@zhuma4/cli 4.0.0-alpha.1

package/rules/semgrep-registry/java-reverse-shell.yaml

@@ -0,0 +1,43 @@
+rules:
+- id: java-reverse-shell
+  patterns:
+  - pattern-either:
+    - pattern: |
+        Socket $S=new Socket(...);
+        ...
+        InputStream $SI = $S.getInputStream();
+        ...
+        while(!$S.isClosed())
+        {
+          ...
+          while($SI.available()>0)$PO.write($SI.read());
+          ...
+          $SO.flush();
+          ...
+        }
+  - pattern-inside: |
+      Process $P=new ProcessBuilder(...).redirectErrorStream(true).start();
+      ...
+      $P.destroy();
+  message: Semgrep found potential reverse shell behavior
+  severity: WARNING
+  metadata:
+    cwe:
+    - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+    category: security
+    technology: [java]
+    owasp:
+    - A01:2017 - Injection
+    - A03:2021 - Injection
+    - A05:2025 - Injection
+    references:
+    - https://owasp.org/Top10/A03_2021-Injection
+    cwe2022-top25: true
+    cwe2021-top25: true
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: HIGH
+    confidence: LOW
+  languages:
+  - java

package/rules/semgrep-registry/jdbc-sql-formatted-string.yaml

@@ -0,0 +1,120 @@
+rules:
+- id: jdbc-sql-formatted-string
+  metadata:
+    cwe:
+    - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
+    owasp:
+    - A01:2017 - Injection
+    - A03:2021 - Injection
+    - A05:2025 - Injection
+    source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SQL_INJECTION_SPRING_JDBC
+    asvs:
+      section: 'V5: Validation, Sanitization and Encoding Verification Requirements'
+      control_id: 5.3.5 Injection
+      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements
+      version: '4'
+    category: security
+    technology:
+    - jdbc
+    references:
+    - https://owasp.org/Top10/A03_2021-Injection
+    cwe2022-top25: true
+    cwe2021-top25: true
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: HIGH
+    confidence: LOW
+  message: >-
+    Possible JDBC injection detected. Use the parameterized query
+    feature available in queryForObject instead of concatenating or formatting strings:
+    'jdbc.queryForObject("select * from table where name = ?", Integer.class, parameterName);'
+  patterns:
+  - pattern-inside: |
+      $JDBC = new JdbcTemplate(...);
+      ...
+  - pattern-either:
+          # Unsafe queryForObject
+    - pattern: $JDBC.queryForObject($STR + $VAR, ...);
+    - pattern: $JDBC.queryForObject(String.format(...), ...);
+    - pattern: |
+        String $Q = $STR + $VAR;
+        ...
+        $JDBC.queryForObject($Q, ...);
+    - pattern: |
+        String $Q = String.format(...);
+        ...
+        $JDBC.queryForObject($Q, ...);
+    - pattern: |
+        StringBuilder $Q = new StringBuilder(...);
+        ...
+        $Q.append($STR + $VAR);
+        ...
+        $JDBC.queryForObject($Q, ...);
+    - pattern: $JDBC.queryForList($STR + $VAR);
+    - pattern: $JDBC.queryForList(String.format(...));
+    - pattern: |
+        String $Q = $STR + $VAR;
+        ...
+        $JDBC.queryForList($Q);
+    - pattern: |
+        String $Q = String.format(...);
+        ...
+        $JDBC.queryForList($Q);
+    - pattern: |
+        StringBuilder $Q = new StringBuilder(...);
+        ...
+        $Q.append($STR + $VAR);
+        ...
+        $JDBC.queryForList($Q, ...);
+    - pattern: $JDBC.update($STR + $VAR);
+    - pattern: $JDBC.update(String.format(...));
+    - pattern: |
+        String $Q = $STR + $VAR;
+        ...
+        $JDBC.update($Q);
+    - pattern: |
+        String $Q = String.format(...);
+        ...
+        $JDBC.update($Q);
+    - pattern: |
+        StringBuilder $Q = new StringBuilder(...);
+        ...
+        $Q.append($STR + $VAR);
+        ...
+        $JDBC.update($Q, ...);
+    - pattern: $JDBC.execute($STR + $VAR);
+    - pattern: $JDBC.execute(String.format(...));
+    - pattern: |
+        String $Q = $STR + $VAR;
+        ...
+        $JDBC.execute($Q);
+    - pattern: |
+        String $Q = String.format(...);
+        ...
+        $JDBC.execute($Q);
+    - pattern: |
+        StringBuilder $Q = new StringBuilder(...);
+        ...
+        $Q.append($STR + $VAR);
+        ...
+        $JDBC.execute($Q, ...);
+    - pattern: $JDBC.insert($STR + $VAR);
+    - pattern: $JDBC.insert(String.format(...));
+    - pattern: |
+        String $Q = $STR + $VAR;
+        ...
+        $JDBC.insert($Q);
+    - pattern: |
+        String $Q = String.format(...);
+        ...
+        $JDBC.insert($Q);
+    - pattern: |
+        StringBuilder $Q = new StringBuilder(...);
+        ...
+        $Q.append($STR + $VAR);
+        ...
+        $JDBC.insert($Q, ...);
+  severity: WARNING
+  languages:
+  - java

