Added Kotlin detector lib cases

kotlin/src/detectors/anonymous-ldap-bind/compliant.kt

@@ -0,0 +1,12 @@
+/*
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=improper-authentication@v1.0 defects=0}
+// Compliant: Enforcing authentication for LDAP statements
+fun compliant(env: Environment): Void {
+    env.put(Context.SECURITY_AUTHENTICATION, "simple")
+    val ctx: DirContext = InitialDirContext(env)
+}
+// {/fact}

kotlin/src/detectors/anonymous-ldap-bind/non-compliant.kt

@@ -0,0 +1,12 @@
+/*
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=improper-authentication@v1.0 defects=1}
+// Noncompliant: Permiting anonymous users to execute LDAP statements
+fun noncompliant(env: Environment): Void {
+    env.put(Context.SECURITY_AUTHENTICATION, "none")
+    val ctx: DirContext = InitialDirContext(env)
+}
+// {/fact}

kotlin/src/detectors/bad-hexa-conversion/compliant.kt

@@ -0,0 +1,19 @@
+/*
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=incorrect-type-conversion@v1.0 defects=0}
+// Compliant: Using `String.format(\"%02X\",...)` which does not creates a weak hash
+fun compliant(password: String): String {
+    val md: MessageDigest = MessageDigest.getInstance("SHA-1")
+    val resultBytes: Array<Byte> = md.digest(password.getBytes("UTF-8"))
+
+    var stringBuilder: StringBuilder = StringBuilder()
+    for (b in resultBytes) {
+        stringBuilder.append(String.format("%02X", b))
+    }
+
+    return stringBuilder.toString()
+}
+// {/fact}

kotlin/src/detectors/bad-hexa-conversion/non-compliant.kt

@@ -0,0 +1,19 @@
+/*
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=incorrect-type-conversion@v1.0 defects=1}
+// Noncompliant: Using `Integer.toHexString()` which creates a weak hash
+fun noncompliant(password: String): String {
+    val md: MessageDigest = MessageDigest.getInstance("SHA-1")
+    val resultBytes: Array<Byte> = md.digest(password.getBytes("UTF-8"))
+
+    var stringBuilder: StringBuilder = StringBuilder()
+    for (b in resultBytes) {
+        stringBuilder.append(Integer.toHexString(b and 0xFF))
+    }
+
+    return stringBuilder.toString()
+}
+// {/fact}

kotlin/src/detectors/clear-text-protocol/compliant.kt

@@ -0,0 +1,11 @@
+/*
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=insecure-connection@v1.0 defects=0}
+// Compliant: Using clear-text protocols such as `ftps` which is secure
+fun compliant() {
+    val ftpsClient = FTPSClient(true);
+}
+// {/fact}

kotlin/src/detectors/clear-text-protocol/non-compliant.kt

@@ -0,0 +1,11 @@
+/*
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=insecure-connection@v1.0 defects=1}
+// Noncompliant: Using clear-text protocols such as `ftp` which is insecure
+fun noncompliant() {
+    val ftpClient = FTPClient(); // Sensitive
+}
+// {/fact}

kotlin/src/detectors/command-injection/compliant.kt

@@ -0,0 +1,15 @@
+/*
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=os-command-injection@v1.0 defects=0}
+// Compliant: Hardcoded value is being passed to `exec`
+fun compliant() {
+    val directory = "hardcoded_value"
+
+    val command = "ls -l " + directory
+    val r: Runtime = Runtime.getRuntime()
+    val process = r.exec(command)  
+}
+// {/fact}

kotlin/src/detectors/command-injection/non-compliant.kt

@@ -0,0 +1,15 @@
+/*
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=os-command-injection@v1.0 defects=1}
+// Noncompliant: User input is being passed to `exec`
+fun noncompliant() {
+    print("Enter your input:")
+    val input = readLine()
+
+    val command = "echo Hello, $input"
+    val process = Runtime.getRuntime().exec(String.format("The value is: %s", command))
+}
+// {/fact}

kotlin/src/detectors/cookie-missing-httponly/compliant.kt

@@ -0,0 +1,14 @@
+/*
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=sensitive-cookie-without-http-only-flag@v1.0 defects=0}
+// Compliant: The `httponly` attribute of cookies is set to `true`
+fun compliant(value: String, response: HttpServletResponse) {
+    val cookie: Cookie = Cookie("cookie", value)
+    cookie.setSecure(true)
+    cookie.setHttpOnly(true)
+    response.addCookie(cookie)
+}
+// {/fact}

