opensecurity 0.1.0 → 0.2.1

package/dist/native/taint.js

@@ -0,0 +1,225 @@
+function getNodeText(node, source) {
+    return source.slice(node.startIndex, node.endIndex);
+}
+function normalizeTraverseNode(node) {
+    return node;
+}
+function matchesCallee(name, matcher) {
+    if (matcher.callee) {
+        const match = matcher.callee;
+        if (Array.isArray(match) && match.includes(name))
+            return true;
+        if (match === name)
+            return true;
+    }
+    if (matcher.calleePrefix) {
+        const match = matcher.calleePrefix;
+        if (Array.isArray(match) && match.some((prefix) => name.startsWith(prefix)))
+            return true;
+        if (typeof match === "string" && name.startsWith(match))
+            return true;
+    }
+    if (matcher.calleePattern) {
+        const match = matcher.calleePattern;
+        const patterns = Array.isArray(match) ? match : [match];
+        return patterns.some((pattern) => matchGlob(name, pattern));
+    }
+    return false;
+}
+function matchGlob(value, pattern) {
+    if (pattern === value)
+        return true;
+    try {
+        const picomatch = require("picomatch");
+        const isMatch = picomatch(pattern, { nocase: false, dot: true });
+        return isMatch(value);
+    }
+    catch {
+        return false;
+    }
+}
+function getNodeName(node, lang, source) {
+    if (lang.identifierNodes.includes(node.type)) {
+        return getNodeText(node, source);
+    }
+    if (lang.memberNodes.includes(node.type)) {
+        const objectNode = pickField(node, lang.memberObjectFields);
+        const propNode = pickField(node, lang.memberPropertyFields);
+        const objectName = objectNode ? getNodeName(objectNode, lang, source) ?? getNodeText(objectNode, source) : null;
+        const propName = propNode ? getNodeName(propNode, lang, source) ?? getNodeText(propNode, source) : null;
+        if (objectName && propName)
+            return `${objectName}.${propName}`;
+        if (propName)
+            return propName;
+    }
+    return null;
+}
+function pickField(node, fields) {
+    for (const field of fields) {
+        const child = node.childForFieldName?.(field);
+        if (child)
+            return normalizeTraverseNode(child);
+    }
+    return null;
+}
+function getCallName(node, lang, source) {
+    const callee = pickField(node, lang.callCalleeFields) ??
+        (node.namedChildren?.[0] ? normalizeTraverseNode(node.namedChildren[0]) : null);
+    if (!callee)
+        return null;
+    return getNodeName(callee, lang, source) ?? getNodeText(callee, source);
+}
+function getCallArguments(node, lang) {
+    const argNode = pickField(node, lang.callArgumentFields);
+    if (argNode?.namedChildren?.length) {
+        return argNode.namedChildren.map(normalizeTraverseNode);
+    }
+    return [];
+}
+function getAssignmentSides(node, lang) {
+    const left = pickField(node, lang.assignmentLeftFields);
+    const right = pickField(node, lang.assignmentRightFields);
+    return { left: left ? normalizeTraverseNode(left) : null, right: right ? normalizeTraverseNode(right) : null };
+}
+function isStringNode(node, lang) {
+    return lang.stringNodes.includes(node.type);
+}
+function walk(node, fn) {
+    fn(node);
+    const children = node.namedChildren ?? [];
+    for (const child of children) {
+        walk(normalizeTraverseNode(child), fn);
+    }
+}
+function findIdentifiers(node, lang, source) {
+    const names = [];
+    walk(node, (n) => {
+        const name = getNodeName(n, lang, source);
+        if (name && lang.identifierNodes.includes(n.type))
+            names.push(name);
+    });
+    return names;
+}
+export function runNativeTaint(tree, source, lang, ruleSet, filePath) {
+    const root = normalizeTraverseNode(tree.rootNode ?? tree);
+    const findings = [];
+    const taintedVarsStack = [new Set()];
+    const taintedExpressions = new WeakSet();
