml +87 -0
package/rules/common/zm-py-cwe943-nosql-injection.yaml +123 -0
package/rules/iac/ansible/zm-ansible-cwe269-privilege-escalation.yaml +63 -0
package/rules/iac/ansible/zm-ansible-cwe78-command-injection.yaml +67 -0
package/rules/iac/ansible/zm-ansible-cwe798-hardcoded-creds.yaml +93 -0
package/rules/iac/terraform/zm-tf-cwe200-s3-bucket-public.yaml +100 -0
package/rules/iac/terraform/zm-tf-cwe284-sg-wide-open.yaml +88 -0
package/rules/iac/terraform/zm-tf-cwe311-iam-wildcard.yaml +83 -0
package/rules/iac/terraform/zm-tf-cwe319-rds-public.yaml +72 -0
package/rules/iac/terraform/zm-tf-cwe798-hardcoded-creds.yaml +102 -0
package/rules/iac/zm-docker-cwe250-root-user.yaml +50 -0
package/rules/iac/zm-docker-cwe400-resource-limit.yaml +92 -0
package/rules/iac/zm-docker-security.yaml +104 -0
package/rules/iac/zm-k8s-cwe200-service-account.yaml +83 -0
package/rules/iac/zm-k8s-cwe250-privileged.yaml +56 -0
package/rules/iac/zm-k8s-security.yaml +79 -0
package/rules/rules_index.yaml.off +477 -0
package/rules/semgrep-registry/anonymous-ldap-bind.yaml +34 -0
package/rules/semgrep-registry/bad-hexa-conversion.yaml +32 -0
package/rules/semgrep-registry/blowfish-insufficient-key-size.yaml +39 -0
package/rules/semgrep-registry/cbc-padding-oracle.yaml +38 -0
package/rules/semgrep-registry/command-injection-formatted-runtime-call.yaml +90 -0
package/rules/semgrep-registry/command-injection-process-builder.yaml +148 -0
package/rules/semgrep-registry/cookie-missing-httponly.yaml +38 -0
package/rules/semgrep-registry/cookie-missing-secure-flag.yaml +38 -0
package/rules/semgrep-registry/crlf-injection-logs.yaml +86 -0
package/rules/semgrep-registry/dangerous-groovy-shell.yaml +46 -0
package/rules/semgrep-registry/el-injection.yaml +137 -0
package/rules/semgrep-registry/formatted-sql-string.yaml +95 -0
package/rules/semgrep-registry/http-response-splitting.yaml +44 -0
package/rules/semgrep-registry/index.txt +1 -0
package/rules/semgrep-registry/insecure-smtp-connection.yaml +34 -0
package/rules/semgrep-registry/java-reverse-shell.yaml +43 -0
package/rules/semgrep-registry/jdbc-sql-formatted-string.yaml +120 -0
package/rules/semgrep-registry/ldap-entry-poisoning.yaml +41 -0
package/rules/semgrep-registry/ldap-injection.yaml +82 -0
package/rules/semgrep-registry/md5-used-as-password.yaml +44 -0
package/rules/semgrep-registry/object-deserialization.yaml +34 -0
package/rules/semgrep-registry/ognl-injection.yaml +839 -0
package/rules/semgrep-registry/overly-permissive-file-permission.yaml +49 -0
package/rules/semgrep-registry/permissive-cors.yaml +77 -0
package/rules/semgrep-registry/script-engine-injection.yaml +66 -0
package/rules/semgrep-registry/tainted-cmd-from-http-request.yaml +74 -0
package/rules/semgrep-registry/tainted-env-from-http-request.yaml +46 -0
package/rules/semgrep-registry/tainted-ldapi-from-http-request.yaml +42 -0
package/rules/semgrep-registry/tainted-session-from-http-request.yaml +70 -0
package/rules/semgrep-registry/tainted-xpath-from-http-request.yaml +38 -0
package/rules/semgrep-registry/unsafe-reflection.yaml +39 -0
