From aa522d7467235a289e3044dfc23422dd11d03edb Mon Sep 17 00:00:00 2001 From: "github-classroom[bot]" <66690702+github-classroom[bot]@users.noreply.github.com> Date: Sun, 12 Apr 2026 10:14:26 +0000 Subject: [PATCH 1/3] Setting up GitHub Classroom Feedback From d331d432820d4a71a5fc39dea6d00996d0626040 Mon Sep 17 00:00:00 2001 From: "github-classroom[bot]" <66690702+github-classroom[bot]@users.noreply.github.com> Date: Sun, 12 Apr 2026 10:14:29 +0000 Subject: [PATCH 2/3] add deadline --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 18eee9a..21b4d8d 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,4 @@ +[![Review Assignment Due Date](https://classroom.github.com/assets/deadline-readme-button-22041afd0340ce965d47ae6ef1cefeee28c7c493a6346c4f15d667ab976d596c.svg)](https://classroom.github.com/a/NSTTkgmb) # Лабораторная работа №4 — Анализ и тестирование безопасности веб-приложения ## Цель From 4362eed8ee120ebe4ff968d81d1ca38fee5ed7c7 Mon Sep 17 00:00:00 2001 From: Timur Khapchaev Date: Tue, 14 Apr 2026 15:14:49 +0300 Subject: [PATCH 3/3] feat: add impl --- .idea/gradle.xml | 2 +- manual-testing.md | 88 + report.md | 281 + semgrep/results/java.json | 88 + semgrep/results/java.sarif | 1747 + semgrep/results/java.txt | 123 + semgrep/results/javalin.json | 308 + semgrep/results/javalin.sarif | 384 + semgrep/results/javalin.txt | 120 + semgrep/results/owasp-top-ten.json | 88 + semgrep/results/owasp-top-ten.sarif | 15566 ++++++ semgrep/results/owasp-top-ten.txt | 69 + semgrep/results/rules.sha256 | 5 + semgrep/results/secrets.json | 88 + semgrep/results/secrets.sarif | 1450 + semgrep/results/secrets.txt | 119 + semgrep/results/security-audit.json | 88 + semgrep/results/security-audit.sarif | 6420 +++ semgrep/results/security-audit.txt | 69 + semgrep/results/summary.txt | 5 + semgrep/results/version.txt | 1 + semgrep/rules/p-java.yml | 4263 ++ semgrep/rules/p-javalin.yml | 81 + semgrep/rules/p-owasp-top-ten.yml | 40379 ++++++++++++++++ semgrep/rules/p-secrets.yml | 2532 + semgrep/rules/p-security-audit.yml | 13698 ++++++ semgrep/run.sh | 84 + .../pentest/ActivityTamperingPentestTest.java | 83 + .../pentest/ErrorDisclosurePentestTest.java | 92 + .../pentest/PathTraversalPentestTest.java | 95 + .../testing/lab4/pentest/SsrfPentestTest.java | 109 + .../testing/lab4/pentest/XssPentestTest.java | 17 +- 32 files changed, 88536 insertions(+), 6 deletions(-) create mode 100644 manual-testing.md create mode 100644 report.md create mode 100644 semgrep/results/java.json create mode 100644 semgrep/results/java.sarif create mode 100644 semgrep/results/java.txt create mode 100644 semgrep/results/javalin.json create mode 100644 semgrep/results/javalin.sarif create mode 100644 semgrep/results/javalin.txt create mode 100644 semgrep/results/owasp-top-ten.json create mode 100644 semgrep/results/owasp-top-ten.sarif create mode 100644 semgrep/results/owasp-top-ten.txt create mode 100644 semgrep/results/rules.sha256 create mode 100644 semgrep/results/secrets.json create mode 100644 semgrep/results/secrets.sarif create mode 100644 semgrep/results/secrets.txt create mode 100644 semgrep/results/security-audit.json create mode 100644 semgrep/results/security-audit.sarif create mode 100644 semgrep/results/security-audit.txt create mode 100644 semgrep/results/summary.txt create mode 100644 semgrep/results/version.txt create mode 100644 semgrep/rules/p-java.yml create mode 100644 semgrep/rules/p-javalin.yml create mode 100644 semgrep/rules/p-owasp-top-ten.yml create mode 100644 semgrep/rules/p-secrets.yml create mode 100644 semgrep/rules/p-security-audit.yml create mode 100644 semgrep/run.sh create mode 100644 src/test/java/ru/itmo/testing/lab4/pentest/ActivityTamperingPentestTest.java create mode 100644 src/test/java/ru/itmo/testing/lab4/pentest/ErrorDisclosurePentestTest.java create mode 100644 src/test/java/ru/itmo/testing/lab4/pentest/PathTraversalPentestTest.java create mode 100644 src/test/java/ru/itmo/testing/lab4/pentest/SsrfPentestTest.java diff --git a/.idea/gradle.xml b/.idea/gradle.xml index 9a03a98..ce1c62c 100644 --- a/.idea/gradle.xml +++ b/.idea/gradle.xml @@ -1,5 +1,6 @@ + diff --git a/manual-testing.md b/manual-testing.md new file mode 100644 index 0000000..6937dd9 --- /dev/null +++ b/manual-testing.md @@ -0,0 +1,88 @@ +# Stage 3 — Ручное тестирование (curl) + +## 0) Запуск приложения + +```bash +./gradlew run +# API: http://localhost:7000 +``` + +--- + +## 1) Базовая регистрация и профиль + +```bash +curl -X POST "http://localhost:7000/register?userId=test&userName=Alice" +curl "http://localhost:7000/userProfile?userId=test" +``` + +--- + +## 2) XSS в userProfile + +```bash +curl -X POST "http://localhost:7000/register?userId=evil&userName=%3Cscript%3Ealert(1)%3C%2Fscript%3E" +curl "http://localhost:7000/userProfile?userId=evil" +``` + +--- + +## 3) Tampering: отрицательная длительность сессии + +```bash +curl -X POST "http://localhost:7000/register?userId=tamper&userName=Alice" +curl -X POST "http://localhost:7000/recordSession?userId=tamper&loginTime=2026-01-02T12:00:00&logoutTime=2026-01-02T11:00:00" +curl "http://localhost:7000/totalActivity?userId=tamper" +``` + +--- + +## 4) Path Traversal в exportReport + +```bash +curl -X POST "http://localhost:7000/register?userId=ptr&userName=Bob" +curl "http://localhost:7000/exportReport?userId=ptr&filename=..%2Foutside.txt" +``` + +--- + +## 5) Information Disclosure через ошибки + +```bash +curl -X POST "http://localhost:7000/recordSession?userId=u1&loginTime=not-a-date&logoutTime=still-not-a-date" +curl -X POST "http://localhost:7000/register?userId=u2&userName=Alice" +curl -X POST "http://localhost:7000/notify?userId=u2&callbackUrl=not-a-url" +``` + +--- + +## 6) SSRF (localhost) + +```bash +# В отдельном терминале: +python3 -m http.server 7780 + +# В терминале с API: +curl -X POST "http://localhost:7000/notify?userId=u2&callbackUrl=http%3A%2F%2Flocalhost%3A7780" +``` + +--- + +## 7) SSRF (file://) + +```bash +echo "DB_PASSWORD=super-secret" > /tmp/ssrf-secret.txt +curl -X POST "http://localhost:7000/notify?userId=u2&callbackUrl=file%3A%2F%2F%2Ftmp%2Fssrf-secret.txt" +``` + +--- + +## 8) Дополнительно: граничные проверки + +```bash +curl "http://localhost:7000/userProfile" +curl "http://localhost:7000/userProfile?userId=unknown" +curl "http://localhost:7000/inactiveUsers" +curl "http://localhost:7000/inactiveUsers?days=abc" +curl "http://localhost:7000/monthlyActivity?userId=test&month=not-a-month" +``` diff --git a/report.md b/report.md new file mode 100644 index 0000000..b67b536 --- /dev/null +++ b/report.md @@ -0,0 +1,281 @@ +# Отчёт по лабораторной работе №4 + +## Этап 1 — Asset Inventory + +| Актив | Тип | Ценность | Примечание | +|---|---|---|---| +| Данные пользователей (`userId`, `userName`) | Данные | Высокая | Используются в HTML-ответе; возможны XSS-атаки и утечка профилей | +| Данные сессий (`loginTime`, `logoutTime`, агрегаты активности) | Данные | Высокая | Влияют на аналитические метрики и бизнес-решения | +| Файловая система сервера | Инфраструктура | Критическая | Через `/exportReport` можно записывать файлы на сервер | +| Внутренняя сеть / локальные ресурсы окружения | Инфраструктура | Критическая | Через `/notify` сервер выполняет запросы к произвольным URL | + +Наиболее критичные активы: файловая система сервера и внутренняя сеть окружения. Их компрометация позволяет выйти за рамки обычной логики API и воздействовать на инфраструктуру. + +--- + +## Этап 2 — Threat Modeling (STRIDE) + +| Категория | Применимо | Источник угрозы | Поверхность атаки | Потенциальный ущерб | +|---|---|---|---|---| +| **S**poofing | Да | Внешний неаутентифицированный клиент | Все endpoint'ы с `userId` | Работа с чужими данными по произвольному `userId` | +| **T**ampering | Да | Внешний клиент | `/recordSession`, `/exportReport` | Искажение метрик, запись файлов вне целевой директории | +| **R**epudiation | Да | Любой клиент | Все endpoint'ы | Отсутствие аудита: сложно доказать факт и источник действий | +| **I**nformation Disclosure | Да | Внешний клиент | `/userProfile`, обработка ошибок с `e.getMessage()`, `/notify` | Утечка внутренних деталей приложения и данных | +| **D**enial of Service | Да | Внешний клиент | Все endpoint'ы | Нет rate limit/квот, можно перегружать API запросами | +| **E**levation of Privilege | Частично | Внешний клиент | `/notify`, `/exportReport` | Переход от логики API к доступу к внутренним ресурсам сервера | + +--- + +## Этап 3 — Ручное тестирование + +Проверены все endpoint'ы: + +| Endpoint | Проверка | Результат | +|---|---|---| +| `POST /register` | Спецсимволы в `userName` | Payload сохраняется и попадает в HTML-профиль | +| `POST /recordSession` | `logoutTime < loginTime` | Невалидная сессия принимается | +| `GET /totalActivity` | Значение после tampering-сессии | Возвращается отрицательное время активности | +| `GET /inactiveUsers` | Границы параметра `days` | Критичных security-дефектов не выявлено | +| `GET /monthlyActivity` | Невалидные входные данные | В ответе раскрываются детали исключений | +| `GET /userProfile` | XSS payload в имени | HTML выдаётся без экранирования | +| `GET /exportReport` | `filename=../...` | Подтверждён path traversal / arbitrary file write | +| `POST /notify` | `callbackUrl` на localhost и `file://` | Подтверждён SSRF и чтение локальных ресурсов | + +--- + +## Этап 4 — Статический анализ Semgrep + +### 4.1 Использованные правила + +Скачаны и применены registry-паки: + +- `p/java` +- `p/owasp-top-ten` +- `p/security-audit` +- `p/secrets` + +Дополнительно добавлен Javalin-специфичный пакет: + +- `semgrep/rules/p-javalin.yml` + +### 4.2 Команды и артефакты + +Запуск: + +```bash +bash semgrep/run.sh +``` + +Скрипт формирует: + +- `semgrep/results/*.json` +- `semgrep/results/*.sarif` +- `semgrep/results/*.txt` +- `semgrep/results/summary.txt` +- `semgrep/results/rules.sha256` + +### 4.3 Итоги Semgrep + +Из `semgrep/results/summary.txt`: + +- `java findings: 0` +- `owasp-top-ten findings: 0` +- `security-audit findings: 0` +- `secrets findings: 0` +- `javalin findings: 8` + +Комментарий: стандартные registry-паки не покрыли уязвимости Javalin-приложения (false negatives для данного стека), поэтому для целевого кода потребовались framework-specific правила. + +--- + +## Этап 5 — Findings + +### 🔴 Finding #1 — Stored XSS в `GET /userProfile` + +| Поле | Значение | +|---|---| +| **Компонент** | `GET /userProfile` | +| **Тип** | Stored XSS | +| **CWE** | [CWE-79](https://cwe.mitre.org/data/definitions/79.html) — Improper Neutralization of Input During Web Page Generation | +| **CVSS v3.1** | `6.1 MEDIUM (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)` | +| **Статус** | Confirmed | + +**Описание:** +Имя пользователя (`userName`) вставляется в HTML-страницу без экранирования и рендерится браузером как разметка. + +**Шаги воспроизведения:** +```text +1. POST /register?userId=evil&userName= +2. GET /userProfile?userId=evil +3. Ожидаемый результат: спецсимволы экранируются. + Фактический результат: payload возвращается в HTML как есть. +``` + +**Влияние:** +Выполнение JavaScript в браузере жертвы, кража токенов/данных сессии, фишинговые сценарии. + +**Рекомендации по исправлению:** +Экранировать пользовательские данные (`StringEscapeUtils.escapeHtml4`), добавить CSP, не строить HTML конкатенацией строк. + +**Security Test Case:** +`src/test/java/ru/itmo/testing/lab4/pentest/XssPentestTest.java` + +--- + +### 🔴 Finding #2 — Path Traversal в `GET /exportReport` + +| Поле | Значение | +|---|---| +| **Компонент** | `GET /exportReport` | +| **Тип** | Path Traversal / Arbitrary File Write | +| **CWE** | [CWE-22](https://cwe.mitre.org/data/definitions/22.html) — Improper Limitation of a Pathname to a Restricted Directory | +| **CVSS v3.1** | `8.1 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)` | +| **Статус** | Confirmed | + +**Описание:** +`filename` напрямую конкатенируется с `REPORTS_BASE_DIR`, отсутствуют нормализация пути и проверка выхода за границы каталога. + +**Шаги воспроизведения:** +```text +1. POST /register?userId=ptr_user&userName=Alice +2. GET /exportReport?userId=ptr_user&filename=../outside.txt +3. Ожидаемый результат: 400/403 и отказ в записи. + Фактический результат: файл создаётся вне /tmp/reports. +``` + +**Влияние:** +Запись файлов в произвольный путь, подмена локальных файлов приложения. + +**Рекомендации по исправлению:** +`Path.normalize()` + проверка `target.startsWith(baseDir)`, whitelist имени файла, запрет `..`, `/`, `\`. + +**Security Test Case:** +`src/test/java/ru/itmo/testing/lab4/pentest/PathTraversalPentestTest.java` + +--- + +### 🔴 Finding #3 — SSRF в `POST /notify` + +| Поле | Значение | +|---|---| +| **Компонент** | `POST /notify` | +| **Тип** | Server-Side Request Forgery | +| **CWE** | [CWE-918](https://cwe.mitre.org/data/definitions/918.html) — Server-Side Request Forgery | +| **CVSS v3.1** | `8.6 HIGH (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L)` | +| **Статус** | Confirmed | + +**Описание:** +`callbackUrl` принимается от клиента и используется для исходящего соединения сервера без allowlist/denylist. + +**Шаги воспроизведения:** +```text +1. POST /register?userId=ssrf_http&userName=Alice +2. POST /notify?userId=ssrf_http&callbackUrl=http://localhost:/secret +3. Ожидаемый результат: блокировка внутренних URL. + Фактический результат: сервер возвращает ответ внутреннего сервиса. +``` + +Дополнительно подтверждено чтение локального файла через `file://...`. + +**Влияние:** +Доступ к внутренним сервисам и локальным ресурсам от имени сервера. + +**Рекомендации по исправлению:** +Разрешать только доверенные HTTPS-хосты, блокировать `localhost`/private ranges и схему `file://`, вынести egress-контроль на сетевой уровень. + +**Security Test Case:** +`src/test/java/ru/itmo/testing/lab4/pentest/SsrfPentestTest.java` + +--- + +### 🟠 Finding #4 — Tampering аналитики через `POST /recordSession` + +| Поле | Значение | +|---|---| +| **Компонент** | `POST /recordSession`, `GET /totalActivity` | +| **Тип** | Improper Input Validation (Business Logic Abuse) | +| **CWE** | [CWE-20](https://cwe.mitre.org/data/definitions/20.html) — Improper Input Validation | +| **CVSS v3.1** | `7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)` | +| **Статус** | Confirmed | + +**Описание:** +Валидация порядка времени отсутствует: допускается `logoutTime < loginTime`, что даёт отрицательную длительность. + +**Шаги воспроизведения:** +```text +1. POST /register?userId=tamper_user&userName=Alice +2. POST /recordSession?userId=tamper_user&loginTime=2026-01-02T12:00:00&logoutTime=2026-01-02T11:00:00 +3. GET /totalActivity?userId=tamper_user +4. Ожидаемый результат: запрос отклоняется как невалидный. + Фактический результат: Total activity: -60 minutes. +``` + +**Влияние:** +Подмена аналитики и искажение отчётов/метрик. + +**Рекомендации по исправлению:** +Проверять `logoutTime.isAfter(loginTime)` и возвращать `400` для невалидных интервалов. + +**Security Test Case:** +`src/test/java/ru/itmo/testing/lab4/pentest/ActivityTamperingPentestTest.java` + +--- + +### 🟠 Finding #5 — Information Disclosure через сообщения об ошибках + +| Поле | Значение | +|---|---| +| **Компонент** | `POST /recordSession`, `GET /monthlyActivity`, `GET /exportReport`, `POST /notify` | +| **Тип** | Information Exposure Through Error Messages | +| **CWE** | [CWE-209](https://cwe.mitre.org/data/definitions/209.html) — Information Exposure Through an Error Message | +| **CVSS v3.1** | `5.3 MEDIUM (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)` | +| **Статус** | Confirmed | + +**Описание:** +В клиентский ответ включается `e.getMessage()`, что раскрывает внутренние детали исключений. + +**Шаги воспроизведения:** +```text +1. POST /recordSession?userId=u1&loginTime=not-a-date&logoutTime=still-not-a-date +2. Ожидаемый результат: нейтральная ошибка без внутренних деталей. + Фактический результат: "Invalid data: Text 'not-a-date' could not be parsed..." +``` + +**Влияние:** +Упрощение разведки для атакующего и повышение точности последующих атак. + +**Рекомендации по исправлению:** +Возвращать клиенту унифицированные сообщения об ошибке, технические детали писать только в серверный лог. + +**Security Test Case:** +`src/test/java/ru/itmo/testing/lab4/pentest/ErrorDisclosurePentestTest.java` + +--- + +## Привязка findings к Semgrep + +Файл: `semgrep/results/javalin.json` + +- `semgrep.rules.javalin.input-validation.session-order` — `UserAnalyticsController.java:67` +- `semgrep.rules.javalin.error-disclosure.exception-message` — `74`, `115`, `163`, `189` +- `semgrep.rules.javalin.xss.user-profile` — `139` +- `semgrep.rules.javalin.path-traversal.export-report` — `154` +- `semgrep.rules.javalin.ssrf.notify` — `181` + +--- + +## Добавленные security test cases + +- `src/test/java/ru/itmo/testing/lab4/pentest/XssPentestTest.java` +- `src/test/java/ru/itmo/testing/lab4/pentest/PathTraversalPentestTest.java` +- `src/test/java/ru/itmo/testing/lab4/pentest/SsrfPentestTest.java` +- `src/test/java/ru/itmo/testing/lab4/pentest/ActivityTamperingPentestTest.java` +- `src/test/java/ru/itmo/testing/lab4/pentest/ErrorDisclosurePentestTest.java` + +Проверка: + +```bash +./gradlew test +``` + +Результат: все security-тесты проходят, уязвимости воспроизводятся стабильно. diff --git a/semgrep/results/java.json b/semgrep/results/java.json new file mode 100644 index 0000000..9d3979a --- /dev/null +++ b/semgrep/results/java.json @@ -0,0 +1,88 @@ +{ + "version": "1.159.0", + "results": [], + "errors": [], + "paths": { + "scanned": [ + "/mnt/d/projects/lab4-security-tkhapchaev/src/main/java/ru/itmo/testing/lab4/Main.java", + "/mnt/d/projects/lab4-security-tkhapchaev/src/main/java/ru/itmo/testing/lab4/controller/UserAnalyticsController.java", + "/mnt/d/projects/lab4-security-tkhapchaev/src/main/java/ru/itmo/testing/lab4/profilingdemo/ProfilingDemoMain.java", + "/mnt/d/projects/lab4-security-tkhapchaev/src/main/java/ru/itmo/testing/lab4/profilingdemo/ProfilingWorkload.java", + "/mnt/d/projects/lab4-security-tkhapchaev/src/main/java/ru/itmo/testing/lab4/service/UserAnalyticsService.java", + "/mnt/d/projects/lab4-security-tkhapchaev/src/main/java/ru/itmo/testing/lab4/service/UserStatusService.java" + ] + }, + "time": { + "rules": [], + "rules_parse_time": 0.09264683723449707, + "profiling_times": { + "config_time": 0.5034759044647217, + "core_time": 0.8210868835449219, + "ignores_time": 0.00012731552124023438, + "total_time": 1.3860316276550293 + }, + "parsing_time": { + "total_time": 0.0, + "per_file_time": { + "mean": 0.0, + "std_dev": 0.0 + }, + "very_slow_stats": { + "time_ratio": 0.0, + "count_ratio": 0.0 + }, + "very_slow_files": [] + }, + "scanning_time": { + "total_time": 0.3412787914276123, + "per_file_time": { + "mean": 0.056879798571268715, + "std_dev": 0.00033454798594176636 + }, + "very_slow_stats": { + "time_ratio": 0.0, + "count_ratio": 0.0 + }, + "very_slow_files": [] + }, + "matching_time": { + "total_time": 0.0, + "per_file_and_rule_time": { + "mean": 0.0, + "std_dev": 0.0 + }, + "very_slow_stats": { + "time_ratio": 0.0, + "count_ratio": 0.0 + }, + "very_slow_rules_on_files": [] + }, + "tainting_time": { + "total_time": 0.0, + "per_def_and_rule_time": { + "mean": 0.0, + "std_dev": 0.0 + }, + "very_slow_stats": { + "time_ratio": 0.0, + "count_ratio": 0.0 + }, + "very_slow_rules_on_defs": [] + }, + "fixpoint_timeouts": [], + "prefiltering": { + "project_level_time": 0.0, + "file_level_time": 0.0, + "rules_with_project_prefilters_ratio": 0.0, + "rules_with_file_prefilters_ratio": 0.95, + "rules_selected_ratio": 0.10833333333333334, + "rules_matched_ratio": 0.10833333333333334 + }, + "targets": [], + "total_bytes": 0, + "max_memory_bytes": 217551040 + }, + "engine_requested": "OSS", + "skipped_rules": [], + "profiling_results": [] +} diff --git a/semgrep/results/java.sarif b/semgrep/results/java.sarif new file mode 100644 index 0000000..34aa828 --- /dev/null +++ b/semgrep/results/java.sarif @@ -0,0 +1,1747 @@ +{ + "version": "2.1.0", + "runs": [ + { + "invocations": [ + { + "executionSuccessful": true, + "toolExecutionNotifications": [] + } + ], + "results": [], + "tool": { + "driver": { + "name": "Semgrep OSS", + "rules": [ + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries." + }, + "help": { + "markdown": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.aws-lambda.security.tainted-sql-string.tainted-sql-string)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n", + "text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries." + }, + "helpUri": "https://semgrep.dev/r/java.aws-lambda.security.tainted-sql-string.tainted-sql-string", + "id": "semgrep.rules.java.aws-lambda.security.tainted-sql-string.tainted-sql-string", + "name": "semgrep.rules.java.aws-lambda.security.tainted-sql-string.tainted-sql-string", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + "MEDIUM CONFIDENCE", + "OWASP-A01:2017 - Injection", + "OWASP-A03:2021 - Injection", + "OWASP-A05:2025 - Injection", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.aws-lambda.security.tainted-sql-string.tainted-sql-string" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead." + }, + "help": { + "markdown": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.aws-lambda.security.tainted-sqli.tainted-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", + "text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead." + }, + "helpUri": "https://semgrep.dev/r/java.aws-lambda.security.tainted-sqli.tainted-sqli", + "id": "semgrep.rules.java.aws-lambda.security.tainted-sqli.tainted-sqli", + "name": "semgrep.rules.java.aws-lambda.security.tainted-sqli.tainted-sqli", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + "MEDIUM CONFIDENCE", + "OWASP-A01:2017 - Injection", + "OWASP-A03:2021 - Injection", + "OWASP-A05:2025 - Injection", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.aws-lambda.security.tainted-sqli.tainted-sqli" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token." + }, + "help": { + "markdown": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n", + "text": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token." + }, + "helpUri": "https://semgrep.dev/r/java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify", + "id": "semgrep.rules.java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify", + "name": "semgrep.rules.java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-345: Insufficient Verification of Data Authenticity", + "MEDIUM CONFIDENCE", + "OWASP-A08:2021 - Software and Data Integrity Failures", + "OWASP-A08:2025 - Software or Data Integrity Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." + }, + "help": { + "markdown": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", + "text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." + }, + "helpUri": "https://semgrep.dev/r/java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret", + "id": "semgrep.rules.java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret", + "name": "semgrep.rules.java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-798: Use of Hard-coded Credentials", + "HIGH CONFIDENCE", + "OWASP-A07:2021 - Identification and Authentication Failures", + "OWASP-A07:2025 - Authentication Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret" + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'." + }, + "help": { + "markdown": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.java-jwt.security.jwt-none-alg.java-jwt-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", + "text": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'." + }, + "helpUri": "https://semgrep.dev/r/java.java-jwt.security.jwt-none-alg.java-jwt-none-alg", + "id": "semgrep.rules.java.java-jwt.security.jwt-none-alg.java-jwt-none-alg", + "name": "semgrep.rules.java.java-jwt.security.jwt-none-alg.java-jwt-none-alg", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", + "HIGH CONFIDENCE", + "OWASP-A02:2021 - Cryptographic Failures", + "OWASP-A03:2017 - Sensitive Data Exposure", + "OWASP-A04:2025 - Cryptographic Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.java-jwt.security.jwt-none-alg.java-jwt-none-alg" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path." + }, + "help": { + "markdown": "Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal)\n - [https://www.owasp.org/index.php/Path_Traversal](https://www.owasp.org/index.php/Path_Traversal)\n", + "text": "Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path." + }, + "helpUri": "https://semgrep.dev/r/java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal", + "id": "semgrep.rules.java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal", + "name": "semgrep.rules.java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + "MEDIUM CONFIDENCE", + "OWASP-A01:2021 - Broken Access Control", + "OWASP-A01:2025 - Broken Access Control", + "OWASP-A05:2017 - Broken Access Control", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal" + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "In $METHOD, $X is used to construct a SQL query via string concatenation." + }, + "help": { + "markdown": "In $METHOD, $X is used to construct a SQL query via string concatenation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.jboss.security.session_sqli.find-sql-string-concatenation)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", + "text": "In $METHOD, $X is used to construct a SQL query via string concatenation." + }, + "helpUri": "https://semgrep.dev/r/java.jboss.security.session_sqli.find-sql-string-concatenation", + "id": "semgrep.rules.java.jboss.security.session_sqli.find-sql-string-concatenation", + "name": "semgrep.rules.java.jboss.security.session_sqli.find-sql-string-concatenation", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + "MEDIUM CONFIDENCE", + "OWASP-A01:2017 - Injection", + "OWASP-A03:2021 - Injection", + "OWASP-A05:2025 - Injection", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.jboss.security.session_sqli.find-sql-string-concatenation" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Using less than 128 bits for Blowfish is considered insecure. Use 128 bits or more, or switch to use AES instead." + }, + "help": { + "markdown": "Using less than 128 bits for Blowfish is considered insecure. Use 128 bits or more, or switch to use AES instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", + "text": "Using less than 128 bits for Blowfish is considered insecure. Use 128 bits or more, or switch to use AES instead." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size", + "id": "semgrep.rules.java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size", + "name": "semgrep.rules.java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-326: Inadequate Encryption Strength", + "HIGH CONFIDENCE", + "OWASP-A02:2021 - Cryptographic Failures", + "OWASP-A03:2017 - Sensitive Data Exposure", + "OWASP-A04:2025 - Cryptographic Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A malicious actor could discern the difference between plaintext with valid or invalid padding. Further, CBC mode does not include any integrity checks. Use 'AES/GCM/NoPadding' instead." + }, + "help": { + "markdown": "Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A malicious actor could discern the difference between plaintext with valid or invalid padding. Further, CBC mode does not include any integrity checks. Use 'AES/GCM/NoPadding' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle)\n - [https://capec.mitre.org/data/definitions/463.html](https://capec.mitre.org/data/definitions/463.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes)\n - [https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY](https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY)\n", + "text": "Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A malicious actor could discern the difference between plaintext with valid or invalid padding. Further, CBC mode does not include any integrity checks. Use 'AES/GCM/NoPadding' instead." