@zhuma4/cli 4.0.0-alpha.1

package/rules/android/mobile-cleartext-traffic.yaml

@@ -0,0 +1,46 @@
+rules:
+  - id: zm-android-cleartext-http
+    severity: HIGH
+    message: HTTP cleartext connection detected. Network traffic sent over HTTP is visible to anyone on the same network segment. Android 9+ blocks cleartext by default; explicit enabling here overrides that protection.
+    metadata:
+      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
+      owasp-mobile: "M3: Insecure Communication"
+      masvs: "MASVS-NETWORK-1"
+      category: android-network
+      precision: medium
+      confidence: high
+    languages: [java]
+    patterns:
+      - pattern-either:
+          - pattern: new URL("http://...")
+          - pattern: |
+              $HTTP.url($URL).build()
+          - pattern: |
+              Request $R = new Request.Builder().url($URL).$METHOD();
+
+  - id: zm-android-cleartext-okhttp-url
+    severity: HIGH
+    message: OkHttp request to HTTP URL. Ensure all production API endpoints use HTTPS, not HTTP. Cleartext traffic exposes user sessions, tokens, and personal data in transit.
+    metadata:
+      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
+      owasp-mobile: "M3: Insecure Communication"
+      category: android-network
+      precision: low
+    languages: [java]
+    patterns:
+      - pattern-either:
+          - pattern: |
+              $BUILDER.url("http://..." + $X)
+          - pattern: $BUILDER.url($B)
+  - id: zm-android-hsts-missing
+    severity: MEDIUM
+    message: No HSTS preloading or certificate pinning detected. Without certificate validation, the app is vulnerable to MitM attacks via rogue CAs or compromised certificates.
+    metadata:
+      cwe: "CWE-295: Improper Certificate Validation"
+      owasp-mobile: "M3: Insecure Communication"
+      masvs: "MASVS-NETWORK-3"
+      category: android-network
+      precision: medium
+    languages: [java]
+    patterns:
+      - pattern: $H.hostnameVerifier(HostnameVerifier.ALLOW_ALL_HOSTNAME_VERIFIER)