package/rules/semgrep-registry/unvalidated-redirect.yaml +127 -0
package/rules/semgrep-registry/url-rewriting.yaml +82 -0
package/rules/semgrep-registry/weak-ssl-context.yaml +34 -0
package/rules/semgrep-registry/xml-decoder.yaml +53 -0
package/rules/semgrep-registry/xssrequestwrapper-is-insecure.yaml +40 -0

package/rules/rules_index.yaml.off ADDED Viewed

@@ -0,0 +1,477 @@
+# 逐码 ZhuMa V4.0 — 通用规则库清单
+# 自动生成 | 覆盖 CWE Top 25 (2024) Java 规则
+version: "4.0.0-alpha"
+total_rules: 54
+coverage:
+  cwe_top_25_p0: 14
+  cwe_top_25_p1: 10
+  cwe_crypto: 23
+  total_covered: 24
+rules:
+  # ============================================
+  # P0 — CWE Top 25 关键规则 (14条)
+  # ============================================
+  - id: zm-java-sqli-001
+    cwe: "CWE-89"
+    title: "JDBC Statement 字符串拼接 SQL 注入"
+    severity: CRITICAL
+    file: cwe-89-sqli.yaml
+    status: PASS
+  - id: zm-java-sqli-002
+    cwe: "CWE-89"
+    title: "MyBatis ${} 动态 SQL"
+    severity: CRITICAL
+    file: cwe-89-sqli.yaml
+    status: PASS
+  - id: zm-java-sqli-003
+    cwe: "CWE-89"
+    title: "JdbcTemplate 字符串拼接"
+    severity: HIGH
+    file: cwe-89-sqli.yaml
+    status: PASS
+  - id: zm-java-sqli-004
+    cwe: "CWE-89"
+    title: "String.format 构造 SQL"
+    severity: HIGH
+    file: cwe-89-sqli.yaml
+    status: PASS
+  - id: zm-java-xss-001
+    cwe: "CWE-79"
+    title: "response.getWriter 未转义输出 request.getParameter"
+    severity: HIGH
+    file: cwe-79-xss.yaml
+    status: PASS
+  - id: zm-java-xss-002
+    cwe: "CWE-79"
+    title: "request.getParameter 赋值后未转义直接输出"
+    severity: HIGH
+    file: cwe-79-xss.yaml
+    status: PASS
+  - id: zm-java-osci-001
+    cwe: "CWE-78"
+    title: "Runtime.exec 字符串拼接"
+    severity: CRITICAL
+    file: cwe-78-os-command-injection.yaml
+    status: PASS
+  - id: zm-java-osci-002
+    cwe: "CWE-78"
+    title: "ProcessBuilder 参数拼接"
+    severity: HIGH
+    file: cwe-78-os-command-injection.yaml
+    status: PASS
+  - id: zm-java-pt-001
+    cwe: "CWE-22"
+    title: "File/FileInputStream 拼接用户输入"
+    severity: HIGH
+    file: cwe-22-path-traversal.yaml
+    status: PASS
+  - id: zm-java-pt-002
+    cwe: "CWE-22"
+    title: "直接使用 request.getParameter 作为文件路径"
+    severity: MEDIUM
+    file: cwe-22-path-traversal.yaml
+    status: PASS
+  - id: zm-java-csrf-001
+    cwe: "CWE-352"
+    title: "Spring Security 显式禁用 CSRF"
+    severity: HIGH
+    file: cwe-352-csrf.yaml
+    status: PASS
+  - id: zm-java-xxe-001
+    cwe: "CWE-611"
+    title: "DocumentBuilderFactory 未禁用外部实体"
+    severity: HIGH
+    file: cwe-611-xxe.yaml
+    status: PASS
+  - id: zm-java-xxe-002
+    cwe: "CWE-611"
+    title: "SAXParserFactory 未禁用外部实体"
+    severity: HIGH
+    file: cwe-611-xxe.yaml
+    status: PASS
+  - id: zm-java-xxe-003
+    cwe: "CWE-611"
+    title: "XMLInputFactory 未禁用 DTD"
+    severity: HIGH
+    file: cwe-611-xxe.yaml
+    status: PASS
+  - id: zm-java-hc-001
+    cwe: "CWE-798"
+    title: "硬编码密码字面量"
+    severity: CRITICAL
+    file: cwe-798-hardcoded-credentials.yaml
+    status: PASS
+  - id: zm-java-hc-002