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle", + "id": "semgrep.rules.java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle", + "name": "semgrep.rules.java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", + "HIGH CONFIDENCE", + "OWASP-A02:2021 - Cryptographic Failures", + "OWASP-A03:2017 - Sensitive Data Exposure", + "OWASP-A04:2025 - Cryptographic Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content." + }, + "help": { + "markdown": "When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crlf-injection-logs.crlf-injection-logs)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", + "text": "When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crlf-injection-logs.crlf-injection-logs", + "id": "semgrep.rules.java.lang.security.audit.crlf-injection-logs.crlf-injection-logs", + "name": "semgrep.rules.java.lang.security.audit.crlf-injection-logs.crlf-injection-logs", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')", + "MEDIUM CONFIDENCE", + "OWASP-A03:2021 - Injection", + "OWASP-A05:2025 - Injection", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.audit.crlf-injection-logs.crlf-injection-logs" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "DES is considered deprecated. AES is the recommended cipher. Upgrade to use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard for more information." + }, + "help": { + "markdown": "DES is considered deprecated. AES is the recommended cipher. Upgrade to use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated)\n - [https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard](https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms)\n", + "text": "DES is considered deprecated. AES is the recommended cipher. Upgrade to use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard for more information." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated", + "id": "semgrep.rules.java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated", + "name": "semgrep.rules.java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-326: Inadequate Encryption Strength", + "HIGH CONFIDENCE", + "OWASP-A02:2021 - Cryptographic Failures", + "OWASP-A03:2017 - Sensitive Data Exposure", + "OWASP-A04:2025 - Cryptographic Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES." + }, + "help": { + "markdown": "Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated)\n - [https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA](https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA)\n", + "text": "Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated", + "id": "semgrep.rules.java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated", + "name": "semgrep.rules.java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-326: Inadequate Encryption Strength", + "HIGH CONFIDENCE", + "OWASP-A02:2021 - Cryptographic Failures", + "OWASP-A03:2017 - Sensitive Data Exposure", + "OWASP-A04:2025 - Cryptographic Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY." + }, + "help": { + "markdown": "Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.ecb-cipher.ecb-cipher)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", + "text": "Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.ecb-cipher.ecb-cipher", + "id": "semgrep.rules.java.lang.security.audit.crypto.ecb-cipher.ecb-cipher", + "name": "semgrep.rules.java.lang.security.audit.crypto.ecb-cipher.ecb-cipher", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", + "HIGH CONFIDENCE", + "OWASP-A02:2021 - Cryptographic Failures", + "OWASP-A03:2017 - Sensitive Data Exposure", + "OWASP-A04:2025 - Cryptographic Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.audit.crypto.ecb-cipher.ecb-cipher" + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "GCM IV/nonce is reused: encryption can be totally useless" + }, + "help": { + "markdown": "GCM IV/nonce is reused: encryption can be totally useless\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", + "text": "GCM IV/nonce is reused: encryption can be totally useless" + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse", + "id": "semgrep.rules.java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse", + "name": "semgrep.rules.java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-323: Reusing a Nonce, Key Pair in Encryption", + "HIGH CONFIDENCE", + "OWASP-A02:2021 - Cryptographic Failures", + "OWASP-A04:2025 - Cryptographic Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information." + }, + "help": { + "markdown": "NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.no-null-cipher.no-null-cipher)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", + "text": "NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.no-null-cipher.no-null-cipher", + "id": "semgrep.rules.java.lang.security.audit.crypto.no-null-cipher.no-null-cipher", + "name": "semgrep.rules.java.lang.security.audit.crypto.no-null-cipher.no-null-cipher", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", + "HIGH CONFIDENCE", + "OWASP-A02:2021 - Cryptographic Failures", + "OWASP-A03:2017 - Sensitive Data Exposure", + "OWASP-A04:2025 - Cryptographic Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.audit.crypto.no-null-cipher.no-null-cipher" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption." + }, + "help": { + "markdown": "Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector)\n - [https://cwe.mitre.org/data/definitions/329.html](https://cwe.mitre.org/data/definitions/329.html)\n", + "text": "Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector", + "id": "semgrep.rules.java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector", + "name": "semgrep.rules.java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-329: Generation of Predictable IV with CBC Mode", + "HIGH CONFIDENCE", + "OWASP-A02:2021 - Cryptographic Failures", + "OWASP-A04:2025 - Cryptographic Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Using RSA without OAEP mode weakens the encryption." + }, + "help": { + "markdown": "Using RSA without OAEP mode weakens the encryption.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding)\n - [https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/](https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/)\n", + "text": "Using RSA without OAEP mode weakens the encryption." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding", + "id": "semgrep.rules.java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding", + "name": "semgrep.rules.java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-326: Inadequate Encryption Strength", + "HIGH CONFIDENCE", + "OWASP-A02:2021 - Cryptographic Failures", + "OWASP-A03:2017 - Sensitive Data Exposure", + "OWASP-A04:2025 - Cryptographic Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Detected use of a Java socket that is not encrypted. As a result, the traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead." + }, + "help": { + "markdown": "Detected use of a Java socket that is not encrypted. As a result, the traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", + "text": "Detected use of a Java socket that is not encrypted. As a result, the traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket", + "id": "semgrep.rules.java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket", + "name": "semgrep.rules.java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-319: Cleartext Transmission of Sensitive Information", + "HIGH CONFIDENCE", + "OWASP-A02:2021 - Cryptographic Failures", + "OWASP-A03:2017 - Sensitive Data Exposure", + "OWASP-A04:2025 - Cryptographic Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Use of AES with ECB mode detected. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information." + }, + "help": { + "markdown": "Use of AES with ECB mode detected. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n", + "text": "Use of AES with ECB mode detected. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb", + "id": "semgrep.rules.java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb", + "name": "semgrep.rules.java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", + "HIGH CONFIDENCE", + "OWASP-A02:2021 - Cryptographic Failures", + "OWASP-A03:2017 - Sensitive Data Exposure", + "OWASP-A04:2025 - Cryptographic Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information." + }, + "help": { + "markdown": "Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n", + "text": "Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish", + "id": "semgrep.rules.java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish", + "name": "semgrep.rules.java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", + "HIGH CONFIDENCE", + "OWASP-A02:2021 - Cryptographic Failures", + "OWASP-A03:2017 - Sensitive Data Exposure", + "OWASP-A04:2025 - Cryptographic Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information." + }, + "help": { + "markdown": "Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n", + "text": "Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes", + "id": "semgrep.rules.java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes", + "name": "semgrep.rules.java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", + "HIGH CONFIDENCE", + "OWASP-A02:2021 - Cryptographic Failures", + "OWASP-A03:2017 - Sensitive Data Exposure", + "OWASP-A04:2025 - Cryptographic Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead." + }, + "help": { + "markdown": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", + "text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils", + "id": "semgrep.rules.java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils", + "name": "semgrep.rules.java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-328: Use of Weak Hash", + "HIGH CONFIDENCE", + "OWASP-A02:2021 - Cryptographic Failures", + "OWASP-A03:2017 - Sensitive Data Exposure", + "OWASP-A04:2025 - Cryptographic Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead." + }, + "help": { + "markdown": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5.use-of-md5)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", + "text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5.use-of-md5", + "id": "semgrep.rules.java.lang.security.audit.crypto.use-of-md5.use-of-md5", + "name": "semgrep.rules.java.lang.security.audit.crypto.use-of-md5.use-of-md5", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-328: Use of Weak Hash", + "HIGH CONFIDENCE", + "OWASP-A02:2021 - Cryptographic Failures", + "OWASP-A03:2017 - Sensitive Data Exposure", + "OWASP-A04:2025 - Cryptographic Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.audit.crypto.use-of-md5.use-of-md5" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information." + }, + "help": { + "markdown": "Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-rc2.use-of-rc2)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n", + "text": "Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-rc2.use-of-rc2", + "id": "semgrep.rules.java.lang.security.audit.crypto.use-of-rc2.use-of-rc2", + "name": "semgrep.rules.java.lang.security.audit.crypto.use-of-rc2.use-of-rc2", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", + "HIGH CONFIDENCE", + "OWASP-A02:2021 - Cryptographic Failures", + "OWASP-A03:2017 - Sensitive Data Exposure", + "OWASP-A04:2025 - Cryptographic Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.audit.crypto.use-of-rc2.use-of-rc2" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Use of RC4 was detected. RC4 is vulnerable to several attacks, including stream cipher attacks and bit flipping attacks. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information." + }, + "help": { + "markdown": "Use of RC4 was detected. RC4 is vulnerable to several attacks, including stream cipher attacks and bit flipping attacks. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-rc4.use-of-rc4)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n", + "text": "Use of RC4 was detected. RC4 is vulnerable to several attacks, including stream cipher attacks and bit flipping attacks. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-rc4.use-of-rc4", + "id": "semgrep.rules.java.lang.security.audit.crypto.use-of-rc4.use-of-rc4", + "name": "semgrep.rules.java.lang.security.audit.crypto.use-of-rc4.use-of-rc4", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", + "HIGH CONFIDENCE", + "OWASP-A02:2021 - Cryptographic Failures", + "OWASP-A03:2017 - Sensitive Data Exposure", + "OWASP-A04:2025 - Cryptographic Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.audit.crypto.use-of-rc4.use-of-rc4" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications." + }, + "help": { + "markdown": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-sha1.use-of-sha1)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", + "text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-sha1.use-of-sha1", + "id": "semgrep.rules.java.lang.security.audit.crypto.use-of-sha1.use-of-sha1", + "name": "semgrep.rules.java.lang.security.audit.crypto.use-of-sha1.use-of-sha1", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-328: Use of Weak Hash", + "HIGH CONFIDENCE", + "OWASP-A02:2021 - Cryptographic Failures", + "OWASP-A03:2017 - Sensitive Data Exposure", + "OWASP-A04:2025 - Cryptographic Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.audit.crypto.use-of-sha1.use-of-sha1" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security." + }, + "help": { + "markdown": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-sha224.use-of-sha224)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf)\n - [https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography)\n", + "text": "This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-sha224.use-of-sha224", + "id": "semgrep.rules.java.lang.security.audit.crypto.use-of-sha224.use-of-sha224", + "name": "semgrep.rules.java.lang.security.audit.crypto.use-of-sha224.use-of-sha224", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-328: Use of Weak Hash", + "HIGH CONFIDENCE", + "OWASP-A02:2021 - Cryptographic Failures", + "OWASP-A03:2017 - Sensitive Data Exposure", + "OWASP-A04:2025 - Cryptographic Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.audit.crypto.use-of-sha224.use-of-sha224" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "RSA keys should be at least 2048 bits based on NIST recommendation." + }, + "help": { + "markdown": "RSA keys should be at least 2048 bits based on NIST recommendation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms)\n", + "text": "RSA keys should be at least 2048 bits based on NIST recommendation." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key", + "id": "semgrep.rules.java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key", + "name": "semgrep.rules.java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-326: Inadequate Encryption Strength", + "HIGH CONFIDENCE", + "OWASP-A02:2021 - Cryptographic Failures", + "OWASP-A03:2017 - Sensitive Data Exposure", + "OWASP-A04:2025 - Cryptographic Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key" + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'." + }, + "help": { + "markdown": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.formatted-sql-string.formatted-sql-string)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n - [https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html#create_ps](https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html#create_ps)\n - [https://software-security.sans.org/developer-how-to/fix-sql-injection-in-java-using-prepared-callable-statement](https://software-security.sans.org/developer-how-to/fix-sql-injection-in-java-using-prepared-callable-statement)\n", + "text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.audit.formatted-sql-string.formatted-sql-string", + "id": "semgrep.rules.java.lang.security.audit.formatted-sql-string.formatted-sql-string", + "name": "semgrep.rules.java.lang.security.audit.formatted-sql-string.formatted-sql-string", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + "MEDIUM CONFIDENCE", + "OWASP-A01:2017 - Injection", + "OWASP-A03:2021 - Injection", + "OWASP-A05:2025 - Injection", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.audit.formatted-sql-string.formatted-sql-string" + } + }, + { + "defaultConfiguration": { + "level": "note" + }, + "fullDescription": { + "text": "Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself." + }, + "help": { + "markdown": "Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.http-response-splitting.http-response-splitting)\n - [https://www.owasp.org/index.php/HTTP_Response_Splitting](https://www.owasp.org/index.php/HTTP_Response_Splitting)\n", + "text": "Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.audit.http-response-splitting.http-response-splitting", + "id": "semgrep.rules.java.lang.security.audit.http-response-splitting.http-response-splitting", + "name": "semgrep.rules.java.lang.security.audit.http-response-splitting.http-response-splitting", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')", + "MEDIUM CONFIDENCE", + "OWASP-A03:2021 - Injection", + "OWASP-A05:2025 - Injection", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.audit.http-response-splitting.http-response-splitting" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Insecure SMTP connection detected. This connection will trust any SSL certificate. Enable certificate verification by setting 'email.setSSLCheckServerIdentity(true)'." + }, + "help": { + "markdown": "Insecure SMTP connection detected. This connection will trust any SSL certificate. Enable certificate verification by setting 'email.setSSLCheckServerIdentity(true)'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", + "text": "Insecure SMTP connection detected. This connection will trust any SSL certificate. Enable certificate verification by setting 'email.setSSLCheckServerIdentity(true)'." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection", + "id": "semgrep.rules.java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection", + "name": "semgrep.rules.java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-297: Improper Validation of Certificate with Host Mismatch", + "MEDIUM CONFIDENCE", + "OWASP-A07:2021 - Identification and Authentication Failures", + "OWASP-A07:2025 - Authentication Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as PBKDF2 or bcrypt. You can use `javax.crypto.SecretKeyFactory` with `SecretKeyFactory.getInstance(\"PBKDF2WithHmacSHA1\")` or, if using Spring, `org.springframework.security.crypto.bcrypt`." + }, + "help": { + "markdown": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as PBKDF2 or bcrypt. You can use `javax.crypto.SecretKeyFactory` with `SecretKeyFactory.getInstance(\"PBKDF2WithHmacSHA1\")` or, if using Spring, `org.springframework.security.crypto.bcrypt`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.md5-used-as-password.md5-used-as-password)\n - [https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html](https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html)\n - [https://github.com/returntocorp/semgrep-rules/issues/1609](https://github.com/returntocorp/semgrep-rules/issues/1609)\n - [https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SecretKeyFactory](https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SecretKeyFactory)\n - [https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.html](https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.html)\n", + "text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as PBKDF2 or bcrypt. You can use `javax.crypto.SecretKeyFactory` with `SecretKeyFactory.getInstance(\"PBKDF2WithHmacSHA1\")` or, if using Spring, `org.springframework.security.crypto.bcrypt`." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.audit.md5-used-as-password.md5-used-as-password", + "id": "semgrep.rules.java.lang.security.audit.md5-used-as-password.md5-used-as-password", + "name": "semgrep.rules.java.lang.security.audit.md5-used-as-password.md5-used-as-password", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", + "MEDIUM CONFIDENCE", + "OWASP-A02:2021 - Cryptographic Failures", + "OWASP-A03:2017 - Sensitive Data Exposure", + "OWASP-A04:2025 - Cryptographic Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.audit.md5-used-as-password.md5-used-as-password" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Detected input from a HTTPServletRequest going into a SQL sink or statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead." + }, + "help": { + "markdown": "Detected input from a HTTPServletRequest going into a SQL sink or statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n", + "text": "Detected input from a HTTPServletRequest going into a SQL sink or statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request", + "id": "semgrep.rules.java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request", + "name": "semgrep.rules.java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + "HIGH CONFIDENCE", + "OWASP-A01:2017 - Injection", + "OWASP-A03:2021 - Injection", + "OWASP-A05:2025 - Injection", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request" + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "Detected input from a HTTPServletRequest going into a 'ProcessBuilder' or 'exec' command. This could lead to command injection if variables passed into the exec commands are not properly sanitized. Instead, avoid using these OS commands with user-supplied input, or, if you must use these commands, use a whitelist of specific values." + }, + "help": { + "markdown": "Detected input from a HTTPServletRequest going into a 'ProcessBuilder' or 'exec' command. This could lead to command injection if variables passed into the exec commands are not properly sanitized. Instead, avoid using these OS commands with user-supplied input, or, if you must use these commands, use a whitelist of specific values.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", + "text": "Detected input from a HTTPServletRequest going into a 'ProcessBuilder' or 'exec' command. This could lead to command injection if variables passed into the exec commands are not properly sanitized. Instead, avoid using these OS commands with user-supplied input, or, if you must use these commands, use a whitelist of specific values." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request", + "id": "semgrep.rules.java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request", + "name": "semgrep.rules.java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + "MEDIUM CONFIDENCE", + "OWASP-A01:2017 - Injection", + "OWASP-A03:2021 - Injection", + "OWASP-A05:2025 - Injection", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request" + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "Detected input from a HTTPServletRequest going into the environment variables of an 'exec' command. Instead, call the command with user-supplied arguments by using the overloaded method with one String array as the argument. `exec({\"command\", \"arg1\", \"arg2\"})`." + }, + "help": { + "markdown": "Detected input from a HTTPServletRequest going into the environment variables of an 'exec' command. Instead, call the command with user-supplied arguments by using the overloaded method with one String array as the argument. `exec({\"command\", \"arg1\", \"arg2\"})`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", + "text": "Detected input from a HTTPServletRequest going into the environment variables of an 'exec' command. Instead, call the command with user-supplied arguments by using the overloaded method with one String array as the argument. `exec({\"command\", \"arg1\", \"arg2\"})`." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request", + "id": "semgrep.rules.java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request", + "name": "semgrep.rules.java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-454: External Initialization of Trusted Variables or Data Stores", + "MEDIUM CONFIDENCE", + "OWASP-A01:2017 - Injection", + "OWASP-A03:2021 - Injection", + "OWASP-A05:2025 - Injection", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data." + }, + "help": { + "markdown": "Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request)\n - [https://sensei.securecodewarrior.com/recipes/scw%3Ajava%3ALDAP-injection](https://sensei.securecodewarrior.com/recipes/scw%3Ajava%3ALDAP-injection)\n", + "text": "Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request", + "id": "semgrep.rules.java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request", + "name": "semgrep.rules.java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + "MEDIUM CONFIDENCE", + "OWASP-A01:2017 - Injection", + "OWASP-A03:2021 - Injection", + "OWASP-A05:2025 - Injection", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Detected input from a HTTPServletRequest going into a session command, like `setAttribute`. User input into such a command could lead to an attacker inputting malicious code into your session parameters, blurring the line between what's trusted and untrusted, and therefore leading to a trust boundary violation. This could lead to programmers trusting unvalidated data. Instead, thoroughly sanitize user input before passing it into such function calls." + }, + "help": { + "markdown": "Detected input from a HTTPServletRequest going into a session command, like `setAttribute`. User input into such a command could lead to an attacker inputting malicious code into your session parameters, blurring the line between what's trusted and untrusted, and therefore leading to a trust boundary violation. This could lead to programmers trusting unvalidated data. Instead, thoroughly sanitize user input before passing it into such function calls.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n", + "text": "Detected input from a HTTPServletRequest going into a session command, like `setAttribute`. User input into such a command could lead to an attacker inputting malicious code into your session parameters, blurring the line between what's trusted and untrusted, and therefore leading to a trust boundary violation. This could lead to programmers trusting unvalidated data. Instead, thoroughly sanitize user input before passing it into such function calls." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request", + "id": "semgrep.rules.java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request", + "name": "semgrep.rules.java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-501: Trust Boundary Violation", + "MEDIUM CONFIDENCE", + "OWASP-A04:2021 - Insecure Design", + "OWASP-A06:2025 - Insecure Design", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Detected input from a HTTPServletRequest going into a XPath evaluate or compile command. This could lead to xpath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Instead, thoroughly sanitize user input or use parameterized xpath queries if you can." + }, + "help": { + "markdown": "Detected input from a HTTPServletRequest going into a XPath evaluate or compile command. This could lead to xpath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Instead, thoroughly sanitize user input or use parameterized xpath queries if you can.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", + "text": "Detected input from a HTTPServletRequest going into a XPath evaluate or compile command. This could lead to xpath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Instead, thoroughly sanitize user input or use parameterized xpath queries if you can." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request", + "id": "semgrep.rules.java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request", + "name": "semgrep.rules.java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + "MEDIUM CONFIDENCE", + "OWASP-A03:2021 - Injection", + "OWASP-A05:2025 - Injection", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Application redirects to a destination URL specified by a user-supplied parameter that is not validated. This could direct users to malicious locations. Consider using an allowlist to validate URLs." + }, + "help": { + "markdown": "Application redirects to a destination URL specified by a user-supplied parameter that is not validated. This could direct users to malicious locations. Consider using an allowlist to validate URLs.