+    const pushScope = () => taintedVarsStack.push(new Set());
+    const popScope = () => taintedVarsStack.pop();
+    const currentScope = () => taintedVarsStack[taintedVarsStack.length - 1];
+    const taint = (name) => currentScope()?.add(name);
+    const untaint = (name) => currentScope()?.delete(name);
+    const isTainted = (name) => currentScope()?.has(name) ?? false;
+    const valueIsTainted = (node, rule) => {
+        if (taintedExpressions.has(node))
+            return true;
+        const nodeName = getNodeName(node, lang, source);
+        if (nodeName && rule.sources?.some((src) => matchesCallee(nodeName, src.matcher))) {
+            return true;
+        }
+        if (lang.identifierNodes.includes(node.type) && nodeName) {
+            return isTainted(nodeName);
+        }
+        if (lang.memberNodes.includes(node.type) && nodeName) {
+            return isTainted(nodeName);
+        }
+        if (lang.callNodes.includes(node.type)) {
+            const calleeName = getCallName(node, lang, source);
+            if (calleeName) {
+                if (rule.sanitizers?.some((san) => matchesCallee(calleeName, san.matcher)))
+                    return false;
+                if (rule.sources?.some((src) => matchesCallee(calleeName, src.matcher)))
+                    return true;
+            }
+        }
+        const children = node.namedChildren ?? [];
+        return children.some((child) => valueIsTainted(normalizeTraverseNode(child), rule));
+    };
+    const handleAssignment = (node, rule) => {
+        const { left, right } = getAssignmentSides(node, lang);
+        if (!left || !right)
+            return;
+        const targetNames = findIdentifiers(left, lang, source);
+        const tainted = valueIsTainted(right, rule);
+        for (const name of targetNames) {
+            if (tainted) {
+                taint(name);
+                taintedExpressions.add(right);
+            }
+            else {
+                untaint(name);
+            }
+        }
+    };
+    const reportFinding = (rule, node, message) => {
+        const loc = node.startPosition;
+        findings.push({
+            ruleId: rule.id,
+            ruleTitle: rule.title,
+            severity: rule.severity,
+            owasp: rule.owasp,
+            file: filePath,
+            line: loc ? loc.row + 1 : undefined,
+            column: loc ? loc.column + 1 : undefined,
+            message
+        });
+    };
+    const runRule = (rule) => {
+        if (rule.kind === "secret") {
+            const pattern = rule.literalPattern ? new RegExp(rule.literalPattern, "i") : null;
+            if (!pattern)
+                return;
+            walk(root, (node) => {
+                if (!isStringNode(node, lang))
+                    return;
+                const text = getNodeText(node, source);
+                if (pattern.test(text)) {
+                    reportFinding(rule, node, rule.title);
+                }
+            });
+            return;
+        }
+        if (rule.kind === "direct") {
+            const matcher = {
+                callee: rule.callee,
+                calleePrefix: rule.calleePrefix,
+                calleePattern: rule.calleePattern
+            };
+            walk(root, (node) => {
+                if (!lang.callNodes.includes(node.type))
+                    return;
+                const name = getCallName(node, lang, source);
+                if (name && matchesCallee(name, matcher)) {
+                    reportFinding(rule, node, rule.title);
+                }
+            });
+            return;
+        }
+        walk(root, (node) => {
+            if (lang.assignmentNodes.includes(node.type)) {
+                handleAssignment(node, rule);
+                return;
+            }
+            if (lang.callNodes.includes(node.type)) {
+                const calleeName = getCallName(node, lang, source);