+    cwe: "CWE-798"
+    title: "password/passwd 变量赋字符串字面量"
+    severity: HIGH
+    file: cwe-798-hardcoded-credentials.yaml
+    status: PASS
+  - id: zm-java-hc-003
+    cwe: "CWE-798"
+    title: "JDBC 连接字符串硬编码密码"
+    severity: HIGH
+    file: cwe-798-hardcoded-credentials.yaml
+    status: PASS
+  - id: zm-java-ma-001
+    cwe: "CWE-306"
+    title: "@GetMapping/@PostMapping 无认证注解"
+    severity: MEDIUM
+    file: cwe-306-missing-authentication.yaml
+    status: PASS
+  - id: zm-java-ma-002
+    cwe: "CWE-306"
+    title: "Spring Security permitAll 无认证要求"
+    severity: MEDIUM
+    file: cwe-306-missing-authentication.yaml
+    status: PASS
+  - id: zm-java-ds-001
+    cwe: "CWE-502"
+    title: "ObjectInputStream.readObject 无过滤"
+    severity: CRITICAL
+    file: cwe-502-insecure-deserialization.yaml
+    status: PASS
+  - id: zm-java-ds-002
+    cwe: "CWE-502"
+    title: "ObjectInputStream 无类型过滤包装"
+    severity: MEDIUM
+    file: cwe-502-insecure-deserialization.yaml
+    status: PASS
+  - id: zm-java-sde-001
+    cwe: "CWE-200"
+    title: "日志输出敏感变量 (password/token/apiKey)"
+    severity: HIGH
+    file: cwe-200-sensitive-data-exposure.yaml
+    status: PASS
+  - id: zm-java-sde-002
+    cwe: "CWE-200"
+    title: "toString 暴露敏感字段"
+    severity: MEDIUM
+    file: cwe-200-sensitive-data-exposure.yaml
+    status: PASS
+  - id: zm-java-sde-003
+    cwe: "CWE-200"
+    title: "printStackTrace 泄漏堆栈信息"
+    severity: LOW
+    file: cwe-200-sensitive-data-exposure.yaml
+    status: PASS
+  - id: zm-java-ci-001
+    cwe: "CWE-94"
+    title: "ScriptEngine.eval 用户输入"
+    severity: CRITICAL
+    file: cwe-94-code-injection.yaml
+    status: PASS
+  - id: zm-java-ci-002
+    cwe: "CWE-94"
+    title: "GroovyShell 动态执行"
+    severity: CRITICAL
+    file: cwe-94-code-injection.yaml
+    status: PASS
+  - id: zm-java-ci-003
+    cwe: "CWE-94"
+    title: "Class.forName 动态加载"
+    severity: MEDIUM
+    file: cwe-94-code-injection.yaml
+    status: PASS
+  # ============================================
+  # P1 — CWE Top 25 扩展规则 (10条)
+  # ============================================
+  - id: zm-java-ssl-001
+    cwe: "CWE-295"
+    title: "X509TrustManager 信任所有证书"
+    severity: HIGH
+    file: cwe-295-ssl-verification-disabled.yaml
+    status: PASS
+  - id: zm-java-ssl-002
+    cwe: "CWE-295"
+    title: "HostnameVerifier 总是返回 true"
+    severity: HIGH
+    file: cwe-295-ssl-verification-disabled.yaml
+    status: PASS
+  - id: zm-java-ssl-003
+    cwe: "CWE-295"
+    title: "ALLOW_ALL_HOSTNAME_VERIFIER"
+    severity: HIGH
+    file: cwe-295-ssl-verification-disabled.yaml
+    status: PASS
+  - id: zm-java-ssrf-001
+    cwe: "CWE-918"
+    title: "HttpURLConnection URL 用户可控"
+    severity: HIGH
+    file: cwe-918-ssrf.yaml
+    status: PASS
+  - id: zm-java-ssrf-002
+    cwe: "CWE-918"
+    title: "RestTemplate URL 用户可控"
+    severity: MEDIUM
+    file: cwe-918-ssrf.yaml
+    status: PASS
+  - id: zm-java-fu-001
+    cwe: "CWE-434"
+    title: "MultipartFile.transferTo 无扩展名校验"
+    severity: HIGH