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.unvalidated-redirect.unvalidated-redirect)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n", + "text": "Application redirects to a destination URL specified by a user-supplied parameter that is not validated. This could direct users to malicious locations. Consider using an allowlist to validate URLs." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.audit.unvalidated-redirect.unvalidated-redirect", + "id": "semgrep.rules.java.lang.security.audit.unvalidated-redirect.unvalidated-redirect", + "name": "semgrep.rules.java.lang.security.audit.unvalidated-redirect.unvalidated-redirect", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", + "MEDIUM CONFIDENCE", + "OWASP-A01:2021 - Broken Access Control", + "OWASP-A01:2025 - Broken Access Control", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.audit.unvalidated-redirect.unvalidated-redirect" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\"TLSv1.2\") for the best security." + }, + "help": { + "markdown": "An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\"TLSv1.2\") for the best security.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.weak-ssl-context.weak-ssl-context)\n - [https://tools.ietf.org/html/rfc7568](https://tools.ietf.org/html/rfc7568)\n - [https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html](https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html)\n", + "text": "An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\"TLSv1.2\") for the best security." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.audit.weak-ssl-context.weak-ssl-context", + "id": "semgrep.rules.java.lang.security.audit.weak-ssl-context.weak-ssl-context", + "name": "semgrep.rules.java.lang.security.audit.weak-ssl-context.weak-ssl-context", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-326: Inadequate Encryption Strength", + "HIGH CONFIDENCE", + "OWASP-A02:2021 - Cryptographic Failures", + "OWASP-A03:2017 - Sensitive Data Exposure", + "OWASP-A04:2025 - Cryptographic Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.audit.weak-ssl-context.weak-ssl-context" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Detected a request with potential user-input going into a OutputStream or Writer object. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as JavaServer Faces (JSFs) which automatically escapes HTML views." + }, + "help": { + "markdown": "Detected a request with potential user-input going into a OutputStream or Writer object. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as JavaServer Faces (JSFs) which automatically escapes HTML views.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer)\n - [https://www3.ntu.edu.sg/home/ehchua/programming/java/JavaServerFaces.html](https://www3.ntu.edu.sg/home/ehchua/programming/java/JavaServerFaces.html)\n", + "text": "Detected a request with potential user-input going into a OutputStream or Writer object. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as JavaServer Faces (JSFs) which automatically escapes HTML views." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer", + "id": "semgrep.rules.java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer", + "name": "semgrep.rules.java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "MEDIUM CONFIDENCE", + "OWASP-A03:2021 - Injection", + "OWASP-A05:2025 - Injection", + "OWASP-A07:2017 - Cross-Site Scripting (XSS)", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer" + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false." + }, + "help": { + "markdown": "DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n", + "text": "DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false", + "id": "semgrep.rules.java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false", + "name": "semgrep.rules.java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-611: Improper Restriction of XML External Entity Reference", + "HIGH CONFIDENCE", + "OWASP-A02:2025 - Security Misconfiguration", + "OWASP-A04:2017 - XML External Entities (XXE)", + "OWASP-A05:2021 - Security Misconfiguration", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false" + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false." + }, + "help": { + "markdown": "DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n", + "text": "DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing", + "id": "semgrep.rules.java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing", + "name": "semgrep.rules.java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-611: Improper Restriction of XML External Entity Reference", + "HIGH CONFIDENCE", + "OWASP-A02:2025 - Security Misconfiguration", + "OWASP-A04:2017 - XML External Entities (XXE)", + "OWASP-A05:2021 - Security Misconfiguration", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing" + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false." + }, + "help": { + "markdown": "External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n", + "text": "External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true", + "id": "semgrep.rules.java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true", + "name": "semgrep.rules.java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-611: Improper Restriction of XML External Entity Reference", + "HIGH CONFIDENCE", + "OWASP-A02:2025 - Security Misconfiguration", + "OWASP-A04:2017 - XML External Entities (XXE)", + "OWASP-A05:2021 - Security Misconfiguration", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true" + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-parameter-entities\" to false." + }, + "help": { + "markdown": "External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-parameter-entities\" to false.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n", + "text": "External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-parameter-entities\" to false." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true", + "id": "semgrep.rules.java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true", + "name": "semgrep.rules.java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-611: Improper Restriction of XML External Entity Reference", + "HIGH CONFIDENCE", + "OWASP-A02:2025 - Security Misconfiguration", + "OWASP-A04:2017 - XML External Entities (XXE)", + "OWASP-A05:2021 - Security Misconfiguration", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true" + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "DOCTYPE declarations are enabled for this SAXParserFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature `http://apache.org/xml/features/disallow-doctype-decl` to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to false. NOTE - The previous links are not meant to be clicked. They are the literal config key values that are supposed to be used to disable these features. For more information, see https://semgrep.dev/docs/cheat-sheets/java-xxe/#3a-documentbuilderfactory." + }, + "help": { + "markdown": "DOCTYPE declarations are enabled for this SAXParserFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature `http://apache.org/xml/features/disallow-doctype-decl` to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to false. NOTE - The previous links are not meant to be clicked. They are the literal config key values that are supposed to be used to disable these features. For more information, see https://semgrep.dev/docs/cheat-sheets/java-xxe/#3a-documentbuilderfactory.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n", + "text": "DOCTYPE declarations are enabled for this SAXParserFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature `http://apache.org/xml/features/disallow-doctype-decl` to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to false. NOTE - The previous links are not meant to be clicked. They are the literal config key values that are supposed to be used to disable these features. For more information, see https://semgrep.dev/docs/cheat-sheets/java-xxe/#3a-documentbuilderfactory." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing", + "id": "semgrep.rules.java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing", + "name": "semgrep.rules.java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-611: Improper Restriction of XML External Entity Reference", + "HIGH CONFIDENCE", + "OWASP-A02:2025 - Security Misconfiguration", + "OWASP-A04:2017 - XML External Entities (XXE)", + "OWASP-A05:2021 - Security Misconfiguration", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing" + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes \"accessExternalDTD\" and \"accessExternalStylesheet\" to \"\"." + }, + "help": { + "markdown": "DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes \"accessExternalDTD\" and \"accessExternalStylesheet\" to \"\".\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n", + "text": "DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes \"accessExternalDTD\" and \"accessExternalStylesheet\" to \"\"." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled", + "id": "semgrep.rules.java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled", + "name": "semgrep.rules.java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-611: Improper Restriction of XML External Entity Reference", + "HIGH CONFIDENCE", + "OWASP-A02:2025 - Security Misconfiguration", + "OWASP-A04:2017 - XML External Entities (XXE)", + "OWASP-A05:2021 - Security Misconfiguration", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled" + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path." + }, + "help": { + "markdown": "Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal)\n - [https://www.owasp.org/index.php/Path_Traversal](https://www.owasp.org/index.php/Path_Traversal)\n", + "text": "Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal", + "id": "semgrep.rules.java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal", + "name": "semgrep.rules.java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + "MEDIUM CONFIDENCE", + "OWASP-A01:2021 - Broken Access Control", + "OWASP-A01:2025 - Broken Access Control", + "OWASP-A05:2017 - Broken Access Control", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "JMS Object messages depend on Java Serialization for marshalling/unmarshalling of the message payload when ObjectMessage.getObject() is called. Deserialization of untrusted data can lead to security flaws; a remote attacker could via a crafted JMS ObjectMessage to execute arbitrary code with the permissions of the application listening/consuming JMS Messages. In this case, the JMS MessageListener consume an ObjectMessage type received inside the onMessage method, which may lead to arbitrary code execution when calling the $Y.getObject method." + }, + "help": { + "markdown": "JMS Object messages depend on Java Serialization for marshalling/unmarshalling of the message payload when ObjectMessage.getObject() is called. Deserialization of untrusted data can lead to security flaws; a remote attacker could via a crafted JMS ObjectMessage to execute arbitrary code with the permissions of the application listening/consuming JMS Messages. In this case, the JMS MessageListener consume an ObjectMessage type received inside the onMessage method, which may lead to arbitrary code execution when calling the $Y.getObject method.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization)\n - [https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities-wp.pdf](https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities-wp.pdf)\n", + "text": "JMS Object messages depend on Java Serialization for marshalling/unmarshalling of the message payload when ObjectMessage.getObject() is called. Deserialization of untrusted data can lead to security flaws; a remote attacker could via a crafted JMS ObjectMessage to execute arbitrary code with the permissions of the application listening/consuming JMS Messages. In this case, the JMS MessageListener consume an ObjectMessage type received inside the onMessage method, which may lead to arbitrary code execution when calling the $Y.getObject method." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization", + "id": "semgrep.rules.java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization", + "name": "semgrep.rules.java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-502: Deserialization of Untrusted Data", + "MEDIUM CONFIDENCE", + "OWASP-A08:2017 - Insecure Deserialization", + "OWASP-A08:2021 - Software and Data Integrity Failures", + "OWASP-A08:2025 - Software or Data Integrity Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "When using Jackson to marshall/unmarshall JSON to Java objects, enabling default typing is dangerous and can lead to RCE. If an attacker can control `$JSON` it might be possible to provide a malicious JSON which can be used to exploit unsecure deserialization. In order to prevent this issue, avoid to enable default typing (globally or by using \"Per-class\" annotations) and avoid using `Object` and other dangerous types for member variable declaration which creating classes for Jackson based deserialization." + }, + "help": { + "markdown": "When using Jackson to marshall/unmarshall JSON to Java objects, enabling default typing is dangerous and can lead to RCE. If an attacker can control `$JSON` it might be possible to provide a malicious JSON which can be used to exploit unsecure deserialization. In order to prevent this issue, avoid to enable default typing (globally or by using \"Per-class\" annotations) and avoid using `Object` and other dangerous types for member variable declaration which creating classes for Jackson based deserialization.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization)\n - [https://swapneildash.medium.com/understanding-insecure-implementation-of-jackson-deserialization-7b3d409d2038](https://swapneildash.medium.com/understanding-insecure-implementation-of-jackson-deserialization-7b3d409d2038)\n - [https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/](https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/)\n", + "text": "When using Jackson to marshall/unmarshall JSON to Java objects, enabling default typing is dangerous and can lead to RCE. If an attacker can control `$JSON` it might be possible to provide a malicious JSON which can be used to exploit unsecure deserialization. In order to prevent this issue, avoid to enable default typing (globally or by using \"Per-class\" annotations) and avoid using `Object` and other dangerous types for member variable declaration which creating classes for Jackson based deserialization." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization", + "id": "semgrep.rules.java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization", + "name": "semgrep.rules.java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-502: Deserialization of Untrusted Data", + "MEDIUM CONFIDENCE", + "OWASP-A8:2017 Insecure Deserialization", + "OWASP-A8:2021 Software and Data Integrity Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization" + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "Cross-site scripting detected in HttpServletResponse writer with variable '$VAR'. User input was detected going directly from the HttpServletRequest into output. Ensure your data is properly encoded using org.owasp.encoder.Encode.forHtml: 'Encode.forHtml($VAR)'." + }, + "help": { + "markdown": "Cross-site scripting detected in HttpServletResponse writer with variable '$VAR'. User input was detected going directly from the HttpServletRequest into output. Ensure your data is properly encoded using org.owasp.encoder.Encode.forHtml: 'Encode.forHtml($VAR)'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", + "text": "Cross-site scripting detected in HttpServletResponse writer with variable '$VAR'. User input was detected going directly from the HttpServletRequest into output. Ensure your data is properly encoded using org.owasp.encoder.Encode.forHtml: 'Encode.forHtml($VAR)'." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss", + "id": "semgrep.rules.java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss", + "name": "semgrep.rules.java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "MEDIUM CONFIDENCE", + "OWASP-A03:2021 - Injection", + "OWASP-A05:2025 - Injection", + "OWASP-A07:2017 - Cross-Site Scripting (XSS)", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. Explicitly disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false." + }, + "help": { + "markdown": "XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. Explicitly disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf](https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser)\n", + "text": "XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. Explicitly disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false." + }, + "helpUri": "https://semgrep.dev/r/java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe", + "id": "semgrep.rules.java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe", + "name": "semgrep.rules.java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-611: Improper Restriction of XML External Entity Reference", + "MEDIUM CONFIDENCE", + "OWASP-A02:2025 - Security Misconfiguration", + "OWASP-A04:2017 - XML External Entities (XXE)", + "OWASP-A05:2021 - Security Misconfiguration", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Detected a string argument from a public method contract in a raw SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'." + }, + "help": { + "markdown": "Detected a string argument from a public method contract in a raw SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spring-sqli.spring-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", + "text": "Detected a string argument from a public method contract in a raw SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'." + }, + "helpUri": "https://semgrep.dev/r/java.spring.security.audit.spring-sqli.spring-sqli", + "id": "semgrep.rules.java.spring.security.audit.spring-sqli.spring-sqli", + "name": "semgrep.rules.java.spring.security.audit.spring-sqli.spring-sqli", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + "MEDIUM CONFIDENCE", + "OWASP-A01:2017 - Injection", + "OWASP-A03:2021 - Injection", + "OWASP-A05:2025 - Injection", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.spring.security.audit.spring-sqli.spring-sqli" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Application redirects a user to a destination URL specified by a user supplied parameter that is not validated." + }, + "help": { + "markdown": "Application redirects a user to a destination URL specified by a user supplied parameter that is not validated.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n", + "text": "Application redirects a user to a destination URL specified by a user supplied parameter that is not validated." + }, + "helpUri": "https://semgrep.dev/r/java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect", + "id": "semgrep.rules.java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect", + "name": "semgrep.rules.java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", + "MEDIUM CONFIDENCE", + "OWASP-A01:2021 - Broken Access Control", + "OWASP-A01:2025 - Broken Access Control", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect" + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "Detected user input controlling a file path. An attacker could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path." + }, + "help": { + "markdown": "Detected user input controlling a file path. An attacker could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-file-path.tainted-file-path)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n", + "text": "Detected user input controlling a file path. An attacker could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path." + }, + "helpUri": "https://semgrep.dev/r/java.spring.security.injection.tainted-file-path.tainted-file-path", + "id": "semgrep.rules.java.spring.security.injection.tainted-file-path.tainted-file-path", + "name": "semgrep.rules.java.spring.security.injection.tainted-file-path.tainted-file-path", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-23: Relative Path Traversal", + "HIGH CONFIDENCE", + "OWASP-A01:2021 - Broken Access Control", + "OWASP-A01:2025 - Broken Access Control", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.spring.security.injection.tainted-file-path.tainted-file-path" + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. You can use the OWASP ESAPI encoder if you must render user data." + }, + "help": { + "markdown": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. You can use the OWASP ESAPI encoder if you must render user data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-html-string.tainted-html-string)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n", + "text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. You can use the OWASP ESAPI encoder if you must render user data." + }, + "helpUri": "https://semgrep.dev/r/java.spring.security.injection.tainted-html-string.tainted-html-string", + "id": "semgrep.rules.java.spring.security.injection.tainted-html-string.tainted-html-string", + "name": "semgrep.rules.java.spring.security.injection.tainted-html-string.tainted-html-string", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "MEDIUM CONFIDENCE", + "OWASP-A03:2021 - Injection", + "OWASP-A05:2025 - Injection", + "OWASP-A07:2017 - Cross-Site Scripting (XSS)", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.spring.security.injection.tainted-html-string.tainted-html-string" + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library." + }, + "help": { + "markdown": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-sql-string.tainted-sql-string)\n - [https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html](https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html)\n", + "text": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library." + }, + "helpUri": "https://semgrep.dev/r/java.spring.security.injection.tainted-sql-string.tainted-sql-string", + "id": "semgrep.rules.java.spring.security.injection.tainted-sql-string.tainted-sql-string", + "name": "semgrep.rules.java.spring.security.injection.tainted-sql-string.tainted-sql-string", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + "MEDIUM CONFIDENCE", + "OWASP-A01:2017 - Injection", + "OWASP-A03:2021 - Injection", + "OWASP-A05:2025 - Injection", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.spring.security.injection.tainted-sql-string.tainted-sql-string" + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder(\"ls\", \"-al\", targetDirectory)`. Further, make sure you hardcode or allowlist the actual command so that attackers can't run arbitrary commands." + }, + "help": { + "markdown": "Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder(\"ls\", \"-al\", targetDirectory)`. Further, make sure you hardcode or allowlist the actual command so that attackers can't run arbitrary commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-system-command.tainted-system-command)\n - [https://www.stackhawk.com/blog/command-injection-java/](https://www.stackhawk.com/blog/command-injection-java/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\n - [https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.java](https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.java)\n", + "text": "Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder(\"ls\", \"-al\", targetDirectory)`. Further, make sure you hardcode or allowlist the actual command so that attackers can't run arbitrary commands." + }, + "helpUri": "https://semgrep.dev/r/java.spring.security.injection.tainted-system-command.tainted-system-command", + "id": "semgrep.rules.java.spring.security.injection.tainted-system-command.tainted-system-command", + "name": "semgrep.rules.java.spring.security.injection.tainted-system-command.tainted-system-command", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", + "HIGH CONFIDENCE", + "OWASP-A01:2017 - Injection", + "OWASP-A03:2021 - Injection", + "OWASP-A05:2025 - Injection", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.spring.security.injection.tainted-system-command.tainted-system-command" + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, hardcode the correct host, or ensure that the user data can only affect the path or parameters." + }, + "help": { + "markdown": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, hardcode the correct host, or ensure that the user data can only affect the path or parameters.