+                if (!calleeName)
+                    return;
+                const sink = rule.sinks?.find((candidate) => matchesCallee(calleeName, candidate.matcher));
+                if (!sink)
+                    return;
+                const args = getCallArguments(node, lang);
+                const hasTainted = args.some((arg) => valueIsTainted(arg, rule));
+                if (hasTainted) {
+                    reportFinding(rule, node, `Tainted data reaches sink ${sink.name}`);
+                }
+            }
+        });
+    };
+    for (const rule of ruleSet.rules) {
+        taintedVarsStack.length = 0;
+        taintedVarsStack.push(new Set());
+        runRule(rule);
+    }
+    return findings;
+}

package/dist/scan.js

@@ -1,5 +1,6 @@
 import fs from "node:fs/promises";
 import path from "node:path";
+import { fileURLToPath } from "node:url";
 import traverseImport from "@babel/traverse";
 import { execFile } from "node:child_process";
 import { promisify } from "node:util";
@@ -10,8 +11,15 @@ import { walkFiles } from "./fileWalker.js";
 import { parseSource } from "./analysis/ast.js";
 import { runRuleEngine } from "./analysis/rules.js";
 import { runPatternDetectors } from "./analysis/patterns.js";
+import { runUniversalPatterns } from "./analysis/universalPatterns.js";
+import { runInfraPatterns } from "./analysis/infraPatterns.js";
 import { loadRules } from "./rules/loadRules.js";
 import { scanDependenciesWithCves } from "./deps/engine.js";
+import { runExternalAdapters } from "./adapters/runner.js";
+import { getLanguageByExtension, getNativeLanguages } from "./native/languages.js";
+import { parseWithTreeSitter } from "./native/loader.js";
+import { loadNativeRules } from "./native/rules.js";
+import { runNativeTaint } from "./native/taint.js";
 export const SCHEMA_VERSION = "1.0.0";
 const DEFAULT_MAX_CHARS = 4000;
 const DEFAULT_CONCURRENCY = 2;
@@ -20,6 +28,8 @@ const DEFAULT_RETRY_DELAY_MS = 500;
 const MAX_ESTIMATED_TOKENS = 50000; // Guardrail: reject massive scans
 const CHARS_PER_TOKEN = 4; // Simple heuristic for estimation
 export async function scan(options = {}) {
+    const packageRoot = path.resolve(path.dirname(fileURLToPath(import.meta.url)), "..");
+    const outputFormat = options.format ?? "text";
     const resolvedRoot = options.targetPath
         ? path.resolve(options.cwd ?? process.cwd(), options.targetPath)
         : (options.cwd ?? process.cwd());
@@ -38,6 +48,13 @@ export async function scan(options = {}) {
     const concurrency = Math.max(1, options.concurrency ?? projectConfig.concurrency ?? DEFAULT_CONCURRENCY);
     const maxRetries = Math.max(0, options.maxRetries ?? DEFAULT_MAX_RETRIES);
     const retryDelayMs = Math.max(0, options.retryDelayMs ?? DEFAULT_RETRY_DELAY_MS);
+    const nativeTaintEnabled = options.nativeTaint ?? projectConfig.nativeTaint ?? true;
+    const nativeLangs = resolveNativeLanguages(options.nativeTaintLanguages ?? projectConfig.nativeTaintLanguages);
+    const nativeCacheEnabled = options.nativeTaintCache ?? projectConfig.nativeTaintCache ?? true;
+    const nativeCachePath = resolveNativeCachePath(cwd, options.nativeTaintCachePath ?? projectConfig.nativeTaintCachePath);
+    const nativeCache = nativeCacheEnabled
+        ? await loadNativeCache(nativeCachePath)
+        : { entries: new Map() };
     let files = await walkFiles(cwd, filters);
     if (options.diffOnly) {
         const changed = await getChangedFiles(cwd, options.diffBase ?? "HEAD");
@@ -128,6 +145,110 @@ export async function scan(options = {}) {
                     category: "code"
                 });
             }
+            const universalFindings = runUniversalPatterns(file.content, file.relPath);
+            for (const finding of universalFindings) {
+                findings.push({
+                    id: finding.id,