package/rules/android/mobile-component-security.yaml

@@ -0,0 +1,107 @@
+rules:
+  - id: zm-android-exported-component-no-permission
+    severity: HIGH
+    message: Exported Android component without permission protection. Any app on the device can launch this Activity/Service/Receiver, potentially bypassing authentication or reading sensitive Intent extras.
+    metadata:
+      cwe: "CWE-927: Use of Implicit Intent for Sensitive Communication"
+      owasp-mobile: "M1: Improper Platform Usage"
+      masvs: "MASVS-PLATFORM-1"
+      category: android-components
+      precision: medium
+      confidence: high
+    languages: [java]
+    patterns:
+      - pattern-either:
+          - pattern: |
+              $A.setExported(true);
+      - pattern-not: |
+          $A.setPermission($PERM);
+
+  - id: zm-android-implicit-intent-sniffing
+    severity: MEDIUM
+    message: Implicit Intent without setting a specific package. Any app can intercept this Intent, enabling intent sniffing attacks where malicious apps steal sensitive data from the Intent extras.
+    metadata:
+      cwe: "CWE-927: Use of Implicit Intent for Sensitive Communication"
+      owasp-mobile: "M1: Improper Platform Usage"
+      masvs: "MASVS-PLATFORM-2"
+      category: android-components
+      precision: low
+    languages: [java]
+    patterns:
+      - pattern-either:
+          - pattern: |
+              new Intent($ACTION)
+          - pattern: |
+              Intent $I = new Intent($ACTION);
+      - pattern-not: |
+          $I.setPackage($PKG);
+      - pattern-not: |
+          $I.setComponent($COMP);
+
+  - id: zm-android-pending-intent-mutable
+    severity: HIGH
+    message: Mutable PendingIntent. A malicious app can intercept and modify the Intent embedded in this PendingIntent to redirect it to their own component or alter extras. Use FLAG_IMMUTABLE on Android 12+ (API 31+).
+    metadata:
+      cwe: "CWE-927: Use of Implicit Intent for Sensitive Communication"
+      owasp-mobile: "M1: Improper Platform Usage"
+      category: android-components
+      precision: high
+      confidence: high
+    languages: [java]
+    patterns:
+      - pattern-either:
+          - pattern: PendingIntent.getActivity($CTX, $CODE, $INTENT, PendingIntent.FLAG_MUTABLE)
+          - pattern: PendingIntent.getBroadcast($CTX, $CODE, $INTENT, PendingIntent.FLAG_MUTABLE)
+          - pattern: PendingIntent.getService($CTX, $CODE, $INTENT, PendingIntent.FLAG_MUTABLE)
+          - pattern: PendingIntent.getActivity($CTX, $CODE, $INTENT, $FLAGS)
+      - pattern-not: |
+          PendingIntent.getActivity($CTX, $CODE, $INTENT, PendingIntent.FLAG_IMMUTABLE)
+      - pattern-not: |
+          PendingIntent.getBroadcast($CTX, $CODE, $INTENT, PendingIntent.FLAG_IMMUTABLE)
+
+  - id: zm-android-task-hijacking
+    severity: MEDIUM
+    message: Activity with taskAffinity set but no singleInstance launch mode. Enables StrandHogg-style task hijacking where a malicious app overlays a fake login UI on top of the legitimate Activity.
+    metadata:
+      cwe: "CWE-940: Improper Verification of Source of a Communication Channel"
+      owasp-mobile: "M1: Improper Platform Usage"
+      category: android-components
+      precision: low
+    languages: [java]
+    patterns:
+      - pattern: |
+          $A.setTaskAffinity($AFF)
+      - pattern-not: |
+          $A.setLaunchMode("singleInstance")
+      - pattern-not: |
+          $A.setLaunchMode("singleTask")
+
+  - id: zm-android-debuggable-true
+    severity: HIGH
+    message: Application is debuggable. In a release build, android:debuggable="true" allows any attacker with USB access to run arbitrary code, dump memory, and extract encryption keys via adb.
+    metadata:
+      cwe: "CWE-489: Active Debug Code"
+      owasp-mobile: "M8: Security Misconfiguration"
+      masvs: "MASVS-CODE-5"
+      category: android-components
+      precision: high
+      confidence: very-high
+    languages: [java]
+    patterns:
+      - pattern-either:
+          - pattern: |
+              $B.setDebuggable(true)
+
+  - id: zm-android-backup-enabled
+    severity: MEDIUM
+    message: Android backup enabled. With android:allowBackup="true", app data (including SharedPreferences and internal storage) can be extracted via adb backup without requiring root, exposing potentially sensitive data to anyone with physical or USB access.
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information"
+      owasp-mobile: "M2: Insecure Data Storage"
+      masvs: "MASVS-STORAGE-4"
+      category: android-components
+      precision: medium
+    languages: [java]
+    patterns:
+      - pattern: |
+          $A.setAllowBackup(true)