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-url-host.tainted-url-host)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n", + "text": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, hardcode the correct host, or ensure that the user data can only affect the path or parameters." + }, + "helpUri": "https://semgrep.dev/r/java.spring.security.injection.tainted-url-host.tainted-url-host", + "id": "semgrep.rules.java.spring.security.injection.tainted-url-host.tainted-url-host", + "name": "semgrep.rules.java.spring.security.injection.tainted-url-host.tainted-url-host", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-918: Server-Side Request Forgery (SSRF)", + "MEDIUM CONFIDENCE", + "OWASP-A01:2025 - Broken Access Control", + "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.java.spring.security.injection.tainted-url-host.tainted-url-host" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Detected an HTTP request sent via HttpGet. This could lead to sensitive information being sent over an insecure channel. Instead, it is recommended to send requests over HTTPS." + }, + "help": { + "markdown": "Detected an HTTP request sent via HttpGet. This could lead to sensitive information being sent over an insecure channel. Instead, it is recommended to send requests over HTTPS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request)\n - [https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URLConnection.html](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URLConnection.html)\n - [https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URL.html#openConnection()](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URL.html#openConnection())\n", + "text": "Detected an HTTP request sent via HttpGet. This could lead to sensitive information being sent over an insecure channel. Instead, it is recommended to send requests over HTTPS." + }, + "helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request", + "id": "semgrep.rules.problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request", + "name": "semgrep.rules.problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-319: Cleartext Transmission of Sensitive Information", + "MEDIUM CONFIDENCE", + "OWASP-A03:2017 - Sensitive Data Exposure", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request" + } + } + ], + "semanticVersion": "1.159.0" + } + } + } + ], + "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/schemas/sarif-schema-2.1.0.json" +} diff --git a/semgrep/results/java.txt b/semgrep/results/java.txt new file mode 100644 index 0000000..692e439 --- /dev/null +++ b/semgrep/results/java.txt @@ -0,0 +1,123 @@ +running 60 rules from 1 config /mnt/d/projects/lab4-security-tkhapchaev/semgrep/rules/p-java.yml_0 +Rules: +- semgrep.rules.java.aws-lambda.security.tainted-sql-string.tainted-sql-string +- semgrep.rules.java.aws-lambda.security.tainted-sqli.tainted-sqli +- semgrep.rules.java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify +- semgrep.rules.java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret +- semgrep.rules.java.java-jwt.security.jwt-none-alg.java-jwt-none-alg +- semgrep.rules.java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal +- semgrep.rules.java.jboss.security.session_sqli.find-sql-string-concatenation +- semgrep.rules.java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size +- semgrep.rules.java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle +- semgrep.rules.java.lang.security.audit.crlf-injection-logs.crlf-injection-logs +- semgrep.rules.java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated +- semgrep.rules.java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated +- semgrep.rules.java.lang.security.audit.crypto.ecb-cipher.ecb-cipher +- semgrep.rules.java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse +- semgrep.rules.java.lang.security.audit.crypto.no-null-cipher.no-null-cipher +- semgrep.rules.java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector +- semgrep.rules.java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding +- semgrep.rules.java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket +- semgrep.rules.java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb +- semgrep.rules.java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish +- semgrep.rules.java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes +- semgrep.rules.java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils +- semgrep.rules.java.lang.security.audit.crypto.use-of-md5.use-of-md5 +- semgrep.rules.java.lang.security.audit.crypto.use-of-rc2.use-of-rc2 +- semgrep.rules.java.lang.security.audit.crypto.use-of-rc4.use-of-rc4 +- semgrep.rules.java.lang.security.audit.crypto.use-of-sha1.use-of-sha1 +- semgrep.rules.java.lang.security.audit.crypto.use-of-sha224.use-of-sha224 +- semgrep.rules.java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key +- semgrep.rules.java.lang.security.audit.formatted-sql-string.formatted-sql-string +- semgrep.rules.java.lang.security.audit.http-response-splitting.http-response-splitting +- semgrep.rules.java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection +- semgrep.rules.java.lang.security.audit.md5-used-as-password.md5-used-as-password +- semgrep.rules.java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request +- semgrep.rules.java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request +- semgrep.rules.java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request +- semgrep.rules.java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request +- semgrep.rules.java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request +- semgrep.rules.java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request +- semgrep.rules.java.lang.security.audit.unvalidated-redirect.unvalidated-redirect +- semgrep.rules.java.lang.security.audit.weak-ssl-context.weak-ssl-context +- semgrep.rules.java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer +- semgrep.rules.java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false +- semgrep.rules.java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing +- semgrep.rules.java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true +- semgrep.rules.java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true +- semgrep.rules.java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing +- semgrep.rules.java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled +- semgrep.rules.java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal +- semgrep.rules.java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization +- semgrep.rules.java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization +- semgrep.rules.java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss +- semgrep.rules.java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe +- semgrep.rules.java.spring.security.audit.spring-sqli.spring-sqli +- semgrep.rules.java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect +- semgrep.rules.java.spring.security.injection.tainted-file-path.tainted-file-path +- semgrep.rules.java.spring.security.injection.tainted-html-string.tainted-html-string +- semgrep.rules.java.spring.security.injection.tainted-sql-string.tainted-sql-string +- semgrep.rules.java.spring.security.injection.tainted-system-command.tainted-system-command +- semgrep.rules.java.spring.security.injection.tainted-url-host.tainted-url-host +- semgrep.rules.problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request + + +┌─────────────┐ +│ Scan Status │ +└─────────────┘ + Scanning 6 files tracked by git with 60 Code rules: + Scanning 6 files with 60 java rules. +SCA findings adjustment: No SCA rules to adjust + +======================================== +Files skipped: +======================================== + + Always skipped by Semgrep: + + • + + Skipped by .gitignore: + (Disable by passing --no-git-ignore) + + • + + Skipped by .semgrepignore: + - https://semgrep.dev/docs/ignoring-files-folders-code/#understand-semgrep-defaults + + • + + Skipped by --include patterns: + + • + + Skipped by --exclude patterns: + + • + + Files that couldn't be accessed: + + • + + Skipped by limiting to files smaller than 1000000 bytes: + (Adjust with the --max-target-bytes flag) + + • + + Partially analyzed due to parsing or internal Semgrep errors + + • + + + +┌──────────────┐ +│ Scan Summary │ +└──────────────┘ +✅ Scan completed successfully. + • Findings: 0 (0 blocking) + • Rules run: 60 + • Targets scanned: 6 + • Parsed lines: ~100.0% + • Scan was limited to files tracked by git +Ran 60 rules on 6 files: 0 findings. +Not sending pseudonymous metrics since metrics are configured to OFF, registry usage is False, and login status is False diff --git a/semgrep/results/javalin.json b/semgrep/results/javalin.json new file mode 100644 index 0000000..00a328c --- /dev/null +++ b/semgrep/results/javalin.json @@ -0,0 +1,308 @@ +{ + "version": "1.159.0", + "results": [ + { + "check_id": "semgrep.rules.javalin.input-validation.session-order", + "path": "/mnt/d/projects/lab4-security-tkhapchaev/src/main/java/ru/itmo/testing/lab4/controller/UserAnalyticsController.java", + "start": { + "line": 67, + "col": 17, + "offset": 3236 + }, + "end": { + "line": 67, + "col": 80, + "offset": 3299 + }, + "extra": { + "message": "Session timestamps are accepted without explicit login < logout validation.", + "metadata": { + "category": "security", + "cwe": "CWE-20", + "confidence": "medium" + }, + "severity": "WARNING", + "fingerprint": "requires login", + "lines": "requires login", + "validation_state": "NO_VALIDATOR", + "engine_kind": "OSS" + } + }, + { + "check_id": "semgrep.rules.javalin.error-disclosure.exception-message", + "path": "/mnt/d/projects/lab4-security-tkhapchaev/src/main/java/ru/itmo/testing/lab4/controller/UserAnalyticsController.java", + "start": { + "line": 74, + "col": 17, + "offset": 3547 + }, + "end": { + "line": 74, + "col": 75, + "offset": 3605 + }, + "extra": { + "message": "Raw exception message is returned to client (information disclosure).", + "metadata": { + "category": "security", + "cwe": "CWE-209", + "confidence": "high" + }, + "severity": "WARNING", + "fingerprint": "requires login", + "lines": "requires login", + "validation_state": "NO_VALIDATOR", + "engine_kind": "OSS" + } + }, + { + "check_id": "semgrep.rules.javalin.error-disclosure.exception-message", + "path": "/mnt/d/projects/lab4-security-tkhapchaev/src/main/java/ru/itmo/testing/lab4/controller/UserAnalyticsController.java", + "start": { + "line": 115, + "col": 17, + "offset": 5202 + }, + "end": { + "line": 115, + "col": 75, + "offset": 5260 + }, + "extra": { + "message": "Raw exception message is returned to client (information disclosure).", + "metadata": { + "category": "security", + "cwe": "CWE-209", + "confidence": "high" + }, + "severity": "WARNING", + "fingerprint": "requires login", + "lines": "requires login", + "validation_state": "NO_VALIDATOR", + "engine_kind": "OSS" + } + }, + { + "check_id": "semgrep.rules.javalin.xss.user-profile", + "path": "/mnt/d/projects/lab4-security-tkhapchaev/src/main/java/ru/itmo/testing/lab4/controller/UserAnalyticsController.java", + "start": { + "line": 139, + "col": 13, + "offset": 6375 + }, + "end": { + "line": 139, + "col": 55, + "offset": 6417 + }, + "extra": { + "message": "User-controlled data is embedded into HTML response without escaping (XSS risk).", + "metadata": { + "category": "security", + "cwe": "CWE-79", + "owasp": "A03:2021-Injection", + "confidence": "high" + }, + "severity": "ERROR", + "fingerprint": "requires login", + "lines": "requires login", + "validation_state": "NO_VALIDATOR", + "engine_kind": "OSS" + } + }, + { + "check_id": "semgrep.rules.javalin.path-traversal.export-report", + "path": "/mnt/d/projects/lab4-security-tkhapchaev/src/main/java/ru/itmo/testing/lab4/controller/UserAnalyticsController.java", + "start": { + "line": 154, + "col": 13, + "offset": 6964 + }, + "end": { + "line": 154, + "col": 69, + "offset": 7020 + }, + "extra": { + "message": "User-supplied filename is concatenated into server path (path traversal / arbitrary file write risk).", + "metadata": { + "category": "security", + "cwe": "CWE-22", + "owasp": "A01:2021-Broken Access Control", + "confidence": "high" + }, + "severity": "ERROR", + "fingerprint": "requires login", + "lines": "requires login", + "validation_state": "NO_VALIDATOR", + "engine_kind": "OSS" + } + }, + { + "check_id": "semgrep.rules.javalin.error-disclosure.exception-message", + "path": "/mnt/d/projects/lab4-security-tkhapchaev/src/main/java/ru/itmo/testing/lab4/controller/UserAnalyticsController.java", + "start": { + "line": 163, + "col": 17, + "offset": 7501 + }, + "end": { + "line": 163, + "col": 85, + "offset": 7569 + }, + "extra": { + "message": "Raw exception message is returned to client (information disclosure).", + "metadata": { + "category": "security", + "cwe": "CWE-209", + "confidence": "high" + }, + "severity": "WARNING", + "fingerprint": "requires login", + "lines": "requires login", + "validation_state": "NO_VALIDATOR", + "engine_kind": "OSS" + } + }, + { + "check_id": "semgrep.rules.javalin.ssrf.notify", + "path": "/mnt/d/projects/lab4-security-tkhapchaev/src/main/java/ru/itmo/testing/lab4/controller/UserAnalyticsController.java", + "start": { + "line": 181, + "col": 17, + "offset": 8207 + }, + "end": { + "line": 181, + "col": 65, + "offset": 8255 + }, + "extra": { + "message": "callbackUrl from request is used for outbound URL connection without allowlist checks (SSRF risk).", + "metadata": { + "category": "security", + "cwe": "CWE-918", + "owasp": "A10:2021-Server-Side Request Forgery", + "confidence": "high" + }, + "severity": "ERROR", + "fingerprint": "requires login", + "lines": "requires login", + "validation_state": "NO_VALIDATOR", + "engine_kind": "OSS" + } + }, + { + "check_id": "semgrep.rules.javalin.error-disclosure.exception-message", + "path": "/mnt/d/projects/lab4-security-tkhapchaev/src/main/java/ru/itmo/testing/lab4/controller/UserAnalyticsController.java", + "start": { + "line": 189, + "col": 17, + "offset": 8673 + }, + "end": { + "line": 189, + "col": 82, + "offset": 8738 + }, + "extra": { + "message": "Raw exception message is returned to client (information disclosure).", + "metadata": { + "category": "security", + "cwe": "CWE-209", + "confidence": "high" + }, + "severity": "WARNING", + "fingerprint": "requires login", + "lines": "requires login", + "validation_state": "NO_VALIDATOR", + "engine_kind": "OSS" + } + } + ], + "errors": [], + "paths": { + "scanned": [ + "/mnt/d/projects/lab4-security-tkhapchaev/src/main/java/ru/itmo/testing/lab4/Main.java", + "/mnt/d/projects/lab4-security-tkhapchaev/src/main/java/ru/itmo/testing/lab4/controller/UserAnalyticsController.java", + "/mnt/d/projects/lab4-security-tkhapchaev/src/main/java/ru/itmo/testing/lab4/profilingdemo/ProfilingDemoMain.java", + "/mnt/d/projects/lab4-security-tkhapchaev/src/main/java/ru/itmo/testing/lab4/profilingdemo/ProfilingWorkload.java", + "/mnt/d/projects/lab4-security-tkhapchaev/src/main/java/ru/itmo/testing/lab4/service/UserAnalyticsService.java", + "/mnt/d/projects/lab4-security-tkhapchaev/src/main/java/ru/itmo/testing/lab4/service/UserStatusService.java" + ] + }, + "time": { + "rules": [], + "rules_parse_time": 0.04487299919128418, + "profiling_times": { + "config_time": 0.1614232063293457, + "core_time": 1.1473190784454346, + "ignores_time": 9.918212890625e-05, + "total_time": 1.379101276397705 + }, + "parsing_time": { + "total_time": 0.0, + "per_file_time": { + "mean": 0.0, + "std_dev": 0.0 + }, + "very_slow_stats": { + "time_ratio": 0.0, + "count_ratio": 0.0 + }, + "very_slow_files": [] + }, + "scanning_time": { + "total_time": 0.07691717147827148, + "per_file_time": { + "mean": 0.012819528579711914, + "std_dev": 0.0002133424494180266 + }, + "very_slow_stats": { + "time_ratio": 0.0, + "count_ratio": 0.0 + }, + "very_slow_files": [] + }, + "matching_time": { + "total_time": 0.0, + "per_file_and_rule_time": { + "mean": 0.0, + "std_dev": 0.0 + }, + "very_slow_stats": { + "time_ratio": 0.0, + "count_ratio": 0.0 + }, + "very_slow_rules_on_files": [] + }, + "tainting_time": { + "total_time": 0.0, + "per_def_and_rule_time": { + "mean": 0.0, + "std_dev": 0.0 + }, + "very_slow_stats": { + "time_ratio": 0.0, + "count_ratio": 0.0 + }, + "very_slow_rules_on_defs": [] + }, + "fixpoint_timeouts": [], + "prefiltering": { + "project_level_time": 0.0, + "file_level_time": 0.0, + "rules_with_project_prefilters_ratio": 0.0, + "rules_with_file_prefilters_ratio": 1.0, + "rules_selected_ratio": 0.16666666666666666, + "rules_matched_ratio": 0.16666666666666666 + }, + "targets": [], + "total_bytes": 0, + "max_memory_bytes": 119903232 + }, + "engine_requested": "OSS", + "skipped_rules": [], + "profiling_results": [] +} diff --git a/semgrep/results/javalin.sarif b/semgrep/results/javalin.sarif new file mode 100644 index 0000000..5d64452 --- /dev/null +++ b/semgrep/results/javalin.sarif @@ -0,0 +1,384 @@ +{ + "version": "2.1.0", + "runs": [ + { + "invocations": [ + { + "executionSuccessful": true, + "toolExecutionNotifications": [] + } + ], + "results": [ + { + "fingerprints": { + "matchBasedId/v1": "requires login" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "/mnt/d/projects/lab4-security-tkhapchaev/src/main/java/ru/itmo/testing/lab4/controller/UserAnalyticsController.java", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "endColumn": 80, + "endLine": 67, + "snippet": { + "text": " boolean success = service.recordSession(userId, login, logout);" + }, + "startColumn": 17, + "startLine": 67 + } + } + } + ], + "message": { + "text": "Session timestamps are accepted without explicit login < logout validation." + }, + "properties": {}, + "ruleId": "semgrep.rules.javalin.input-validation.session-order" + }, + { + "fingerprints": { + "matchBasedId/v1": "requires login" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "/mnt/d/projects/lab4-security-tkhapchaev/src/main/java/ru/itmo/testing/lab4/controller/UserAnalyticsController.java", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "endColumn": 75, + "endLine": 74, + "snippet": { + "text": " ctx.status(400).result(\"Invalid data: \" + e.getMessage());" + }, + "startColumn": 17, + "startLine": 74 + } + } + } + ], + "message": { + "text": "Raw exception message is returned to client (information disclosure)." + }, + "properties": {}, + "ruleId": "semgrep.rules.javalin.error-disclosure.exception-message" + }, + { + "fingerprints": { + "matchBasedId/v1": "requires login" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "/mnt/d/projects/lab4-security-tkhapchaev/src/main/java/ru/itmo/testing/lab4/controller/UserAnalyticsController.java", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "endColumn": 75, + "endLine": 115, + "snippet": { + "text": " ctx.status(400).result(\"Invalid data: \" + e.getMessage());" + }, + "startColumn": 17, + "startLine": 115 + } + } + } + ], + "message": { + "text": "Raw exception message is returned to client (information disclosure)." + }, + "properties": {}, + "ruleId": "semgrep.rules.javalin.error-disclosure.exception-message" + }, + { + "fingerprints": { + "matchBasedId/v1": "requires login" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "/mnt/d/projects/lab4-security-tkhapchaev/src/main/java/ru/itmo/testing/lab4/controller/UserAnalyticsController.java", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "endColumn": 55, + "endLine": 139, + "snippet": { + "text": " ctx.contentType(\"text/html\").result(html);" + }, + "startColumn": 13, + "startLine": 139 + } + } + } + ], + "message": { + "text": "User-controlled data is embedded into HTML response without escaping (XSS risk)." + }, + "properties": {}, + "ruleId": "semgrep.rules.javalin.xss.user-profile" + }, + { + "fingerprints": { + "matchBasedId/v1": "requires login" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "/mnt/d/projects/lab4-security-tkhapchaev/src/main/java/ru/itmo/testing/lab4/controller/UserAnalyticsController.java", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "endColumn": 69, + "endLine": 154, + "snippet": { + "text": " File reportFile = new File(REPORTS_BASE_DIR + filename);" + }, + "startColumn": 13, + "startLine": 154 + } + } + } + ], + "message": { + "text": "User-supplied filename is concatenated into server path (path traversal / arbitrary file write risk)." + }, + "properties": {}, + "ruleId": "semgrep.rules.javalin.path-traversal.export-report" + }, + { + "fingerprints": { + "matchBasedId/v1": "requires login" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "/mnt/d/projects/lab4-security-tkhapchaev/src/main/java/ru/itmo/testing/lab4/controller/UserAnalyticsController.java", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "endColumn": 85, + "endLine": 163, + "snippet": { + "text": " ctx.status(500).result(\"Failed to write report: \" + e.getMessage());" + }, + "startColumn": 17, + "startLine": 163 + } + } + } + ], + "message": { + "text": "Raw exception message is returned to client (information disclosure)." + }, + "properties": {}, + "ruleId": "semgrep.rules.javalin.error-disclosure.exception-message" + }, + { + "fingerprints": { + "matchBasedId/v1": "requires login" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "/mnt/d/projects/lab4-security-tkhapchaev/src/main/java/ru/itmo/testing/lab4/controller/UserAnalyticsController.java", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "endColumn": 65, + "endLine": 181, + "snippet": { + "text": " URLConnection connection = url.openConnection();" + }, + "startColumn": 17, + "startLine": 181 + } + } + } + ], + "message": { + "text": "callbackUrl from request is used for outbound URL connection without allowlist checks (SSRF risk)." + }, + "properties": {}, + "ruleId": "semgrep.rules.javalin.ssrf.notify" + }, + { + "fingerprints": { + "matchBasedId/v1": "requires login" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "/mnt/d/projects/lab4-security-tkhapchaev/src/main/java/ru/itmo/testing/lab4/controller/UserAnalyticsController.java", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "endColumn": 82, + "endLine": 189, + "snippet": { + "text": " ctx.status(500).result(\"Notification failed: \" + e.getMessage());" + }, + "startColumn": 17, + "startLine": 189 + } + } + } + ], + "message": { + "text": "Raw exception message is returned to client (information disclosure)." + }, + "properties": {}, + "ruleId": "semgrep.rules.javalin.error-disclosure.exception-message" + } + ], + "tool": { + "driver": { + "name": "Semgrep OSS", + "rules": [ + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Raw exception message is returned to client (information disclosure)." + }, + "help": { + "markdown": "Raw exception message is returned to client (information disclosure).", + "text": "Raw exception message is returned to client (information disclosure)." + }, + "id": "semgrep.rules.javalin.error-disclosure.exception-message", + "name": "semgrep.rules.javalin.error-disclosure.exception-message", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-209", + "high CONFIDENCE", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.javalin.error-disclosure.exception-message" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Session timestamps are accepted without explicit login < logout validation." + }, + "help": { + "markdown": "Session timestamps are accepted without explicit login < logout validation.", + "text": "Session timestamps are accepted without explicit login < logout validation." + }, + "id": "semgrep.rules.javalin.input-validation.session-order", + "name": "semgrep.rules.javalin.input-validation.session-order", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-20", + "medium CONFIDENCE", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.javalin.input-validation.session-order" + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "User-supplied filename is concatenated into server path (path traversal / arbitrary file write risk)." + }, + "help": { + "markdown": "User-supplied filename is concatenated into server path (path traversal / arbitrary file write risk).", + "text": "User-supplied filename is concatenated into server path (path traversal / arbitrary file write risk)." + }, + "id": "semgrep.rules.javalin.path-traversal.export-report", + "name": "semgrep.rules.javalin.path-traversal.export-report", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-22", + "OWASP-A01:2021-Broken Access Control", + "high CONFIDENCE", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.javalin.path-traversal.export-report" + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "callbackUrl from request is used for outbound URL connection without allowlist checks (SSRF risk)." + }, + "help": { + "markdown": "callbackUrl from request is used for outbound URL connection without allowlist checks (SSRF risk).", + "text": "callbackUrl from request is used for outbound URL connection without allowlist checks (SSRF risk)." + }, + "id": "semgrep.rules.javalin.ssrf.notify", + "name": "semgrep.rules.javalin.ssrf.notify", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-918", + "OWASP-A10:2021-Server-Side Request Forgery", + "high CONFIDENCE", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.javalin.ssrf.notify" + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "User-controlled data is embedded into HTML response without escaping (XSS risk)." + }, + "help": { + "markdown": "User-controlled data is embedded into HTML response without escaping (XSS risk).", + "text": "User-controlled data is embedded into HTML response without escaping (XSS risk)." + }, + "id": "semgrep.rules.javalin.xss.user-profile", + "name": "semgrep.rules.javalin.xss.user-profile", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-79", + "OWASP-A03:2021-Injection", + "high CONFIDENCE", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.javalin.xss.user-profile" + } + } + ], + "semanticVersion": "1.159.0" + } + } + } + ], + "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/schemas/sarif-schema-2.1.0.json" +} diff --git a/semgrep/results/javalin.txt b/semgrep/results/javalin.txt new file mode 100644 index 0000000..5f478ee --- /dev/null +++ b/semgrep/results/javalin.txt @@ -0,0 +1,120 @@ +running 5 rules from 1 config /mnt/d/projects/lab4-security-tkhapchaev/semgrep/rules/p-javalin.yml_0 +Rules: +- semgrep.rules.javalin.error-disclosure.exception-message +- semgrep.rules.javalin.input-validation.session-order +- semgrep.rules.javalin.path-traversal.export-report +- semgrep.rules.javalin.ssrf.notify +- semgrep.rules.javalin.xss.user-profile + + +┌─────────────┐ +│ Scan Status │ +└─────────────┘ + Scanning 6 files tracked by git with 5 Code rules: + Scanning 6 files with 5 java rules. +SCA findings adjustment: No SCA rules to adjust + +======================================== +Files skipped: +======================================== + + Always skipped by Semgrep: + + • + + Skipped by .gitignore: + (Disable by passing --no-git-ignore) + + • + + Skipped by .semgrepignore: + - https://semgrep.dev/docs/ignoring-files-folders-code/#understand-semgrep-defaults + + • + + Skipped by --include patterns: + + • + + Skipped by --exclude patterns: + + • + + Files that couldn't be accessed: + + • + + Skipped by limiting to files smaller than 1000000 bytes: + (Adjust with the --max-target-bytes flag) + + • + + Partially analyzed due to parsing or internal Semgrep errors + + • + + + +┌──────────────┐ +│ Scan Summary │ +└──────────────┘ +✅ Scan completed successfully. + • Findings: 8 (8 blocking) + • Rules run: 5 + • Targets scanned: 6 + • Parsed lines: ~100.0% + • Scan was limited to files tracked by git +Ran 5 rules on 6 files: 8 findings. +Not sending pseudonymous metrics since metrics are configured to OFF, registry usage is False, and login status is False + + +┌─────────────────┐ +│ 8 Code Findings │ +└─────────────────┘ + + /mnt/d/projects/lab4-security-tkhapchaev/src/main/java/ru/itmo/testing/lab4/controller/UserAnalyticsController.java + ❯❱ semgrep.rules.javalin.input-validation.session-order + ❰❰ Blocking ❱❱ + Session timestamps are accepted without explicit login < logout validation. + + 67┆ boolean success = service.recordSession(userId, login, logout); + + ❯❱ semgrep.rules.javalin.error-disclosure.exception-message + ❰❰ Blocking ❱❱ + Raw exception message is returned to client (information disclosure). + + 74┆ ctx.status(400).result("Invalid data: " + e.getMessage()); + ⋮┆---------------------------------------- + 115┆ ctx.status(400).result("Invalid data: " + e.getMessage()); + + ❯❯❱ semgrep.rules.javalin.xss.user-profile + ❰❰ Blocking ❱❱ + User-controlled data is embedded into HTML response without escaping (XSS risk). + + 139┆ ctx.contentType("text/html").result(html); + + ❯❯❱ semgrep.rules.javalin.path-traversal.export-report + ❰❰ Blocking ❱❱ + User-supplied filename is concatenated into server path (path traversal / arbitrary file write + risk). + + 154┆ File reportFile = new File(REPORTS_BASE_DIR + filename); + + ❯❱ semgrep.rules.javalin.error-disclosure.exception-message + ❰❰ Blocking ❱❱ + Raw exception message is returned to client (information disclosure). + + 163┆ ctx.status(500).result("Failed to write report: " + e.getMessage()); + + ❯❯❱ semgrep.rules.javalin.ssrf.notify + ❰❰ Blocking ❱❱ + callbackUrl from request is used for outbound URL connection without allowlist checks (SSRF risk). + + 181┆ URLConnection connection = url.openConnection(); + + ❯❱ semgrep.rules.javalin.error-disclosure.exception-message + ❰❰ Blocking ❱❱ + Raw exception message is returned to client (information disclosure). + + 189┆ ctx.status(500).result("Notification failed: " + e.getMessage()); + diff --git a/semgrep/results/owasp-top-ten.json b/semgrep/results/owasp-top-ten.json new file mode 100644 index 0000000..f0fdeb3 --- /dev/null +++ b/semgrep/results/owasp-top-ten.json @@ -0,0 +1,88 @@ +{ + "version": "1.159.0", + "results": [], + "errors": [], + "paths": { + "scanned": [ + "/mnt/d/projects/lab4-security-tkhapchaev/src/main/java/ru/itmo/testing/lab4/Main.java", + "/mnt/d/projects/lab4-security-tkhapchaev/src/main/java/ru/itmo/testing/lab4/controller/UserAnalyticsController.java", + "/mnt/d/projects/lab4-security-tkhapchaev/src/main/java/ru/itmo/testing/lab4/profilingdemo/ProfilingDemoMain.java", + "/mnt/d/projects/lab4-security-tkhapchaev/src/main/java/ru/itmo/testing/lab4/profilingdemo/ProfilingWorkload.java", + "/mnt/d/projects/lab4-security-tkhapchaev/src/main/java/ru/itmo/testing/lab4/service/UserAnalyticsService.java", + "/mnt/d/projects/lab4-security-tkhapchaev/src/main/java/ru/itmo/testing/lab4/service/UserStatusService.java" + ] + }, + "time": { + "rules": [], + "rules_parse_time": 0.6578290462493896, + "profiling_times": { + "config_time": 3.64554500579834, + "core_time": 1.93292236328125, + "ignores_time": 0.0005605220794677734, + "total_time": 5.641040802001953 + }, + "parsing_time": { + "total_time": 0.0, + "per_file_time": { + "mean": 0.0, + "std_dev": 0.0 + }, + "very_slow_stats": { + "time_ratio": 0.0, + "count_ratio": 0.0 + }, + "very_slow_files": [] + }, + "scanning_time": { + "total_time": 0.5260541439056396, + "per_file_time": { + "mean": 0.029225230216979977, + "std_dev": 0.001132775091783679 + }, + "very_slow_stats": { + "time_ratio": 0.0, + "count_ratio": 0.0 + }, + "very_slow_files": [] + }, + "matching_time": { + "total_time": 0.0, + "per_file_and_rule_time": { + "mean": 0.0, + "std_dev": 0.0 + }, + "very_slow_stats": { + "time_ratio": 0.0, + "count_ratio": 0.0 + }, + "very_slow_rules_on_files": [] + }, + "tainting_time": { + "total_time": 0.0, + "per_def_and_rule_time": { + "mean": 0.0, + "std_dev": 0.0 + }, + "very_slow_stats": { + "time_ratio": 0.0, + "count_ratio": 0.0 + }, + "very_slow_rules_on_defs": [] + }, + "fixpoint_timeouts": [], + "prefiltering": { + "project_level_time": 0.0, + "file_level_time": 0.0, + "rules_with_project_prefilters_ratio": 0.0, + "rules_with_file_prefilters_ratio": 0.9538461538461539, + "rules_selected_ratio": 0.10256410256410256, + "rules_matched_ratio": 0.10256410256410256 + }, + "targets": [], + "total_bytes": 0, + "max_memory_bytes": 858223104 + }, + "engine_requested": "OSS", + "skipped_rules": [], + "profiling_results": [] +} diff --git a/semgrep/results/owasp-top-ten.sarif b/semgrep/results/owasp-top-ten.sarif new file mode 100644 index 0000000..9105594 --- /dev/null +++ b/semgrep/results/owasp-top-ten.sarif @@ -0,0 +1,15566 @@ +{ + "version": "2.1.0", + "runs": [ + { + "invocations": [ + { + "executionSuccessful": true, + "toolExecutionNotifications": [] + } + ], + "results": [], + "tool": { + "driver": { + "name": "Semgrep OSS", + "rules": [ + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Data is being eval'd from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system comrpomise. Avoid eval'ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity." + }, + "help": { + "markdown": "Data is being eval'd from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system comrpomise. Avoid eval'ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/bash.curl.security.curl-eval.curl-eval)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", + "text": "Data is being eval'd from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system comrpomise. Avoid eval'ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity." + }, + "helpUri": "https://semgrep.dev/r/bash.curl.security.curl-eval.curl-eval", + "id": "semgrep.rules.bash.curl.security.curl-eval.curl-eval", + "name": "semgrep.rules.bash.curl.security.curl-eval.curl-eval", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", + "MEDIUM CONFIDENCE", + "OWASP-A03:2021 - Injection", + "OWASP-A05:2025 - Injection", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.bash.curl.security.curl-eval.curl-eval" + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "DOCTYPE declarations are enabled for javax.xml.parsers.SAXParserFactory. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false." + }, + "help": { + "markdown": "DOCTYPE declarations are enabled for javax.xml.parsers.SAXParserFactory. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n", + "text": "DOCTYPE declarations are enabled for javax.xml.parsers.SAXParserFactory. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false." + }, + "helpUri": "https://semgrep.dev/r/clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe", + "id": "semgrep.rules.clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe", + "name": "semgrep.rules.clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-611: Improper Restriction of XML External Entity Reference", + "HIGH CONFIDENCE", + "OWASP-A02:2025 - Security Misconfiguration", + "OWASP-A04:2017 - XML External Entities (XXE)", + "OWASP-A05:2021 - Security Misconfiguration", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.clojure.lang.security.documentbuilderfactory-xxe.documentbuilderfactory-xxe" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms." + }, + "help": { + "markdown": "MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/clojure.lang.security.use-of-md5.use-of-md5)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)\n", + "text": "MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms." + }, + "helpUri": "https://semgrep.dev/r/clojure.lang.security.use-of-md5.use-of-md5", + "id": "semgrep.rules.clojure.lang.security.use-of-md5.use-of-md5", + "name": "semgrep.rules.clojure.lang.security.use-of-md5.use-of-md5", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-328: Use of Weak Hash", + "HIGH CONFIDENCE", + "OWASP-A02:2021 - Cryptographic Failures", + "OWASP-A03:2017 - Sensitive Data Exposure", + "OWASP-A04:2025 - Cryptographic Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.clojure.lang.security.use-of-md5.use-of-md5" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications." + }, + "help": { + "markdown": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/clojure.lang.security.use-of-sha1.use-of-sha1)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)\n", + "text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications." + }, + "helpUri": "https://semgrep.dev/r/clojure.lang.security.use-of-sha1.use-of-sha1", + "id": "semgrep.rules.clojure.lang.security.use-of-sha1.use-of-sha1", + "name": "semgrep.rules.clojure.lang.security.use-of-sha1.use-of-sha1", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", + "CWE-328: Use of Weak Hash", + "HIGH CONFIDENCE", + "OWASP-A02:2021 - Cryptographic Failures", + "OWASP-A03:2017 - Sensitive Data Exposure", + "OWASP-A04:2025 - Cryptographic Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.clojure.lang.security.use-of-sha1.use-of-sha1" + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "LDAP queries are constructed dynamically on user-controlled input. This vulnerability in code could lead to an arbitrary LDAP query execution." + }, + "help": { + "markdown": "LDAP queries are constructed dynamically on user-controlled input. This vulnerability in code could lead to an arbitrary LDAP query execution.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.audit.ldap-injection.ldap-injection)\n - [https://owasp.org/Top10/A03_2021-Injection/](https://owasp.org/Top10/A03_2021-Injection/)\n - [https://cwe.mitre.org/data/definitions/90](https://cwe.mitre.org/data/definitions/90)\n - [https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html#safe-c-sharp-net-tba-example](https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html#safe-c-sharp-net-tba-example)\n", + "text": "LDAP queries are constructed dynamically on user-controlled input. This vulnerability in code could lead to an arbitrary LDAP query execution." + }, + "helpUri": "https://semgrep.dev/r/csharp.dotnet.security.audit.ldap-injection.ldap-injection", + "id": "semgrep.rules.csharp.dotnet.security.audit.ldap-injection.ldap-injection", + "name": "semgrep.rules.csharp.dotnet.security.audit.ldap-injection.ldap-injection", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", + "MEDIUM CONFIDENCE", + "OWASP-A01:2017 - Injection", + "OWASP-A03:2021 - Injection", + "OWASP-A05:2025 - Injection", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.csharp.dotnet.security.audit.ldap-injection.ldap-injection" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application." + }, + "help": { + "markdown": "Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.audit.mass-assignment.mass-assignment)\n - [https://cwe.mitre.org/data/definitions/915.html](https://cwe.mitre.org/data/definitions/915.html)\n - [https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md](https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md)\n", + "text": "Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application." + }, + "helpUri": "https://semgrep.dev/r/csharp.dotnet.security.audit.mass-assignment.mass-assignment", + "id": "semgrep.rules.csharp.dotnet.security.audit.mass-assignment.mass-assignment", + "name": "semgrep.rules.csharp.dotnet.security.audit.mass-assignment.mass-assignment", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes", + "MEDIUM CONFIDENCE", + "OWASP-A08:2021 - Software and Data Integrity Failures", + "OWASP-A08:2025 - Software or Data Integrity Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.csharp.dotnet.security.audit.mass-assignment.mass-assignment" + } + }, + { + "defaultConfiguration": { + "level": "note" + }, + "fullDescription": { + "text": "Anonymous access shouldn't be allowed unless explicit by design. Access control checks are missing and potentially can be bypassed. This finding violates the principle of least privilege or deny by default, where access should only be permitted for a specific set of roles or conforms to a custom policy or users." + }, + "help": { + "markdown": "Anonymous access shouldn't be allowed unless explicit by design. Access control checks are missing and potentially can be bypassed. This finding violates the principle of least privilege or deny by default, where access should only be permitted for a specific set of roles or conforms to a custom policy or users.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.audit.missing-or-broken-authorization.missing-or-broken-authorization)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://cwe.mitre.org/data/definitions/862.html](https://cwe.mitre.org/data/definitions/862.html)\n - [https://docs.microsoft.com/en-us/aspnet/core/security/authorization/simple?view=aspnetcore-7.0](https://docs.microsoft.com/en-us/aspnet/core/security/authorization/simple?view=aspnetcore-7.0)\n", + "text": "Anonymous access shouldn't be allowed unless explicit by design. Access control checks are missing and potentially can be bypassed. This finding violates the principle of least privilege or deny by default, where access should only be permitted for a specific set of roles or conforms to a custom policy or users." + }, + "helpUri": "https://semgrep.dev/r/csharp.dotnet.security.audit.missing-or-broken-authorization.missing-or-broken-authorization", + "id": "semgrep.rules.csharp.dotnet.security.audit.missing-or-broken-authorization.missing-or-broken-authorization", + "name": "semgrep.rules.csharp.dotnet.security.audit.missing-or-broken-authorization.missing-or-broken-authorization", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-862: Missing Authorization", + "MEDIUM CONFIDENCE", + "OWASP-A01:2021 - Broken Access Control", + "OWASP-A01:2025 - Broken Access Control", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.csharp.dotnet.security.audit.missing-or-broken-authorization.missing-or-broken-authorization" + } + }, + { + "defaultConfiguration": { + "level": "note" + }, + "fullDescription": { + "text": "An open directory listing is potentially exposed, potentially revealing sensitive information to attackers." + }, + "help": { + "markdown": "An open directory listing is potentially exposed, potentially revealing sensitive information to attackers.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.audit.open-directory-listing.open-directory-listing)\n - [https://cwe.mitre.org/data/definitions/548.html](https://cwe.mitre.org/data/definitions/548.html)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration/](https://owasp.org/Top10/A05_2021-Security_Misconfiguration/)\n - [https://docs.microsoft.com/en-us/aspnet/core/fundamentals/static-files?view=aspnetcore-7.0#directory-browsing](https://docs.microsoft.com/en-us/aspnet/core/fundamentals/static-files?view=aspnetcore-7.0#directory-browsing)\n", + "text": "An open directory listing is potentially exposed, potentially revealing sensitive information to attackers." + }, + "helpUri": "https://semgrep.dev/r/csharp.dotnet.security.audit.open-directory-listing.open-directory-listing", + "id": "semgrep.rules.csharp.dotnet.security.audit.open-directory-listing.open-directory-listing", + "name": "semgrep.rules.csharp.dotnet.security.audit.open-directory-listing.open-directory-listing", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-548: Exposure of Information Through Directory Listing", + "MEDIUM CONFIDENCE", + "OWASP-A01:2021 - Broken Access Control", + "OWASP-A01:2025 - Broken Access Control", + "OWASP-A06:2017 - Security Misconfiguration", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.csharp.dotnet.security.audit.open-directory-listing.open-directory-listing" + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "XPath queries are constructed dynamically on user-controlled input. This vulnerability in code could lead to an XPath Injection exploitation." + }, + "help": { + "markdown": "XPath queries are constructed dynamically on user-controlled input. This vulnerability in code could lead to an XPath Injection exploitation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.audit.xpath-injection.xpath-injection)\n - [https://owasp.org/Top10/A03_2021-Injection/](https://owasp.org/Top10/A03_2021-Injection/)\n - [https://cwe.mitre.org/data/definitions/643.html](https://cwe.mitre.org/data/definitions/643.html)\n", + "text": "XPath queries are constructed dynamically on user-controlled input. This vulnerability in code could lead to an XPath Injection exploitation." + }, + "helpUri": "https://semgrep.dev/r/csharp.dotnet.security.audit.xpath-injection.xpath-injection", + "id": "semgrep.rules.csharp.dotnet.security.audit.xpath-injection.xpath-injection", + "name": "semgrep.rules.csharp.dotnet.security.audit.xpath-injection.xpath-injection", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')", + "MEDIUM CONFIDENCE", + "OWASP-A03:2021 - Injection", + "OWASP-A05:2025 - Injection", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.csharp.dotnet.security.audit.xpath-injection.xpath-injection" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process." + }, + "help": { + "markdown": "User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.razor-template-injection.razor-template-injection)\n - [https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/](https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/)\n", + "text": "User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process." + }, + "helpUri": "https://semgrep.dev/r/csharp.dotnet.security.razor-template-injection.razor-template-injection", + "id": "semgrep.rules.csharp.dotnet.security.razor-template-injection.razor-template-injection", + "name": "semgrep.rules.csharp.dotnet.security.razor-template-injection.razor-template-injection", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-94: Improper Control of Generation of Code ('Code Injection')", + "MEDIUM CONFIDENCE", + "OWASP-A03:2021 - Injection", + "OWASP-A05:2025 - Injection", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.csharp.dotnet.security.razor-template-injection.razor-template-injection" + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "Usage of deprecated cipher algorithm detected. Use Aes or ChaCha20Poly1305 instead." + }, + "help": { + "markdown": "Usage of deprecated cipher algorithm detected. Use Aes or ChaCha20Poly1305 instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.use_deprecated_cipher_algorithm.use_deprecated_cipher_algorithm)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.des?view=net-6.0#remarks](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.des?view=net-6.0#remarks)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rc2?view=net-6.0#remarks](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rc2?view=net-6.0#remarks)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.aes?view=net-6.0](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.aes?view=net-6.0)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.chacha20poly1305?view=net-6.0](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.chacha20poly1305?view=net-6.0)\n", + "text": "Usage of deprecated cipher algorithm detected. Use Aes or ChaCha20Poly1305 instead." + }, + "helpUri": "https://semgrep.dev/r/csharp.dotnet.security.use_deprecated_cipher_algorithm.use_deprecated_cipher_algorithm", + "id": "semgrep.rules.csharp.dotnet.security.use_deprecated_cipher_algorithm.use_deprecated_cipher_algorithm", + "name": "semgrep.rules.csharp.dotnet.security.use_deprecated_cipher_algorithm.use_deprecated_cipher_algorithm", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", + "MEDIUM CONFIDENCE", + "OWASP-A02:2021 - Cryptographic Failures", + "OWASP-A04:2025 - Cryptographic Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.csharp.dotnet.security.use_deprecated_cipher_algorithm.use_deprecated_cipher_algorithm" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Usage of the insecure ECB mode detected. You should use an authenticated encryption mode instead, which is implemented by the classes AesGcm or ChaCha20Poly1305." + }, + "help": { + "markdown": "Usage of the insecure ECB mode detected. You should use an authenticated encryption mode instead, which is implemented by the classes AesGcm or ChaCha20Poly1305.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.use_ecb_mode.use_ecb_mode)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.chacha20poly1305?view=net-6.0](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.chacha20poly1305?view=net-6.0)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.ciphermode?view=net-6.0](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.ciphermode?view=net-6.0)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes)\n", + "text": "Usage of the insecure ECB mode detected. You should use an authenticated encryption mode instead, which is implemented by the classes AesGcm or ChaCha20Poly1305." + }, + "helpUri": "https://semgrep.dev/r/csharp.dotnet.security.use_ecb_mode.use_ecb_mode", + "id": "semgrep.rules.csharp.dotnet.security.use_ecb_mode.use_ecb_mode", + "name": "semgrep.rules.csharp.dotnet.security.use_ecb_mode.use_ecb_mode", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", + "HIGH CONFIDENCE", + "OWASP-A02:2021 - Cryptographic Failures", + "OWASP-A04:2025 - Cryptographic Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.csharp.dotnet.security.use_ecb_mode.use_ecb_mode" + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead." + }, + "help": { + "markdown": "You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.random?view=net-6.0#remarks](https://learn.microsoft.com/en-us/dotnet/api/system.random?view=net-6.0#remarks)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator?view=net-6.0](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator?view=net-6.0)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0#constructors](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0#constructors)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.symmetricalgorithm.key?view=net-6.0#system-security-cryptography-symmetricalgorithm-key](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.symmetricalgorithm.key?view=net-6.0#system-security-cryptography-symmetricalgorithm-key)\n", + "text": "You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead." + }, + "helpUri": "https://semgrep.dev/r/csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration", + "id": "semgrep.rules.csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration", + "name": "semgrep.rules.csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)", + "HIGH CONFIDENCE", + "OWASP-A02:2021 - Cryptographic Failures", + "OWASP-A04:2025 - Cryptographic Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "You are using the outdated PKCS#1 v1.5 encryption padding for your RSA key. Use the OAEP padding instead." + }, + "help": { + "markdown": "You are using the outdated PKCS#1 v1.5 encryption padding for your RSA key. Use the OAEP padding instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.use_weak_rsa_encryption_padding.use_weak_rsa_encryption_padding)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsapkcs1keyexchangeformatter](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsapkcs1keyexchangeformatter)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsaoaepkeyexchangeformatter](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsaoaepkeyexchangeformatter)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsapkcs1keyexchangedeformatter](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsapkcs1keyexchangedeformatter)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsaoaepkeyexchangedeformatter](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsaoaepkeyexchangedeformatter)\n", + "text": "You are using the outdated PKCS#1 v1.5 encryption padding for your RSA key. Use the OAEP padding instead." + }, + "helpUri": "https://semgrep.dev/r/csharp.dotnet.security.use_weak_rsa_encryption_padding.use_weak_rsa_encryption_padding", + "id": "semgrep.rules.csharp.dotnet.security.use_weak_rsa_encryption_padding.use_weak_rsa_encryption_padding", + "name": "semgrep.rules.csharp.dotnet.security.use_weak_rsa_encryption_padding.use_weak_rsa_encryption_padding", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-780: Use of RSA Algorithm without OAEP", + "MEDIUM CONFIDENCE", + "OWASP-A02:2021 - Cryptographic Failures", + "OWASP-A04:2025 - Cryptographic Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.csharp.dotnet.security.use_weak_rsa_encryption_padding.use_weak_rsa_encryption_padding" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "The TokenValidationParameters.$LIFETIME is set to $FALSE, this means the JWT tokens lifetime is not validated. This can lead to an JWT token being used after it has expired, which has security implications. It is recommended to validate the JWT lifetime to ensure only valid tokens are used." + }, + "help": { + "markdown": "The TokenValidationParameters.$LIFETIME is set to $FALSE, this means the JWT tokens lifetime is not validated. This can lead to an JWT token being used after it has expired, which has security implications. It is recommended to validate the JWT lifetime to ensure only valid tokens are used.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/)\n - [https://cwe.mitre.org/data/definitions/613.html](https://cwe.mitre.org/data/definitions/613.html)\n - [https://docs.microsoft.com/en-us/dotnet/api/microsoft.identitymodel.tokens.tokenvalidationparameters?view=azure-dotnet](https://docs.microsoft.com/en-us/dotnet/api/microsoft.identitymodel.tokens.tokenvalidationparameters?view=azure-dotnet)\n", + "text": "The TokenValidationParameters.$LIFETIME is set to $FALSE, this means the JWT tokens lifetime is not validated. This can lead to an JWT token being used after it has expired, which has security implications. It is recommended to validate the JWT lifetime to ensure only valid tokens are used." + }, + "helpUri": "https://semgrep.dev/r/csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation", + "id": "semgrep.rules.csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation", + "name": "semgrep.rules.csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-613: Insufficient Session Expiration", + "HIGH CONFIDENCE", + "OWASP-A02:2017 - Broken Authentication", + "OWASP-A07:2021 - Identification and Authentication Failures", + "OWASP-A07:2025 - Authentication Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.csharp.lang.security.ad.jwt-tokenvalidationparameters-no-expiry-validation.jwt-tokenvalidationparameters-no-expiry-validation" + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "Accepting unsigned security tokens as valid security tokens allows an attacker to remove its signature and potentially forge an identity. As a fix, set RequireSignedTokens to be true." + }, + "help": { + "markdown": "Accepting unsigned security tokens as valid security tokens allows an attacker to remove its signature and potentially forge an identity. As a fix, set RequireSignedTokens to be true.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.cryptography.unsigned-security-token.unsigned-security-token)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control/](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures/](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)\n - [https://cwe.mitre.org/data/definitions/347](https://cwe.mitre.org/data/definitions/347)\n", + "text": "Accepting unsigned security tokens as valid security tokens allows an attacker to remove its signature and potentially forge an identity. As a fix, set RequireSignedTokens to be true." + }, + "helpUri": "https://semgrep.dev/r/csharp.lang.security.cryptography.unsigned-security-token.unsigned-security-token", + "id": "semgrep.rules.csharp.lang.security.cryptography.unsigned-security-token.unsigned-security-token", + "name": "semgrep.rules.csharp.lang.security.cryptography.unsigned-security-token.unsigned-security-token", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-347: Improper Verification of Cryptographic Signature", + "MEDIUM CONFIDENCE", + "OWASP-A02:2021 - Cryptographic Failures", + "OWASP-A04:2025 - Cryptographic Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.csharp.lang.security.cryptography.unsigned-security-token.unsigned-security-token" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Validating certificates based on subject name is bad practice. Use the X509Certificate2.Verify() method instead." + }, + "help": { + "markdown": "Validating certificates based on subject name is bad practice. Use the X509Certificate2.Verify() method instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.issuernameregistry?view=netframework-4.8](https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.issuernameregistry?view=netframework-4.8)\n", + "text": "Validating certificates based on subject name is bad practice. Use the X509Certificate2.Verify() method instead." + }, + "helpUri": "https://semgrep.dev/r/csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation", + "id": "semgrep.rules.csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation", + "name": "semgrep.rules.csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-295: Improper Certificate Validation", + "MEDIUM CONFIDENCE", + "OWASP-A03:2017 - Sensitive Data Exposure", + "OWASP-A07:2021 - Identification and Authentication Failures", + "OWASP-A07:2025 - Authentication Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.csharp.lang.security.cryptography.x509-subject-name-validation.X509-subject-name-validation" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal." + }, + "help": { + "markdown": "String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine)\n - [https://www.praetorian.com/blog/pathcombine-security-issues-in-aspnet-applications/](https://www.praetorian.com/blog/pathcombine-security-issues-in-aspnet-applications/)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.io.path.combine?view=net-6.0#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.io.path.combine?view=net-6.0#remarks)\n", + "text": "String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal." + }, + "helpUri": "https://semgrep.dev/r/csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine", + "id": "semgrep.rules.csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine", + "name": "semgrep.rules.csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + "MEDIUM CONFIDENCE", + "OWASP-A01:2021 - Broken Access Control", + "OWASP-A01:2025 - Broken Access Control", + "OWASP-A05:2017 - Broken Access Control", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "The top level wildcard bindings $PREFIX leaves your application open to security vulnerabilities and give attackers more control over where traffic is routed. If you must use wildcards, consider using subdomain wildcard binding. For example, you can use \"*.asdf.gov\" if you own all of \"asdf.gov\"." + }, + "help": { + "markdown": "The top level wildcard bindings $PREFIX leaves your application open to security vulnerabilities and give attackers more control over where traffic is routed. If you must use wildcards, consider using subdomain wildcard binding. For example, you can use \"*.asdf.gov\" if you own all of \"asdf.gov\".\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.net.httplistener?