kotlin/src/detectors/cookie-missing-httponly/non-compliant.kt

@@ -0,0 +1,13 @@
+/*
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=sensitive-cookie-without-http-only-flag@v1.0 defects=1}
+// Noncompliant: The `httponly` attribute of cookies is set to `false`
+fun noncompliant(value: String, response: HttpServletResponse) {
+    val cookie: Cookie = Cookie("cookie", value)
+    cookie.setHttpOnly(false)
+    response.addCookie(cookie)
+}
+// {/fact}

kotlin/src/detectors/cookie-missing-secure-flag/compliant.kt

@@ -0,0 +1,14 @@
+/*
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=insecure-cookie@v1.0 defects=0}
+// Compliant: The `setSecure` attribute of a cookie is set to `true`
+fun compliant(@RequestParam value: String, response: HttpServletResponse) {
+    var cookie: Cookie = Cookie("cookie", value)
+    cookie.setSecure(true)
+    cookie.setHttpOnly(true)
+    response.addCookie(cookie)
+}
+// {/fact}

kotlin/src/detectors/cookie-missing-secure-flag/non-compliant.kt

@@ -0,0 +1,14 @@
+/*
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=insecure-cookie@v1.0 defects=1}
+// Noncompliant:  The `setSecure` attribute of a cookie is set to `false`
+fun noncompliant() {
+    var cookie: Cookie = Cookie("cookie", value)
+    cookie.setSecure(false)
+    cookie.setHttpOnly(false)
+    response.addCookie(cookie)
+}
+// {/fact}

kotlin/src/detectors/cross-site-scripting/compliant.kt

@@ -0,0 +1,15 @@
+/*
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=cross-site-scripting@v1.0 defects=0}
+// Compliant: Not using any unsanitized external inputs
+fun compliant() {
+    print("Enter your name:")
+    val name = readLine()
+
+    val writer = PrintWriter(System.out)
+    writer.write("<p>Hello, name!</p>")
+}
+// {/fact}

kotlin/src/detectors/cross-site-scripting/non-compliant.kt

@@ -0,0 +1,15 @@
+/*
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=cross-site-scripting@v1.0 defects=1}
+// Noncompliant: Using unsanitized external inputs which leads to XSS
+fun noncompliant() {
+    print("Enter your name:")
+    val name = readLine()
+
+    val writer = PrintWriter(System.out)
+    writer.write("<p>Hello, $name!</p>")
+}
+// {/fact}

kotlin/src/detectors/csrf-protection/compliant.kt

@@ -0,0 +1,20 @@
+/*
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=cross-site-request-forgery@v1.0 defects=0}
+// Compliant: By default CSRF protection is enabled
+@Configuration
+@EnableWebSecurity
+class WebSecurityConfig : WebSecurityConfigurerAdapter() {
+
+    @Throws(Exception::class)
+    override fun configure(http: HttpSecurity) {
+        http {
+            csrf { }
+            // Other security configurations...
+        }
+    }
+}
+// {/fact}

kotlin/src/detectors/csrf-protection/non-compliant.kt

@@ -0,0 +1,19 @@
+/*
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=cross-site-request-forgery@v1.0 defects=1}
+// Noncompliant: CSRF protection disabled
+@Configuration
+@EnableWebSecurity
+class WebSecurityConfig : WebSecurityConfigurerAdapter() {
+    @Throws(Exception::class)
+    protected fun configure(http: HttpSecurity) {
+        http {
+            csrf().disable()
+            // Other security configurations...
+        }
+    }
+    }
+// {/fact}

kotlin/src/detectors/defaulthttpclient-deprecated/compliant.kt

@@ -0,0 +1,13 @@
+/*
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=cryptographic-key-generator@v1.0 defects=0}
+// Compliant: `DefaultHttpClient` is not used for setting up HTTP connection.
+fun compliant() {
+    val client: HttpClient = SystemDefaultHttpClient()
+    val request: HttpGet = HttpGet("http://google.com")
+    val response: HttpResponse= client.execute(request)
+}
+// {/fact}