package/rules/semgrep-registry/ldap-entry-poisoning.yaml

@@ -0,0 +1,41 @@
+rules:
+- id: ldap-entry-poisoning
+  metadata:
+    owasp:
+    - A01:2017 - Injection
+    - A03:2021 - Injection
+    - A05:2025 - Injection
+    cwe:
+    - "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')"
+    source-rule-url: https://find-sec-bugs.github.io/bugs.htm#LDAP_ENTRY_POISONING
+    asvs:
+      section: 'V5: Validation, Sanitization and Encoding Verification Requirements'
+      control_id: 5.3.7 Injection
+      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements
+      version: '4'
+    references:
+    - https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf
+    - https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html
+    category: security
+    technology:
+    - java
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: HIGH
+    confidence: LOW
+  message: >-
+    An object-returning LDAP search will allow attackers to control the LDAP response.
+    This could
+    lead to Remote Code Execution.
+  severity: WARNING
+  pattern-either:
+      # SearchControls(int scope, long countlim, int timelim, String[] attrs, boolean retobj, boolean deref)
+  - pattern: |
+      new SearchControls($S, $CL, $TL, $AT, true, $DEREF)
+  - pattern: |
+      SearchControls $VAR = new SearchControls();
+      ...
+      $VAR.setReturningObjFlag(true);
+  languages:
+  - java

package/rules/semgrep-registry/ldap-injection.yaml

@@ -0,0 +1,82 @@
+rules:
+- id: ldap-injection
+  message: >-
+    Detected non-constant data passed into an LDAP query. If this data can be
+    controlled by an external user, this is an LDAP injection.
+    Ensure data passed to an LDAP query is not controllable; or properly sanitize
+    the data.
+  metadata:
+    cwe:
+    - "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')"
+    owasp:
+    - A01:2017 - Injection
+    - A03:2021 - Injection
+    - A05:2025 - Injection
+    source-rule-url: https://find-sec-bugs.github.io/bugs.htm#LDAP_INJECTION
+    asvs:
+      section: 'V5: Validation, Sanitization and Encoding Verification Requirements'
+      control_id: 5.3.7 Injection
+      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements
+      version: '4'
+    category: security
+    technology:
+    - java
+    references:
+    - https://owasp.org/Top10/A03_2021-Injection
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: HIGH
+    confidence: LOW
+  severity: WARNING
+  languages: [java]
+  patterns:
+  - pattern-either:
+    - pattern-inside: |
+        $X $METHOD(...) {
+          ...
+          InitialDirContext $CTX = ...;
+          ...
+        }
+    - pattern-inside: |
+        $X $METHOD(...) {
+          ...
+          DirContext $CTX = ...;
+          ...
+        }
+    - pattern-inside: |
+        $X $METHOD(...) {
+          ...
+          InitialLdapContext $CTX = ...;
+          ...
+        }
+    - pattern-inside: |
+        $X $METHOD(...) {
+          ...
+          LdapContext $CTX = ...;
+          ...
+        }
+    - pattern-inside: |
+        $X $METHOD(...) {
+          ...
+          LdapCtx $CTX = ...;
+          ...
+        }
+    - pattern-inside: |
+        $X $METHOD(...) {
+          ...
+          EventDirContext $CTX = ...;
+          ...
+        }
+  - pattern: |
+      $X $METHOD(...) {
+        ...
+        $CTX.search($Y,$INPUT,...);
+        ...
+      }
+  - pattern-not: |
+      $X $METHOD(...) {
+        ...
+        $CTX.search($Y,"...",...);
+        ...
+      }