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.net.httplistener?view=net-6.0)\n", + "text": "The top level wildcard bindings $PREFIX leaves your application open to security vulnerabilities and give attackers more control over where traffic is routed. If you must use wildcards, consider using subdomain wildcard binding. For example, you can use \"*.asdf.gov\" if you own all of \"asdf.gov\"." + }, + "helpUri": "https://semgrep.dev/r/csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings", + "id": "semgrep.rules.csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings", + "name": "semgrep.rules.csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-706: Use of Incorrectly-Resolved Name or Reference", + "MEDIUM CONFIDENCE", + "OWASP-A01:2021 - Broken Access Control", + "OWASP-A01:2025 - Broken Access Control", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. BinaryFormatter is insecure and can't be made secure" + }, + "help": { + "markdown": "The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. BinaryFormatter is insecure and can't be made secure\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization)\n - [https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide](https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide)\n", + "text": "The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. BinaryFormatter is insecure and can't be made secure" + }, + "helpUri": "https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization", + "id": "semgrep.rules.csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization", + "name": "semgrep.rules.csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-502: Deserialization of Untrusted Data", + "HIGH CONFIDENCE", + "OWASP-A08:2017 - Insecure Deserialization", + "OWASP-A08:2021 - Software and Data Integrity Failures", + "OWASP-A08:2025 - Software or Data Integrity Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "The FsPickler is dangerous and is not recommended for data processing. Default configuration tend to insecure deserialization vulnerability." + }, + "help": { + "markdown": "The FsPickler is dangerous and is not recommended for data processing. Default configuration tend to insecure deserialization vulnerability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization)\n - [https://mbraceproject.github.io/FsPickler/tutorial.html#Disabling-Subtype-Resolution](https://mbraceproject.github.io/FsPickler/tutorial.html#Disabling-Subtype-Resolution)\n", + "text": "The FsPickler is dangerous and is not recommended for data processing. Default configuration tend to insecure deserialization vulnerability." + }, + "helpUri": "https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization", + "id": "semgrep.rules.csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization", + "name": "semgrep.rules.csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-502: Deserialization of Untrusted Data", + "MEDIUM CONFIDENCE", + "OWASP-A08:2017 - Insecure Deserialization", + "OWASP-A08:2021 - Software and Data Integrity Failures", + "OWASP-A08:2025 - Software or Data Integrity Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. LosFormatter is insecure and can't be made secure" + }, + "help": { + "markdown": "The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. LosFormatter is insecure and can't be made secure\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8](https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8)\n", + "text": "The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. LosFormatter is insecure and can't be made secure" + }, + "helpUri": "https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization", + "id": "semgrep.rules.csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization", + "name": "semgrep.rules.csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-502: Deserialization of Untrusted Data", + "MEDIUM CONFIDENCE", + "OWASP-A08:2017 - Insecure Deserialization", + "OWASP-A08:2021 - Software and Data Integrity Failures", + "OWASP-A08:2025 - Software or Data Integrity Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "The NetDataContractSerializer type is dangerous and is not recommended for data processing. Applications should stop using NetDataContractSerializer as soon as possible, even if they believe the data they're processing to be trustworthy. NetDataContractSerializer is insecure and can't be made secure" + }, + "help": { + "markdown": "The NetDataContractSerializer type is dangerous and is not recommended for data processing. Applications should stop using NetDataContractSerializer as soon as possible, even if they believe the data they're processing to be trustworthy. NetDataContractSerializer is insecure and can't be made secure\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.netdatacontractserializer?view=netframework-4.8#security](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.netdatacontractserializer?view=netframework-4.8#security)\n", + "text": "The NetDataContractSerializer type is dangerous and is not recommended for data processing. Applications should stop using NetDataContractSerializer as soon as possible, even if they believe the data they're processing to be trustworthy. NetDataContractSerializer is insecure and can't be made secure" + }, + "helpUri": "https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization", + "id": "semgrep.rules.csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization", + "name": "semgrep.rules.csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-502: Deserialization of Untrusted Data", + "MEDIUM CONFIDENCE", + "OWASP-A08:2017 - Insecure Deserialization", + "OWASP-A08:2021 - Software and Data Integrity Failures", + "OWASP-A08:2025 - Software or Data Integrity Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "The SoapFormatter type is dangerous and is not recommended for data processing. Applications should stop using SoapFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. SoapFormatter is insecure and can't be made secure" + }, + "help": { + "markdown": "The SoapFormatter type is dangerous and is not recommended for data processing. Applications should stop using SoapFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. SoapFormatter is insecure and can't be made secure\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.soap.soapformatter?view=netframework-4.8#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.soap.soapformatter?view=netframework-4.8#remarks)\n", + "text": "The SoapFormatter type is dangerous and is not recommended for data processing. Applications should stop using SoapFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. SoapFormatter is insecure and can't be made secure" + }, + "helpUri": "https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization", + "id": "semgrep.rules.csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization", + "name": "semgrep.rules.csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-502: Deserialization of Untrusted Data", + "MEDIUM CONFIDENCE", + "OWASP-A08:2017 - Insecure Deserialization", + "OWASP-A08:2021 - Software and Data Integrity Failures", + "OWASP-A08:2025 - Software or Data Integrity Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Specifying the regex timeout leaves the system vulnerable to a regex-based Denial of Service (DoS) attack. Consider setting the timeout to a short amount of time like 2 or 3 seconds. If you are sure you need an infinite timeout, double check that your context meets the conditions outlined in the \"Notes to Callers\" section at the bottom of this page: https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0" + }, + "help": { + "markdown": "Specifying the regex timeout leaves the system vulnerable to a regex-based Denial of Service (DoS) attack. Consider setting the timeout to a short amount of time like 2 or 3 seconds. If you are sure you need an infinite timeout, double check that your context meets the conditions outlined in the \"Notes to Callers\" section at the bottom of this page: https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.infinitematchtimeout](https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.infinitematchtimeout)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0)\n", + "text": "Specifying the regex timeout leaves the system vulnerable to a regex-based Denial of Service (DoS) attack. Consider setting the timeout to a short amount of time like 2 or 3 seconds. If you are sure you need an infinite timeout, double check that your context meets the conditions outlined in the \"Notes to Callers\" section at the bottom of this page: https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0" + }, + "helpUri": "https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout", + "id": "semgrep.rules.csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout", + "name": "semgrep.rules.csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-1333: Inefficient Regular Expression Complexity", + "MEDIUM CONFIDENCE", + "OWASP-A01:2017 - Injection", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "When using `System.Text.RegularExpressions` to process untrusted input, pass a timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine. This will lead to excessive CPU usage, causing a Denial-of-Service attack" + }, + "help": { + "markdown": "When using `System.Text.RegularExpressions` to process untrusted input, pass a timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine. This will lead to excessive CPU usage, causing a Denial-of-Service attack\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n - [https://docs.microsoft.com/en-us/dotnet/standard/base-types/regular-expressions#regular-expression-examples](https://docs.microsoft.com/en-us/dotnet/standard/base-types/regular-expressions#regular-expression-examples)\n", + "text": "When using `System.Text.RegularExpressions` to process untrusted input, pass a timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine. This will lead to excessive CPU usage, causing a Denial-of-Service attack" + }, + "helpUri": "https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos", + "id": "semgrep.rules.csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos", + "name": "semgrep.rules.csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-1333: Inefficient Regular Expression Complexity", + "MEDIUM CONFIDENCE", + "OWASP-A01:2017 - Injection", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos" + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'." + }, + "help": { + "markdown": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.sqli.csharp-sqli.csharp-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", + "text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'." + }, + "helpUri": "https://semgrep.dev/r/csharp.lang.security.sqli.csharp-sqli.csharp-sqli", + "id": "semgrep.rules.csharp.lang.security.sqli.csharp-sqli.csharp-sqli", + "name": "semgrep.rules.csharp.lang.security.sqli.csharp-sqli.csharp-sqli", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + "MEDIUM CONFIDENCE", + "OWASP-A01:2017 - Injection", + "OWASP-A03:2021 - Injection", + "OWASP-A05:2025 - Injection", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.csharp.lang.security.sqli.csharp-sqli.csharp-sqli" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering." + }, + "help": { + "markdown": "Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure)\n - [https://cwe.mitre.org/data/definitions/209.html](https://cwe.mitre.org/data/definitions/209.html)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design/](https://owasp.org/Top10/A04_2021-Insecure_Design/)\n", + "text": "Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering." + }, + "helpUri": "https://semgrep.dev/r/csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure", + "id": "semgrep.rules.csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure", + "name": "semgrep.rules.csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-209: Generation of Error Message Containing Sensitive Information", + "HIGH CONFIDENCE", + "OWASP-A04:2021 - Insecure Design", + "OWASP-A06:2017 - Security Misconfiguration", + "OWASP-A06:2025 - Insecure Design", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data." + }, + "help": { + "markdown": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.xxe.xmldocument-unsafe-parser-override.xmldocument-unsafe-parser-override)\n - [https://www.jardinesoftware.net/2016/05/26/xxe-and-net/](https://www.jardinesoftware.net/2016/05/26/xxe-and-net/)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks)\n", + "text": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data." + }, + "helpUri": "https://semgrep.dev/r/csharp.lang.security.xxe.xmldocument-unsafe-parser-override.xmldocument-unsafe-parser-override", + "id": "semgrep.rules.csharp.lang.security.xxe.xmldocument-unsafe-parser-override.xmldocument-unsafe-parser-override", + "name": "semgrep.rules.csharp.lang.security.xxe.xmldocument-unsafe-parser-override.xmldocument-unsafe-parser-override", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-611: Improper Restriction of XML External Entity Reference", + "MEDIUM CONFIDENCE", + "OWASP-A02:2025 - Security Misconfiguration", + "OWASP-A04:2017 - XML External Entities (XXE)", + "OWASP-A05:2021 - Security Misconfiguration", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.csharp.lang.security.xxe.xmldocument-unsafe-parser-override.xmldocument-unsafe-parser-override" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data." + }, + "help": { + "markdown": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override)\n - [https://www.jardinesoftware.net/2016/05/26/xxe-and-net/](https://www.jardinesoftware.net/2016/05/26/xxe-and-net/)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks)\n", + "text": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data." + }, + "helpUri": "https://semgrep.dev/r/csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override", + "id": "semgrep.rules.csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override", + "name": "semgrep.rules.csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-611: Improper Restriction of XML External Entity Reference", + "MEDIUM CONFIDENCE", + "OWASP-A02:2025 - Security Misconfiguration", + "OWASP-A04:2017 - XML External Entities (XXE)", + "OWASP-A05:2021 - Security Misconfiguration", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data." + }, + "help": { + "markdown": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults)\n - [https://www.jardinesoftware.net/2016/05/26/xxe-and-net/](https://www.jardinesoftware.net/2016/05/26/xxe-and-net/)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks)\n", + "text": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data." + }, + "helpUri": "https://semgrep.dev/r/csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults", + "id": "semgrep.rules.csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults", + "name": "semgrep.rules.csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-611: Improper Restriction of XML External Entity Reference", + "MEDIUM CONFIDENCE", + "OWASP-A02:2025 - Security Misconfiguration", + "OWASP-A04:2017 - XML External Entities (XXE)", + "OWASP-A05:2021 - Security Misconfiguration", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.csharp.lang.security.xxe.xmltextreader-unsafe-defaults.xmltextreader-unsafe-defaults" + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'." + }, + "help": { + "markdown": "The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.last-user-is-root.last-user-is-root)\n - [https://github.com/hadolint/hadolint/wiki/DL3002](https://github.com/hadolint/hadolint/wiki/DL3002)\n", + "text": "The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'." + }, + "helpUri": "https://semgrep.dev/r/dockerfile.security.last-user-is-root.last-user-is-root", + "id": "semgrep.rules.dockerfile.security.last-user-is-root.last-user-is-root", + "name": "semgrep.rules.dockerfile.security.last-user-is-root.last-user-is-root", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-269: Improper Privilege Management", + "MEDIUM CONFIDENCE", + "OWASP-A04:2021 - Insecure Design", + "OWASP-A06:2025 - Insecure Design", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.dockerfile.security.last-user-is-root.last-user-is-root" + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'." + }, + "help": { + "markdown": "By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.missing-user-entrypoint.missing-user-entrypoint)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n", + "text": "By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'." + }, + "helpUri": "https://semgrep.dev/r/dockerfile.security.missing-user-entrypoint.missing-user-entrypoint", + "id": "semgrep.rules.dockerfile.security.missing-user-entrypoint.missing-user-entrypoint", + "name": "semgrep.rules.dockerfile.security.missing-user-entrypoint.missing-user-entrypoint", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-269: Improper Privilege Management", + "MEDIUM CONFIDENCE", + "OWASP-A04:2021 - Insecure Design", + "OWASP-A06:2025 - Insecure Design", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.dockerfile.security.missing-user-entrypoint.missing-user-entrypoint" + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'." + }, + "help": { + "markdown": "By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.missing-user.missing-user)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n", + "text": "By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'." + }, + "helpUri": "https://semgrep.dev/r/dockerfile.security.missing-user.missing-user", + "id": "semgrep.rules.dockerfile.security.missing-user.missing-user", + "name": "semgrep.rules.dockerfile.security.missing-user.missing-user", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-250: Execution with Unnecessary Privileges", + "MEDIUM CONFIDENCE", + "OWASP-A04:2021 - Insecure Design", + "OWASP-A06:2025 - Insecure Design", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.dockerfile.security.missing-user.missing-user" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Avoid using sudo in Dockerfiles. Running processes as a non-root user can help reduce the potential impact of configuration errors and security vulnerabilities." + }, + "help": { + "markdown": "Avoid using sudo in Dockerfiles. Running processes as a non-root user can help reduce the potential impact of configuration errors and security vulnerabilities.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile)\n - [https://cwe.mitre.org/data/definitions/250.html](https://cwe.mitre.org/data/definitions/250.html)\n - [https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user)\n", + "text": "Avoid using sudo in Dockerfiles. Running processes as a non-root user can help reduce the potential impact of configuration errors and security vulnerabilities." + }, + "helpUri": "https://semgrep.dev/r/dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile", + "id": "semgrep.rules.dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile", + "name": "semgrep.rules.dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-250: Execution with Unnecessary Privileges", + "HIGH CONFIDENCE", + "OWASP-A02:2025 - Security Misconfiguration", + "OWASP-A05:2021 - Security Misconfiguration", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile" + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "Semgrep found a bash reverse shell" + }, + "help": { + "markdown": "Semgrep found a bash reverse shell\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.ci.security.bash-reverse-shell.bash_reverse_shell)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", + "text": "Semgrep found a bash reverse shell" + }, + "helpUri": "https://semgrep.dev/r/generic.ci.security.bash-reverse-shell.bash_reverse_shell", + "id": "semgrep.rules.generic.ci.security.bash-reverse-shell.bash_reverse_shell", + "name": "semgrep.rules.generic.ci.security.bash-reverse-shell.bash_reverse_shell", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-94: Improper Control of Generation of Code ('Code Injection')", + "HIGH CONFIDENCE", + "OWASP-A03:2021 - Injection", + "OWASP-A05:2025 - Injection", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.generic.ci.security.bash-reverse-shell.bash_reverse_shell" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with 'map' or something similar." + }, + "help": { + "markdown": "The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with 'map' or something similar.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host)\n - [https://nginx.org/en/docs/http/ngx_http_map_module.html](https://nginx.org/en/docs/http/ngx_http_map_module.html)\n", + "text": "The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with 'map' or something similar." + }, + "helpUri": "https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host", + "id": "semgrep.rules.generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host", + "name": "semgrep.rules.generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')", + "MEDIUM CONFIDENCE", + "OWASP-A01:2021 - Broken Access Control", + "OWASP-A01:2025 - Broken Access Control", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy." + }, + "help": { + "markdown": "The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md)\n", + "text": "The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy." + }, + "helpUri": "https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme", + "id": "semgrep.rules.generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme", + "name": "semgrep.rules.generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-16: CWE CATEGORY: Configuration", + "MEDIUM CONFIDENCE", + "OWASP-A02:2025 - Security Misconfiguration", + "OWASP-A05:2021 - Security Misconfiguration", + "OWASP-A06:2017 - Security Misconfiguration", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme" + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: '[^\\s]+'." + }, + "help": { + "markdown": "The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: '[^\\s]+'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.header-injection.header-injection)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md)\n - [https://owasp.org/www-community/attacks/HTTP_Response_Splitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting)\n", + "text": "The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: '[^\\s]+'." + }, + "helpUri": "https://semgrep.dev/r/generic.nginx.security.header-injection.header-injection", + "id": "semgrep.rules.generic.nginx.security.header-injection.header-injection", + "name": "semgrep.rules.generic.nginx.security.header-injection.header-injection", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')", + "MEDIUM CONFIDENCE", + "OWASP-A03:2021 - Injection", + "OWASP-A05:2025 - Injection", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.generic.nginx.security.header-injection.header-injection" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLS1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later." + }, + "help": { + "markdown": "Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLS1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.insecure-ssl-version.insecure-ssl-version)\n - [https://www.acunetix.com/blog/web-security-zone/hardening-nginx/](https://www.acunetix.com/blog/web-security-zone/hardening-nginx/)\n - [https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/](https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/)\n", + "text": "Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLS1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later." + }, + "helpUri": "https://semgrep.dev/r/generic.nginx.security.insecure-ssl-version.insecure-ssl-version", + "id": "semgrep.rules.generic.nginx.security.insecure-ssl-version.insecure-ssl-version", + "name": "semgrep.rules.generic.nginx.security.insecure-ssl-version.insecure-ssl-version", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-326: Inadequate Encryption Strength", + "HIGH CONFIDENCE", + "OWASP-A02:2021 - Cryptographic Failures", + "OWASP-A03:2017 - Sensitive Data Exposure", + "OWASP-A04:2025 - Cryptographic Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.generic.nginx.security.insecure-ssl-version.insecure-ssl-version" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "This server configuration is missing the 'ssl_protocols' directive. By default, this server will use 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2', and versions older than TLSv1.2 are known to be broken. Explicitly specify 'ssl_protocols TLSv1.2 TLSv1.3' to use secure TLS versions." + }, + "help": { + "markdown": "This server configuration is missing the 'ssl_protocols' directive. By default, this server will use 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2', and versions older than TLSv1.2 are known to be broken. Explicitly specify 'ssl_protocols TLSv1.2 TLSv1.3' to use secure TLS versions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.missing-ssl-version.missing-ssl-version)\n - [https://www.acunetix.com/blog/web-security-zone/hardening-nginx/](https://www.acunetix.com/blog/web-security-zone/hardening-nginx/)\n - [https://nginx.org/en/docs/http/configuring_https_servers.html](https://nginx.org/en/docs/http/configuring_https_servers.html)\n", + "text": "This server configuration is missing the 'ssl_protocols' directive. By default, this server will use 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2', and versions older than TLSv1.2 are known to be broken. Explicitly specify 'ssl_protocols TLSv1.2 TLSv1.3' to use secure TLS versions." + }, + "helpUri": "https://semgrep.dev/r/generic.nginx.security.missing-ssl-version.missing-ssl-version", + "id": "semgrep.rules.generic.nginx.security.missing-ssl-version.missing-ssl-version", + "name": "semgrep.rules.generic.nginx.security.missing-ssl-version.missing-ssl-version", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-326: Inadequate Encryption Strength", + "MEDIUM CONFIDENCE", + "OWASP-A02:2021 - Cryptographic Failures", + "OWASP-A03:2017 - Sensitive Data Exposure", + "OWASP-A04:2025 - Cryptographic Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.generic.nginx.security.missing-ssl-version.missing-ssl-version" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers." + }, + "help": { + "markdown": "Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling)\n - [https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c](https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c)\n", + "text": "Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers." + }, + "helpUri": "https://semgrep.dev/r/generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling", + "id": "semgrep.rules.generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling", + "name": "semgrep.rules.generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", + "MEDIUM CONFIDENCE", + "OWASP-A04:2021 - Insecure Design", + "OWASP-A06:2025 - Insecure Design", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "'$http_host' and '$host' variables may contain a malicious value from attacker controlled 'Host' request header. Use an explicitly configured host value or a allow list for validation." + }, + "help": { + "markdown": "'$http_host' and '$host' variables may contain a malicious value from attacker controlled 'Host' request header. Use an explicitly configured host value or a allow list for validation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.request-host-used.request-host-used)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/hostspoofing.