+    file: cwe-434-unrestricted-file-upload.yaml
+    status: PASS
+  - id: zm-java-fu-002
+    cwe: "CWE-434"
+    title: "FileOutputStream 直接用用户文件名"
+    severity: MEDIUM
+    file: cwe-434-unrestricted-file-upload.yaml
+    status: PASS
+  - id: zm-java-maz-001
+    cwe: "CWE-862"
+    title: "敏感操作无授权检查"
+    severity: HIGH
+    file: cwe-862-missing-authorization.yaml
+    status: PASS
+  - id: zm-java-re-001
+    cwe: "CWE-770"
+    title: "while(true) 无超时退出条件"
+    severity: MEDIUM
+    file: cwe-770-resource-exhaustion.yaml
+    status: PASS
+  - id: zm-java-re-002
+    cwe: "CWE-770"
+    title: "无限制读取输入流"
+    severity: LOW
+    file: cwe-770-resource-exhaustion.yaml
+    status: PASS
+  - id: zm-java-oob-001
+    cwe: "CWE-787"
+    title: "数组索引无边界检查"
+    severity: MEDIUM
+    file: cwe-787-out-of-bounds-write.yaml
+    status: PASS
+  - id: zm-java-oob-002
+    cwe: "CWE-787"
+    title: "ByteBuffer put 无 capacity 检查"
+    severity: LOW
+    file: cwe-787-out-of-bounds-write.yaml
+    status: PASS
+  - id: zm-java-ip-001
+    cwe: "CWE-732"
+    title: "setWritable/readable/executable 过宽权限"
+    severity: MEDIUM
+    file: cwe-732-incorrect-permission.yaml
+    status: PASS
+  - id: zm-java-ip-002
+    cwe: "CWE-732"
+    title: "Runtime.exec chmod 777"
+    severity: HIGH
+    file: cwe-732-incorrect-permission.yaml
+    status: PASS
+  # ============================================
+  # P2 — 密码学规则 (CWE-327/326/328/329/295/798, 23条)
+  # ============================================
+  # CWE-327: 弱加密算法 (6条)
+  - id: zm-java-weakcrypto-001
+    cwe: "CWE-327"
+    title: "DES/3DES 加密算法"
+    severity: CRITICAL
+    file: cwe-327-weak-crypto.yaml
+    status: PASS
+  - id: zm-java-weakcrypto-002
+    cwe: "CWE-327"
+    title: "RC2/RC4/Blowfish 弱算法"
+    severity: CRITICAL
+    file: cwe-327-weak-crypto.yaml
+    status: PASS
+  - id: zm-java-weakcrypto-003
+    cwe: "CWE-327"
+    title: "ECB 模式 (无认证加密)"
+    severity: HIGH
+    file: cwe-327-weak-crypto.yaml
+    status: PASS
+  - id: zm-java-weakcrypto-004
+    cwe: "CWE-327"
+    title: "RSA 无OAEP填充或弱填充"
+    severity: HIGH
+    file: cwe-327-weak-crypto.yaml
+    status: PASS
+  - id: zm-java-weakcrypto-005
+    cwe: "CWE-327"
+    title: "JWT Algorithm=none"
+    severity: CRITICAL
+    file: cwe-327-weak-crypto.yaml
+    status: PASS
+  - id: zm-java-weakcrypto-006
+    cwe: "CWE-327"
+    title: "固定IV/Hardcoded IV"
+    severity: HIGH
+    file: cwe-327-weak-crypto.yaml
+    status: PASS
+  # CWE-326: 密钥强度不足 (3条)
+  - id: zm-java-weakkey-001
+    cwe: "CWE-326"
+    title: "AES 密钥长度 <128 位"
+    severity: CRITICAL
+    file: cwe-326-weak-key-size.yaml
+    status: PASS
+  - id: zm-java-weakkey-002
+    cwe: "CWE-326"
+    title: "RSA 密钥 <2048 位"
+    severity: CRITICAL
+    file: cwe-326-weak-key-size.yaml
+    status: PASS
+  - id: zm-java-weakkey-003
+    cwe: "CWE-326"
+    title: "EC 密钥 <256 位"
+    severity: HIGH
+    file: cwe-326-weak-key-size.yaml
+    status: PASS
+  # CWE-328: 弱哈希函数 (4条)
+  - id: zm-java-weakhash-001
+    cwe: "CWE-328"
+    title: "MD2/MD4/MD5 哈希算法"