+                    severity: finding.severity,
+                    title: finding.title,
+                    description: `${finding.description} [${finding.owasp}]`,
+                    file: finding.file,
+                    line: finding.line,
+                    owasp: finding.owasp,
+                    category: "code"
+                });
+            }
+            if (isInfraFile(file.relPath)) {
+                const infraFindings = runInfraPatterns(file.content, file.relPath);
+                for (const finding of infraFindings) {
+                    findings.push({
+                        id: finding.id,
+                        severity: finding.severity,
+                        title: finding.title,
+                        description: `${finding.description} [${finding.owasp}]`,
+                        file: finding.file,
+                        line: finding.line,
+                        owasp: finding.owasp,
+                        category: "code"
+                    });
+                }
+            }
+        }
+        const adaptersEnabled = !(options.noAdapters ?? projectConfig.noAdapters ?? false);
+        if (adaptersEnabled) {
+            const adapterFiles = files.filter((filePath) => isLikelyTextFile(filePath));
+            const { findings: adapterFindings, warnings } = await runExternalAdapters({
+                cwd,
+                files: adapterFiles,
+                allowList: options.adapters ?? projectConfig.adapters
+            });
+            for (const warning of warnings) {
+                if (outputFormat !== "json" && outputFormat !== "sarif") {
+                    console.warn(warning);
+                }
+            }
+            findings.push(...adapterFindings);
+        }
+        if (nativeTaintEnabled) {
+            const nativeWarnings = new Set();
+            const ruleCache = new Map();
+            const langConfigs = getNativeLanguages();
+            const langById = new Map(langConfigs.map((lang) => [lang.id, lang]));
+            const nativeFiles = files.filter((filePath) => {
+                const lang = getLanguageByExtension(filePath);
+                return Boolean(lang && nativeLangs.has(lang.id) && isLikelyTextFile(filePath));
+            });
+            for (const filePath of nativeFiles) {
+                const lang = getLanguageByExtension(filePath);
+                if (!lang || !nativeLangs.has(lang.id))
+                    continue;
+                const relPath = path.relative(cwd, filePath);
+                const content = await fs.readFile(filePath, "utf8");
+                const cacheKey = computeNativeCacheKey(lang.id, content);
+                const cached = nativeCache.entries.get(relPath);
+                if (cached && cached.hash === cacheKey) {
+                    const cachedFindings = cached.findings.map((f) => ({ ...f }));
+                    for (const finding of cachedFindings)
+                        findings.push(finding);
+                    continue;
+                }
+                const parsed = await parseWithTreeSitter(content, lang, packageRoot);
+                if (!parsed) {
+                    nativeWarnings.add(`Native taint skipped: missing parser for ${lang.name}. Run npm run build-grammars or install tree-sitter language bindings.`);
+                    continue;
+                }
+                let rules = ruleCache.get(lang.id);
+                if (!rules) {
+                    rules = await loadNativeRules(packageRoot, lang.id);
+                    ruleCache.set(lang.id, rules);
+                }
+                if (!rules) {
+                    nativeWarnings.add(`Native taint skipped: no rules for ${lang.name}.`);
+                    continue;
+                }
+                const nativeFindings = runNativeTaint(parsed.tree, content, lang, rules, relPath);
+                const mapped = nativeFindings.map((finding) => ({