kotlin/src/detectors/defaulthttpclient-deprecated/non-compliant.kt

@@ -0,0 +1,13 @@
+/*
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=cryptographic-key-generator@v1.0 defects=1}
+// Noncompliant: `DefaultHttpClient` is used for setting up HTTP connection.
+fun noncompliant() {
+    val client: HttpClient = DefaultHttpClient()
+    val request: HttpGet = HttpGet("http://google.com")
+    val response: HttpResponse= client.execute(request)
+}
+// {/fact}

kotlin/src/detectors/gcm-detection/compliant.kt

@@ -0,0 +1,22 @@
+/*
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=reusing-nonce-key-in-encryption@v1.0 defects=0}
+// Compliant: GCM Cipher with new initialization vector is used
+fun compliant(clearText: String): String {
+    val cipher: Cipher = Cipher.getInstance("AES/CBC/PKCS5Padding")
+
+    val keySpec: SecretKeySpec= SecretKeySpec(theKey.getEncoded(), "AES")
+
+    private val theInnerIV: Array<Byte>
+    val gcmParameterSpec: GCMParameterSpec = GCMParameterSpec(GCM_TAG_LENGTH * 8, theInnerIV)
+    cipher.init(Cipher.ENCRYPT_MODE, keySpec, gcmParameterSpec)
+
+    val cipherText: Array<Byte> = cipher.doFinal(clearText.getBytes())
+
+    val encoded = base64.getEncoder().encodeToString(cipherText)
+    return encoded
+}
+// {/fact}

kotlin/src/detectors/gcm-detection/non-compliant.kt

@@ -0,0 +1,24 @@
+/*
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=reusing-nonce-key-in-encryption@v1.0 defects=1}
+// Noncompliant: GCM Cipher with reused initialization vector `theInnerIV2` is detected.
+fun noncompliant(clearText: String): String {
+    val cipher1: Cipher = Cipher.getInstance("AES/GCM/NoPadding")
+    val cipher2: Cipher = Cipher.getInstance("AES/GCM/NoPadding")
+    val keySpec: SecretKeySpec = SecretKeySpec(theKey.getEncoded(), "AES")
+
+    private val theInnerIV2: Array<Byte>
+
+    val gcmParameterSpec: GCMParameterSpec = GCMParameterSpec(GCM_TAG_LENGTH * 8, theInnerIV2)
+    cipher1.init(Cipher.DECRYPT_MODE, keySpec, gcmParameterSpec)
+    val gcmParameterSpec: GCMParameterSpec = GCMParameterSpec(GCM_TAG_LENGTH * 8, theInnerIV2)
+    cipher2.init(Cipher.DECRYPT_MODE, keySpec, gcmParameterSpec)
+
+    val decoded: Array<Byte> = Base64.getDecoder().decode(cipherText)
+    val decryptedText: Array<Byte> = cipher.doFinal(decoded)
+    return String(decryptedText)
+}
+// {/fact}

kotlin/src/detectors/groovy-injection/compliant.kt

@@ -0,0 +1,13 @@
+/*
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=code-injection@v1.0 defects=0}
+// Compliant: Pre-defined string gets executed as a code.
+fun compliant() {
+    val shell = GroovyShell()
+    val script: String = request.getParameter("script")
+    shell.evaluate("script")
+}
+// {/fact}

kotlin/src/detectors/groovy-injection/non-compliant.kt

@@ -0,0 +1,13 @@
+/*
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=code-injection@v1.0 defects=1}
+// Noncompliant: User input gets executed as a code.
+fun noncompliant() {
+    val shell = GroovyShell()
+    val script: String = request.getParameter("script")
+    shell.evaluate(script)
+}
+// {/fact}

kotlin/src/detectors/hardcoded-credentials/compliant.kt

@@ -0,0 +1,14 @@
+/*
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=hardcoded-credentials@v1.0 defects=0}
+// Compliant: Password is retrieved from environment variables.
+fun compliant() {
+    val username = System.getenv("SSH_USERNAME")
+    val password = System.getenv("SSH_PASSWORD")
+    val ssh = SSHClient()
+    ssh.authPassword(username, password)
+}
+// {/fact}

kotlin/src/detectors/hardcoded-credentials/non-compliant.kt

@@ -0,0 +1,14 @@
+/*
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=hardcoded-credentials@v1.0 defects=1}
+// Noncompliant: Password is hardcoded
+fun noncompliant() {
+    val username = "admin"
+    val password = "password123"
+    val ssh = SSHClient()
+    ssh.authPassword(username, password)
+}
+// {/fact}