package/rules/android/mobile-crypto-weakness.yaml

@@ -0,0 +1,139 @@
+rules:
+  - id: zm-android-weak-crypto-aes-ecb
+    severity: CRITICAL
+    message: AES in ECB mode. ECB mode encrypts identical plaintext blocks to identical ciphertext blocks, revealing data patterns. Use AES/GCM/NoPadding (preferred) or AES/CBC/PKCS5Padding with a random IV.
+    metadata:
+      cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
+      owasp-mobile: "M3: Insecure Communication"
+      masvs: "MASVS-CRYPTO-1"
+      category: android-crypto
+      precision: high
+      confidence: high
+    languages: [java]
+    patterns:
+      - pattern-either:
+          - pattern: |
+              Cipher.getInstance("AES/ECB/$PADDING")
+          - pattern: |
+              Cipher.getInstance("AES")
+          - pattern: |
+              Cipher.getInstance("DES")
+          - pattern: |
+              Cipher.getInstance("DES/ECB/$PADDING")
+
+  - id: zm-android-weak-crypto-no-padding
+    severity: HIGH
+    message: Cipher without authentication. AES/CBC without GCM or an HMAC allows bit-flipping and padding oracle attacks. Use AES/GCM/NoPadding which provides built-in authentication.
+    metadata:
+      cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
+      owasp-mobile: "M3: Insecure Communication"
+      category: android-crypto
+      precision: medium
+    languages: [java]
+    pattern: |
+      Cipher.getInstance("AES/CBC/PKCS5Padding")
+
+  - id: zm-android-weak-hash-sha1
+    severity: HIGH
+    message: SHA-1 used for cryptographic purposes. SHA-1 is collision-broken since 2017 (SHAttered). Use SHA-256 or SHA-3 family for any security-sensitive hashing.
+    metadata:
+      cwe: "CWE-328: Use of Weak Hash"
+      owasp-mobile: "M3: Insecure Communication"
+      masvs: "MASVS-CRYPTO-2"
+      category: android-crypto
+      precision: medium
+    languages: [java]
+    patterns:
+      - pattern-either:
+          - pattern: |
+              MessageDigest.getInstance("SHA-1")
+          - pattern: |
+              MessageDigest.getInstance("SHA1")
+          - pattern: |
+              MessageDigest.getInstance("MD5")
+          - pattern: |
+              MessageDigest.getInstance("MD2")
+          - pattern: |
+              MessageDigest.getInstance("MD4")
+
+  - id: zm-android-insecure-random
+    severity: MEDIUM
+    message: Insecure PRNG used for cryptographic purposes. java.util.Random and Math.random() use a 48-bit linear congruential generator which is predictable. Use SecureRandom with a strong provider for any security-sensitive randomness (IV, key generation, nonces).
+    metadata:
+      cwe: "CWE-330: Use of Insufficiently Random Values"
+      owasp-mobile: "M3: Insecure Communication"
+      masvs: "MASVS-CRYPTO-1"
+      category: android-crypto
+      precision: low
+    languages: [java]
+    patterns:
+      - pattern-either:
+          - pattern: |
+              new Random()
+          - pattern: |
+              Math.random()
+      - pattern-not: |
+          new SecureRandom()
+
+  - id: zm-android-static-iv
+    severity: CRITICAL
+    message: Static or hardcoded IV in cipher initialization. Using a fixed IV with CBC mode makes the cipher deterministic and exposes patterns in the ciphertext. Every encryption operation must use a unique, randomly generated IV.
+    metadata:
+      cwe: "CWE-329: Generation of Predictable IV with CBC Mode"
+      owasp-mobile: "M3: Insecure Communication"
+      masvs: "MASVS-CRYPTO-2"
+      category: android-crypto
+      precision: medium
+      confidence: high
+    languages: [java]
+    patterns:
+      - pattern-either:
+          - pattern: |
+              $CIPHER.init($MODE, $KEY, new IvParameterSpec($X))
+
+  - id: zm-android-crypto-key-hardcoded
+    severity: CRITICAL
+    message: Hardcoded cryptographic key. Encryption keys embedded in source code are extracted by anyone who decompiles the APK. Use Android Keystore (AndroidKeyStore provider) which stores keys in hardware-backed secure storage (TEE/Secure Element) and prevents extraction.
+    metadata:
+      cwe: "CWE-321: Use of Hard-coded Cryptographic Key"
+      owasp-mobile: "M3: Insecure Communication"
+      masvs: "MASVS-CRYPTO-1"
+      category: android-crypto
+      precision: medium
+      confidence: medium
+    languages: [java]
+    patterns:
+      - pattern-either:
+          - pattern: new SecretKeySpec($BYTES, $ALG)
+          - pattern: |
+              $CIPHER.init($MODE, new SecretKeySpec("$K".getBytes(), $A))
+
+  - id: zm-android-unaligned-crypto-spec
+    severity: MEDIUM
+    message: AES key generation without explicit key size specification. KeyGenerator.init() without a key size may default to provider-dependent sizes. For AES, always specify 256 bits explicitly.
+    metadata:
+      cwe: "CWE-326: Inadequate Encryption Strength"
+      owasp-mobile: "M3: Insecure Communication"
+      category: android-crypto
+      precision: low
+    languages: [java]
+    patterns:
+      - pattern: $KG.init($N)
+      - metavariable-pattern:
+          metavariable: $N
+          patterns:
+            - pattern-not: |
+                256
+
+  - id: zm-android-android-keystore-not-used
+    severity: WARNING
+    message: Cryptographic key generated without Android Keystore. Keys generated with standard Java providers can be extracted from the process memory or from backups. Use KeyGenParameterSpec with AndroidKeyStore provider for TEE-backed key storage.
+    metadata:
+      cwe: "CWE-922: Insecure Storage of Sensitive Information"
+      owasp-mobile: "M2: Insecure Data Storage"
+      masvs: "MASVS-CRYPTO-1"
+      category: android-crypto
+      precision: low
+    languages: [java]
+    patterns:
+      - pattern: new KeyGenParameterSpec.Builder($A, $PURPOSE)