+    severity: CRITICAL
+    file: cwe-328-weak-hash.yaml
+    status: PASS
+  - id: zm-java-weakhash-002
+    cwe: "CWE-328"
+    title: "PBKDF2 迭代次数不足"
+    severity: CRITICAL
+    file: cwe-328-weak-hash.yaml
+    status: PASS
+  - id: zm-java-weakhash-003
+    cwe: "CWE-328"
+    title: "SHA-1 在安全场景使用"
+    severity: HIGH
+    file: cwe-328-weak-hash.yaml
+    status: PASS
+  - id: zm-java-weakhash-004
+    cwe: "CWE-328"
+    title: "无盐哈希存储"
+    severity: MEDIUM
+    file: cwe-328-weak-hash.yaml
+    status: PASS
+  # CWE-329: CBC Padding Oracle (2条)
+  - id: zm-java-cbcmode-001
+    cwe: "CWE-329"
+    title: "AES/CBC/PKCS5Padding (Padding Oracle风险)"
+    severity: HIGH
+    file: cwe-329-cbc-mode.yaml
+    status: PASS
+  - id: zm-java-cbcmode-002
+    cwe: "CWE-329"
+    title: "Cipher.doFinal() 未检查 BadPaddingException"
+    severity: MEDIUM
+    file: cwe-329-cbc-mode.yaml
+    status: PASS
+  # CWE-295: SSL/TLS 证书绕过 (4条扩展)
+  - id: zm-java-sslverify-001
+    cwe: "CWE-295"
+    title: "X509TrustManager 空校验 (checkServerTrusted)"
+    severity: CRITICAL
+    file: cwe-295-ssl-bypass.yaml
+    status: PASS
+  - id: zm-java-sslverify-002
+    cwe: "CWE-295"
+    title: "HostnameVerifier 全部接受 (return true)"
+    severity: HIGH
+    file: cwe-295-ssl-bypass.yaml
+    status: PASS
+  - id: zm-java-sslverify-003
+    cwe: "CWE-295"
+    title: "allowAllHostnames() 调用"
+    severity: HIGH
+    file: cwe-295-ssl-bypass.yaml
+    status: PASS
+  - id: zm-java-sslverify-004
+    cwe: "CWE-295"
+    title: "SSLContext.init 空 TrustManager"
+    severity: CRITICAL
+    file: cwe-295-ssl-bypass.yaml
+    status: PASS
+  # CWE-798: 硬编码凭证扩展 (4条)
+  - id: zm-java-hardcoded-003
+    cwe: "CWE-798"
+    title: "OAuth Client Secret 硬编码"
+    severity: CRITICAL
+    file: cwe-798-hardcoded-creds.yaml
+    status: PASS
+  - id: zm-java-hardcoded-004
+    cwe: "CWE-798"
+    title: "SMTP/Email 密码硬编码"
+    severity: HIGH
+    file: cwe-798-hardcoded-creds.yaml
+    status: PASS
+  - id: zm-java-hardcoded-005
+    cwe: "CWE-798"
+    title: "数据库密码在 JDBC URL 中"
+    severity: CRITICAL
+    file: cwe-798-hardcoded-creds.yaml
+    status: PASS
+  - id: zm-java-hardcoded-006
+    cwe: "CWE-798"
+    title: "云 AK/SK 硬编码 (AWS/阿里云/腾讯云)"
+    severity: CRITICAL
+    file: cwe-798-hardcoded-creds.yaml
+    status: PASS

package/rules/semgrep-registry/anonymous-ldap-bind.yaml ADDED Viewed

@@ -0,0 +1,34 @@
+rules:
+- id: anonymous-ldap-bind
+  metadata:
+    cwe:
+    - 'CWE-287: Improper Authentication'
+    owasp:
+    - A02:2017 - Broken Authentication
+    - A07:2021 - Identification and Authentication Failures
+    - A07:2025 - Authentication Failures
+    source-rule-url: https://find-sec-bugs.github.io/bugs.htm#LDAP_ANONYMOUS
+    category: security
+    technology:
+    - java
+    references:
+    - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+    cwe2022-top25: true
+    cwe2021-top25: true
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: HIGH
+    confidence: LOW
+  message: >-
+    Detected anonymous LDAP bind.