package/rules/semgrep-registry/md5-used-as-password.yaml

@@ -0,0 +1,44 @@
+rules:
+- id: md5-used-as-password
+  languages: [java]
+  severity: WARNING
+  message: >-
+    It looks like MD5 is used as a password hash. MD5 is not considered a
+    secure password hash because it can be cracked by an attacker in a short
+    amount of time. Use a suitable password hashing function such as PBKDF2 or bcrypt.
+    You can use `javax.crypto.SecretKeyFactory` with `SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")`
+    or, if using Spring, `org.springframework.security.crypto.bcrypt`.
+  metadata:
+    category: security
+    technology:
+    - java
+    - md5
+    references:
+    - https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html
+    - https://github.com/returntocorp/semgrep-rules/issues/1609
+    - https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SecretKeyFactory
+    - https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.html
+    owasp:
+    - A03:2017 - Sensitive Data Exposure
+    - A02:2021 - Cryptographic Failures
+    - A04:2025 - Cryptographic Failures
+    cwe:
+    - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
+    subcategory:
+    - vuln
+    likelihood: HIGH
+    impact: MEDIUM
+    confidence: MEDIUM
+  mode: taint
+  pattern-sources:
+  - patterns:
+    - pattern-inside: |
+        $TYPE $MD = MessageDigest.getInstance("MD5");
+        ...
+    - pattern: $MD.digest(...);
+  pattern-sinks:
+  - patterns:
+    - pattern: $MODEL.$METHOD(...);
+    - metavariable-regex:
+        metavariable: $METHOD
+        regex: (?i)(.*password.*)

package/rules/semgrep-registry/object-deserialization.yaml

@@ -0,0 +1,34 @@
+rules:
+- id: object-deserialization
+  metadata:
+    cwe:
+    - 'CWE-502: Deserialization of Untrusted Data'
+    owasp:
+    - A08:2017 - Insecure Deserialization
+    - A08:2021 - Software and Data Integrity Failures
+    - A08:2025 - Software or Data Integrity Failures
+    source-rule-url: https://find-sec-bugs.github.io/bugs.htm#OBJECT_DESERIALIZATION
+    references:
+    - https://www.owasp.org/index.php/Deserialization_of_untrusted_data
+    - https://www.oracle.com/java/technologies/javase/seccodeguide.html#8
+    category: security
+    technology:
+    - java
+    cwe2022-top25: true
+    cwe2021-top25: true
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: HIGH
+    confidence: LOW
+  message: >-
+    Found object deserialization using ObjectInputStream. Deserializing entire
+    Java objects is dangerous because malicious actors can create Java object
+    streams with unintended consequences. Ensure that the objects being deserialized
+    are not user-controlled. If this must be done, consider using HMACs to sign
+    the data stream to make sure it is not tampered with, or consider only
+    transmitting object fields and populating a new object.
+  severity: WARNING
+  languages:
+  - java
+  pattern: new ObjectInputStream(...);