diff --git a/rules/c/security/libxml2-audit-parser-c.yml b/rules/c/security/libxml2-audit-parser-c.yml
new file mode 100644
index 00000000..81d9c7f2
--- /dev/null
+++ b/rules/c/security/libxml2-audit-parser-c.yml
@@ -0,0 +1,25 @@
+id: libxml2-audit-parser-c
+language: c
+severity: warning
+message: >-
+ The libxml2 library is used to parse XML. When auditing such code, make
+ sure that either the document being parsed is trusted or that the parsing
+ options are safe to consume untrusted documents. In such case make sure
+ DTD or XInclude documents cannot be loaded and there is no network access.
+note: >-
+ [CWE-611] Improper Restriction of XML External Entity Reference.
+ [REFERENCES]
+ - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
+rule:
+ any:
+ - pattern: xmlParseInNodeContext($CUR, $SRC, $DATALEN, $XML_OPTIONS, $LST)
+ - pattern: xmlReadDoc($CUR, $SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlReadFd($FD, $SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlReadFile($SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlReadIO($IO_READ, $IO_CLOSE, $IO_CTX, $SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlReadMemory($SRC, $SIZE, $URL, $ENC, $XML_OPTIONS)
+ - pattern: xmlCtxtReadDoc($CTX, $CUR, $SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlCtxtReadFd($CTX, $FD, $SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlCtxtReadFile($CTX, $SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlCtxtReadIO($CTX, $IO_READ, $IO_CLOSE, $IO_CTX, $SRC, $ENC,$XML_OPTIONS)
+ - pattern: xmlCtxtReadMemory($CTX, $SRC, $SIZE, $URL, $ENC, $XML_OPTIONS)
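Review bot: The rule fires on every libxml2 read call regardless of what is passed as `$XML_OPTIONS`, so a caller that already masks out DTD loading, entity substitution, XInclude and network access is reported identically to one that passes `XML_PARSE_NOENT | XML_PARSE_DTDLOAD`; that is acceptable for an audit rule, but the message should then tell the auditor what "safe" means, e.g. append `Safe option sets omit XML_PARSE_NOENT, XML_PARSE_DTDLOAD, XML_PARSE_DTDATTR and XML_PARSE_XINCLUDE and include XML_PARSE_NONET.` The legacy entry points `xmlParseDoc`, `xmlParseMemory` and `xmlParseFile` (and the SAX variants) are not covered, so code that still uses them will pass the audit silently; consider adding them. Also `$ENC,$XML_OPTIONS` in the xmlCtxtReadIO pattern lacks the space every other pattern has, which is harmless to the matcher but inconsistent. The same three points apply verbatim to libxml2-audit-parser-cpp.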
diff --git a/rules/c/security/sizeof-this-c.yml b/rules/c/security/sizeof-this-c.yml
new file mode 100644
index 00000000..bb024aa2
--- /dev/null
+++ b/rules/c/security/sizeof-this-c.yml
@@ -0,0 +1,13 @@
+id: sizeof-this-c
+language: c
+severity: warning
+message: >-
+ Do not use `sizeof(this)` to get the number of bytes of the object in
+ memory. It returns the size of the pointer, not the size of the object.
+note: >-
+ [CWE-467]: Use of sizeof() on a Pointer Type
+ [REFERENCES]
+ - https://wiki.sei.cmu.edu/confluence/display/c/ARR01-C.+Do+not+apply+the+sizeof+operator+to+a+pointer+when+taking+the+size+of+an+array
+rule:
+ any:
+ - pattern: "sizeof(this)"
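Review bot: `this` is not a keyword in C, so under `language: c` this pattern only matches code that happens to declare an identifier named `this`; the defect the message and CWE-467 describe (`sizeof` applied to a pointer) is real, but the `this` form of it is a C++ problem and the rule belongs in rules/cpp with `language: cpp`. If a C-side rule is wanted, it should target `sizeof` on a pointer-typed variable rather than a fixed identifier. No snapshot for this rule is visible in the diff, so there is nothing confirming it matches anything in C.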
diff --git a/rules/cpp/security/libxml2-audit-parser-cpp.yml b/rules/cpp/security/libxml2-audit-parser-cpp.yml
new file mode 100644
index 00000000..84ee43f9
--- /dev/null
+++ b/rules/cpp/security/libxml2-audit-parser-cpp.yml
@@ -0,0 +1,25 @@
+id: libxml2-audit-parser-cpp
+language: Cpp
+severity: warning
+message: >-
+ The libxml2 library is used to parse XML. When auditing such code, make
+ sure that either the document being parsed is trusted or that the parsing
+ options are safe to consume untrusted documents. In such case make sure
+ DTD or XInclude documents cannot be loaded and there is no network access.
+note: >-
+ [CWE-611] Improper Restriction of XML External Entity Reference.
+ [REFERENCES]
+ - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
+rule:
+ any:
+ - pattern: xmlParseInNodeContext($CUR, $SRC, $DATALEN, $XML_OPTIONS, $LST)
+ - pattern: xmlReadDoc($CUR, $SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlReadFd($FD, $SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlReadFile($SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlReadIO($IO_READ, $IO_CLOSE, $IO_CTX, $SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlReadMemory($SRC, $SIZE, $URL, $ENC, $XML_OPTIONS)
+ - pattern: xmlCtxtReadDoc($CTX, $CUR, $SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlCtxtReadFd($CTX, $FD, $SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlCtxtReadFile($CTX, $SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlCtxtReadIO($CTX, $IO_READ, $IO_CLOSE, $IO_CTX, $SRC, $ENC,$XML_OPTIONS)
+ - pattern: xmlCtxtReadMemory($CTX, $SRC, $SIZE, $URL, $ENC, $XML_OPTIONS)
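Review bot: `language: Cpp` is the only capitalised language value in the set; every other new rule uses the lowercase form (`c`, `csharp`, `java`, `kotlin`, `rust`). Whether or not ast-grep accepts the capitalised spelling, it should read `language: cpp` for consistency with the sibling rules and the `rules/cpp` directory name. The matcher and message issues for this file are the same as in libxml2-audit-parser-c and are noted there.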
diff --git a/rules/csharp/security/httponly-false-csharp.yml b/rules/csharp/security/httponly-false-csharp.yml
new file mode 100644
index 00000000..f874ec84
--- /dev/null
+++ b/rules/csharp/security/httponly-false-csharp.yml
@@ -0,0 +1,25 @@
+id: httponly-false-csharp
+language: csharp
+severity: warning
+message: >-
+ "Detected a cookie where the `HttpOnly` flag is either missing or
+ disabled. The `HttpOnly` cookie flag instructs the browser to forbid
+ client-side JavaScript to read the cookie. If JavaScript interaction is
+ required, you can ignore this finding. However, set the `HttpOnly` flag to
+ `true` in all other cases. If this wasn't intentional, it's recommended to
+ set the HttpOnly flag to true so the cookie will not be accessible through
+ client-side scripts or to use the Cookie Policy Middleware to globally set
+ the HttpOnly flag. You can then use the CookieOptions class when
+ instantiating the cookie, which inherits these settings and will require
+ future developers to have to explicitly override them on a case-by-case
+ basis if needed. This approach ensures cookies are secure by default."
+note: >-
+ [CWE-1004] Sensitive Cookie Without 'HttpOnly' Flag"
+ [REFERENCES]
+ - https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware
+ - https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions
+ - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
+rule:
+ any:
+ - pattern: $BUILDER.Cookie.HttpOnly = false;
+ - pattern: $COOKIE.HttpOnly = false;
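Review bot: The message is wrapped in `"` inside a `>-` folded block scalar, so the quotes are not YAML syntax here but become the first and last characters of the rendered message, and the `"` after `'HttpOnly' Flag` in the note is a stray character with no opening counterpart; drop all three. The same literal-quote wrapping appears in plaintext-http-link-html, unencrypted-socket-java, use-of-md5-digest-utils-java, use-of-rc4-java and weak-ssl-context-java (single quotes in the last three). Separately, the message says the flag is "either missing or disabled" but both patterns only match an explicit `= false`, so a cookie created without ever setting `HttpOnly` is not reported; either narrow the wording to "disabled" or add a rule for the missing case. `$COOKIE.HttpOnly = false;` appears to already cover `$BUILDER.Cookie.HttpOnly = false;` since `$COOKIE` can bind the `options.Cookie` member access seen in the snapshot, so the first pattern may be redundant.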
diff --git a/rules/html/security/plaintext-http-link-html.yml b/rules/html/security/plaintext-http-link-html.yml
new file mode 100644
index 00000000..0e0dbfb7
--- /dev/null
+++ b/rules/html/security/plaintext-http-link-html.yml
@@ -0,0 +1,14 @@
+id: plaintext-http-link-html
+language: html
+severity: warning
+message: >-
+ "This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible."
+note: >-
+ [CWE-319] Authentication Bypass by Primary Weakness
+ [REFERENCES]
+ - https://cwe.mitre.org/data/definitions/319.html
+rule:
+ pattern: $C
+constraints:
+ URL:
+ regex: ^['"`]?([Hh][Tt][Tt][Pp]://)
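Review bot: The constraint is keyed on `URL` but the rule's only pattern is `$C`, so no metavariable named `URL` is ever bound and the regex never filters anything; as written the rule either errors on the unbound constraint or matches every node in the document. The pattern and the constraint must name the same variable, and a bare `$C` is too broad in any case because it binds every node kind, so a value would be reported once for the attribute value and again for its quoted parent. Anchor it on the attribute instead, e.g. `rule: { kind: attribute_value, regex: '^[Hh][Tt][Tt][Pp]://' }` (confirm the node kind against the HTML grammar ast-grep ships), and drop the `constraints` block. The note's CWE title is also wrong: CWE-319 is "Cleartext Transmission of Sensitive Information", as unencrypted-socket-java in this same diff has it; "Authentication Bypass by Primary Weakness" is CWE-305.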
diff --git a/rules/java/security/cbc-padding-oracle-java.yml b/rules/java/security/cbc-padding-oracle-java.yml
new file mode 100644
index 00000000..78f11cef
--- /dev/null
+++ b/rules/java/security/cbc-padding-oracle-java.yml
@@ -0,0 +1,17 @@
+id: cbc-padding-oracle-java
+severity: warning
+language: java
+message: >-
+ Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A
+ malicious actor could discern the difference between plaintext with valid
+ or invalid padding. Further, CBC mode does not include any integrity
+ checks. Use 'AES/GCM/NoPadding' instead.
+note: >-
+ [CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
+ [REFERENCES]
+ - https://capec.mitre.org/data/definitions/463.html
+rule:
+ pattern: Cipher.getInstance($MODE)
+constraints:
+ MODE:
+ regex: ".*/CBC/PKCS5Padding"
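Review bot: The constraint regex `.*/CBC/PKCS5Padding` has no end anchor and only names the PKCS5 spelling, so `"AES/CBC/PKCS7Padding"` (the BouncyCastle spelling) and a `"DESede/CBC/PKCS5Padding"` transformation are treated differently for no cryptographic reason; `regex: '/CBC/PKCS[57]Padding"$'` covers both and still rejects non-literal arguments. The rewrite also dropped the OWASP cipher-modes cheat sheet and find-sec-bugs CIPHER_INTEGRITY references that the deleted rule carried; they are more actionable than the CAPEC link alone and are worth keeping in the note. The generated snapshot for this rule contains the same `Cipher.getInstance("AES/CBC/PKCS5Padding");` case twice (plain key and block-scalar key), which looks like a leftover from hand-editing the test.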
diff --git a/rules/java/security/cbc-padding-oracle.yml b/rules/java/security/cbc-padding-oracle.yml
deleted file mode 100644
index 0cb62145..00000000
--- a/rules/java/security/cbc-padding-oracle.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-id: cbd-padding-oracle
-severity: warning
-language: java
-message: >-
- Using CBC with PKCS5Padding is susceptible to padding oracle attacks.
- Use a secure mode of operation like GCM or CCM instead.
-note: >-
- [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm
- [OWASP A03:2017]: Sensitive Data Exposure
- [OWASP A02:2021]: Cryptographic Failures
- [REFERENCES]
- - https://capec.mitre.org/data/definitions/463.html
- - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes
- - https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY
-rule:
- pattern: Cipher.getInstance("AES/CBC/PKCS5Padding")
\ No newline at end of file
diff --git a/rules/java/security/des-is-deprecated-java.yml b/rules/java/security/des-is-deprecated-java.yml
new file mode 100644
index 00000000..8ce1895b
--- /dev/null
+++ b/rules/java/security/des-is-deprecated-java.yml
@@ -0,0 +1,16 @@
+id: des-is-deprecated-java
+severity: warning
+language: java
+message: >-
+ DES is considered deprecated. AES is the recommended cipher. Upgrade to
+ use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard
+ for more information.
+note: >-
+ [CWE-326] Inadequate Encryption Strength.
+ [REFERENCES]
+ - https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard
+rule:
+ pattern: $CIPHER.getInstance($SAS)
+constraints:
+ SAS:
+ regex: "DES"
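Review bot: `regex: "DES"` is unanchored and is applied to the whole argument text, so it also matches `"DESede/..."` (double-reporting alongside desede-is-deprecated-java) and any non-literal argument whose identifier merely contains those letters, such as `MODES[i]`. Anchor it to the start of a string literal: `regex: '^"DES(/|"$)'` reports `"DES"` and `"DES/..."` only. The same unanchored regex is in des-is-deprecated-kotlin.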
diff --git a/rules/java/security/desede-is-deprecated-java.yml b/rules/java/security/desede-is-deprecated-java.yml
new file mode 100644
index 00000000..6db7b4c9
--- /dev/null
+++ b/rules/java/security/desede-is-deprecated-java.yml
@@ -0,0 +1,16 @@
+id: desede-is-deprecated-java
+language: java
+severity: warning
+message: >-
+ Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES.
+note: >-
+ [CWE-326]: Inadequate Encryption Strength
+ [OWASP A03:2017]: Sensitive Data Exposure
+ [OWASP A02:2021]: Cryptographic Failures
+ [REFERENCES]
+ - https://find-sec-bugs.github.io/bugs.htm#TDES_USAGE
+ - https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA
+rule:
+ any:
+ - pattern: $CIPHER.getInstance("=~/DESede.*/")
+ - pattern: $CRYPTO.KeyGenerator.getInstance("DES")
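Review bot: `$CIPHER.getInstance("=~/DESede.*/")` is Semgrep's regex-literal syntax, not ast-grep's; ast-grep treats it as the literal string `"=~/DESede.*/"`, so `Cipher.getInstance("DESede/ECB/PKCS5Padding")` is never reported. The rule's own snapshot confirms this: only the `javax.crypto.KeyGenerator.getInstance("DES")` label (start 47) is recorded, the Cipher line on the first row produces no label. Express the prefix match through a metavariable and a constraint as the sibling rules do; note that `KeyGenerator.getInstance("DES")` is single DES, not DESede, and that the `$CRYPTO.` prefix means the bare `KeyGenerator.getInstance("DES")` form is missed. desede-is-deprecated-kotlin has the identical problem and snapshot.
```yaml
rule:
  any:
    - pattern: $CIPHER.getInstance($ALG)
    - pattern: $CRYPTO.KeyGenerator.getInstance("DES")
constraints:
  ALG:
    regex: '^"DESede'
```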
diff --git a/rules/java/security/ecb-cipher-java.yml b/rules/java/security/ecb-cipher-java.yml
new file mode 100644
index 00000000..1ab3a112
--- /dev/null
+++ b/rules/java/security/ecb-cipher-java.yml
@@ -0,0 +1,17 @@
+id: ecb-cipher-java
+severity: warning
+language: java
+message: >-
+ Cipher in ECB mode is detected. ECB mode produces the same output for
+ the same input each time which allows an attacker to intercept and replay
+ the data. Further, ECB mode does not provide any integrity checking. See
+ https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.
+note: >-
+ [CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
+ [REFERENCES]
+ - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+rule:
+ pattern: Cipher $VAR = $CIPHER.getInstance($MODE);
+constraints:
+ MODE:
+ regex: .*ECB.*
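Review bot: The pattern `Cipher $VAR = $CIPHER.getInstance($MODE);` only matches a local variable declaration, so an assignment to an existing field (`this.cipher = Cipher.getInstance("AES/ECB/NoPadding");`) or a call used directly as an argument is not reported, while the sibling rules in this diff all match the bare call; `pattern: $CIPHER.getInstance($MODE)` would be consistent and cover those forms. With that change the rule fully overlaps use-of-aes-ecb-java for AES transformations and the two will double-report; either fold the AES-specific message into this rule or exclude `AES/` here. `.*ECB.*` is also applied to non-literal arguments, so an identifier such as `ECB_MODE` triggers it too, which may or may not be intended.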
diff --git a/rules/java/security/no-null-cipher-java.yml b/rules/java/security/no-null-cipher-java.yml
new file mode 100644
index 00000000..b5eee11a
--- /dev/null
+++ b/rules/java/security/no-null-cipher-java.yml
@@ -0,0 +1,17 @@
+id: no-null-cipher-java
+severity: warning
+language: java
+message: >-
+ NullCipher was detected. This will not encrypt anything; the cipher
+ text will be the same as the plain text. Use a valid, secure cipher:
+ Cipher.getInstance("AES/CBC/PKCS7PADDING"). See
+ https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
+ for more information.
+note: >-
+ [CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
+ [REFERENCES]
+ - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+rule:
+ any:
+ - pattern: new NullCipher($$$)
+ - pattern: new javax.crypto.NullCipher($$$)
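Review bot: The message recommends `Cipher.getInstance("AES/CBC/PKCS7PADDING")` as the secure replacement, but cbc-padding-oracle-java in this same diff flags CBC with PKCS5 padding as a padding-oracle risk and tells users to move to `'AES/GCM/NoPadding'`; the two messages contradict each other, and `PKCS7PADDING` is not a padding name the default SunJCE provider accepts (it is a BouncyCastle spelling). Replace the recommendation with `Cipher.getInstance("AES/GCM/NoPadding")` so all rules point to the same authenticated mode. The same copy-pasted recommendation appears in use-of-aes-ecb-java, use-of-blowfish-java and use-of-rc4-java.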
diff --git a/rules/java/security/rsa-no-padding-java.yml b/rules/java/security/rsa-no-padding-java.yml
new file mode 100644
index 00000000..c9466216
--- /dev/null
+++ b/rules/java/security/rsa-no-padding-java.yml
@@ -0,0 +1,14 @@
+id: rsa-no-padding-java
+severity: warning
+language: java
+message: >-
+ Using RSA without OAEP mode weakens the encryption.
+note: >-
+ [CWE-326] Inadequate Encryption Strength
+ [REFERENCES]
+ - https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/
+rule:
+ pattern: $YST.getInstance($MODE)
+constraints:
+ MODE:
+ regex: "RSA/[Nn][Oo][Nn][Ee]/NoPadding"
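Review bot: The regex `RSA/[Nn][Oo][Nn][Ee]/NoPadding` only matches the `NONE` mode spelling, but the transformation string the JCE documents and most code uses is `"RSA/ECB/NoPadding"`, which this rule silently accepts; rsa-padding-set-scala in the same diff uses `.*RSA/.*/NoPadding.*` and would catch it. Align the Java and Kotlin rules with the Scala one, e.g. `regex: 'RSA/.*/NoPadding'`. The message also promises detection of RSA "without OAEP" while the pattern only flags the absence of any padding, so `RSA/ECB/PKCS1Padding` is neither reported nor mentioned; narrow the wording or widen the regex. rsa-no-padding-kotlin has the identical regex and message.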
diff --git a/rules/java/security/system-setproperty-hardcoded-secret-java.yml b/rules/java/security/system-setproperty-hardcoded-secret-java.yml
new file mode 100644
index 00000000..537a16a3
--- /dev/null
+++ b/rules/java/security/system-setproperty-hardcoded-secret-java.yml
@@ -0,0 +1,22 @@
+id: system-setproperty-hardcoded-secret-java
+language: java
+severity: warning
+message: >-
+ A secret is hard-coded in the application. Secrets stored in source
+ code, such as credentials, identifiers, and other types of sensitive data,
+ can be leaked and used by internal or external malicious actors. Use
+ environment variables to securely provide credentials and other secrets or
+ retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+ [CWE-798]: Use of Hard-coded Credentials
+ [OWASP A07:2021]: Identification and Authentication Failures
+ [REFERENCES]
+ - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+rule:
+ all:
+ - any:
+ - pattern: System.setProperty("javax.net.ssl.keyStorePassword", $PWD);
+ - pattern: System.setProperty("javax.net.ssl.trustStorePassword", $PWD);
+constraints:
+ PWD:
+ regex: '^"'
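Review bot: The `all:` wrapper around a single `any:` adds nothing and reads as if a second conjunct were forgotten; `rule: { any: [...] }` is what the sibling rules use. The `'^"'` constraint on `$PWD` is the right idea, since it restricts the finding to a string literal rather than a variable, but a short comment in the note saying so would help the next maintainer who wonders why a constant name is not flagged, e.g. `Only literal passwords are reported; a constant or variable passed here is not a finding.` No snapshot for this rule is visible in the diff.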
diff --git a/rules/java/security/unencrypted-socket-java.yml b/rules/java/security/unencrypted-socket-java.yml
new file mode 100644
index 00000000..2b8540a5
--- /dev/null
+++ b/rules/java/security/unencrypted-socket-java.yml
@@ -0,0 +1,16 @@
+id: unencrypted-socket-java
+language: java
+severity: info
+message: >-
+ "Detected use of a Java socket that is not encrypted. As a result, the
+ traffic could be read by an attacker intercepting the network traffic. Use
+ an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory'
+ instead."
+note: >-
+ [CWE-319] Cleartext Transmission of Sensitive Information
+ [REFERENCES]
+ - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+rule:
+ any:
+ - pattern: new ServerSocket($$$)
+ - pattern: new Socket($$$)
diff --git a/rules/java/security/use-of-aes-ecb-java.yml b/rules/java/security/use-of-aes-ecb-java.yml
new file mode 100644
index 00000000..9e28e0b2
--- /dev/null
+++ b/rules/java/security/use-of-aes-ecb-java.yml
@@ -0,0 +1,22 @@
+id: use-of-aes-ecb-java
+language: java
+severity: warning
+message: >-
+ Use of AES with ECB mode detected. ECB doesn't provide message
+ confidentiality and is not semantically secure so should not be used.
+ Instead, use a strong, secure cipher:
+ Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See
+ https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
+ for more information.
+note: >-
+ [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm
+ [OWASP A03:2017]: Sensitive Data Exposure
+ [OWASP A02:2021]: Cryptographic Failures
+ [REFERENCES]
+ - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+ - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
+rule:
+ pattern: $CIPHER.getInstance($MATCHES)
+constraints:
+ MATCHES:
+ regex: ".*AES/ECB/.*"
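Review bot: The backslash escapes in `Cipher.getInstance(\"AES/CBC/PKCS7PADDING\")` are literal inside a `>-` block scalar, so the rendered message will show the backslashes; write the quotes unescaped as the other rules do. The googleprojectzero RC4 article in the references has nothing to do with ECB and looks copied from use-of-rc4-java; the find-sec-bugs CIPHER_INTEGRITY link that ecb-cipher-java cites would fit here. This rule and ecb-cipher-java both fire on `Cipher c = Cipher.getInstance("AES/ECB/...")`, as the ecb-cipher-java snapshot shows, so one finding will be reported twice.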
diff --git a/rules/java/security/use-of-blowfish-java.yml b/rules/java/security/use-of-blowfish-java.yml
new file mode 100644
index 00000000..512745a2
--- /dev/null
+++ b/rules/java/security/use-of-blowfish-java.yml
@@ -0,0 +1,17 @@
+id: use-of-blowfish-java
+language: java
+severity: info
+message: >-
+ Use of Blowfish was detected. Blowfish uses a 64-bit block size
+ that makes it vulnerable to birthday attacks, and is therefore considered
+ non-compliant. Instead, use a strong, secure cipher:
+ Cipher.getInstance("AES/CBC/PKCS7PADDING"). See
+ https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
+ for more information.
+note: >-
+ [CWE-327] Use of a Broken or Risky Cryptographic Algorithm
+ [REFERENCES]
+ - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+ - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
+rule:
+ pattern: $CIPHER.getInstance("Blowfish")
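Review bot: The pattern only matches the bare `"Blowfish"` literal, so the far more common transformation form `Cipher.getInstance("Blowfish/CBC/PKCS5Padding")` is not reported; use a metavariable with an anchored constraint instead, `pattern: $CIPHER.getInstance($ALG)` plus `constraints: { ALG: { regex: '^"Blowfish' } }`. The RC4 reference in the note is unrelated to Blowfish's 64-bit block size problem (the Sweet32 write-up or the OWASP cheat sheet would be relevant). The `AES/CBC/PKCS7PADDING` recommendation contradicts cbc-padding-oracle-java, as noted on no-null-cipher-java.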
diff --git a/rules/java/security/use-of-md5-digest-utils-java.yml b/rules/java/security/use-of-md5-digest-utils-java.yml
new file mode 100644
index 00000000..77778a46
--- /dev/null
+++ b/rules/java/security/use-of-md5-digest-utils-java.yml
@@ -0,0 +1,13 @@
+id: use-of-md5-digest-utils-java
+language: java
+severity: warning
+message: >-
+ 'Detected MD5 hash algorithm which is considered insecure. MD5 is not
+ collision resistant and is therefore not suitable as a cryptographic
+ signature. Use HMAC instead.'
+note: >-
+ [CWE-328] Use of Weak Hash
+ [REFERENCES]
+ - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+rule:
+ pattern: DigestUtils.getMd5Digest($$$).digest($$$)
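Review bot: The pattern only matches `getMd5Digest(...)` with `.digest(...)` chained directly on it, so the commons-codec conveniences `DigestUtils.md5(...)` and `DigestUtils.md5Hex(...)`, which are the usual way that library is called, are not reported; add them as `any:` alternatives. "Use HMAC instead" is the wrong remedy for a weak hash: an HMAC is a keyed MAC, not a replacement for a digest, and an HMAC-MD5 would still be flagged by the intent of this rule; say `Use SHA-256 or SHA-512 (or PBKDF2/bcrypt/Argon2 for passwords) instead.` as use-of-sha1-java already does. use-of-md5-java carries the same HMAC advice.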
diff --git a/rules/java/security/use-of-md5-java.yml b/rules/java/security/use-of-md5-java.yml
new file mode 100644
index 00000000..a7835c21
--- /dev/null
+++ b/rules/java/security/use-of-md5-java.yml
@@ -0,0 +1,20 @@
+id: use-of-md5-java
+severity: warning
+language: java
+message: >-
+ Detected MD5 hash algorithm which is considered insecure. MD5 is not
+ collision resistant and is therefore not suitable as a cryptographic
+ signature. Use HMAC instead.
+note: >-
+ [CWE-328] Use of Weak Hash.
+ [REFERENCES]
+ - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+rule:
+ any:
+ - pattern: java.security.MessageDigest.getInstance($ALGO)
+ - pattern: java.security.MessageDigest.getInstance($ALGO, $$$)
+ - pattern: MessageDigest.getInstance($ALGO)
+ - pattern: MessageDigest.getInstance($ALGO, $$$)
+constraints:
+ ALGO:
+ regex: "MD5"
diff --git a/rules/java/security/use-of-rc4-java.yml b/rules/java/security/use-of-rc4-java.yml
new file mode 100644
index 00000000..2356d208
--- /dev/null
+++ b/rules/java/security/use-of-rc4-java.yml
@@ -0,0 +1,16 @@
+id: use-of-rc4-java
+language: java
+severity: warning
+message: >-
+ 'Use of RC4 was detected. RC4 is vulnerable to several attacks,
+ including stream cipher attacks and bit flipping attacks. Instead, use a
+ strong, secure cipher: Cipher.getInstance("AES/CBC/PKCS7PADDING"). See
+ https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
+ for more information.'
+note: >-
+ [CWE-327] Use of a Broken or Risky Cryptographic Algorithm
+ [REFERENCES]
+ - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+ - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
+rule:
+ pattern: $CIPHER.getInstance("RC4")
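Review bot: The JCA standard name for this cipher is `"ARCFOUR"`; `"RC4"` is only a provider alias, so `Cipher.getInstance("ARCFOUR")` passes this rule unreported. Match both spellings and any transformation suffix with a constrained metavariable, `pattern: $CIPHER.getInstance($ALG)` and `regex: '^"(RC4|ARCFOUR)'`. The message's `AES/CBC/PKCS7PADDING` recommendation contradicts cbc-padding-oracle-java, as noted on no-null-cipher-java.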
diff --git a/rules/java/security/use-of-sha1-java.yml b/rules/java/security/use-of-sha1-java.yml
new file mode 100644
index 00000000..1c24f3e3
--- /dev/null
+++ b/rules/java/security/use-of-sha1-java.yml
@@ -0,0 +1,20 @@
+id: use-of-sha1-java
+language: java
+severity: warning
+message: >-
+ Detected SHA1 hash algorithm which is considered insecure. SHA1 is not
+ collision resistant and is therefore not suitable as a cryptographic
+ signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512
+ for other hash function applications.
+note: >-
+ [CWE-328] Use of Weak Hash.
+ [REFERENCES]
+ - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+rule:
+ any:
+ - pattern: $DU.getSha1Digest().digest($$$)
+ - pattern: MessageDigest.getInstance($ALGO)
+ - pattern: java.security.MessageDigest.getInstance($ALGO,$$$)
+constraints:
+ ALGO:
+ regex: "SHA1|SHA-1"
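Review bot: The pattern set is asymmetric with use-of-md5-java: it has the unqualified one-argument form and the qualified two-argument form, but neither `MessageDigest.getInstance($ALGO, $$$)` nor `java.security.MessageDigest.getInstance($ALGO)`, so a provider-qualified unqualified call or a fully-qualified single-argument call is missed. Add the two missing lines so the four forms match the MD5 rule. `SHA1|SHA-1` is unanchored, which is fine for literals but also matches identifiers such as `SHA1_ALGO`; if that is intended, the MD5 rule behaves the same way and the pair is at least consistent.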
diff --git a/rules/java/security/use-of-weak-rsa-key-java.yml b/rules/java/security/use-of-weak-rsa-key-java.yml
new file mode 100644
index 00000000..8f7c96aa
--- /dev/null
+++ b/rules/java/security/use-of-weak-rsa-key-java.yml
@@ -0,0 +1,16 @@
+id: use-of-weak-rsa-key-java
+language: java
+severity: warning
+message: >-
+ RSA keys should be at least 2048 bits based on NIST recommendation.
+note: >-
+ [CWE-326] Inadequate Encryption Strength.
+ [REFERENCES]
+ - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms
+rule:
+ pattern: |
+ $KEY.initialize($AST)
+follows: KeyPairGenerator $KEY = $G.getInstance("RSA");
+constraints:
+ AST:
+ regex: '^(-?(0|[1-9][0-9]?|[1-9][0-9]{2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|0|-[1-9][0-9]*|-[1-9][0-9]{2,}|-1[0-9]{3}|-20[0-3][0-9]|-204[0-7])$'
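Review bot: `follows:` is placed at the top level of the file, next to `rule:`, but in ast-grep it is a relational rule that must live inside `rule:` and take a rule object, not a bare pattern string; as written the key is, as far as I can tell, either rejected by the schema or ignored, in which case `$KEY.initialize($AST)` fires on any `initialize` call with a small number, RSA or not. Move it under `rule:` and give it `stopBy: end`, since the `KeyPairGenerator` declaration is usually not the immediately preceding sibling. The constraint regex (0-2047, optional sign and decimals) is fine but deserves a one-line comment such as `# matches integer literals below 2048; a variable key size is not reported`. use-of-weak-rsa-key-kotlin has the same misplaced key.
```yaml
rule:
  pattern: $KEY.initialize($AST)
  follows:
    stopBy: end
    pattern: KeyPairGenerator $KEY = $G.getInstance("RSA");
# … unchanged: constraints …
```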
diff --git a/rules/java/security/weak-ssl-context-java.yml b/rules/java/security/weak-ssl-context-java.yml
new file mode 100644
index 00000000..411ca262
--- /dev/null
+++ b/rules/java/security/weak-ssl-context-java.yml
@@ -0,0 +1,22 @@
+id: weak-ssl-context-java
+language: java
+severity: warning
+message: >-
+ 'An insecure SSL context was detected. TLS versions 1.0, 1.1, and all
+ SSL versions are considered weak encryption and are deprecated. Use
+ SSLContext.getInstance("TLSv1.2") for the best security.'
+note: >-
+ [CWE-326] Inadequate Encryption Strength
+ [REFERENCES]
+ - https://tools.ietf.org/html/rfc7568
+ - https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html
+rule:
+ all:
+ - pattern: SSLContext.getInstance($CONTEXT)
+ - not:
+ pattern: SSLContext.getInstance("TLSv1.3")
+ - not:
+ pattern: SSLContext.getInstance("TLSv1.2")
+constraints:
+ CONTEXT:
+ regex: (TLS|SSL)
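Review bot: The message tells users to call `SSLContext.getInstance("TLSv1.2") for the best security` while the rule itself whitelists `"TLSv1.3"`; recommend TLSv1.3 (with 1.2 as the floor) so the advice and the matcher agree. Because `(TLS|SSL)` is unanchored and only the two exact literals are excluded, a plain `SSLContext.getInstance("TLS")`, which negotiates the highest protocol the JVM supports, is reported as weak; if that is intended the message should say so, otherwise anchor the regex to the deprecated names, e.g. `regex: '^"(SSL(v[23])?|TLSv1(\.[01])?)"$'`, which also makes the two `not:` clauses unnecessary. The single-quoted message wrapping is the literal-quote issue noted on httponly-false-csharp.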
diff --git a/rules/kotlin/security/des-is-deprecated-kotlin.yml b/rules/kotlin/security/des-is-deprecated-kotlin.yml
new file mode 100644
index 00000000..377e3ed5
--- /dev/null
+++ b/rules/kotlin/security/des-is-deprecated-kotlin.yml
@@ -0,0 +1,16 @@
+id: des-is-deprecated-kotlin
+severity: warning
+language: kotlin
+message: >-
+ DES is considered deprecated. AES is the recommended cipher. Upgrade to
+ use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard
+ for more information.
+note: >-
+ [CWE-326] Inadequate Encryption Strength.
+ [REFERENCES]
+ - https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard
+rule:
+ pattern: $CIPHER.getInstance($SAS)
+constraints:
+ SAS:
+ regex: "DES"
diff --git a/rules/kotlin/security/desede-is-deprecated-kotlin.yml b/rules/kotlin/security/desede-is-deprecated-kotlin.yml
new file mode 100644
index 00000000..f0a7351a
--- /dev/null
+++ b/rules/kotlin/security/desede-is-deprecated-kotlin.yml
@@ -0,0 +1,16 @@
+id: desede-is-deprecated-kotlin
+language: kotlin
+severity: warning
+message: >-
+ Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES.
+note: >-
+ [CWE-326]: Inadequate Encryption Strength
+ [OWASP A03:2017]: Sensitive Data Exposure
+ [OWASP A02:2021]: Cryptographic Failures
+ [REFERENCES]
+ - https://find-sec-bugs.github.io/bugs.htm#TDES_USAGE
+ - https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA
+rule:
+ any:
+ - pattern: $CIPHER.getInstance("=~/DESede.*/")
+ - pattern: $CRYPTO.KeyGenerator.getInstance("DES")
diff --git a/rules/kotlin/security/rsa-no-padding-kotlin.yml b/rules/kotlin/security/rsa-no-padding-kotlin.yml
new file mode 100644
index 00000000..49e07e7b
--- /dev/null
+++ b/rules/kotlin/security/rsa-no-padding-kotlin.yml
@@ -0,0 +1,14 @@
+id: rsa-no-padding-kotlin
+severity: warning
+language: kotlin
+message: >-
+ Using RSA without OAEP mode weakens the encryption.
+note: >-
+ [CWE-326] Inadequate Encryption Strength
+ [REFERENCES]
+ - https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/
+rule:
+ pattern: $YST.getInstance($MODE)
+constraints:
+ MODE:
+ regex: "RSA/[Nn][Oo][Nn][Ee]/NoPadding"
diff --git a/rules/kotlin/security/system-setproperty-hardcoded-secret-kotlin.yml b/rules/kotlin/security/system-setproperty-hardcoded-secret-kotlin.yml
new file mode 100644
index 00000000..06635555
--- /dev/null
+++ b/rules/kotlin/security/system-setproperty-hardcoded-secret-kotlin.yml
@@ -0,0 +1,22 @@
+id: system-setproperty-hardcoded-secret-kotlin
+language: kotlin
+severity: warning
+message: >-
+ A secret is hard-coded in the application. Secrets stored in source
+ code, such as credentials, identifiers, and other types of sensitive data,
+ can be leaked and used by internal or external malicious actors. Use
+ environment variables to securely provide credentials and other secrets or
+ retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+ [CWE-798]: Use of Hard-coded Credentials
+ [OWASP A07:2021]: Identification and Authentication Failures
+ [REFERENCES]
+ - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+rule:
+ all:
+ - any:
+ - pattern: System.setProperty("javax.net.ssl.keyStorePassword", $PWD);
+ - pattern: System.setProperty("javax.net.ssl.trustStorePassword", $PWD);
+constraints:
+ PWD:
+ regex: '^"'
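Review bot: Both patterns end in `;`, but Kotlin code normally has no statement terminator, so `System.setProperty("javax.net.ssl.keyStorePassword", "hunter2")` (constructed example) on its own line will likely not match a pattern that parses as a terminated statement; drop the semicolons, as the pattern is a call expression either way. The redundant `all:` wrapper around a single `any:` is the same as in the Java version. No snapshot is visible for either the Java or the Kotlin rule, so nothing in the diff confirms the Kotlin pattern matches at all.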
diff --git a/rules/kotlin/security/use-of-weak-rsa-key-kotlin.yml b/rules/kotlin/security/use-of-weak-rsa-key-kotlin.yml
new file mode 100644
index 00000000..1620ce16
--- /dev/null
+++ b/rules/kotlin/security/use-of-weak-rsa-key-kotlin.yml
@@ -0,0 +1,18 @@
+id: use-of-weak-rsa-key-kotlin
+language: kotlin
+severity: warning
+message: >-
+ RSA keys should be at least 2048 bits based on NIST recommendation
+note: >-
+ [CWE-326]: Inadequate Encryption Strength
+ [OWASP A03:2017]: Sensitive Data Exposure
+ [OWASP A02:2021]: Cryptographic Failures
+ [REFERENCES]
+ - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms
+rule:
+ pattern: |
+ $KEY.initialize($BITS)
+follows: KEY = $G.getInstance("RSA");
+constraints:
+ BITS:
+ regex: '^(-?(0|[1-9][0-9]?|[1-9][0-9]{2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|0|-[1-9][0-9]*|-[1-9][0-9]{2,}|-1[0-9]{3}|-20[0-3][0-9]|-204[0-7])$'
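Review bot: Besides `follows:` being misplaced at the top level (see use-of-weak-rsa-key-java), the Kotlin variant's pattern `KEY = $G.getInstance("RSA");` writes `KEY` without the `$` sigil, so it is a literal identifier rather than the `$KEY` metavariable bound in `$KEY.initialize($BITS)`, and the trailing `;` is not idiomatic Kotlin; the intended line is `val $KEY = $G.getInstance("RSA")`. The snapshot files in the diff do not include one for this rule, which would have shown the mismatch.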
diff --git a/rules/rust/security/reqwest-accept-invalid-rust.yml b/rules/rust/security/reqwest-accept-invalid-rust.yml
new file mode 100644
index 00000000..27fc9d8b
--- /dev/null
+++ b/rules/rust/security/reqwest-accept-invalid-rust.yml
@@ -0,0 +1,17 @@
+id: reqwest-accept-invalid-rust
+language: rust
+severity: warning
+message: >-
+ Dangerously accepting invalid TLS
+note: >-
+ [CWE-295]: Improper Certificate
+ [REFERENCES]
+ - https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.danger_accept_invalid_hostnames
+ - https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.danger_accept_invalid_certs
+rule:
+ any:
+ - pattern: $CLIENT.danger_accept_invalid_hostnames(true)
+ - pattern: $CLIENT.danger_accept_invalid_certs(true)
+constraints:
+ CLIENT:
+ regex: '^reqwest::Client::builder\(\)'
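Review bot: The constraint requires the receiver text to start with `reqwest::Client::builder()`, so the most common forms, `Client::builder().danger_accept_invalid_certs(true)` after a `use reqwest::Client`, or a builder first stored in a variable and configured later, are not reported even though they disable the same validation; the method names are already specific to the reqwest builder, so the constraint should be dropped or loosened to `regex: 'Client::builder\(\)'`. The note truncates the CWE title: CWE-295 is "Improper Certificate Validation". The one-line message could also say why it matters, e.g. `Certificate or hostname validation is disabled, so the connection can be intercepted by anyone able to present a certificate.`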
diff --git a/rules/scala/security/rsa-padding-set-scala.yml b/rules/scala/security/rsa-padding-set-scala.yml
new file mode 100644
index 00000000..b4601500
--- /dev/null
+++ b/rules/scala/security/rsa-padding-set-scala.yml
@@ -0,0 +1,18 @@
+id: rsa-padding-set-scala
+language: scala
+severity: warning
+message: >-
+ Usage of RSA without OAEP (Optimal Asymmetric Encryption Padding) may
+ weaken encryption. This could lead to sensitive data exposure. Instead,
+ use RSA with `OAEPWithMD5AndMGF1Padding` instead.
+
+note: >-
+ [CWE-780] Use of RSA Algorithm without OAEP
+ [REFERENCES]
+ - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+rule:
+ any:
+ - pattern: $CIPHER.getInstance($MODE)
+constraints:
+ MODE:
+ regex: ".*RSA/.*/NoPadding.*"
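Review bot: The message recommends `OAEPWithMD5AndMGF1Padding`, which pairs OAEP with MD5 in a rule set that separately flags MD5 as a weak hash; recommend the JCA name `OAEPWithSHA-256AndMGF1Padding` instead. The sentence `Instead, use RSA with ... instead.` repeats "instead", and the blank line at the end of the block scalar is harmless but stray. The `any:` with a single pattern can be flattened to `rule: { pattern: $CIPHER.getInstance($MODE) }` as the Java and Kotlin RSA rules do, and this regex (`.*RSA/.*/NoPadding.*`) is the one those two rules should adopt.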
diff --git a/rules/scala/security/xmlinputfactory-dtd-enabled-scala.yml b/rules/scala/security/xmlinputfactory-dtd-enabled-scala.yml
new file mode 100644
index 00000000..9ba9cb7f
--- /dev/null
+++ b/rules/scala/security/xmlinputfactory-dtd-enabled-scala.yml
@@ -0,0 +1,25 @@
+id: xmlinputfactory-dtd-enabled-scala
+language: scala
+severity: warning
+message: >-
+ XMLInputFactory being instantiated without calling the setProperty
+ functions that are generally used for disabling entity processing. User
+ controlled data in XML Document builder can result in XML Internal Entity
+ Processing vulnerabilities like the disclosure of confidential data,
+ denial of service, Server Side Request Forgery (SSRF), port scanning. Make
+ sure to disable entity processing functionality.
+note: >-
+ [CWE-611] Improper Restriction of XML External Entity.
+ [REFERENCES]
+ - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
+rule:
+ any:
+ - pattern: XMLInputFactory.newFactory($$$)
+ - pattern: XMLInputFactory.newInstance($$$)
+ - pattern: new XMLInputFactory($$$)
+precedes:
+ not:
+ pattern: $XMLFACTORY.setProperty($MODE, false)
+constraints:
+ MODE:
+ regex: "javax.xml.stream.isSupportingExternalEntities"
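Review bot: The logic of the exclusion is inverted: `precedes: not: pattern: ...` (even once moved inside `rule:`, where ast-grep expects relational keys) means "the factory call is followed by some node that is not the setProperty call", which is true for essentially every occurrence, whereas the intent is "no such setProperty call follows", i.e. `not: { precedes: ... }`. The `$MODE` constraint cannot help here either, because a metavariable bound only inside `not` is not available to `constraints`, so the literal property name must go in the pattern, and the `XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES` constant form should be matched alongside the string. `new XMLInputFactory($$$)` can only occur as an anonymous subclass because the class is abstract, so that pattern is dead weight; `SUPPORT_DTD` is the other property a safe configuration sets and could be reported the same way.
```yaml
rule:
  any:
    - pattern: XMLInputFactory.newFactory($$$)
    - pattern: XMLInputFactory.newInstance($$$)
  not:
    precedes:
      stopBy: end
      any:
        - pattern: $F.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false)
        - pattern: $F.setProperty("javax.xml.stream.isSupportingExternalEntities", false)
```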
diff --git a/rules/swift/security/insecure-biometrics-swift.yml b/rules/swift/security/insecure-biometrics-swift.yml
new file mode 100644
index 00000000..8ea5a821
--- /dev/null
+++ b/rules/swift/security/insecure-biometrics-swift.yml
@@ -0,0 +1,19 @@
+id: insecure-biometrics-swift
+language: swift
+severity: info
+message: >-
+ The application was observed to leverage biometrics via Local
+ Authentication, which returns a simple boolean result for authentication.
+ This design is subject to bypass with runtime tampering tools such as
+ Frida, Substrate, and others. Although this is limited to rooted
+ (jailbroken) devices, consider implementing biometric authentication the
+ reliable way - via Keychain Services.
+note: >-
+ [CWE-305] Authentication Bypass by Primary Weakness
+ [REFERENCES]
+ - https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication
+ - https://shirazkhan030.medium.com/biometric-authentication-in-ios-6c53c54f17df
+rule:
+ any:
+ - pattern: LAContext.evaluatePolicy
+ - pattern: $X.evaluatePolicy
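Review bot: `$X.evaluatePolicy` already binds `LAContext` as `$X`, so the first pattern is subsumed by the second and can be removed. The snapshot's sample line `context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: "..."` is missing its closing parenthesis, so the recorded match depends on tree-sitter's error recovery; give the test a syntactically complete call so the snapshot reflects real code. A note line such as `Matching the member access, not the call, so assignments like let f = context.evaluatePolicy are reported too` would document the deliberate breadth of the pattern.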
diff --git a/tests/__snapshots__/cbc-padding-oracle-java-snapshot.yml b/tests/__snapshots__/cbc-padding-oracle-java-snapshot.yml
new file mode 100644
index 00000000..12d32ee1
--- /dev/null
+++ b/tests/__snapshots__/cbc-padding-oracle-java-snapshot.yml
@@ -0,0 +1,15 @@
+id: cbc-padding-oracle-java
+snapshots:
+ Cipher.getInstance("AES/CBC/PKCS5Padding");:
+ labels:
+ - source: Cipher.getInstance("AES/CBC/PKCS5Padding")
+ style: primary
+ start: 0
+ end: 42
+ ? |
+ Cipher.getInstance("AES/CBC/PKCS5Padding");
+ : labels:
+ - source: Cipher.getInstance("AES/CBC/PKCS5Padding")
+ style: primary
+ start: 0
+ end: 42
diff --git a/tests/__snapshots__/des-is-deprecated-java-snapshot.yml b/tests/__snapshots__/des-is-deprecated-java-snapshot.yml
new file mode 100644
index 00000000..35070ef2
--- /dev/null
+++ b/tests/__snapshots__/des-is-deprecated-java-snapshot.yml
@@ -0,0 +1,9 @@
+id: des-is-deprecated-java
+snapshots:
+ ? |
+ Cipher.getInstance("DES/ECB/PKCS5Padding");
+ : labels:
+ - source: Cipher.getInstance("DES/ECB/PKCS5Padding")
+ style: primary
+ start: 0
+ end: 42
diff --git a/tests/__snapshots__/des-is-deprecated-kotlin-snapshot.yml b/tests/__snapshots__/des-is-deprecated-kotlin-snapshot.yml
new file mode 100644
index 00000000..ebce9bbf
--- /dev/null
+++ b/tests/__snapshots__/des-is-deprecated-kotlin-snapshot.yml
@@ -0,0 +1,9 @@
+id: des-is-deprecated-kotlin
+snapshots:
+ ? |
+ Cipher.getInstance("DES/ECB/PKCS5Padding");
+ : labels:
+ - source: Cipher.getInstance("DES/ECB/PKCS5Padding")
+ style: primary
+ start: 0
+ end: 42
diff --git a/tests/__snapshots__/desede-is-deprecated-java-snapshot.yml b/tests/__snapshots__/desede-is-deprecated-java-snapshot.yml
new file mode 100644
index 00000000..1b0bc359
--- /dev/null
+++ b/tests/__snapshots__/desede-is-deprecated-java-snapshot.yml
@@ -0,0 +1,10 @@
+id: desede-is-deprecated-java
+snapshots:
+ ? |
+ Cipher.getInstance("DESede/ECB/PKCS5Padding");
+ javax.crypto.KeyGenerator.getInstance("DES")
+ : labels:
+ - source: javax.crypto.KeyGenerator.getInstance("DES")
+ style: primary
+ start: 47
+ end: 91
diff --git a/tests/__snapshots__/desede-is-deprecated-kotlin-snapshot.yml b/tests/__snapshots__/desede-is-deprecated-kotlin-snapshot.yml
new file mode 100644
index 00000000..7eb1119d
--- /dev/null
+++ b/tests/__snapshots__/desede-is-deprecated-kotlin-snapshot.yml
@@ -0,0 +1,10 @@
+id: desede-is-deprecated-kotlin
+snapshots:
+ ? |
+ Cipher.getInstance("DESede/ECB/PKCS5Padding");
+ javax.crypto.KeyGenerator.getInstance("DES")
+ : labels:
+ - source: javax.crypto.KeyGenerator.getInstance("DES")
+ style: primary
+ start: 47
+ end: 91
diff --git a/tests/__snapshots__/ecb-cipher-java-snapshot.yml b/tests/__snapshots__/ecb-cipher-java-snapshot.yml
new file mode 100644
index 00000000..a9c76fd2
--- /dev/null
+++ b/tests/__snapshots__/ecb-cipher-java-snapshot.yml
@@ -0,0 +1,9 @@
+id: ecb-cipher-java
+snapshots:
+ ? |
+ Cipher c = Cipher.getInstance("AES/ECB/NoPadding");
+ : labels:
+ - source: Cipher c = Cipher.getInstance("AES/ECB/NoPadding");
+ style: primary
+ start: 0
+ end: 51
diff --git a/tests/__snapshots__/httponly-false-csharp-snapshot.yml b/tests/__snapshots__/httponly-false-csharp-snapshot.yml
new file mode 100644
index 00000000..4ec18734
--- /dev/null
+++ b/tests/__snapshots__/httponly-false-csharp-snapshot.yml
@@ -0,0 +1,16 @@
+id: httponly-false-csharp
+snapshots:
+ ? |
+ myHttpOnlyCookie.HttpOnly = false;
+ : labels:
+ - source: myHttpOnlyCookie.HttpOnly = false;
+ style: primary
+ start: 0
+ end: 34
+ ? |
+ options.Cookie.HttpOnly = false;
+ : labels:
+ - source: options.Cookie.HttpOnly = false;
+ style: primary
+ start: 0
+ end: 32
diff --git a/tests/__snapshots__/insecure-biometrics-swift-snapshot.yml b/tests/__snapshots__/insecure-biometrics-swift-snapshot.yml
new file mode 100644
index 00000000..2e7ddc4c
--- /dev/null
+++ b/tests/__snapshots__/insecure-biometrics-swift-snapshot.yml
@@ -0,0 +1,9 @@
+id: insecure-biometrics-swift
+snapshots:
+ ? |
+ context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: "Authenticate to the application"
+ : labels:
+ - source: context.evaluatePolicy
+ style: primary
+ start: 0
+ end: 22
diff --git a/tests/__snapshots__/libxml2-audit-parser-c-snapshot.yml b/tests/__snapshots__/libxml2-audit-parser-c-snapshot.yml
new file mode 100644
index 00000000..60994812
--- /dev/null
+++ b/tests/__snapshots__/libxml2-audit-parser-c-snapshot.yml
@@ -0,0 +1,12 @@
+id: libxml2-audit-parser-c
+snapshots:
+ ? |
+ xmlParseInNodeContext(cur_node->parent, xml_filtered.c_str(),
+ (int)xml_filtered.length(), 0, &pNewNode);
+ : labels:
+ - source: |-
+ xmlParseInNodeContext(cur_node->parent, xml_filtered.c_str(),
+ (int)xml_filtered.length(), 0, &pNewNode)
+ style: primary
+ start: 0
+ end: 103
diff --git a/tests/__snapshots__/libxml2-audit-parser-cpp-snapshot.yml b/tests/__snapshots__/libxml2-audit-parser-cpp-snapshot.yml
new file mode 100644
index 00000000..6d424b83
--- /dev/null
+++ b/tests/__snapshots__/libxml2-audit-parser-cpp-snapshot.yml
@@ -0,0 +1,12 @@
+id: libxml2-audit-parser-cpp
+snapshots:
+ ? |
+ xmlParseInNodeContext(cur_node->parent, xml_filtered.c_str(),
+ (int)xml_filtered.length(), 0, &pNewNode);
+ : labels:
+ - source: |-
+ xmlParseInNodeContext(cur_node->parent, xml_filtered.c_str(),
+ (int)xml_filtered.length(), 0, &pNewNode)
+ style: primary
+ start: 0
+ end: 103
diff --git a/tests/__snapshots__/no-null-cipher-java-snapshot.yml b/tests/__snapshots__/no-null-cipher-java-snapshot.yml
new file mode 100644
index 00000000..a926152d
--- /dev/null
+++ b/tests/__snapshots__/no-null-cipher-java-snapshot.yml
@@ -0,0 +1,18 @@
+id: no-null-cipher-java
+snapshots:
+ ? |-
+ Cipher doNothingCihper = new NullCipher();
+ new javax.crypto.NullCipher();
+ : labels:
+ - source: new NullCipher()
+ style: primary
+ start: 25
+ end: 41
+ ? |
+ Cipher doNothingCihper = new NullCipher();
+ new javax.crypto.NullCipher();
+ : labels:
+ - source: new NullCipher()
+ style: primary
+ start: 25
+ end: 41
diff --git a/tests/__snapshots__/plaintext-http-link-html-snapshot.yml b/tests/__snapshots__/plaintext-http-link-html-snapshot.yml
new file mode 100644
index 00000000..98516a80
--- /dev/null
+++ b/tests/__snapshots__/plaintext-http-link-html-snapshot.yml
@@ -0,0 +1,15 @@
+id: plaintext-http-link-html
+snapshots:
+ ? |
+ Astgrep
+ Astgrep
+ Astgrep
+ Astgrep
+ Astgrep
+ Astgrep
+ Astgrep
+ : labels:
+ - source: Astgrep
+ style: primary
+ start: 0
+ end: 40
diff --git a/tests/__snapshots__/reqwest-accept-invalid-rust-snapshot.yml b/tests/__snapshots__/reqwest-accept-invalid-rust-snapshot.yml
new file mode 100644
index 00000000..cb1eeac4
--- /dev/null
+++ b/tests/__snapshots__/reqwest-accept-invalid-rust-snapshot.yml
@@ -0,0 +1,30 @@
+id: reqwest-accept-invalid-rust
+snapshots:
+ ? |
+ reqwest::Client::builder().danger_accept_invalid_certs(true)
+ : labels:
+ - source: reqwest::Client::builder().danger_accept_invalid_certs(true)
+ style: primary
+ start: 0
+ end: 60
+ ? |
+ reqwest::Client::builder().danger_accept_invalid_hostnames(true)
+ : labels:
+ - source: reqwest::Client::builder().danger_accept_invalid_hostnames(true)
+ style: primary
+ start: 0
+ end: 64
+ ? |
+ reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_certs(true)
+ : labels:
+ - source: reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_certs(true)
+ style: primary
+ start: 0
+ end: 104
+ ? |
+ reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_hostnames(true)
+ : labels:
+ - source: reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_hostnames(true)
+ style: primary
+ start: 0
+ end: 108
diff --git a/tests/__snapshots__/rsa-no-padding-java-snapshot.yml b/tests/__snapshots__/rsa-no-padding-java-snapshot.yml
new file mode 100644
index 00000000..80e65e5d
--- /dev/null
+++ b/tests/__snapshots__/rsa-no-padding-java-snapshot.yml
@@ -0,0 +1,18 @@
+id: rsa-no-padding-java
+snapshots:
+ ? |-
+ Cipher.getInstance("RSA/None/NoPadding");
+ Cipher.getInstance("RSA/NONE/NoPadding");
+ : labels:
+ - source: Cipher.getInstance("RSA/None/NoPadding")
+ style: primary
+ start: 0
+ end: 40
+ ? |
+ Cipher.getInstance("RSA/None/NoPadding");
+ Cipher.getInstance("RSA/NONE/NoPadding");
+ : labels:
+ - source: Cipher.getInstance("RSA/None/NoPadding")
+ style: primary
+ start: 0
+ end: 40
diff --git a/tests/__snapshots__/rsa-no-padding-kotlin-snapshot.yml b/tests/__snapshots__/rsa-no-padding-kotlin-snapshot.yml
new file mode 100644
index 00000000..4507882d
--- /dev/null
+++ b/tests/__snapshots__/rsa-no-padding-kotlin-snapshot.yml
@@ -0,0 +1,10 @@
+id: rsa-no-padding-kotlin
+snapshots:
+ ? |
+ Cipher.getInstance("RSA/None/NoPadding");
+ Cipher.getInstance("RSA/NONE/NoPadding");
+ : labels:
+ - source: Cipher.getInstance("RSA/None/NoPadding")
+ style: primary
+ start: 0
+ end: 40
diff --git a/tests/__snapshots__/rsa-padding-set-scala-snapshot.yml b/tests/__snapshots__/rsa-padding-set-scala-snapshot.yml
new file mode 100644
index 00000000..1274abe0
--- /dev/null
+++ b/tests/__snapshots__/rsa-padding-set-scala-snapshot.yml
@@ -0,0 +1,15 @@
+id: rsa-padding-set-scala
+snapshots:
+ Cipher.getInstance("RSA/ECB/NoPadding"):
+ labels:
+ - source: Cipher.getInstance("RSA/ECB/NoPadding")
+ style: primary
+ start: 0
+ end: 39
+ ? |
+ Cipher.getInstance("RSA/ECB/NoPadding")
+ : labels:
+ - source: Cipher.getInstance("RSA/ECB/NoPadding")
+ style: primary
+ start: 0
+ end: 39
diff --git a/tests/__snapshots__/sizeof-this-c-snapshot.yml b/tests/__snapshots__/sizeof-this-c-snapshot.yml
new file mode 100644
index 00000000..e8db9995
--- /dev/null
+++ b/tests/__snapshots__/sizeof-this-c-snapshot.yml
@@ -0,0 +1,9 @@
+id: sizeof-this-c
+snapshots:
+ ? |
+ return sizeof(this);
+ : labels:
+ - source: sizeof(this)
+ style: primary
+ start: 7
+ end: 19
diff --git a/tests/__snapshots__/system-setproperty-hardcoded-secret-java-snapshot.yml b/tests/__snapshots__/system-setproperty-hardcoded-secret-java-snapshot.yml
new file mode 100644
index 00000000..9130101a
--- /dev/null
+++ b/tests/__snapshots__/system-setproperty-hardcoded-secret-java-snapshot.yml
@@ -0,0 +1,10 @@
+id: system-setproperty-hardcoded-secret-java
+snapshots:
+ ? |
+ System.setProperty("javax.net.ssl.keyStorePassword", "password");
+ System.setProperty("javax.net.ssl.trustStorePassword", "password");
+ : labels:
+ - source: System.setProperty("javax.net.ssl.keyStorePassword", "password");
+ style: primary
+ start: 0
+ end: 65
diff --git a/tests/__snapshots__/system-setproperty-hardcoded-secret-kotlin-snapshot.yml b/tests/__snapshots__/system-setproperty-hardcoded-secret-kotlin-snapshot.yml
new file mode 100644
index 00000000..0d421bce
--- /dev/null
+++ b/tests/__snapshots__/system-setproperty-hardcoded-secret-kotlin-snapshot.yml
@@ -0,0 +1,10 @@
+id: system-setproperty-hardcoded-secret-kotlin
+snapshots:
+ ? |
+ System.setProperty("javax.net.ssl.keyStorePassword", "password");
+ System.setProperty("javax.net.ssl.trustStorePassword", "password");
+ : labels:
+ - source: System.setProperty("javax.net.ssl.keyStorePassword", "password")
+ style: primary
+ start: 0
+ end: 64
diff --git a/tests/__snapshots__/unencrypted-socket-java-snapshot.yml b/tests/__snapshots__/unencrypted-socket-java-snapshot.yml
new file mode 100644
index 00000000..e0becd2b
--- /dev/null
+++ b/tests/__snapshots__/unencrypted-socket-java-snapshot.yml
@@ -0,0 +1,58 @@
+id: unencrypted-socket-java
+snapshots:
+ ? |
+ ServerSocket ssoc = new ServerSocket(1234);
+ : labels:
+ - source: new ServerSocket(1234)
+ style: primary
+ start: 20
+ end: 42
+ ? |
+ ServerSocket ssoc1 = new ServerSocket();
+ : labels:
+ - source: new ServerSocket()
+ style: primary
+ start: 21
+ end: 39
+ ? |
+ ServerSocket ssoc2 = new ServerSocket(1234, 10);
+ : labels:
+ - source: new ServerSocket(1234, 10)
+ style: primary
+ start: 21
+ end: 47
+ ? |
+ ServerSocket ssoc3 = new ServerSocket(1234, 10, InetAddress.getByAddress(address));
+ : labels:
+ - source: new ServerSocket(1234, 10, InetAddress.getByAddress(address))
+ style: primary
+ start: 21
+ end: 82
+ ? |
+ Socket soc = new Socket("www.google.com", 80);
+ : labels:
+ - source: new Socket("www.google.com", 80)
+ style: primary
+ start: 13
+ end: 45
+ ? |
+ Socket soc1 = new Socket("www.google.com", 80, true);
+ : labels:
+ - source: new Socket("www.google.com", 80, true)
+ style: primary
+ start: 14
+ end: 52
+ ? |
+ Socket soc2 = new Socket("www.google.com", 80, InetAddress.getByAddress(address), 13337);
+ : labels:
+ - source: new Socket("www.google.com", 80, InetAddress.getByAddress(address), 13337)
+ style: primary
+ start: 14
+ end: 88
+ ? |
+ Socket soc3 = new Socket(InetAddress.getByAddress(remoteAddress), 80);
+ : labels:
+ - source: new Socket(InetAddress.getByAddress(remoteAddress), 80)
+ style: primary
+ start: 14
+ end: 69
diff --git a/tests/__snapshots__/use-of-aes-ecb-java-snapshot.yml b/tests/__snapshots__/use-of-aes-ecb-java-snapshot.yml
new file mode 100644
index 00000000..6c8a701c
--- /dev/null
+++ b/tests/__snapshots__/use-of-aes-ecb-java-snapshot.yml
@@ -0,0 +1,10 @@
+id: use-of-aes-ecb-java
+snapshots:
+ ? |
+ Cipher.getInstance("AES/ECB/NoPadding")
+ Cipher.getInstance("AES/ECB/PKCS5Padding")
+ : labels:
+ - source: Cipher.getInstance("AES/ECB/NoPadding")
+ style: primary
+ start: 0
+ end: 39
diff --git a/tests/__snapshots__/use-of-blowfish-java-snapshot.yml b/tests/__snapshots__/use-of-blowfish-java-snapshot.yml
new file mode 100644
index 00000000..cc54e7fb
--- /dev/null
+++ b/tests/__snapshots__/use-of-blowfish-java-snapshot.yml
@@ -0,0 +1,16 @@
+id: use-of-blowfish-java
+snapshots:
+ ? |
+ Cipher.getInstance("Blowfish");
+ : labels:
+ - source: Cipher.getInstance("Blowfish")
+ style: primary
+ start: 0
+ end: 30
+ ? |
+ useCipher(Cipher.getInstance("Blowfish"));
+ : labels:
+ - source: Cipher.getInstance("Blowfish")
+ style: primary
+ start: 10
+ end: 40
diff --git a/tests/__snapshots__/use-of-md5-digest-utils-java-snapshot.yml b/tests/__snapshots__/use-of-md5-digest-utils-java-snapshot.yml
new file mode 100644
index 00000000..fe41e08d
--- /dev/null
+++ b/tests/__snapshots__/use-of-md5-digest-utils-java-snapshot.yml
@@ -0,0 +1,9 @@
+id: use-of-md5-digest-utils-java
+snapshots:
+ ? |
+ byte[] hashValue = DigestUtils.getMd5Digest().digest(password.getBytes());
+ : labels:
+ - source: DigestUtils.getMd5Digest().digest(password.getBytes())
+ style: primary
+ start: 19
+ end: 73
diff --git a/tests/__snapshots__/use-of-md5-java-snapshot.yml b/tests/__snapshots__/use-of-md5-java-snapshot.yml
new file mode 100644
index 00000000..6f6c27ae
--- /dev/null
+++ b/tests/__snapshots__/use-of-md5-java-snapshot.yml
@@ -0,0 +1,9 @@
+id: use-of-md5-java
+snapshots:
+ ? |
+ MessageDigest md5Digest = MessageDigest.getInstance("MD5");
+ : labels:
+ - source: MessageDigest.getInstance("MD5")
+ style: primary
+ start: 26
+ end: 58
diff --git a/tests/__snapshots__/use-of-rc4-java-snapshot.yml b/tests/__snapshots__/use-of-rc4-java-snapshot.yml
new file mode 100644
index 00000000..cbf4423c
--- /dev/null
+++ b/tests/__snapshots__/use-of-rc4-java-snapshot.yml
@@ -0,0 +1,16 @@
+id: use-of-rc4-java
+snapshots:
+ ? |
+ Cipher.getInstance("RC4");
+ : labels:
+ - source: Cipher.getInstance("RC4")
+ style: primary
+ start: 0
+ end: 25
+ ? |
+ useCipher(Cipher.getInstance("RC4"));
+ : labels:
+ - source: Cipher.getInstance("RC4")
+ style: primary
+ start: 10
+ end: 35
diff --git a/tests/__snapshots__/use-of-sha1-java-snapshot.yml b/tests/__snapshots__/use-of-sha1-java-snapshot.yml
new file mode 100644
index 00000000..444fe5b3
--- /dev/null
+++ b/tests/__snapshots__/use-of-sha1-java-snapshot.yml
@@ -0,0 +1,10 @@
+id: use-of-sha1-java
+snapshots:
+ ? |
+ java.security.MessageDigest md = java.security.MessageDigest.getInstance("SHA1", "SUN");
+ DigestUtils.getSha1Digest().digest(password.getBytes());
+ : labels:
+ - source: java.security.MessageDigest.getInstance("SHA1", "SUN")
+ style: primary
+ start: 33
+ end: 87
diff --git a/tests/__snapshots__/use-of-weak-rsa-key-java-snapshot.yml b/tests/__snapshots__/use-of-weak-rsa-key-java-snapshot.yml
new file mode 100644
index 00000000..bb83308a
--- /dev/null
+++ b/tests/__snapshots__/use-of-weak-rsa-key-java-snapshot.yml
@@ -0,0 +1,34 @@
+id: use-of-weak-rsa-key-java
+snapshots:
+ ? |
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+ keyGen.initialize(-512);
+ : labels:
+ - source: keyGen.initialize(-512)
+ style: primary
+ start: 63
+ end: 86
+ ? |
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+ keyGen.initialize(512);
+ : labels:
+ - source: keyGen.initialize(512)
+ style: primary
+ start: 63
+ end: 85
+ ? |
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+ keyGen.initialize(512.0);
+ : labels:
+ - source: keyGen.initialize(512.0)
+ style: primary
+ start: 63
+ end: 87
+ ? |
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+ keyGen.initialize(512.09);
+ : labels:
+ - source: keyGen.initialize(512.09)
+ style: primary
+ start: 63
+ end: 88
diff --git a/tests/__snapshots__/use-of-weak-rsa-key-kotlin-snapshot.yml b/tests/__snapshots__/use-of-weak-rsa-key-kotlin-snapshot.yml
new file mode 100644
index 00000000..5c7fe552
--- /dev/null
+++ b/tests/__snapshots__/use-of-weak-rsa-key-kotlin-snapshot.yml
@@ -0,0 +1,10 @@
+id: use-of-weak-rsa-key-kotlin
+snapshots:
+ ? |
+ KeyPairGenerator.getInstance("RSA")
+ keyGen.initialize(-5.12);
+ : labels:
+ - source: keyGen.initialize(-5.12)
+ style: primary
+ start: 36
+ end: 60
diff --git a/tests/__snapshots__/weak-ssl-context-java-snapshot.yml b/tests/__snapshots__/weak-ssl-context-java-snapshot.yml
new file mode 100644
index 00000000..ca21f566
--- /dev/null
+++ b/tests/__snapshots__/weak-ssl-context-java-snapshot.yml
@@ -0,0 +1,37 @@
+id: weak-ssl-context-java
+snapshots:
+ ? |
+ SSLContext ctx = SSLContext.getInstance("SSL");
+ : labels:
+ - source: SSLContext.getInstance("SSL")
+ style: primary
+ start: 17
+ end: 46
+ ? |
+ SSLContext ctx = SSLContext.getInstance("SSLv3");
+ : labels:
+ - source: SSLContext.getInstance("SSLv3")
+ style: primary
+ start: 17
+ end: 48
+ ? |
+ SSLContext ctx = SSLContext.getInstance("TLS");
+ : labels:
+ - source: SSLContext.getInstance("TLS")
+ style: primary
+ start: 17
+ end: 46
+ ? |
+ SSLContext ctx = SSLContext.getInstance("TLSv1");
+ : labels:
+ - source: SSLContext.getInstance("TLSv1")
+ style: primary
+ start: 17
+ end: 48
+ ? |
+ SSLContext ctx = SSLContext.getInstance("TLSv1.1");
+ : labels:
+ - source: SSLContext.getInstance("TLSv1.1")
+ style: primary
+ start: 17
+ end: 50
diff --git a/tests/__snapshots__/xmlinputfactory-dtd-enabled-scala-snapshot.yml b/tests/__snapshots__/xmlinputfactory-dtd-enabled-scala-snapshot.yml
new file mode 100644
index 00000000..ed6503fc
--- /dev/null
+++ b/tests/__snapshots__/xmlinputfactory-dtd-enabled-scala-snapshot.yml
@@ -0,0 +1,19 @@
+id: xmlinputfactory-dtd-enabled-scala
+snapshots:
+ ? |-
+ val factory = XMLInputFactory.newFactory()
+ val fileReader = new FileReader(file)
+ : labels:
+ - source: XMLInputFactory.newFactory()
+ style: primary
+ start: 14
+ end: 42
+ ? |-
+ val factory = XMLInputFactory.newFactory()
+ val fileReader = new FileReader(file)
+ val fileReader = new FileReader(file)
+ : labels:
+ - source: XMLInputFactory.newFactory()
+ style: primary
+ start: 14
+ end: 42
diff --git a/tests/c/libxml2-audit-parser-c-test.yml b/tests/c/libxml2-audit-parser-c-test.yml
new file mode 100644
index 00000000..d5fca034
--- /dev/null
+++ b/tests/c/libxml2-audit-parser-c-test.yml
@@ -0,0 +1,8 @@
+id: libxml2-audit-parser-c
+valid:
+ - |
+ xmlCtxtReadMemory();
+invalid:
+ - |
+ xmlParseInNodeContext(cur_node->parent, xml_filtered.c_str(),
+ (int)xml_filtered.length(), 0, &pNewNode);
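Review bot: The `valid` case `xmlCtxtReadMemory();` passes only because a zero-argument call matches none of the rule's arities, not because it shows a safe parse; the rule reports every call regardless of `$XML_OPTIONS`, so a real `xmlCtxtReadMemory(ctx, buf, len, url, enc, XML_PARSE_NONET)` would still be flagged. Replace it with a call that is genuinely outside the rule's scope, or drop the `valid` section, so the fixture does not imply the rule distinguishes safe options from unsafe ones. The `invalid` section exercises only `xmlParseInNodeContext`, one of the eleven patterns; a case per remaining entry (`xmlReadFile`, `xmlReadMemory`, `xmlCtxtReadFile`, …) would catch a typo in any of them. The cpp fixture in tests/cpp/libxml2-audit-parser-cpp-test.yml has the same shape and the same gap.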
diff --git a/tests/c/sizeof-this-c-test.yml b/tests/c/sizeof-this-c-test.yml
new file mode 100644
index 00000000..f9be53fb
--- /dev/null
+++ b/tests/c/sizeof-this-c-test.yml
@@ -0,0 +1,7 @@
+id: sizeof-this-c
+valid:
+ - |
+ return sizeof(*this);
+invalid:
+ - |
+ return sizeof(this);
diff --git a/tests/cpp/libxml2-audit-parser-cpp-test.yml b/tests/cpp/libxml2-audit-parser-cpp-test.yml
new file mode 100644
index 00000000..f09ad2bd
--- /dev/null
+++ b/tests/cpp/libxml2-audit-parser-cpp-test.yml
@@ -0,0 +1,8 @@
+id: libxml2-audit-parser-cpp
+valid:
+ - |
+ xmlCtxtReadMemory();
+invalid:
+ - |
+ xmlParseInNodeContext(cur_node->parent, xml_filtered.c_str(),
+ (int)xml_filtered.length(), 0, &pNewNode);
diff --git a/tests/csharp/httponly-false-csharp-test.yml b/tests/csharp/httponly-false-csharp-test.yml
new file mode 100644
index 00000000..92062f04
--- /dev/null
+++ b/tests/csharp/httponly-false-csharp-test.yml
@@ -0,0 +1,11 @@
+id: httponly-false-csharp
+valid:
+ - |
+ myHttpOnlyCookie.HttpOnly = true;
+ - |
+ options.Cookie.HttpOnly = true;
+invalid:
+ - |
+ myHttpOnlyCookie.HttpOnly = false;
+ - |
+ options.Cookie.HttpOnly = false;
diff --git a/tests/html/plaintext-http-link-html-test.yml b/tests/html/plaintext-http-link-html-test.yml
new file mode 100644
index 00000000..c73d9bd0
--- /dev/null
+++ b/tests/html/plaintext-http-link-html-test.yml
@@ -0,0 +1,15 @@
+id: plaintext-http-link-html
+valid:
+ - |
+ Astgrep
+ Astgrep
+ Astgrep
+invalid:
+ - |
+ Astgrep
+ Astgrep
+ Astgrep
+ Astgrep
+ Astgrep
+ Astgrep
+ Astgrep
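Review bot: As rendered, both fixtures contain only the bare word `Astgrep` repeated, with no `<a href=...>` markup, so the test as shown cannot distinguish an http link from an https one; the snapshot's `end: 40` for a seven-character label suggests the anchor tags were stripped when this page was rendered rather than absent from the commit. Verify the committed file still carries the `<a href="http://...">` and `<a href="https://...">` elements, and consider one `valid` entry per non-http form (https, protocol-relative, relative path) so the rule is pinned to the scheme and not to the anchor element itself.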
diff --git a/tests/java/cbc-padding-oracle-java-test.yml b/tests/java/cbc-padding-oracle-java-test.yml
new file mode 100644
index 00000000..8a0336cf
--- /dev/null
+++ b/tests/java/cbc-padding-oracle-java-test.yml
@@ -0,0 +1,7 @@
+id: cbc-padding-oracle-java
+valid:
+ - |
+ Cipher.getInstance("AES/GCM/NoPadding");
+invalid:
+ - |
+ Cipher.getInstance("AES/CBC/PKCS5Padding");
diff --git a/tests/java/cbc-padding-oracle-test.yml b/tests/java/cbc-padding-oracle-test.yml
deleted file mode 100644
index 2085aa72..00000000
--- a/tests/java/cbc-padding-oracle-test.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-id: cbc-padding-oracle
-valid:
- - |
- Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
- c.init(Cipher.ENCRYPT_MODE, k, iv);
- byte[] cipherText = c.doFinal(plainText);
-invalid:
- - |
- Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
- IvParameterSpec iv = new IvParameterSpec(new byte[16]);
- cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(new byte[16], "AES"), iv);
\ No newline at end of file
diff --git a/tests/java/des-is-deprecated-java-test.yml b/tests/java/des-is-deprecated-java-test.yml
new file mode 100644
index 00000000..bc26dbd7
--- /dev/null
+++ b/tests/java/des-is-deprecated-java-test.yml
@@ -0,0 +1,7 @@
+id: des-is-deprecated-java
+valid:
+ - |
+ Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
+invalid:
+ - |
+ Cipher.getInstance("DES/ECB/PKCS5Padding");
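Review bot: Neither section pins how this rule treats `DESede`; a loose match on the substring `DES` would also fire on `Cipher.getInstance("DESede/ECB/PKCS5Padding")` and double-report with desede-is-deprecated-java, while a strict match would not. Add that transformation string to whichever of `valid` or `invalid` reflects the intent so the overlap between the two rules is a tested decision rather than an accident. The kotlin counterpart in tests/kotlin/des-is-deprecated-kotlin-test.yml has the same gap.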
diff --git a/tests/java/desede-is-deprecated-java-test.yml b/tests/java/desede-is-deprecated-java-test.yml
new file mode 100644
index 00000000..7ae2996e
--- /dev/null
+++ b/tests/java/desede-is-deprecated-java-test.yml
@@ -0,0 +1,8 @@
+id: desede-is-deprecated-java
+valid:
+ - |
+ Cipher.getInstance("AES/GCM/NoPadding");
+invalid:
+ - |
+ Cipher.getInstance("DESede/ECB/PKCS5Padding");
+ javax.crypto.KeyGenerator.getInstance("DES")
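Review bot: The single `invalid` entry bundles `Cipher.getInstance("DESede/ECB/PKCS5Padding")` with `javax.crypto.KeyGenerator.getInstance("DES")`, so the case passes as long as either line matches; if the snapshot records matches in source order, the fact that it labels only the `KeyGenerator` call at offset 47 suggests the `DESede` cipher string is not matched at all. Split each statement into its own `- |` entry so every pattern is pinned independently and a regression in one cannot hide behind the other. The same bundling masks single-pattern regressions in tests/java/no-null-cipher-java-test.yml, tests/java/rsa-no-padding-java-test.yml (the uppercase `RSA/NONE/NoPadding` spelling), tests/java/system-setproperty-hardcoded-secret-java-test.yml, tests/java/use-of-aes-ecb-java-test.yml, tests/java/use-of-sha1-java-test.yml (`DigestUtils.getSha1Digest()`), and the kotlin counterparts for desede, rsa-no-padding and system-setproperty.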
diff --git a/tests/java/ecb-cipher-java-test.yml b/tests/java/ecb-cipher-java-test.yml
new file mode 100644
index 00000000..b9089221
--- /dev/null
+++ b/tests/java/ecb-cipher-java-test.yml
@@ -0,0 +1,7 @@
+id: ecb-cipher-java
+valid:
+ - |
+ Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
+invalid:
+ - |
+ Cipher c = Cipher.getInstance("AES/ECB/NoPadding");
diff --git a/tests/java/no-null-cipher-java-test.yml b/tests/java/no-null-cipher-java-test.yml
new file mode 100644
index 00000000..ef38e9f6
--- /dev/null
+++ b/tests/java/no-null-cipher-java-test.yml
@@ -0,0 +1,8 @@
+id: no-null-cipher-java
+valid:
+ - |
+ Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
+invalid:
+ - |
+ Cipher doNothingCihper = new NullCipher();
+ new javax.crypto.NullCipher();
diff --git a/tests/java/rsa-no-padding-java-test.yml b/tests/java/rsa-no-padding-java-test.yml
new file mode 100644
index 00000000..cb962e9e
--- /dev/null
+++ b/tests/java/rsa-no-padding-java-test.yml
@@ -0,0 +1,8 @@
+id: rsa-no-padding-java
+valid:
+ - |
+ Cipher.getInstance("RSA/ECB/OAEPWithMD5AndMGF1Padding");
+invalid:
+ - |
+ Cipher.getInstance("RSA/None/NoPadding");
+ Cipher.getInstance("RSA/NONE/NoPadding");
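Review bot: `RSA/ECB/OAEPWithMD5AndMGF1Padding` as the `valid` example models a weak hash inside OAEP, so the fixture teaches the wrong pattern even though it is correctly outside this rule's scope. `RSA/ECB/OAEPWithSHA-256AndMGF1Padding` is equally padded and a safer thing for readers to copy; the kotlin counterpart in tests/kotlin/rsa-no-padding-kotlin.yml uses the same MD5 string.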
diff --git a/tests/java/system-setproperty-hardcoded-secret-java-test.yml b/tests/java/system-setproperty-hardcoded-secret-java-test.yml
new file mode 100644
index 00000000..4bf72c91
--- /dev/null
+++ b/tests/java/system-setproperty-hardcoded-secret-java-test.yml
@@ -0,0 +1,9 @@
+id: system-setproperty-hardcoded-secret-java
+valid:
+ - |
+ System.setProperty("javax.net.ssl.trustStorePassword", config);
+ System.setProperty("javax.net.ssl.keyStorePassword", config);
+invalid:
+ - |
+ System.setProperty("javax.net.ssl.keyStorePassword", "password");
+ System.setProperty("javax.net.ssl.trustStorePassword", "password");
diff --git a/tests/java/unencrypted-socket-java-test.yml b/tests/java/unencrypted-socket-java-test.yml
new file mode 100644
index 00000000..d023debf
--- /dev/null
+++ b/tests/java/unencrypted-socket-java-test.yml
@@ -0,0 +1,23 @@
+id: unencrypted-socket-java
+valid:
+ - |
+ Socket soc = SSLSocketFactory.getDefault().createSocket("www.google.com", 443);
+ - |
+ ServerSocket ssoc = SSLServerSocketFactory.getDefault().createServerSocket(1234);
+invalid:
+ - |
+ Socket soc = new Socket("www.google.com", 80);
+ - |
+ Socket soc1 = new Socket("www.google.com", 80, true);
+ - |
+ Socket soc2 = new Socket("www.google.com", 80, InetAddress.getByAddress(address), 13337);
+ - |
+ Socket soc3 = new Socket(InetAddress.getByAddress(remoteAddress), 80);
+ - |
+ ServerSocket ssoc = new ServerSocket(1234);
+ - |
+ ServerSocket ssoc1 = new ServerSocket();
+ - |
+ ServerSocket ssoc2 = new ServerSocket(1234, 10);
+ - |
+ ServerSocket ssoc3 = new ServerSocket(1234, 10, InetAddress.getByAddress(address));
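Review bot: The no-argument server form `new ServerSocket()` is covered but there is no matching no-argument client case, so `new Socket()` — the form later bound with `connect()` — is untested on either side. Add it to whichever section reflects the rule's intent, since a pattern written only for the argument-taking constructors would silently miss it.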
diff --git a/tests/java/use-of-aes-ecb-java-test.yml b/tests/java/use-of-aes-ecb-java-test.yml
new file mode 100644
index 00000000..cd41ad9e
--- /dev/null
+++ b/tests/java/use-of-aes-ecb-java-test.yml
@@ -0,0 +1,8 @@
+id: use-of-aes-ecb-java
+valid:
+ - |
+ Cipher.getInstance("AES/CBC/PKCS7PADDING")
+invalid:
+ - |
+ Cipher.getInstance("AES/ECB/NoPadding")
+ Cipher.getInstance("AES/ECB/PKCS5Padding")
diff --git a/tests/java/use-of-blowfish-java-test.yml b/tests/java/use-of-blowfish-java-test.yml
new file mode 100644
index 00000000..c4a43b2d
--- /dev/null
+++ b/tests/java/use-of-blowfish-java-test.yml
@@ -0,0 +1,9 @@
+id: use-of-blowfish-java
+valid:
+ - |
+ Cipher.getInstance("AES/CBC/PKCS7PADDING");
+invalid:
+ - |
+ Cipher.getInstance("Blowfish");
+ - |
+ useCipher(Cipher.getInstance("Blowfish"));
diff --git a/tests/java/use-of-md5-digest-utils-java-test.yml b/tests/java/use-of-md5-digest-utils-java-test.yml
new file mode 100644
index 00000000..f6bc228d
--- /dev/null
+++ b/tests/java/use-of-md5-digest-utils-java-test.yml
@@ -0,0 +1,9 @@
+id: use-of-md5-digest-utils-java
+valid:
+ - |
+ MessageDigest md5Digest = MessageDigest.getInstance("MD5");
+ - |
+ byte[] hashValue = DigestUtils.getSha512Digest().digest(password.getBytes());
+invalid:
+ - |
+ byte[] hashValue = DigestUtils.getMd5Digest().digest(password.getBytes());
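Review bot: `MessageDigest.getInstance("MD5")` as a `valid` fixture reads as an endorsement of MD5 until one realises it is there to pin this rule to the `DigestUtils` API only, and a future contributor is likely to "fix" it. A comment on that line such as `# out of scope here: reported by use-of-md5-java` records the intent; the `getSha512Digest()` case already documents the genuine negative, so the MD5 line is the only one that needs explaining.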
diff --git a/tests/java/use-of-md5-java-test.yml b/tests/java/use-of-md5-java-test.yml
new file mode 100644
index 00000000..af34098d
--- /dev/null
+++ b/tests/java/use-of-md5-java-test.yml
@@ -0,0 +1,7 @@
+id: use-of-md5-java
+valid:
+ - |
+ MessageDigest md5Digest = MessageDigest.getInstance("SHA-512");
+invalid:
+ - |
+ MessageDigest md5Digest = MessageDigest.getInstance("MD5");
diff --git a/tests/java/use-of-rc4-java-test.yml b/tests/java/use-of-rc4-java-test.yml
new file mode 100644
index 00000000..a82db3b3
--- /dev/null
+++ b/tests/java/use-of-rc4-java-test.yml
@@ -0,0 +1,9 @@
+id: use-of-rc4-java
+valid:
+ - |
+ Cipher.getInstance("AES/CBC/PKCS7PADDING");
+invalid:
+ - |
+ Cipher.getInstance("RC4");
+ - |
+ useCipher(Cipher.getInstance("RC4"));
diff --git a/tests/java/use-of-sha1-java-test.yml b/tests/java/use-of-sha1-java-test.yml
new file mode 100644
index 00000000..307dc641
--- /dev/null
+++ b/tests/java/use-of-sha1-java-test.yml
@@ -0,0 +1,10 @@
+id: use-of-sha1-java
+valid:
+ - |
+ java.io.File fileTarget = new java.io.File(
+ new java.io.File(org.owasp.benchmark.helpers.Utils.TESTFILES_DIR),
+ "passwordFile.txt");
+invalid:
+ - |
+ java.security.MessageDigest md = java.security.MessageDigest.getInstance("SHA1", "SUN");
+ DigestUtils.getSha1Digest().digest(password.getBytes());
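Review bot: The `valid` case is an unrelated `java.io.File` construction, so it does not show that the rule stays quiet on a near-miss digest. A fixture such as `java.security.MessageDigest.getInstance("SHA-256")` together with `DigestUtils.getSha256Digest()` would pin that `SHA1` is matched on the algorithm string rather than on the `getInstance`/`DigestUtils` call itself.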
diff --git a/tests/java/use-of-weak-rsa-key-java-test.yml b/tests/java/use-of-weak-rsa-key-java-test.yml
new file mode 100644
index 00000000..c1aee8fa
--- /dev/null
+++ b/tests/java/use-of-weak-rsa-key-java-test.yml
@@ -0,0 +1,18 @@
+id: use-of-weak-rsa-key-java
+valid:
+ - |
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+ keyGen.initialize(2048);
+invalid:
+ - |
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+ keyGen.initialize(512);
+ - |
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+ keyGen.initialize(-512);
+ - |
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+ keyGen.initialize(512.09);
+ - |
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+ keyGen.initialize(512.0);
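Review bot: The `invalid` sizes stop at 512 and the `valid` size starts at 2048, so the rule's actual threshold is untested on both sides; add one case at the largest size the rule should still flag and one at the smallest it should accept (the rule file is outside this hunk, so I cannot tell whether that boundary is 1024 or 2048). The non-integer arguments `512.0` and `512.09` are not legal Java for `initialize(int)`; if they are there to check that the rule tolerates odd literals, a one-line comment saying so would stop them being read as typos.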
diff --git a/tests/java/weak-ssl-context-java-test.yml b/tests/java/weak-ssl-context-java-test.yml
new file mode 100644
index 00000000..66505656
--- /dev/null
+++ b/tests/java/weak-ssl-context-java-test.yml
@@ -0,0 +1,19 @@
+id: weak-ssl-context-java
+valid:
+ - |
+ SSLContext ctx = SSLContext.getInstance("TLSv1.2");
+ - |
+ SSLContext ctx = SSLContext.getInstance("TLSv1.3");
+ - |
+ SSLContext ctx = SSLContext.getInstance(getSslContext());
+invalid:
+ - |
+ SSLContext ctx = SSLContext.getInstance("SSL");
+ - |
+ SSLContext ctx = SSLContext.getInstance("TLS");
+ - |
+ SSLContext ctx = SSLContext.getInstance("TLSv1");
+ - |
+ SSLContext ctx = SSLContext.getInstance("SSLv3");
+ - |
+ SSLContext ctx = SSLContext.getInstance("TLSv1.1");
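Review bot: `SSLContext.getInstance("TLS")` sits in `invalid` without explanation, and on a current JDK that alias negotiates the newest supported version, so readers will assume it is a false positive. A comment such as `# "TLS" leaves the version to the runtime and can still negotiate TLSv1/TLSv1.1 on older JDKs or a relaxed jdk.tls.disabledAlgorithms` records why the rule treats it as weak. The `valid` case `getInstance(getSslContext())` is a good negative for non-literal arguments and worth keeping.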
diff --git a/tests/kotlin/des-is-deprecated-kotlin-test.yml b/tests/kotlin/des-is-deprecated-kotlin-test.yml
new file mode 100644
index 00000000..60949d48
--- /dev/null
+++ b/tests/kotlin/des-is-deprecated-kotlin-test.yml
@@ -0,0 +1,7 @@
+id: des-is-deprecated-kotlin
+valid:
+ - |
+ Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
+invalid:
+ - |
+ Cipher.getInstance("DES/ECB/PKCS5Padding");
diff --git a/tests/kotlin/desede-is-deprecated-kotlin-test.yml b/tests/kotlin/desede-is-deprecated-kotlin-test.yml
new file mode 100644
index 00000000..c3d2e28e
--- /dev/null
+++ b/tests/kotlin/desede-is-deprecated-kotlin-test.yml
@@ -0,0 +1,8 @@
+id: desede-is-deprecated-kotlin
+valid:
+ - |
+ Cipher.getInstance("AES/GCM/NoPadding");
+invalid:
+ - |
+ Cipher.getInstance("DESede/ECB/PKCS5Padding");
+ javax.crypto.KeyGenerator.getInstance("DES")
diff --git a/tests/kotlin/rsa-no-padding-kotlin.yml b/tests/kotlin/rsa-no-padding-kotlin.yml
new file mode 100644
index 00000000..6dc46d21
--- /dev/null
+++ b/tests/kotlin/rsa-no-padding-kotlin.yml
@@ -0,0 +1,8 @@
+id: rsa-no-padding-kotlin
+valid:
+ - |
+ Cipher.getInstance("RSA/ECB/OAEPWithMD5AndMGF1Padding");
+invalid:
+ - |
+ Cipher.getInstance("RSA/None/NoPadding");
+ Cipher.getInstance("RSA/NONE/NoPadding");
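Review bot: This file is named `rsa-no-padding-kotlin.yml` while every other fixture in this commit ends in `-test.yml`; if the harness selects by directory the case still runs, but anyone grepping for tests by suffix will miss it, so rename it to `rsa-no-padding-kotlin-test.yml`. The `valid` case also repeats the `OAEPWithMD5AndMGF1Padding` string discussed on the java counterpart.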
diff --git a/tests/kotlin/system-setproperty-hardcoded-secret-kotlin-test.yml b/tests/kotlin/system-setproperty-hardcoded-secret-kotlin-test.yml
new file mode 100644
index 00000000..d66da67a
--- /dev/null
+++ b/tests/kotlin/system-setproperty-hardcoded-secret-kotlin-test.yml
@@ -0,0 +1,9 @@
+id: system-setproperty-hardcoded-secret-kotlin
+valid:
+ - |
+ System.setProperty("javax.net.ssl.trustStorePassword", config);
+ System.setProperty("javax.net.ssl.keyStorePassword", config);
+invalid:
+ - |
+ System.setProperty("javax.net.ssl.keyStorePassword", "password");
+ System.setProperty("javax.net.ssl.trustStorePassword", "password");
diff --git a/tests/kotlin/use-of-weak-rsa-key-kotlin-test.yml b/tests/kotlin/use-of-weak-rsa-key-kotlin-test.yml
new file mode 100644
index 00000000..199c4b1e
--- /dev/null
+++ b/tests/kotlin/use-of-weak-rsa-key-kotlin-test.yml
@@ -0,0 +1,9 @@
+id: use-of-weak-rsa-key-kotlin
+valid:
+ - |
+ KeyPairGenerator.getInstance("RSA")
+ keyGen.initialize(2048);
+invalid:
+ - |
+ KeyPairGenerator.getInstance("RSA")
+ keyGen.initialize(-5.12);
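Review bot: The only `invalid` case here is `keyGen.initialize(-5.12)`, a value that is neither a legal key size nor valid Kotlin for an `Int` parameter, so the rule's core case for Kotlin — a small positive integer such as `keyGen.initialize(512)` — is never exercised. Add that case, and keep the negative float one only if the rule is deliberately meant to reject non-integer arguments.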
diff --git a/tests/rust/reqwest-accept-invalid-rust-test.yml b/tests/rust/reqwest-accept-invalid-rust-test.yml
new file mode 100644
index 00000000..894c5cec
--- /dev/null
+++ b/tests/rust/reqwest-accept-invalid-rust-test.yml
@@ -0,0 +1,13 @@
+id: reqwest-accept-invalid-rust
+valid:
+ - |
+ reqwest::Client::builder().user_agent("USER AGENT")
+invalid:
+ - |
+ reqwest::Client::builder().danger_accept_invalid_hostnames(true)
+ - |
+ reqwest::Client::builder().danger_accept_invalid_certs(true)
+ - |
+ reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_hostnames(true)
+ - |
+ reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_certs(true)
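Review bot: The only `valid` case omits the dangerous methods entirely, so the test does not pin whether `danger_accept_invalid_certs(false)` is accepted; every snapshot pattern carries `true`, which suggests the rule keys on the argument, and a `valid` entry with `false` would lock that in. A chain that continues past the dangerous call, e.g. `...danger_accept_invalid_certs(true).build()`, would also confirm matching is not anchored to the end of the builder chain.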
diff --git a/tests/scala/rsa-padding-set-scala-test.yml b/tests/scala/rsa-padding-set-scala-test.yml
new file mode 100644
index 00000000..3196e148
--- /dev/null
+++ b/tests/scala/rsa-padding-set-scala-test.yml
@@ -0,0 +1,9 @@
+id: rsa-padding-set-scala
+valid:
+ - |
+ Cipher.getInstance("AES/CBC/PKCS5Padding");
+ Cipher.getInstance("DES/ECB/PKCS5Padding");
+ Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
+invalid:
+ - |
+ Cipher.getInstance("RSA/ECB/NoPadding")
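Review bot: The snapshot for this rule carries the same fixture twice — once as a plain key `Cipher.getInstance("RSA/ECB/NoPadding"):` and once as a `? |` block scalar differing only in the trailing newline — which looks like a stale entry left behind after the test text was edited; regenerating the snapshot should prune it. `Cipher.getInstance("DES/ECB/PKCS5Padding")` in `valid` is out of scope for an RSA-padding rule but is itself a weak cipher, so a comment marking it as intentional would help. The `invalid` side covers only `RSA/ECB/NoPadding`, whereas the java tests use `RSA/None/NoPadding`; a Scala case for that spelling would keep the rules aligned.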
diff --git a/tests/scala/xmlinputfactory-dtd-enabled-scala-test.yml b/tests/scala/xmlinputfactory-dtd-enabled-scala-test.yml
new file mode 100644
index 00000000..ab78f6be
--- /dev/null
+++ b/tests/scala/xmlinputfactory-dtd-enabled-scala-test.yml
@@ -0,0 +1,11 @@
+id: xmlinputfactory-dtd-enabled-scala
+valid:
+ - |
+ val factory = XMLInputFactory.newInstance
+ factory.setProperty("javax.xml.stream.isSupportingExternalEntities", false)
+ val fileReader = new FileReader(file)
+invalid:
+ - |
+ val factory = XMLInputFactory.newFactory()
+ val fileReader = new FileReader(file)
+ val fileReader = new FileReader(file)
\ No newline at end of file
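Review bot: The `valid` case differs from the `invalid` one in two ways at once — it calls `XMLInputFactory.newInstance` instead of `newFactory()` and it sets `isSupportingExternalEntities` to false — so it cannot show which of the two keeps the rule quiet; use the same `newFactory()` call in both and vary only the property. For a rule named dtd-enabled the hardening fixture should also set `javax.xml.stream.supportDTD` to false, which is the property that actually disables DTD processing, with external-entity support as a second line. The `invalid` block repeats `val fileReader = new FileReader(file)`, and the file is missing its trailing newline.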
diff --git a/tests/swift/insecure-biometrics-swift-test.yml b/tests/swift/insecure-biometrics-swift-test.yml
new file mode 100644
index 00000000..fffee11c
--- /dev/null
+++ b/tests/swift/insecure-biometrics-swift-test.yml
@@ -0,0 +1,7 @@
+id: insecure-biometrics-swift
+valid:
+ - |
+ context.canEvaluatePolicy(.deviceOwnerAuthentication, error: &error)
+invalid:
+ - |
+ context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: "Authenticate to the application"
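Review bot: The `invalid` fixture is an unterminated call — `context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: "Authenticate to the application"` has no closing `)` and no reply closure — and the snapshot labels only `context.evaluatePolicy` (0–22), which is consistent with the parser recovering from a syntax error rather than the rule matching the full call. Complete the statement, e.g. `context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: "Authenticate to the application") { success, error in }`, so the test exercises the rule on well-formed Swift and the snapshot records the real match span.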