+    This permits anonymous users to execute LDAP statements. Consider enforcing
+    authentication for LDAP. See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html
+    for more information.
+  severity: WARNING
+  pattern: |
+    $ENV.put($CTX.SECURITY_AUTHENTICATION, "none");
+    ...
+    $DCTX = new InitialDirContext($ENV, ...);
+  languages:
+  - java

package/rules/semgrep-registry/bad-hexa-conversion.yaml ADDED Viewed

@@ -0,0 +1,32 @@
+rules:
+- id: bad-hexa-conversion
+  metadata:
+    cwe:
+    - 'CWE-704: Incorrect Type Conversion or Cast'
+    owasp: 'A03:2017 - Sensitive Data Exposure'
+    source-rule-url: https://find-sec-bugs.github.io/bugs.htm#BAD_HEXA_CONVERSION
+    category: security
+    technology:
+    - java
+    references:
+    - https://cwe.mitre.org/data/definitions/704.html
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: LOW
+    confidence: LOW
+  message: >-
+    'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte.
+    This mistake weakens the hash value computed since it introduces more collisions.
+    Use 'String.format("%02X", ...)' instead.
+  severity: WARNING
+  languages: [java]
+  pattern: |-
+    $X $METHOD(...) {
+      ...
+      MessageDigest $MD = ...;
+      ...
+      $MD.digest(...);
+      ...
+      Integer.toHexString(...);
+    }

package/rules/semgrep-registry/blowfish-insufficient-key-size.yaml ADDED Viewed

@@ -0,0 +1,39 @@
+rules:
+- id: blowfish-insufficient-key-size
+  metadata:
+    cwe:
+    - 'CWE-326: Inadequate Encryption Strength'
+    owasp:
+    - A03:2017 - Sensitive Data Exposure
+    - A02:2021 - Cryptographic Failures
+    - A04:2025 - Cryptographic Failures
+    source-rule-url: https://find-sec-bugs.github.io/bugs.htm#BLOWFISH_KEY_SIZE
+    asvs:
+      section: V6 Stored Cryptography Verification Requirements
+      control_id: 6.2.5 Insecure Algorithm
+      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms
+      version: '4'
+    category: security
+    technology:
+    - java
+    references:
+    - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+    subcategory:
+    - audit
+    likelihood: HIGH
+    impact: MEDIUM
+    confidence: HIGH
+  message: >-
+    Using less than 128 bits for Blowfish is considered insecure. Use 128 bits
+    or more, or switch to use AES instead.
+  severity: WARNING
+  languages:
+  - java
+  patterns:
+  - pattern: |
+      $KEYGEN = KeyGenerator.getInstance("Blowfish");
+      ...
+      $KEYGEN.init($SIZE);
+  - metavariable-comparison:
+      metavariable: $SIZE
+      comparison: $SIZE < 128

package/rules/semgrep-registry/cbc-padding-oracle.yaml ADDED Viewed

@@ -0,0 +1,38 @@
+rules:
+- id: cbc-padding-oracle
+  message: >-
+    Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A malicious
+    actor
+    could discern the difference between plaintext with valid or invalid padding.
+    Further,
+    CBC mode does not include any integrity checks.
+    Use 'AES/GCM/NoPadding' instead.