+                    id: finding.ruleId,
+                    severity: finding.severity,
+                    title: finding.ruleTitle,
+                    description: `${finding.message} [${finding.owasp}]`,
+                    file: finding.file,
+                    line: finding.line,
+                    column: finding.column,
+                    owasp: finding.owasp,
+                    category: "code"
+                }));
+                for (const finding of mapped)
+                    findings.push(finding);
+                if (nativeCacheEnabled) {
+                    nativeCache.entries.set(relPath, { hash: cacheKey, findings: mapped });
+                }
+            }
+            if (nativeWarnings.size && outputFormat !== "json" && outputFormat !== "sarif") {
+                for (const warning of nativeWarnings) {
+                    console.warn(warning);
+                }
+            }
         }
         if ((apiKey || useCodexCli) && !options.noAi) {
             if (options.aiMultiAgent) {
@@ -258,6 +379,34 @@ export async function scan(options = {}) {
                     for (const filePath of nonJsFiles) {
                         const relPath = path.relative(cwd, filePath);
                         const content = await fs.readFile(filePath, "utf8");
+                        const universalFindings = runUniversalPatterns(content, relPath);
+                        for (const finding of universalFindings) {
+                            findings.push({
+                                id: finding.id,
+                                severity: finding.severity,
+                                title: finding.title,
+                                description: `${finding.description} [${finding.owasp}]`,
+                                file: finding.file,
+                                line: finding.line,
+                                owasp: finding.owasp,
+                                category: "code"
+                            });
+                        }
+                        if (isInfraFile(relPath)) {
+                            const infraFindings = runInfraPatterns(content, relPath);
+                            for (const finding of infraFindings) {
+                                findings.push({
+                                    id: finding.id,
+                                    severity: finding.severity,
+                                    title: finding.title,
+                                    description: `${finding.description} [${finding.owasp}]`,
+                                    file: finding.file,
+                                    line: finding.line,
+                                    owasp: finding.owasp,
+                                    category: "code"
+                                });
+                            }
+                        }
                         const chunks = chunkText(content, maxChars);
                         for (let i = 0; i < chunks.length; i += 1) {
                             const prompt = buildPrompt(relPath, chunks[i], i + 1, chunks.length);
@@ -355,6 +504,9 @@ export async function scan(options = {}) {
         }
         await saveAiCache(cachePath, aiCache);
     }
+    if (nativeCacheEnabled) {
+        await saveNativeCache(nativeCachePath, nativeCache);
+    }
     return { findings: dedupeFindings(findings) };
 }
 export async function listMatchedFiles(options = {}) {
@@ -956,6 +1108,19 @@ function isLikelyTextFile(filePath) {
     ]);
     return !blocked.has(ext);
 }
+function isInfraFile(filePath) {
+    const normalized = filePath.split(path.sep).join("/");
+    const base = path.basename(normalized).toLowerCase();
+    if (base === "dockerfile" || base.endsWith(".dockerfile"))
+        return true;
+    if (base.endsWith(".tf") || base.endsWith(".tfvars"))
+        return true;