package/rules/android/mobile-cwe-1021-tapjacking.yaml

@@ -0,0 +1,81 @@
+# CWE-1021: Tapjacking / Touch Hijacking (Android)
+# ZhuMa V4.0 - Android Rule Library
+# Source: ZhuMa V4.1 Rule Expansion - UI redressing attacks
+
+rules:
+  - id: zm-android-view-no-filter-touches
+    severity: MEDIUM
+    message: |
+      Detected a View or ViewGroup that does not call setFilterTouchesWhenObscured(true).
+      Without this protection, a malicious app can overlay a transparent window on top of this View
+      and hijack touch events (tapjacking / touch redirection attack).
+      Remediation: Call setFilterTouchesWhenObscured(true) on all sensitive Views, or globally in the theme.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              $VIEW.setOnClickListener($LISTENER);
+    metadata:
+      cwe: "CWE-1021: Improper Restriction of Rendered UI Layers or Frames"
+      owasp-mobile: "M1: Improper Platform Usage"
+      masvs: "MASVS-PLATFORM-3"
+      category: android-ui
+      precision: low
+      confidence: low
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/1021.html
+        - https://developer.android.com/privacy-and-security/risks/tapjacking
+
+  - id: zm-android-layout-no-filter-touches
+    severity: MEDIUM
+    message: |
+      Detected an Activity or Fragment layout without android:filterTouchesWhenObscured="true".
+      This should be set on all layouts that handle sensitive user interactions (login, payment, PIN entry).
+      Remediation: Add android:filterTouchesWhenObscured="true" to the root layout element.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              public void onCreate(Bundle $B) {
+                super.onCreate($B);
+                setContentView($LAYOUT);
+                ...
+              }
+    metadata:
+      cwe: "CWE-1021: Improper Restriction of Rendered UI Layers or Frames"
+      owasp-mobile: "M1: Improper Platform Usage"
+      masvs: "MASVS-PLATFORM-3"
+      category: android-ui
+      precision: low
+      confidence: low
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/1021.html
+
+  - id: zm-android-overlay-alert-no-filter
+    severity: LOW
+    message: |
+      Detected use of WindowManager.LayoutParams.TYPE_APPLICATION_OVERLAY without tapjacking protection.
+      Applications that use overlays without filterTouchesWhenObscured expose users to tapjacking.
+      Remediation: Ensure your own overlays do not obscure sensitive actions; implement touch filtering for incoming overlays.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              $PARAMS.type = WindowManager.LayoutParams.TYPE_APPLICATION_OVERLAY
+          - pattern: |
+              $PARAMS.type = WindowManager.LayoutParams.$TYPE
+    metadata:
+      cwe: "CWE-1021: Improper Restriction of Rendered UI Layers or Frames"
+      owasp-mobile: "M1: Improper Platform Usage"
+      masvs: "MASVS-PLATFORM-3"
+      category: android-ui
+      precision: low
+      confidence: low
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/1021.html