+  metadata:
+    cwe:
+    - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
+    owasp:
+    - A03:2017 - Sensitive Data Exposure
+    - A02:2021 - Cryptographic Failures
+    - A04:2025 - Cryptographic Failures
+    source-rule-url: https://find-sec-bugs.github.io/bugs.htm#PADDING_ORACLE
+    references:
+    - https://capec.mitre.org/data/definitions/463.html
+    - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes
+    - https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY
+    category: security
+    technology:
+    - java
+    subcategory:
+    - audit
+    likelihood: HIGH
+    impact: MEDIUM
+    confidence: HIGH
+  severity: WARNING
+  fix: |
+    "AES/GCM/NoPadding"
+  languages:
+  - java
+  patterns:
+  - pattern-inside: Cipher.getInstance("=~/.*\/CBC\/PKCS5Padding/")
+  - pattern: |
+      "=~/.*\/CBC\/PKCS5Padding/"

package/rules/semgrep-registry/command-injection-formatted-runtime-call.yaml ADDED Viewed

@@ -0,0 +1,90 @@
+rules:
+- id: command-injection-formatted-runtime-call
+  patterns:
+  - metavariable-pattern:
+      metavariable: $RUNTIME
+      patterns:
+      - pattern-either:
+        - pattern: (java.lang.Runtime $R)
+        - pattern: java.lang.Runtime.getRuntime(...)
+  - pattern-either:
+    - pattern: $RUNTIME.exec($X + $Y);
+    - pattern: $RUNTIME.exec(String.format(...));
+    - pattern: $RUNTIME.loadLibrary($X + $Y);
+    - pattern: $RUNTIME.loadLibrary(String.format(...));
+    - patterns:
+      - pattern-either:
+        - pattern: |
+            $RUNTIME.exec("=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c", $ARG,...)
+        - pattern: |
+            $RUNTIME.exec(Arrays.asList("=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",$ARG,...),...)
+        - pattern: |
+            $RUNTIME.exec(new String[]{"=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",$ARG,...},...)
+        - patterns:
+          - pattern-either:
+            - pattern: |
+                $RUNTIME.exec($CMD,"-c",$ARG,...)
+            - pattern: |
+                $RUNTIME.exec(Arrays.asList($CMD,"-c",$ARG,...),...)
+            - pattern: |
+                $RUNTIME.exec(new String[]{$CMD,"-c",$ARG,...},...)
+          - pattern-inside: |
+              $CMD = "=~/(sh|bash|ksh|csh|tcsh|zsh)/";
+              ...
+        - patterns:
+          - pattern-either:
+            - pattern: |
+                $RUNTIME.exec($CMD, $EXECUTE, $ARG, ...)
+          - pattern-inside: |
+              $CMD = new String[]{"=~/(sh|bash|ksh|csh|tcsh|zsh)/", ...};
+              ...
+        - patterns:
+            - pattern-either:
+                - pattern: |
+                    $RUNTIME.exec("=~/(sh|bash|ksh|csh|tcsh|zsh)/", $BASH, $ARG,...)
+                - pattern: |
+                    $RUNTIME.exec(Arrays.asList("=~/(sh|bash|ksh|csh|tcsh|zsh)/",$BASH,$ARG,...),...)
+                - pattern: |
+                    $RUNTIME.exec(new String[]{"=~/(sh|bash|ksh|csh|tcsh|zsh)/",$BASH,$ARG,...},...)
+            - pattern-inside: |
+                $BASH = new String[]{"=~/(-c)/", ...};
+                ...
+      - pattern-not-inside: |
+          $ARG = "...";
+          ...
+      - pattern-not: |
+          $RUNTIME.exec("...","...","...",...)
+      - pattern-not: |
+          $RUNTIME.exec(new String[]{"...","...","...",...},...)
+      - pattern-not: |
+          $RUNTIME.exec(Arrays.asList("...","...","...",...),...)
+  message: >-
+    A formatted or concatenated string was detected as input to a java.lang.Runtime
+    call.
+    This is dangerous if a variable is controlled by user input and could result in
+    a
+    command injection. Ensure your variables are not controlled by users or sufficiently
+    sanitized.
+  metadata:
+    cwe:
+    - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+    owasp:
+    - A01:2017 - Injection
+    - A03:2021 - Injection
+    - A05:2025 - Injection
+    source-rule-url: https://find-sec-bugs.github.io/bugs.htm#COMMAND_INJECTION.
+    category: security
+    technology:
+    - java
+    references:
+    - https://owasp.org/Top10/A03_2021-Injection
+    cwe2022-top25: true
+    cwe2021-top25: true
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: HIGH
+    confidence: LOW
+  severity: ERROR
+  languages:
+  - java