+    if (base.endsWith(".yaml") || base.endsWith(".yml"))
+        return true;
+    if (normalized.includes("/k8s/") || normalized.includes("/kubernetes/") || normalized.includes("/helm/"))
+        return true;
+    return false;
+}
 export function groupFilesByModule(relPaths, depth) {
     const groups = new Map();
     for (const relPath of relPaths) {
@@ -998,6 +1163,12 @@ function resolveCachePath(cwd, override) {
     }
     return path.join(cwd, ".opensecurity", "ai-cache.json");
 }
+function resolveNativeCachePath(cwd, override) {
+    if (override && override.trim()) {
+        return path.isAbsolute(override) ? override : path.join(cwd, override);
+    }
+    return path.join(cwd, ".opensecurity", "native-taint-cache.json");
+}
 async function loadAiCache(cachePath) {
     try {
         const raw = await fs.readFile(cachePath, "utf8");
@@ -1019,6 +1190,27 @@ async function saveAiCache(cachePath, cache) {
     await fs.mkdir(path.dirname(cachePath), { recursive: true });
     await fs.writeFile(cachePath, JSON.stringify(obj, null, 2), "utf8");
 }
+async function loadNativeCache(cachePath) {
+    try {
+        const raw = await fs.readFile(cachePath, "utf8");
+        const parsed = JSON.parse(raw);
+        const entries = new Map(Object.entries(parsed ?? {}));
+        return { entries };
+    }
+    catch (err) {
+        if (err?.code === "ENOENT")
+            return { entries: new Map() };
+        return { entries: new Map() };
+    }
+}
+async function saveNativeCache(cachePath, cache) {
+    const obj = {};
+    for (const [key, value] of cache.entries.entries()) {
+        obj[key] = value;
+    }
+    await fs.mkdir(path.dirname(cachePath), { recursive: true });
+    await fs.writeFile(cachePath, JSON.stringify(obj, null, 2), "utf8");
+}
 function computeCacheKey(provider, model, content) {
     return crypto
         .createHash("sha256")
@@ -1029,6 +1221,21 @@ function computeCacheKey(provider, model, content) {
         .update(content)
         .digest("hex");
 }
+function computeNativeCacheKey(language, content) {
+    return crypto
+        .createHash("sha256")
+        .update(language)
+        .update("|")
+        .update(content)
+        .digest("hex");
+}
+function resolveNativeLanguages(list) {
+    const all = getNativeLanguages().map((lang) => lang.id);
+    if (!list || list.length === 0)
+        return new Set(all);
+    const normalized = new Set(list.map((item) => item.trim().toLowerCase()).filter(Boolean));
+    return new Set(all.filter((lang) => normalized.has(lang)));
+}
 async function safeStat(target) {
     try {
         return await fs.stat(target);

package/package.json

@@ -1,8 +1,33 @@
 {
   "name": "opensecurity",
-  "version": "0.1.0",
+  "version": "0.2.1",
   "private": false,
+  "description": "Open-source CLI for scanning repositories for security risks across code, infra, and dependencies.",
+  "license": "MIT",
   "type": "module",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/eliophan/opensecurity.git"
+  },
+  "homepage": "https://github.com/eliophan/opensecurity",
+  "bugs": {
+    "url": "https://github.com/eliophan/opensecurity/issues"
+  },
+  "keywords": [
+    "security",
+    "sast",
+    "static-analysis",
+    "taint",
+    "vulnerability",
+    "scanner",
+    "devsecops",
+    "cli",
+    "dependency",
+    "ai"
+  ],
+  "engines": {
+    "node": ">=20"
+  },
   "bin": {
     "opensecurity": "dist/cli.js",
     "openSecurity": "dist/cli.js"
@@ -11,6 +36,7 @@
     "dev": "tsx src/cli.ts",
     "proxy": "tsx src/proxy.ts",
     "build": "tsc",
+    "build-grammars": "tsx scripts/build-grammars.ts",
     "prepack": "npm run build",
     "package": "npm run build && npm pack",
     "test": "vitest run",
@@ -18,6 +44,8 @@
   },
   "files": [
     "dist",
+    "assets",
+    "rules",
     "README.md",
     "LICENSE"
   ],
@@ -27,7 +55,11 @@
     "@babel/types": "^7.26.9",