package/rules/android/mobile-cwe-114-dynamic-dex-loading.yaml

@@ -0,0 +1,41 @@
+# CWE-114: 动态加载外部 DEX/JAR (Android)
+# 逐码 ZhuMa V4.0 — Android 规则库
+# 来源: V3 审计引擎 VULN-CE-004
+
+rules:
+  - id: zm-android-dynamic-dex-external-storage
+    severity: HIGH
+    message: |
+      检测到从外部存储或网络路径动态加载 DEX/JAR 文件。
+      如果加载的 DEX 文件来自不可信来源（如 sdcard/Downloads），
+      攻击者可推送恶意 DEX 触发热更新加载实现代码注入。
+      修复:
+      1. 动态加载的 DEX 必须做签名校验
+      2. 存储路径限定在 APP 私有目录 (data/data/<pkg>/)
+      3. 优先使用 Google Play Core 的 SplitCompat / Play Feature Delivery
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              new DexClassLoader($PATH, $CL, $OPT)
+          - pattern: |
+              new DexFile($PATH)
+          - pattern: |
+              new PathClassLoader($PATH, $CL, $OPT)
+      - metavariable-regex:
+          metavariable: $PATH
+          regex: '(?i)(sdcard|external|download|cache|http)'
+    metadata:
+      cwe: "CWE-114: Process Control"
+      owasp-mobile: "M1: Improper Platform Usage"
+      masvs: "MASVS-CODE-4"
+      category: android-code-execution
+      precision: medium
+      confidence: medium
+      likelihood: low
+      impact: high
+      source: "V3 Audit Engine - VULN-CE-004"
+      references:
+        - https://cwe.mitre.org/data/definitions/114.html
+        - https://developer.android.com/guide/playcore/feature-delivery

package/rules/android/mobile-cwe-200-clipboard-data-leak.yaml

@@ -0,0 +1,66 @@
+# CWE-200: 剪贴板敏感数据泄露 (Android)
+# 逐码 ZhuMa V4.0 — Android 规则库
+# 来源: V3 审计引擎 VULN-CLIP-001
+
+rules:
+  - id: zm-android-clipboard-sensitive-data-no-clear
+    severity: HIGH
+    message: |
+      检测到剪贴板写入操作 + 代码中存在敏感数据字段 (password/token/code)
+      但未检测到清除剪贴板的操作 (clearPrimaryClip)。
+      这可能导致 Token/密码/验证码通过剪贴板泄露给其他 APP。
+      修复: 敏感数据复制后立即调用 clipboardManager.clearPrimaryClip()；
+      或对输入框设置 FLAG_SECURE 防止截屏。
+    languages:
+      - java
+    patterns:
+      - pattern: |
+          $CM.setPrimaryClip($CLIP)
+      - pattern-not: |
+          ...
+          $CM.setPrimaryClip($CLIP);
+          ...
+          $CM.clearPrimaryClip();
+          ...
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+      owasp-mobile: "M1: Improper Platform Usage"
+      masvs: "MASVS-STORAGE-4"
+      category: android-data-exposure
+      precision: low
+      confidence: low
+      note: |
+        此规则仅检测剪贴板写入操作；确认"敏感数据"需要结合上下文人工审计。
+        V3 引擎 (VULN-CLIP-001) 通过检测 password/token/code 等关键词交叉验证。
+      source: "V3 Audit Engine - VULN-CLIP-001"
+      references:
+        - https://developer.android.com/reference/android/content/ClipboardManager
+
+  - id: zm-android-mediastore-no-is-pending
+    severity: WARNING
+    message: |
+      检测到 MediaStore 写入操作但未使用 IS_PENDING 标记。
+      Android 10+ 中，向 MediaStore 写入的临时文件在写入完成前可能被
+      其他 APP 读取。IS_PENDING 标记可锁定文件直到写入完成。
+      修复: put(MediaStore.MediaColumns.IS_PENDING, 1) 然后在写入完成后清除。
+    languages:
+      - java
+    patterns:
+      - pattern: |
+          $RESOLVER.insert(MediaStore.$TYPE.EXTERNAL_CONTENT_URI, $VALUES)
+      - pattern-not: |
+          ...
+          $VALUES.put(MediaStore.MediaColumns.IS_PENDING, ...);
+          ...
+          $RESOLVER.insert(...);
+          ...
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+      owasp-mobile: "M1: Improper Platform Usage"
+      masvs: "MASVS-STORAGE-4"
+      category: android-data-exposure
+      precision: low
+      confidence: low
+      source: "V3 Audit Engine - VULN-CLIP-002"
+      references:
+        - https://developer.android.com/reference/android/provider/MediaStore.MediaColumns#IS_PENDING

package/rules/android/mobile-cwe-200-debug-builds.yaml

@@ -0,0 +1,111 @@
+# CWE-200: Debug Build Artifacts Leaking to Release (Android)
+# ZhuMa V4.0 - Android Rule Library
+# Source: ZhuMa V4.1 Rule Expansion - build configuration hardening
+
+rules:
+  - id: zm-android-debuggable-true
+    severity: HIGH
+    message: |
+      Detected android:debuggable="true" in code reference or BuildConfig check.
+      Apps with debuggable=true allow ADB debugging, heap dumps, and process inspection 
+      by anyone with USB access or on the same network (for wireless debugging).
+      This must never be true in production release builds.
+      Remediation: Ensure android:debuggable="false" in release manifest. 
+      Check build.gradle / build.gradle.kts for debuggable configuration.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: $S = "true"
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+      owasp-mobile: "M8: Code Tampering"
+      masvs: "MASVS-RESILIENCE-2"
+      category: android-build
+      precision: low
+      confidence: low
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/200.html
+        - https://developer.android.com/privacy-and-security/risks/debuggable
+
+  - id: zm-android-buildconfig-debug-missing-guard
+    severity: MEDIUM
+    message: |
+      Detected BuildConfig.DEBUG used as a conditional in a way that may not protect release builds.
+      While BuildConfig.DEBUG is the intended guard, check that ProGuard/R8 is not stripping 
+      this condition and that all debug code paths are properly removed.
+      Remediation: Ensure BuildConfig.DEBUG checks are not optimized away. Use debugImplementation 
+      for debug-only dependencies so they are physically absent from release builds.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: BuildConfig.DEBUG
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+      owasp-mobile: "M8: Code Tampering"
+      masvs: "MASVS-RESILIENCE-2"
+      category: android-build
+      precision: low
+      confidence: low
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/200.html
+
+  - id: zm-android-test-only-debug-settings
+    severity: MEDIUM
+    message: |
+      Detected test/development configuration patterns (mock servers, test endpoints, debug flags).
+      These should never appear in production release builds as they may expose debug endpoints 
+      or bypass security controls.
+      Remediation: Remove all test configuration constants. Use BuildConfig fields or 
+      build variants to inject environment-specific values.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              private static final boolean $DEBUG = true;
+          - pattern: |
+              public static final boolean $DEBUG = true;
+          - pattern: |
+              private static final String $ENV = "debug";
+      - metavariable-regex:
+          metavariable: $DEBUG
+          regex: '(?i)(.*[Dd]ebug.*|.*[Tt]est[Mm]ode.*|.*[Mm]ock.*)'
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+      owasp-mobile: "M8: Code Tampering"
+      masvs: "MASVS-RESILIENCE-2"
+      category: android-build
+      precision: medium
+      confidence: medium
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/200.html
+
+  - id: zm-android-webview-debugging-enabled-release
+    severity: HIGH
+    message: |
+      Detected WebView.setWebContentsDebuggingEnabled(true) without BuildConfig.DEBUG guard.
+      WebView debugging allows Chrome DevTools to inspect WebView content, JavaScript context, 
+      and network traffic. If enabled in release builds, anyone with ADB access can extract data.
+      Remediation: Always wrap setWebContentsDebuggingEnabled(true) in a BuildConfig.DEBUG check 
+      or remove it entirely from release builds.
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: setWebContentsDebuggingEnabled(true)
+          - pattern: WebView.setWebContentsDebuggingEnabled(true)
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+      owasp-mobile: "M8: Code Tampering"
+      masvs: "MASVS-RESILIENCE-2"
+      category: android-build
+      precision: high
+      confidence: high
+      source: "ZhuMa V4.1 Rule Expansion"
+      references:
+        - https://cwe.mitre.org/data/definitions/200.html