     "commander": "^12.0.0",
     "picomatch": "^4.0.2",
-    "semver": "^7.6.3"
+    "semver": "^7.6.3",
+    "web-tree-sitter": "^0.21.0"
+  },
+  "optionalDependencies": {
+    "tree-sitter": "^0.21.1"
   },
   "devDependencies": {
     "@types/babel__traverse": "^7.20.7",
@@ -37,6 +69,18 @@
     "@typescript-eslint/eslint-plugin": "^8.57.0",
     "@typescript-eslint/parser": "^8.57.0",
     "eslint": "^9.39.4",
+    "tree-sitter-cli": "^0.21.0",
+    "tree-sitter-c": "^0.21.4",
+    "tree-sitter-c-sharp": "^0.23.1",
+    "tree-sitter-cpp": "^0.22.3",
+    "tree-sitter-go": "^0.21.2",
+    "tree-sitter-java": "^0.21.0",
+    "tree-sitter-kotlin": "^0.3.8",
+    "tree-sitter-php": "^0.22.8",
+    "tree-sitter-python": "^0.21.0",
+    "tree-sitter-ruby": "^0.21.0",
+    "tree-sitter-rust": "^0.24.0",
+    "tree-sitter-swift": "^0.7.1",
     "tsx": "^4.19.0",
     "typescript": "^5.7.3",
     "vitest": "^2.1.8"

package/rules/taint/c.json

@@ -0,0 +1,47 @@
+{
+  "language": "c",
+  "rules": [
+    {
+      "id": "c-cmd",
+      "title": "Command Injection",
+      "severity": "high",
+      "owasp": "A03:2021 Injection",
+      "kind": "taint",
+      "sources": [
+        { "id": "argv", "name": "argv", "matcher": { "calleePattern": ["argv", "getenv"] } }
+      ],
+      "sinks": [
+        { "id": "system", "name": "system", "matcher": { "callee": ["system", "popen"] } }
+      ]
+    },
+    {
+      "id": "c-path",
+      "title": "Path Traversal",
+      "severity": "high",
+      "owasp": "A01:2021 Broken Access Control",
+      "kind": "taint",
+      "sources": [
+        { "id": "argv", "name": "argv", "matcher": { "calleePattern": ["argv", "getenv"] } }
+      ],
+      "sinks": [
+        { "id": "fopen", "name": "fopen", "matcher": { "callee": ["fopen", "open", "read"] } }
+      ]
+    },
+    {
+      "id": "c-weak-crypto",
+      "title": "Weak Crypto",
+      "severity": "medium",
+      "owasp": "A02:2021 Cryptographic Failures",
+      "kind": "direct",
+      "calleePattern": ["*MD5*", "*SHA1*", "MD5", "SHA1"]
+    },
+    {
+      "id": "c-hardcoded-secret",
+      "title": "Hardcoded Secret",
+      "severity": "medium",
+      "owasp": "A02:2021 Cryptographic Failures",
+      "kind": "secret",
+      "literalPattern": "(api|secret|token|password|passwd|pwd|key)[^\\n\\r]{0,20}[\"'][A-Za-z0-9_\\-]{8,}[\"']"
+    }
+  ]
+}

package/rules/taint/cpp.json

@@ -0,0 +1,47 @@
+{
+  "language": "cpp",
+  "rules": [
+    {
+      "id": "cpp-cmd",
+      "title": "Command Injection",
+      "severity": "high",
+      "owasp": "A03:2021 Injection",
+      "kind": "taint",
+      "sources": [
+        { "id": "argv", "name": "argv", "matcher": { "calleePattern": ["argv", "getenv"] } }
+      ],
+      "sinks": [
+        { "id": "system", "name": "system", "matcher": { "callee": ["system", "popen"] } }
+      ]
+    },
+    {
+      "id": "cpp-path",
+      "title": "Path Traversal",
+      "severity": "high",
+      "owasp": "A01:2021 Broken Access Control",
+      "kind": "taint",
+      "sources": [
+        { "id": "argv", "name": "argv", "matcher": { "calleePattern": ["argv", "getenv"] } }
+      ],
+      "sinks": [
+        { "id": "fstream", "name": "fstream", "matcher": { "calleePattern": ["std::fstream", "std::ifstream", "std::ofstream", "fopen", "open"] } }
+      ]
+    },
+    {
+      "id": "cpp-weak-crypto",
+      "title": "Weak Crypto",
+      "severity": "medium",
+      "owasp": "A02:2021 Cryptographic Failures",
+      "kind": "direct",
+      "calleePattern": ["*MD5*", "*SHA1*", "MD5", "SHA1"]
+    },
+    {
+      "id": "cpp-hardcoded-secret",
+      "title": "Hardcoded Secret",
+      "severity": "medium",
+      "owasp": "A02:2021 Cryptographic Failures",
+      "kind": "secret",
+      "literalPattern": "(api|secret|token|password|passwd|pwd|key)[^\\n\\r]{0,20}[\"'][A-Za-z0-9_\\-]{8,}[\"']"
+    }
+  ]
+}