package/rules/android/mobile-cwe-200-log-sensitive-data.yaml

@@ -0,0 +1,61 @@
+# CWE-200: 敏感数据日志泄露 (Android)
+# 逐码 ZhuMa V4.0 — Android 规则库
+# 来源: V3 审计引擎 VULN-CLIP-001 (剪贴板敏感数据)
+
+rules:
+  - id: zm-android-log-sensitive-data
+    severity: WARNING
+    message: |
+      检测到 Log.d/Log.e/Log.i 输出可能包含敏感数据。
+      如果日志参数包含 Token、密码、密钥等敏感信息，生产环境日志可能被
+      adb logcat、第三方 SDK 日志采集、或 crash report 泄露。
+      修复: 生产构建中移除所有敏感数据的日志输出；使用 ProGuard/R8 去除 Log 调用。
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              Log.$LEVEL($TAG, $TOKEN)
+          - pattern: |
+              android.util.Log.$LEVEL($TAG, $TOKEN)
+      - metavariable-regex:
+          metavariable: $TOKEN
+          regex: '(?i)(token|password|secret|key|auth|credential|ssn|credit_card)'
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+      owasp-mobile: "M8: Code Tampering"
+      masvs: "MASVS-STORAGE-4"
+      category: android-data-exposure
+      precision: low
+      confidence: low
+      likelihood: high
+      impact: medium
+      source: "V3 Audit Engine - CLIP pattern"
+      references:
+        - https://developer.android.com/privacy-and-security/risks/logging-sensitive-data
+        - https://source.android.com/docs/core/architecture/security
+
+  - id: zm-android-log-exception-with-sensitivedata
+    severity: WARNING
+    message: |
+      检测到 Log.e 输出异常信息可能包含请求/响应体。
+      如果异常信息中包含 HTTP Response Body 或请求参数，可能泄露 Token、用户数据等。
+      修复: 仅记录异常类型名称，不记录异常 message（可能包含用户数据）。
+    languages:
+      - java
+    patterns:
+      - pattern-either:
+          - pattern: |
+              Log.e($TAG, $EX.getMessage())
+          - pattern: |
+              Log.e($TAG, $EX.toString())
+          - pattern: |
+              android.util.Log.e($TAG, $EX.getMessage())
+    metadata:
+      cwe: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+      owasp-mobile: "M8: Code Tampering"
+      masvs: "MASVS-STORAGE-4"
+      category: android-data-exposure
+      precision: medium
+      confidence: low
+      source: "V3 Audit Engine"