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/hostspoofing.md)\n - [https://portswigger.net/web-security/host-header](https://portswigger.net/web-security/host-header)\n", + "text": "'$http_host' and '$host' variables may contain a malicious value from attacker controlled 'Host' request header. Use an explicitly configured host value or a allow list for validation." + }, + "helpUri": "https://semgrep.dev/r/generic.nginx.security.request-host-used.request-host-used", + "id": "semgrep.rules.generic.nginx.security.request-host-used.request-host-used", + "name": "semgrep.rules.generic.nginx.security.request-host-used.request-host-used", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-290: Authentication Bypass by Spoofing", + "MEDIUM CONFIDENCE", + "OWASP-A07:2021 - Identification and Authentication Failures", + "OWASP-A07:2025 - Authentication Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.generic.nginx.security.request-host-used.request-host-used" + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "Stripe Restricted API Key detected" + }, + "help": { + "markdown": "Stripe Restricted API Key detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", + "text": "Stripe Restricted API Key detected" + }, + "helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key", + "id": "semgrep.rules.generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key", + "name": "semgrep.rules.generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-798: Use of Hard-coded Credentials", + "MEDIUM CONFIDENCE", + "OWASP-A07:2021 - Identification and Authentication Failures", + "OWASP-A07:2025 - Authentication Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key" + } + }, + { + "defaultConfiguration": { + "level": "error" + }, + "fullDescription": { + "text": "Username and password in URI detected" + }, + "help": { + "markdown": "Username and password in URI detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-username-and-password-in-uri.detected-username-and-password-in-uri)\n - [https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go](https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go)\n", + "text": "Username and password in URI detected" + }, + "helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-username-and-password-in-uri.detected-username-and-password-in-uri", + "id": "semgrep.rules.generic.secrets.security.detected-username-and-password-in-uri.detected-username-and-password-in-uri", + "name": "semgrep.rules.generic.secrets.security.detected-username-and-password-in-uri.detected-username-and-password-in-uri", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-798: Use of Hard-coded Credentials", + "MEDIUM CONFIDENCE", + "OWASP-A07:2021 - Identification and Authentication Failures", + "OWASP-A07:2025 - Authentication Failures", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.generic.secrets.security.detected-username-and-password-in-uri.detected-username-and-password-in-uri" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Detects potential Google Maps API keys in code" + }, + "help": { + "markdown": "Detects potential Google Maps API keys in code\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak)\n - [https://ozguralp.medium.com/unauthorized-google-maps-api-key-usage-cases-and-why-you-need-to-care-1ccb28bf21e](https://ozguralp.medium.com/unauthorized-google-maps-api-key-usage-cases-and-why-you-need-to-care-1ccb28bf21e)\n", + "text": "Detects potential Google Maps API keys in code" + }, + "helpUri": "https://semgrep.dev/r/generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak", + "id": "semgrep.rules.generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak", + "name": "semgrep.rules.generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak", + "properties": { + "precision": "very-high", + "tags": [ + "CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory", + "MEDIUM CONFIDENCE", + "OWASP-A3:2017 Sensitive Data Exposure", + "security" + ] + }, + "shortDescription": { + "text": "Semgrep Finding: semgrep.rules.generic.secrets.security.google-maps-apikeyleak.google-maps-apikeyleak" + } + }, + { + "defaultConfiguration": { + "level": "warning" + }, + "fullDescription": { + "text": "Consuming CDNs without including a SubResource Integrity (SRI) can expose your application and its users to compromised code. SRIs allow you to consume specific versions of content where if even a single byte is compromised, the resource will not be loaded. Add an integrity attribute to your + - pattern-not: + paths: + include: + - '*.component' + - '*.page' +- id: generic.visualforce.security.ncino.xml.cspheaderattribute.csp-header-attribute + languages: + - generic + severity: INFO + message: Visualforce Pages must have the cspHeader attribute set to true. This attribute + is available in API version 55 or higher. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + - A05:2025 - Injection + references: + - https://help.salesforce.com/s/articleView?id=sf.csp_trusted_sites.htm&type=5 + category: security + subcategory: + - vuln + technology: + - salesforce + - visualforce + cwe2022-top25: true + cwe2021-top25: true + likelihood: HIGH + impact: MEDIUM + confidence: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/generic.visualforce.security.ncino.xml.cspheaderattribute.csp-header-attribute + shortlink: https://sg.run/yoj8 + semgrep.dev: + rule: + r_id: 72424 + rv_id: 1262907 + rule_id: DbUj7d + version_id: RGT0L0r + url: https://semgrep.dev/playground/r/RGT0L0r/generic.visualforce.security.ncino.xml.cspheaderattribute.csp-header-attribute + origin: community + patterns: + - pattern: ... + - pattern-not: ... + - pattern-not: ...... + - pattern-not: ...... + paths: + include: + - '*.page' +- id: generic.visualforce.security.ncino.xml.visualforceapiversion.visualforce-page-api-version + languages: + - generic + severity: WARNING + message: Visualforce Pages must use API version 55 or higher for required use of + the cspHeader attribute set to true. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + - A05:2025 - Injection + references: + - https://developer.salesforce.com/docs/atlas.en-us.api_meta.meta/api_meta/meta_pages.htm + category: security + subcategory: + - vuln + technology: + - salesforce + - visualforce + cwe2022-top25: true + cwe2021-top25: true + likelihood: HIGH + impact: MEDIUM + confidence: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/generic.visualforce.security.ncino.xml.visualforceapiversion.visualforce-page-api-version + shortlink: https://sg.run/rWr6 + semgrep.dev: + rule: + r_id: 72425 + rv_id: 1262908 + rule_id: WAUwJW + version_id: A8Tgdgn + url: https://semgrep.dev/playground/r/A8Tgdgn/generic.visualforce.security.ncino.xml.visualforceapiversion.visualforce-page-api-version + origin: community + patterns: + - pattern-inside: + - pattern-either: + - pattern-regex: '[>][0-9].[0-9][<]' + - pattern-regex: '[>][1-4][0-9].[0-9][<]' + - pattern-regex: '[>][5][0-4].[0-9][<]' + paths: + include: + - '*.page-meta.xml' +- id: python.django.security.hashids-with-django-secret.hashids-with-django-secret + languages: + - python + message: The Django secret key is used as salt in HashIDs. The HashID mechanism + is not secure. By observing sufficient HashIDs, the salt used to construct them + can be recovered. This means the Django secret key can be obtained by attackers, + through the HashIDs. + metadata: + category: security + subcategory: + - vuln + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - "A02:2021 \u2013 Cryptographic Failures" + references: + - https://docs.djangoproject.com/en/4.2/ref/settings/#std-setting-SECRET_KEY + - http://carnage.github.io/2015/08/cryptanalysis-of-hashids + technology: + - django + likelihood: LOW + impact: HIGH + confidence: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/python.django.security.hashids-with-django-secret.hashids-with-django-secret + shortlink: https://sg.run/bxeZ + semgrep.dev: + rule: + r_id: 72426 + rv_id: 946163 + rule_id: 0oUXqy + version_id: 0bT15nn + url: https://semgrep.dev/playground/r/0bT15nn/python.django.security.hashids-with-django-secret.hashids-with-django-secret + origin: community + pattern-either: + - pattern: hashids.Hashids(..., salt=django.conf.settings.SECRET_KEY, ...) + - pattern: hashids.Hashids(django.conf.settings.SECRET_KEY, ...) + severity: ERROR +- id: python.flask.security.hashids-with-flask-secret.hashids-with-flask-secret + languages: + - python + message: The Flask secret key is used as salt in HashIDs. The HashID mechanism is + not secure. By observing sufficient HashIDs, the salt used to construct them can + be recovered. This means the Flask secret key can be obtained by attackers, through + the HashIDs. + metadata: + category: security + subcategory: + - vuln + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - "A02:2021 \u2013 Cryptographic Failures" + references: + - https://flask.palletsprojects.com/en/2.2.x/config/#SECRET_KEY + - http://carnage.github.io/2015/08/cryptanalysis-of-hashids + technology: + - flask + likelihood: LOW + impact: HIGH + confidence: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/python.flask.security.hashids-with-flask-secret.hashids-with-flask-secret + shortlink: https://sg.run/N0Rx + semgrep.dev: + rule: + r_id: 72427 + rv_id: 946220 + rule_id: KxUX3z + version_id: 0bT15Px + url: https://semgrep.dev/playground/r/0bT15Px/python.flask.security.hashids-with-flask-secret.hashids-with-flask-secret + origin: community + pattern-either: + - pattern: hashids.Hashids(..., salt=flask.current_app.config['SECRET_KEY'], ...) + - pattern: hashids.Hashids(flask.current_app.config['SECRET_KEY'], ...) + - patterns: + - pattern-inside: | + $APP = flask.Flask(...) + ... + - pattern-either: + - pattern: hashids.Hashids(..., salt=$APP.config['SECRET_KEY'], ...) + - pattern: hashids.Hashids($APP.config['SECRET_KEY'], ...) + severity: ERROR +- id: python.lang.security.use-defused-xml-parse.use-defused-xml-parse + metadata: + owasp: + - A04:2017 - XML External Entities (XXE) + - A05:2021 - Security Misconfiguration + - A02:2025 - Security Misconfiguration + cwe: + - 'CWE-611: Improper Restriction of XML External Entity Reference' + references: + - https://docs.python.org/3/library/xml.html + - https://github.com/tiran/defusedxml + - https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing + category: security + technology: + - python + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - XML Injection + source: https://semgrep.dev/r/python.lang.security.use-defused-xml-parse.use-defused-xml-parse + shortlink: https://sg.run/n3jG + semgrep.dev: + rule: + r_id: 72436 + rv_id: 1263541 + rule_id: X5Uqnx + version_id: vdT06ER + url: https://semgrep.dev/playground/r/vdT06ER/python.lang.security.use-defused-xml-parse.use-defused-xml-parse + origin: community + message: The native Python `xml` library is vulnerable to XML External Entity (XXE) + attacks. These attacks can leak confidential data and "XML bombs" can cause denial + of service. Do not use this library to parse untrusted input. Instead the Python + documentation recommends using `defusedxml`. + languages: + - python + severity: ERROR + patterns: + - pattern: xml.etree.ElementTree.parse($...ARGS) + - pattern-not: xml.etree.ElementTree.parse("...") + fix: defusedxml.etree.ElementTree.parse($...ARGS) +- id: php.lang.security.tainted-exec.tainted-exec + mode: taint + pattern-sources: + - pattern: $_REQUEST + - pattern: $_GET + - pattern: $_POST + - pattern: $_COOKIE + pattern-sinks: + - pattern: exec(...) + - pattern: system(...) + - pattern: popen(...) + - pattern: passthru(...) + - pattern: shell_exec(...) + - pattern: pcntl_exec(...) + - pattern: proc_open(...) + pattern-sanitizers: + - pattern: escapeshellarg(...) + message: Executing non-constant commands. This can lead to command injection. You + should use `escapeshellarg()` when using command. + metadata: + cwe: + - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' + references: + - https://www.stackhawk.com/blog/php-command-injection/ + - https://brightsec.com/blog/code-injection-php/ + - https://www.acunetix.com/websitesecurity/php-security-2/ + category: security + technology: + - php + owasp: + - A03:2021 - Injection + - A05:2025 - Injection + cwe2022-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: HIGH + confidence: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/php.lang.security.tainted-exec.tainted-exec + shortlink: https://sg.run/JAkP + semgrep.dev: + rule: + r_id: 73146 + rv_id: 1263300 + rule_id: 9AUw06 + version_id: BjTkZ4y + url: https://semgrep.dev/playground/r/BjTkZ4y/php.lang.security.tainted-exec.tainted-exec + origin: community + languages: + - php + severity: ERROR +- id: php.lang.security.injection.tainted-session.tainted-session + severity: WARNING + message: Session key based on user input risks session poisoning. The user can determine + the key used for the session, and thus write any session variable. Session variables + are typically trusted to be set only by the application, and manipulating the + session can result in access control issues. + metadata: + technology: + - php + category: security + cwe: + - 'CWE-284: Improper Access Control' + owasp: + - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control + references: + - https://en.wikipedia.org/wiki/Session_poisoning + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + impact: MEDIUM + likelihood: MEDIUM + confidence: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/php.lang.security.injection.tainted-session.tainted-session + shortlink: https://sg.run/bxNp + semgrep.dev: + rule: + r_id: 73470 + rv_id: 1263289 + rule_id: 4bUdoP + version_id: 8KT5rPE + url: https://semgrep.dev/playground/r/8KT5rPE/php.lang.security.injection.tainted-session.tainted-session + origin: community + languages: + - php + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern: $_GET + - pattern: $_POST + - pattern: $_COOKIE + - pattern: $_REQUEST + pattern-sanitizers: + - patterns: + - pattern-either: + - pattern: $A . $B + - pattern: bin2hex(...) + - pattern: crc32(...) + - pattern: crypt(...) + - pattern: filter_input(...) + - pattern: filter_var(...) + - pattern: hash(...) + - pattern: md5(...) + - pattern: preg_filter(...) + - pattern: preg_grep(...) + - pattern: preg_match_all(...) + - pattern: sha1(...) + - pattern: sprintf(...) + - pattern: str_contains(...) + - pattern: str_ends_with(...) + - pattern: str_starts_with(...) + - pattern: strcasecmp(...) + - pattern: strchr(...) + - pattern: stripos(...) + - pattern: stristr(...) + - pattern: strnatcasecmp(...) + - pattern: strnatcmp(...) + - pattern: strncmp(...) + - pattern: strpbrk(...) + - pattern: strpos(...) + - pattern: strripos(...) + - pattern: strrpos(...) + - pattern: strspn(...) + - pattern: strstr(...) + - pattern: strtok(...) + - pattern: substr_compare(...) + - pattern: substr_count(...) + - pattern: vsprintf(...) + pattern-sinks: + - patterns: + - pattern-inside: $_SESSION[$KEY] = $VAL; + - pattern: $KEY +- id: yaml.kubernetes.security.legacy-api-clusterrole-excessive-permissions.legacy-api-clusterrole-excessive-permissions + patterns: + - pattern: | + "*" + - pattern-inside: | + resources: $A + ... + - pattern-inside: | + verbs: $A + ... + - pattern-inside: | + - apiGroups: [""] + ... + - pattern-inside: | + apiVersion: rbac.authorization.k8s.io/v1 + ... + - pattern-inside: | + kind: ClusterRole + ... + message: 'Semgrep detected a Kubernetes core API ClusterRole with excessive permissions. + Attaching excessive permissions to a ClusterRole associated with the core namespace + allows the V1 API to perform arbitrary actions on arbitrary resources attached + to the cluster. Prefer explicit allowlists of verbs/resources when configuring + the core API namespace. ' + languages: + - yaml + severity: WARNING + metadata: + cwe: + - 'CWE-269: Improper Privilege Management' + owasp: + - A05:2021 - Security Misconfiguration + - A06:2017 - Security Misconfiguration + - A02:2025 - Security Misconfiguration + references: + - https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole + - https://kubernetes.io/docs/concepts/security/rbac-good-practices/#general-good-practice + - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#api-groups + category: security + technology: + - kubernetes + cwe2021-top25: false + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/yaml.kubernetes.security.legacy-api-clusterrole-excessive-permissions.legacy-api-clusterrole-excessive-permissions + shortlink: https://sg.run/x6Dz + semgrep.dev: + rule: + r_id: 73474 + rv_id: 1263935 + rule_id: GdUR2A + version_id: 9lT4bw7 + url: https://semgrep.dev/playground/r/9lT4bw7/yaml.kubernetes.security.legacy-api-clusterrole-excessive-permissions.legacy-api-clusterrole-excessive-permissions + origin: community +- id: python.fastapi.security.wildcard-cors.wildcard-cors + languages: + - python + message: CORS policy allows any origin (using wildcard '*'). This is insecure and + should be avoided. + mode: taint + pattern-sources: + - pattern: '[..., "*", ...]' + pattern-sinks: + - patterns: + - pattern: | + $APP.add_middleware( + CORSMiddleware, + allow_origins=$ORIGIN, + ...); + - focus-metavariable: $ORIGIN + severity: WARNING + metadata: + cwe: + - 'CWE-942: Permissive Cross-domain Policy with Untrusted Domains' + owasp: + - A05:2021 - Security Misconfiguration + - A02:2025 - Security Misconfiguration + category: security + technology: + - python + - fastapi + references: + - https://owasp.org/Top10/A05_2021-Security_Misconfiguration + - https://cwe.mitre.org/data/definitions/942.html + likelihood: HIGH + impact: LOW + confidence: MEDIUM + vulnerability_class: + - Configuration + subcategory: + - vuln + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + source: https://semgrep.dev/r/python.fastapi.security.wildcard-cors.wildcard-cors + shortlink: https://sg.run/KxApY + semgrep.dev: + rule: + r_id: 112311 + rv_id: 1263413 + rule_id: lBU4JQ3 + version_id: A8Tgd1R + url: https://semgrep.dev/playground/r/A8Tgd1R/python.fastapi.security.wildcard-cors.wildcard-cors + origin: community +- id: javascript.jwt-simple.security.jwt-simple-noverify.jwt-simple-noverify + message: Detected the decoding of a JWT token without a verify step. JWT tokens + must be verified before use, otherwise the token's integrity is unknown. This + means a malicious actor could forge a JWT token with any claims. Set 'verify' + to `true` before using the token. + severity: ERROR + metadata: + owasp: + - A05:2021 - Security Misconfiguration + - A07:2021 - Identification and Authentication Failures + - A02:2025 - Security Misconfiguration + - A07:2025 - Authentication Failures + cwe: + - 'CWE-287: Improper Authentication' + - 'CWE-345: Insufficient Verification of Data Authenticity' + - 'CWE-347: Improper Verification of Cryptographic Signature' + category: security + subcategory: + - vuln + technology: + - jwt-simple + - jwt + confidence: HIGH + likelihood: MEDIUM + impact: HIGH + references: + - https://www.npmjs.com/package/jwt-simple + - https://cwe.mitre.org/data/definitions/287 + - https://cwe.mitre.org/data/definitions/345 + - https://cwe.mitre.org/data/definitions/347 + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cryptographic Issues + - Improper Authentication + source: https://semgrep.dev/r/javascript.jwt-simple.security.jwt-simple-noverify.jwt-simple-noverify + shortlink: https://sg.run/zdjod + semgrep.dev: + rule: + r_id: 120561 + rv_id: 1263191 + rule_id: r6UyNLy + version_id: 3ZT4Xxv + url: https://semgrep.dev/playground/r/3ZT4Xxv/javascript.jwt-simple.security.jwt-simple-noverify.jwt-simple-noverify + origin: community + languages: + - javascript + - typescript + patterns: + - pattern-inside: | + $JWT = require('jwt-simple'); + ... + - pattern: $JWT.decode($TOKEN, $SECRET, $NOVERIFY, ...) + - metavariable-pattern: + metavariable: $NOVERIFY + patterns: + - pattern-either: + - pattern: | + true + - pattern: | + "..." +- id: php.lang.security.injection.printed-request.printed-request + mode: taint + message: '`Printing user input risks cross-site scripting vulnerability. You should + use `htmlentities()` when showing data to users.' + languages: + - php + severity: ERROR + pattern-sources: + - pattern: $_REQUEST + - pattern: $_GET + - pattern: $_POST + pattern-sinks: + - pattern: print($...VARS); + pattern-sanitizers: + - pattern: htmlentities(...) + - pattern: htmlspecialchars(...) + - pattern: strip_tags(...) + - pattern: isset(...) + - pattern: empty(...) + - pattern: esc_html(...) + - pattern: esc_attr(...) + - pattern: wp_kses(...) + - pattern: e(...) + - pattern: twig_escape_filter(...) + - pattern: xss_clean(...) + - pattern: html_escape(...) + - pattern: Html::escape(...) + - pattern: Xss::filter(...) + - pattern: escapeHtml(...) + - pattern: escapeHtml(...) + - pattern: escapeHtmlAttr(...) + fix: print(htmlentities($...VARS)); + metadata: + technology: + - php + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + - A05:2025 - Injection + category: security + references: + - https://www.php.net/manual/en/function.htmlentities.php + - https://www.php.net/manual/en/reserved.variables.request.php + - https://www.php.net/manual/en/reserved.variables.post.php + - https://www.php.net/manual/en/reserved.variables.get.php + - https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/php.lang.security.injection.printed-request.printed-request + shortlink: https://sg.run/QrxEJ + semgrep.dev: + rule: + r_id: 128886 + rv_id: 1263284 + rule_id: KxUvRBw + version_id: ZRTKAk4 + url: https://semgrep.dev/playground/r/ZRTKAk4/php.lang.security.injection.printed-request.printed-request + origin: community +- id: go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone + patterns: + - pattern-inside: | + &sessions.Options{ + ..., + SameSite: http.SameSiteNoneMode, + ..., + } + - pattern: | + &sessions.Options{ + ..., + } + message: Found SameSiteNoneMode setting in Gorilla session options. Consider setting + SameSite to Lax, Strict or Default for enhanced security. + metadata: + cwe: + - 'CWE-1275: Sensitive Cookie with Improper SameSite Attribute' + owasp: + - A05:2021 - Security Misconfiguration + - A02:2025 - Security Misconfiguration + references: + - https://pkg.go.dev/github.com/gorilla/sessions#Options + category: security + technology: + - gorilla + confidence: MEDIUM + subcategory: + - audit + likelihood: LOW + impact: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cookie Security + source: https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone + shortlink: https://sg.run/x8Nwj + semgrep.dev: + rule: + r_id: 133074 + rv_id: 1262913 + rule_id: YGUpGd4 + version_id: K3TKkKB + url: https://semgrep.dev/playground/r/K3TKkKB/go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone + origin: community + fix-regex: + regex: (SameSite\s*:\s+)http.SameSiteNoneMode + replacement: \1http.SameSiteDefaultMode + severity: WARNING + languages: + - go +- id: solidity.security.missing-self-transfer-check-ercx.missing-self-transfer-check-ercx + languages: + - solidity + message: Missing check for 'from' and 'to' being the same before updating balances + could lead to incorrect balance manipulation on self-transfers. Include a check + to ensure 'from' and 'to' are not the same before updating balances to prevent + balance manipulation during self-transfers. + severity: ERROR + metadata: + category: security + technology: + - blockchain + - solidity + cwe: 'CWE-682: Incorrect Calculation' + subcategory: + - vuln + confidence: HIGH + likelihood: HIGH + impact: HIGH + owasp: + - A7:2021 Identification and Authentication Failures + references: + - https://blog.verichains.io/p/miner-project-attacked-by-vulnerabilities + - https://x.com/shoucccc/status/1757777764646859121 + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Other + source: https://semgrep.dev/r/solidity.security.missing-self-transfer-check-ercx.missing-self-transfer-check-ercx + shortlink: https://sg.run/Or6X7 + semgrep.dev: + rule: + r_id: 133075 + rv_id: 946620 + rule_id: 6JUv7Nz + version_id: A8TJzYz + url: https://semgrep.dev/playground/r/A8TJzYz/solidity.security.missing-self-transfer-check-ercx.missing-self-transfer-check-ercx + origin: community + patterns: + - pattern-either: + - pattern: | + _balances[$FROM] = $FROM_BALANCE - value; + - pattern: | + _balances[$TO] = $TO_BALANCE + value; + - pattern-not-inside: | + if ($FROM != $TO) { + ... + _balances[$FROM] = $FROM_BALANCE - value; + ... + _balances[$TO] = $TO_BALANCE + value; + ... + } + - pattern-inside: | + function _update(address $FROM, address $TO, uint256 value, bool mint) internal virtual { + ... + } +- id: yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication + languages: + - yaml + message: Basic authentication is considered weak and should be avoided. Use a different + authentication scheme, such of OAuth2, OpenID Connect, or mTLS. + severity: ERROR + patterns: + - pattern-inside: | + openapi: $VERSION + ... + components: + ... + securitySchemes: + ... + $SCHEME: + ... + - metavariable-regex: + metavariable: $VERSION + regex: 3.* + - pattern: | + type: http + ... + scheme: basic + metadata: + category: security + subcategory: + - vuln + technology: + - openapi + likelihood: MEDIUM + impact: HIGH + confidence: HIGH + cwe: 'CWE-287: Improper Authentication' + owasp: + - A04:2021 Insecure Design + - A07:2021 Identification and Authentication Failures + references: + - https://cwe.mitre.org/data/definitions/287.html + - https://owasp.org/Top10/A04_2021-Insecure_Design/ + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/ + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication + shortlink: https://sg.run/v8wNW + semgrep.dev: + rule: + r_id: 133077 + rv_id: 947072 + rule_id: zdUKgEX + version_id: 0bT1ErG + url: https://semgrep.dev/playground/r/0bT1ErG/yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication + origin: community +- id: python.twilio.security.twiml-injection.twiml-injection + languages: + - python + severity: WARNING + message: Using non-constant TwiML (Twilio Markup Language) argument when creating + a Twilio conversation could allow the injection of additional TwiML commands + metadata: + cwe: + - 'CWE-91: XML Injection' + owasp: + - A03:2021 - Injection + - A05:2025 - Injection + category: security + technology: + - python + - twilio + - twiml + confidence: MEDIUM + likelihood: HIGH + impact: MEDIUM + subcategory: + - vuln + references: + - https://codeberg.org/fennix/funjection + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Other + source: https://semgrep.dev/r/python.twilio.security.twiml-injection.twiml-injection + shortlink: https://sg.run/GdEEy + semgrep.dev: + rule: + r_id: 134692 + rv_id: 1263580 + rule_id: oqUgjj2 + version_id: kbTzGp1 + url: https://semgrep.dev/playground/r/kbTzGp1/python.twilio.security.twiml-injection.twiml-injection + origin: community + mode: taint + pattern-sources: + - pattern: | + f"..." + - pattern: | + "..." % ... + - pattern: | + "...".format(...) + - patterns: + - pattern: $ARG + - pattern-inside: | + def $F(..., $ARG, ...): + ... + pattern-sanitizers: + - pattern: xml.sax.saxutils.escape(...) + - pattern: html.escape(...) + pattern-sinks: + - patterns: + - pattern: | + $CLIENT.calls.create(..., twiml=$SINK, ...) + - focus-metavariable: $SINK +- id: kotlin.gradle.security.build-gradle-password-hardcoded.build-gradle-password-hardcoded + message: A secret is hard-coded in the application. Secrets stored in source code, + such as credentials, identifiers, and other types of sensitive data, can be leaked + and used by internal or external malicious actors. It is recommended to rotate + the secret and retrieve them from a secure secret vault or Hardware Security Module + (HSM), alternatively environment variables can be used if allowed by your company + policy. + severity: WARNING + metadata: + likelihood: LOW + impact: HIGH + confidence: MEDIUM + category: security + subcategory: + - vuln + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + cwe2020-top25: true + cwe2021-top25: true + cwe2022-top25: true + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + technology: + - secrets + vulnerability_class: + - Hard-coded Secrets + source_rule_url: https://semgrep.dev/playground/r/d8Ur5BA/achufistov6_personal_org.build-gradle-password-hardcoded + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + source: https://semgrep.dev/r/kotlin.gradle.security.build-gradle-password-hardcoded.build-gradle-password-hardcoded + shortlink: https://sg.run/qN29x + semgrep.dev: + rule: + r_id: 137856 + rv_id: 1263257 + rule_id: ReUD6Kg + version_id: DkTRbLX + url: https://semgrep.dev/playground/r/DkTRbLX/kotlin.gradle.security.build-gradle-password-hardcoded.build-gradle-password-hardcoded + origin: community + languages: + - kotlin + options: + symbolic_propagation: true + patterns: + - pattern-either: + - pattern: '$PASS = env[...] ?: $VALUE' + - metavariable-regex: + metavariable: $PASS + regex: (password|pass|passwd|loginPassword) + - metavariable-pattern: + language: generic + metavariable: $VALUE + patterns: + - pattern-either: + - pattern-regex: ^[A-Za-z0-9/+=]+$ + paths: + include: + - '*build.gradle.kts' +- id: php.lang.security.injection.tainted-callable.tainted-callable + severity: WARNING + message: Callable based on user input risks remote code execution. + metadata: + technology: + - php + category: security + cwe: + - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' + owasp: + - A03:2021 - Injection + - A05:2025 - Injection + references: + - https://www.php.net/manual/en/language.types.callable.php + subcategory: + - vuln + impact: HIGH + likelihood: MEDIUM + confidence: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/php.lang.security.injection.tainted-callable.tainted-callable + shortlink: https://sg.run/YGb33 + semgrep.dev: + rule: + r_id: 141958 + rv_id: 1263285 + rule_id: 0oULBKK + version_id: nWT2L5x + url: https://semgrep.dev/playground/r/nWT2L5x/php.lang.security.injection.tainted-callable.tainted-callable + origin: community + languages: + - php + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern: $_GET + - pattern: $_POST + - pattern: $_COOKIE + - pattern: $_REQUEST + - pattern: file_get_contents('php://input') + pattern-sinks: + - patterns: + - pattern: $CALLABLE + - pattern-either: + - pattern-inside: $ARRAYITERATOR->uasort($CALLABLE) + - pattern-inside: $ARRAYITERATOR->uksort($CALLABLE) + - pattern-inside: $EVENTHTTP->setCallback($CALLABLE, ...) + - pattern-inside: $EVENTHTTPCONNECTION->setCloseCallback($CALLABLE, ...) + - pattern-inside: $EVLOOP->fork($CALLABLE, ...) + - pattern-inside: $EVLOOP->idle($CALLABLE, ...) + - pattern-inside: $EVLOOP->prepare($CALLABLE, ...) + - pattern-inside: $EVWATCHER->setCallback($CALLABLE) + - pattern-inside: $GEARMANCLIENT->setClientCallback($CALLABLE) + - pattern-inside: $GEARMANCLIENT->setCompleteCallback($CALLABLE) + - pattern-inside: $GEARMANCLIENT->setCreatedCallback($CALLABLE) + - pattern-inside: $GEARMANCLIENT->setDataCallback($CALLABLE) + - pattern-inside: $GEARMANCLIENT->setExceptionCallback($CALLABLE) + - pattern-inside: $GEARMANCLIENT->setFailCallback($CALLABLE) + - pattern-inside: $GEARMANCLIENT->setStatusCallback($CALLABLE) + - pattern-inside: $GEARMANCLIENT->setWarningCallback($CALLABLE) + - pattern-inside: $GEARMANCLIENT->setWorkloadCallback($CALLABLE) + - pattern-inside: $IMAGICK->setProgressMonitor($CALLABLE) + - pattern-inside: $OAUTHPROVIDER->consumerHandler($CALLABLE) + - pattern-inside: $OAUTHPROVIDER->tokenHandler($CALLABLE) + - pattern-inside: $PDO->sqliteCreateCollation($NAME, $CALLABLE) + - pattern-inside: $PDOSTATEMENT->fetchAll(PDO::FETCH_FUNC, $CALLABLE) + - pattern-inside: $SQLITE3->createCollation($NAME, $CALLABLE) + - pattern-inside: $SQLITE3->setAuthorizer($CALLABLE) + - pattern-inside: $ZIPARCHIVE->registerCancelCallback($CALLABLE) + - pattern-inside: $ZIPARCHIVE->registerProgressCallback($RATE, $CALLABLE) + - pattern-inside: $ZMQDEVICE->setIdleCallback($CALLABLE, ...) + - pattern-inside: $ZMQDEVICE->setTimerCallback($CALLABLE, ...) + - pattern-inside: apcu_entry($KEY, $CALLABLE, ...) + - pattern-inside: array_filter($ARRAY, $CALLABLE, ...) + - pattern-inside: array_map($CALLABLE, ...) + - pattern-inside: array_reduce($ARRAY, $CALLABLE, ...) + - pattern-inside: array_walk_recursive($ARRAY, $CALLABLE, ...) + - pattern-inside: array_walk($ARRAY, $CALLABLE, ...) + - pattern-inside: call_user_func_array($CALLABLE, ...) + - pattern-inside: call_user_func($CALLABLE, ...) + - pattern-inside: Closure::fromCallable($CALLABLE) + - pattern-inside: createCollation($NAME, $CALLABLE) + - pattern-inside: eio_grp($CALLABLE, ...) + - pattern-inside: eio_nop($PRI, $CALLABLE, ...) + - pattern-inside: eio_sync($PRI, $CALLABLE, ...) + - pattern-inside: EvPrepare::createStopped($CALLABLE, ...) + - pattern-inside: fann_set_callback($ANN, $CALLABLE) + - pattern-inside: fdf_enum_values($FDF_DOCUMENT, $CALLABLE, ...) + - pattern-inside: forward_static_call_array($CALLABLE, ...) + - pattern-inside: forward_static_call($CALLABLE, ...) + - pattern-inside: header_register_callback($CALLABLE) + - pattern-inside: ibase_set_event_handler($CALLABLE, ...) + - pattern-inside: IntlChar::enumCharTypes($CALLABLE) + - pattern-inside: iterator_apply($ITERATOR, $CALLABLE) + - pattern-inside: ldap_set_rebind_proc($LDAP, $CALLABLE) + - pattern-inside: libxml_set_external_entity_loader($CALLABLE, ...) + - pattern-inside: new CallbackFilterIterator($ITERATOR, $CALLABLE) + - pattern-inside: new EvCheck($CALLABLE, ...) + - pattern-inside: new EventHttpRequest($CALLABLE, ...) + - pattern-inside: new EvFork($CALLABLE, ...) + - pattern-inside: new EvIdle($CALLABLE, ...) + - pattern-inside: new Fiber($CALLABLE) + - pattern-inside: new Memcached($PERSISTENT_ID, $CALLABLE, ...) + - pattern-inside: new RecursiveCallbackFilterIterator($ITERATOR, $CALLABLE) + - pattern-inside: new Zookeeper($HOST, $CALLABLE, ...) + - pattern-inside: ob_start($CALLABLE, ...) + - pattern-inside: oci_register_taf_callback($CONNECTION, $CALLABLE) + - pattern-inside: readline_callback_handler_install($PROMPT, $CALLABLE) + - pattern-inside: readline_completion_function($CALLABLE) + - pattern-inside: register_shutdown_function($CALLABLE, ...) + - pattern-inside: register_tick_function($CALLABLE, ...) + - pattern-inside: rnp_ffi_set_pass_provider($FFI, $CALLABLE) + - pattern-inside: sapi_windows_set_ctrl_handler($CALLABLE, ...) + - pattern-inside: set_error_handler($CALLABLE, ...) + - pattern-inside: set_exception_handler($CALLABLE) + - pattern-inside: setAuthorizer($CALLABLE) + - pattern-inside: spl_autoload_register($CALLABLE, ...) + - pattern-inside: uasort($ARRAY, $CALLABLE) + - pattern-inside: uksort($ARRAY, $CALLABLE) + - pattern-inside: usort($ARRAY, $CALLABLE) + - pattern-inside: xml_set_character_data_handler($PARSER, $CALLABLE) + - pattern-inside: xml_set_default_handler($PARSER, $CALLABLE) + - pattern-inside: xml_set_element_handler($PARSER, $CALLABLE, $CALLABLE) + - pattern-inside: xml_set_notation_decl_handler($PARSER, $CALLABLE) + - pattern-inside: Yar_Concurrent_Client::loop($CALLABLE, ...) +- id: javascript.node-crypto.security.aead-no-final.aead-no-final + message: The 'final' call of a Decipher object checks the authentication tag in + a mode for authenticated encryption. Failing to call 'final' will invalidate all + integrity guarantees of the released ciphertext. + metadata: + cwe: + - 'CWE-310: CWE CATEGORY: Cryptographic Issues' + owasp: + - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures + category: security + subcategory: + - vuln + technology: + - node-crypto + likelihood: HIGH + impact: MEDIUM + confidence: HIGH + references: + - https://nodejs.org/api/crypto.html#deciphersetauthtagbuffer-encoding + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/ + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/javascript.node-crypto.security.aead-no-final.aead-no-final + shortlink: https://sg.run/r6EEA + semgrep.dev: + rule: + r_id: 146569 + rv_id: 1263222 + rule_id: 2ZUz884 + version_id: zyTb2X0 + url: https://semgrep.dev/playground/r/zyTb2X0/javascript.node-crypto.security.aead-no-final.aead-no-final + origin: community + languages: + - javascript + - typescript + severity: ERROR + patterns: + - pattern: | + $DECIPHER = $CRYPTO.createDecipheriv('$ALGO', ...) + ... + $DECIPHER.update(...) + - pattern-not-inside: | + $DECIPHER = $CRYPTO.createDecipheriv('$ALGO', ...) + ... + $DECIPHER.final(...) + - metavariable-regex: + metavariable: $ALGO + regex: .*(-gcm|-ccm|-ocb|chacha20-poly1305)$ +- id: javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length + message: The call to 'createDecipheriv' with the Galois Counter Mode (GCM) mode + of operation is missing an expected authentication tag length. If the expected + authentication tag length is not specified or otherwise checked, the application + might be tricked into verifying a shorter-than-expected authentication tag. This + can be abused by an attacker to spoof ciphertexts or recover the implicit authentication + key of GCM, allowing arbitrary forgeries. + metadata: + cwe: + - 'CWE-310: CWE CATEGORY: Cryptographic Issues' + owasp: + - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures + category: security + subcategory: + - vuln + technology: + - node-crypto + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + references: + - https://www.securesystems.de/blog/forging_ciphertexts_under_Galois_Counter_Mode_for_the_Node_js_crypto_module/ + - https://nodejs.org/api/crypto.html#cryptocreatedecipherivalgorithm-key-iv-options + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/ + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length + shortlink: https://sg.run/NbGG1 + semgrep.dev: + rule: + r_id: 146571 + rv_id: 1263223 + rule_id: j2UgPP3 + version_id: pZT03qd + url: https://semgrep.dev/playground/r/pZT03qd/javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length + origin: community + languages: + - javascript + - typescript + severity: ERROR + patterns: + - pattern: | + $CRYPTO.createDecipheriv('$ALGO', $KEY, $IV) + - metavariable-regex: + metavariable: $ALGO + regex: .*(-gcm)$ +- id: php.lang.security.injection.tainted-exec.tainted-exec + languages: + - php + severity: WARNING + message: User input is passed to a function that executes a shell command. This + can lead to remote code execution. + metadata: + cwe: + - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS + Command Injection'')' + category: security + technology: + - php + owasp: + - A03:2021 - Injection + - A05:2025 - Injection + references: + - https://owasp.org/Top10/A03_2021-Injection + subcategory: + - vuln + impact: HIGH + likelihood: MEDIUM + confidence: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Command Injection + source: https://semgrep.dev/r/php.lang.security.injection.tainted-exec.tainted-exec + shortlink: https://sg.run/kxEEz + semgrep.dev: + rule: + r_id: 146572 + rv_id: 1263286 + rule_id: 10UOGG5 + version_id: ExTExyR + url: https://semgrep.dev/playground/r/ExTExyR/php.lang.security.injection.tainted-exec.tainted-exec + origin: community + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern: $_GET + - pattern: $_POST + - pattern: $_COOKIE + - pattern: $_REQUEST + - pattern: file_get_contents('php://input') + pattern-sanitizers: + - patterns: + - pattern-either: + - pattern: escapeshellcmd(...) + - pattern: escapeshellarg(...) + pattern-sinks: + - patterns: + - pattern-either: + - pattern: exec(...) + - pattern: system(...) + - pattern: passthru(...) + - patterns: + - pattern: proc_open(...) + - pattern-not: proc_open([...], ...) + - pattern: popen(...) + - pattern: expect_popen(...) + - pattern: shell_exec(...) + - pattern: | + `...` +- id: yaml.openapi.security.openai-consequential-action-false.openai-consequential-action-false + languages: + - yaml + message: 'Found ''x-openai-isConsequential: false'' in a state-changing HTTP method: + $METHOD $PATH. This Action configuration will enable the ''Always Allow'' option + for state-changing HTTP methods, such as POST, PUT, PATCH, or DELETE. The risk + of a user selecting the ''Always Allow'' button is that the agent could perform + unintended actions on behalf of the user. When working with sensitive functionality, + it is always best to include a Human In The Loop (HITL) type of control. Consider + the trade-off between security and user friction and then make a risk-based decision + about this function.' + severity: WARNING + pattern-either: + - pattern-inside: | + post: + ... + x-openai-isConsequential: false + - pattern-inside: | + put: + ... + x-openai-isConsequential: false + - pattern-inside: | + patch: + ... + x-openai-isConsequential: false + - pattern-inside: | + delete: + ... + x-openai-isConsequential: false + metadata: + category: security + subcategory: + - audit + technology: + - openapi + - openai + likelihood: HIGH + impact: HIGH + confidence: HIGH + cwe: 'CWE-441: Unintended Proxy or Intermediary (''Confused Deputy'')' + owasp: + - A04:2021 Insecure Design + - LLM08:2023 - Excessive Agency + references: + - https://platform.openai.com/docs/actions/consequential-flag + - https://owasp.org/Top10/A04_2021-Insecure_Design/ + - https://owasp.org/www-project-top-10-for-large-language-model-applications/assets/PDF/OWASP-Top-10-for-LLMs-2023-v1_1.pdf + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Server-Side Request Forgery (SSRF) + source: https://semgrep.dev/r/yaml.openapi.security.openai-consequential-action-false.openai-consequential-action-false + shortlink: https://sg.run/x8EEP + semgrep.dev: + rule: + r_id: 146574 + rv_id: 947071 + rule_id: yyURooD + version_id: WrTEZN8 + url: https://semgrep.dev/playground/r/WrTEZN8/yaml.openapi.security.openai-consequential-action-false.openai-consequential-action-false + origin: community +- id: python.lang.security.insecure-uuid-version.insecure-uuid-version + patterns: + - pattern: uuid.uuid1(...) + message: Using UUID version 1 for UUID generation can lead to predictable UUIDs + based on system information (e.g., MAC address, timestamp). This may lead to security + risks such as the sandwich attack. Consider using `uuid.uuid4()` instead for better + randomness and security. + metadata: + references: + - https://www.landh.tech/blog/20230811-sandwich-attack/ + cwe: + - 'CWE-330: Use of Insufficiently Random Values' + owasp: + - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures + asvs: + section: V6 Stored Cryptography Verification Requirements + control_id: 6.3.2 Insecure UUID Generation + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v63-random-values + version: '4' + category: security + technology: + - python + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/python.lang.security.insecure-uuid-version.insecure-uuid-version + shortlink: https://sg.run/BYBgW + semgrep.dev: + rule: + r_id: 148295 + rv_id: 1263539 + rule_id: kxUd1yD + version_id: O9Tpx97 + url: https://semgrep.dev/playground/r/O9Tpx97/python.lang.security.insecure-uuid-version.insecure-uuid-version + origin: community + languages: + - python + severity: WARNING + fix-regex: + regex: uuid1 + replacement: uuid4 +- id: go.lang.security.audit.crypto.sha224-hash.sha224-hash + pattern-either: + - patterns: + - pattern-inside: | + import "crypto/sha256" + ... + - pattern-either: + - pattern: | + sha256.New224() + - pattern: | + sha256.Sum224(...) + - patterns: + - pattern-inside: | + import "golang.org/x/crypto/sha3" + ... + - pattern-either: + - pattern: | + sha3.New224() + - pattern: | + sha3.Sum224(...) + message: This code uses a 224-bit hash function, which is deprecated or disallowed + in some security policies. Consider updating to a stronger hash function such + as SHA-384 or higher to ensure compliance and security. + languages: + - go + severity: WARNING + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures + cwe: + - 'CWE-328: Use of Weak Hash' + category: security + technology: + - go + references: + - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf + - https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography + subcategory: + - vuln + likelihood: LOW + impact: LOW + confidence: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Insecure Hashing Algorithm + source: https://semgrep.dev/r/go.lang.security.audit.crypto.sha224-hash.sha224-hash + shortlink: https://sg.run/ReJwY + semgrep.dev: + rule: + r_id: 151749 + rv_id: 1262925 + rule_id: GdUvElR + version_id: 9lT4b4w + url: https://semgrep.dev/playground/r/9lT4b4w/go.lang.security.audit.crypto.sha224-hash.sha224-hash + origin: community +- id: java.lang.security.audit.crypto.use-of-sha224.use-of-sha224 + message: This code uses a 224-bit hash function, which is deprecated or disallowed + in some security policies. Consider updating to a stronger hash function such + as SHA-384 or higher to ensure compliance and security. + languages: + - java + severity: WARNING + metadata: + functional-categories: + - crypto::search::hash-algorithm::javax.crypto + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures + cwe: + - 'CWE-328: Use of Weak Hash' + asvs: + section: V6 Stored Cryptography Verification Requirements + control_id: 6.2.5 Insecure Algorithm + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms + version: '4' + category: security + technology: + - java + references: + - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf + - https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography + subcategory: + - vuln + likelihood: LOW + impact: LOW + confidence: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Insecure Hashing Algorithm + source: https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-sha224.use-of-sha224 + shortlink: https://sg.run/Ab2KQ + semgrep.dev: + rule: + r_id: 151750 + rv_id: 1263017 + rule_id: ReUDGEz + version_id: YDTZewo + url: https://semgrep.dev/playground/r/YDTZewo/java.lang.security.audit.crypto.use-of-sha224.use-of-sha224 + origin: community + pattern-either: + - pattern: org.apache.commons.codec.digest.DigestUtils.getSha3_224Digest() + - pattern: org.apache.commons.codec.digest.DigestUtils.getSha512_224Digest() + - pattern: org.apache.commons.codec.digest.DigestUtils.sha3_224(...) + - pattern: org.apache.commons.codec.digest.DigestUtils.sha3_224Hex(...) + - pattern: org.apache.commons.codec.digest.DigestUtils.sha512_224(...) + - pattern: org.apache.commons.codec.digest.DigestUtils.sha512_224Hex(...) + - pattern: new org.apache.commons.codec.digest.DigestUtils(org.apache.commons.codec.digest.MessageDigestAlgorithms.SHA_224) + - pattern: new org.apache.commons.codec.digest.DigestUtils(org.apache.commons.codec.digest.MessageDigestAlgorithms.SHA_512_224) + - pattern: new org.apache.commons.codec.digest.DigestUtils(org.apache.commons.codec.digest.MessageDigestAlgorithms.SHA3_224) + - patterns: + - pattern: java.security.MessageDigest.getInstance("$ALGO", ...); + - metavariable-regex: + metavariable: $ALGO + regex: .*224 +- id: php.lang.security.audit.sha224-hash.sha224-hash + pattern-either: + - pattern: hash('sha224', ...); + - pattern: hash('sha512/224', ...); + - pattern: hash('sha3-224', ...); + - pattern: hash_hmac('sha224', ...); + - pattern: hash_hmac('sha512/224', ...); + - pattern: hash_hmac('sha3-224', ...); + message: This code uses a 224-bit hash function, which is deprecated or disallowed + in some security policies. Consider updating to a stronger hash function such + as SHA-384 or higher to ensure compliance and security. + metadata: + cwe: + - 'CWE-328: Use of Weak Hash' + references: + - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf + - https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography + category: security + technology: + - php + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Insecure Hashing Algorithm + source: https://semgrep.dev/r/php.lang.security.audit.sha224-hash.sha224-hash + shortlink: https://sg.run/BYXqv + semgrep.dev: + rule: + r_id: 151751 + rv_id: 1263275 + rule_id: AbU97EA + version_id: bZT53Jo + url: https://semgrep.dev/playground/r/bZT53Jo/php.lang.security.audit.sha224-hash.sha224-hash + origin: community + languages: + - php + severity: WARNING +- id: python.lang.security.audit.sha224-hash.sha224-hash + message: This code uses a 224-bit hash function, which is deprecated or disallowed + in some security policies. Consider updating to a stronger hash function such + as SHA-384 or higher to ensure compliance and security. + metadata: + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures + references: + - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf + - https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography + category: security + technology: + - python + subcategory: + - vuln + likelihood: LOW + impact: LOW + confidence: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/python.lang.security.audit.sha224-hash.sha224-hash + shortlink: https://sg.run/Db1Yv + semgrep.dev: + rule: + r_id: 151752 + rv_id: 1263511 + rule_id: BYUX0y9 + version_id: 5PTo1QL + url: https://semgrep.dev/playground/r/5PTo1QL/python.lang.security.audit.sha224-hash.sha224-hash + origin: community + severity: WARNING + languages: + - python + pattern-either: + - pattern: hashlib.sha224(...) + - pattern: hashlib.sha3_224(...) +- id: ruby.lang.security.audit.sha224-hash.sha224-hash + message: This code uses a 224-bit hash function, which is deprecated or disallowed + in some security policies. Consider updating to a stronger hash function such + as SHA-384 or higher to ensure compliance and security. + metadata: + cwe: + - 'CWE-328: Use of Weak Hash' + references: + - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf + - https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography + category: security + technology: + - ruby + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures + subcategory: + - vuln + likelihood: LOW + impact: LOW + confidence: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Insecure Hashing Algorithm + source: https://semgrep.dev/r/ruby.lang.security.audit.sha224-hash.sha224-hash + shortlink: https://sg.run/WABbo + semgrep.dev: + rule: + r_id: 151753 + rv_id: 1263592 + rule_id: DbU60wQ + version_id: 8KT5rRY + url: https://semgrep.dev/playground/r/8KT5rRY/ruby.lang.security.audit.sha224-hash.sha224-hash + origin: community + languages: + - ruby + severity: WARNING + pattern-either: + - pattern: Digest::SHA224.$FUNC + - pattern: OpenSSL::Digest::SHA224.$FUNC + - pattern: SHA3::Digest::SHA224(...) + - patterns: + - pattern-either: + - pattern: OpenSSL::HMAC.hexdigest("$ALGO", ...) + - pattern: OpenSSL::HMAC.digest("$ALGO", ...) + - pattern: OpenSSL::HMAC.new($KEY, "$ALGO") + - pattern: OpenSSL::Digest.digest("$ALGO", ...) + - pattern: OpenSSL::Digest.new("$ALGO", ...) + - metavariable-regex: + metavariable: $ALGO + regex: .*224 +- id: terraform.gcp.security.gcp-sql-database-ssl-insecure-value-postgres-mysql.gcp-sql-database-ssl-insecure-value-postgres-mysql + patterns: + - pattern-inside: | + resource "google_sql_database_instance" "..." { + ... + database_version = "$DB" + ... + } + - pattern-inside: | + resource "google_sql_database_instance" "..." { + ... + ip_configuration { + ... + ssl_mode = $VALUE + ... + } + ... + } + - pattern-not-inside: | + resource "google_sql_database_instance" "..." { + ... + ip_configuration { + ... + ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED" + ... + } + ... + } + - metavariable-regex: + metavariable: $DB + regex: .*(MYSQL|POSTGRES).* + - focus-metavariable: $VALUE + fix: | + "TRUSTED_CLIENT_CERTIFICATE_REQUIRED" + message: Ensure all Cloud SQL database instance require incoming connections to + use SSL. To enable this for PostgresSQL and MySQL, use `ssl_mode="TRUSTED_CLIENT_CERTIFICATE_REQUIRED"`. + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures + cwe: + - 'CWE-326: Inadequate Encryption Strength' + category: security + technology: + - terraform + - gcp + references: + - https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1/instances#ipconfiguration + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/terraform.gcp.security.gcp-sql-database-ssl-insecure-value-postgres-mysql.gcp-sql-database-ssl-insecure-value-postgres-mysql + shortlink: https://sg.run/WANR2 + semgrep.dev: + rule: + r_id: 153509 + rv_id: 1263874 + rule_id: 5rUdGAz + version_id: 2KTv22E + url: https://semgrep.dev/playground/r/2KTv22E/terraform.gcp.security.gcp-sql-database-ssl-insecure-value-postgres-mysql.gcp-sql-database-ssl-insecure-value-postgres-mysql + origin: community + languages: + - hcl + severity: WARNING +- id: terraform.gcp.security.gcp-sql-database-ssl-insecure-value-sqlserver.gcp-sql-database-ssl-insecure-value-sqlserver + patterns: + - pattern-inside: | + resource "google_sql_database_instance" "..." { + ... + database_version = "$DB" + ... + } + - pattern-inside: | + resource "google_sql_database_instance" "..." { + ... + ip_configuration { + ... + ssl_mode = $VALUE + ... + } + ... + } + - pattern-not-inside: | + resource "google_sql_database_instance" "..." { + ... + ip_configuration { + ... + ssl_mode = "ENCRYPTED_ONLY" + ... + } + ... + } + - metavariable-regex: + metavariable: $DB + regex: .*(SQLSERVER).* + - focus-metavariable: $VALUE + fix: | + "ENCRYPTED_ONLY" + message: Ensure all Cloud SQL database instance require incoming connections to + use SSL. For SQL Server, `ssl_mode="ENCRYPTED_ONLY"` is the most secure value + that is supported. + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures + cwe: + - 'CWE-326: Inadequate Encryption Strength' + category: security + technology: + - terraform + - gcp + references: + - https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1/instances#ipconfiguration + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/terraform.gcp.security.gcp-sql-database-ssl-insecure-value-sqlserver.gcp-sql-database-ssl-insecure-value-sqlserver + shortlink: https://sg.run/0o92j + semgrep.dev: + rule: + r_id: 153510 + rv_id: 1263875 + rule_id: GdUvX6A + version_id: X0Tzyyl + url: https://semgrep.dev/playground/r/X0Tzyyl/terraform.gcp.security.gcp-sql-database-ssl-insecure-value-sqlserver.gcp-sql-database-ssl-insecure-value-sqlserver + origin: community + languages: + - hcl + severity: WARNING +- id: python.flask.security.audit.flask-url-for-external-true.flask-url-for-external-true + message: Function `flask.url_for` with `_external=True` argument will generate URLs + using the `Host` header of the HTTP request, which may lead to security risks + such as Host header injection + metadata: + cwe: + - 'CWE-673: External Influence of Sphere Definition' + owasp: + - A03:2021 - Injection + - A05:2025 - Injection + category: security + technology: + - flask + references: + - https://flask.palletsprojects.com/en/latest/api/#flask.url_for + - https://portswigger.net/kb/issues/00500300_host-header-injection + subcategory: + - audit + likelihood: MEDIUM + impact: LOW + confidence: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Other + source: https://semgrep.dev/r/python.flask.security.audit.flask-url-for-external-true.flask-url-for-external-true + shortlink: https://sg.run/gEGeR + semgrep.dev: + rule: + r_id: 191541 + rv_id: 1263418 + rule_id: JDU5oql + version_id: K3TKk6n + url: https://semgrep.dev/playground/r/K3TKk6n/python.flask.security.audit.flask-url-for-external-true.flask-url-for-external-true + origin: community + languages: + - python + severity: WARNING + patterns: + - pattern-not: flask.url_for(..., _external=False, ...) + - pattern-not: url_for(..., _external=False, ...) + - pattern-either: + - pattern: flask.url_for(..., _external=$VAR, ...) + - pattern: url_for(..., _external=$VAR, ...) +- id: php.wordpress-plugins.security.audit.wp-ssrf-audit.wp-ssrf-audit + languages: + - php + severity: WARNING + message: Detected usage of vulnerable functions with user input, which could lead + to SSRF vulnerabilities. + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern: $_GET[...] + - pattern: $_POST[...] + - pattern: $_REQUEST[...] + - pattern: get_option(...) + - pattern: get_user_meta(...) + - pattern: get_query_var(...) + pattern-sinks: + - patterns: + - focus-metavariable: $URL + - pattern-either: + - pattern: wp_remote_get($URL, ...) + - pattern: wp_safe_remote_get($URL, ...) + - pattern: wp_safe_remote_request($URL, ...) + - pattern: wp_safe_remote_head($URL, ...) + - pattern: wp_oembed_get($URL, ...) + - pattern: vip_safe_wp_remote_get($URL, ...) + - pattern: wp_safe_remote_post($URL, ...) + paths: + include: + - '**/wp-content/plugins/**/*.php' + metadata: + cwe: 'CWE-918: Server-Side Request Forgery (SSRF)' + owasp: A10:2021 - Server-Side Request Forgery (SSRF) + category: security + confidence: MEDIUM + likelihood: MEDIUM + impact: HIGH + subcategory: + - audit + technology: + - Wordpress Plugins + references: + - https://developer.wordpress.org/reference/functions/wp_safe_remote_get/ + - https://developer.wordpress.org/reference/functions/wp_remote_get/ + - https://patchstack.com/articles/exploring-the-unpatched-wordpress-ssrf/ + vulnerability_class: + - Server-Side Request Forgery (SSRF) + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + source: https://semgrep.dev/r/php.wordpress-plugins.security.audit.wp-ssrf-audit.wp-ssrf-audit + shortlink: https://sg.run/K3y06 + semgrep.dev: + rule: + r_id: 191611 + rv_id: 1039233 + rule_id: 6JUZyKX + version_id: JdTp6rq + url: https://semgrep.dev/playground/r/JdTp6rq/php.wordpress-plugins.security.audit.wp-ssrf-audit.wp-ssrf-audit + origin: community +- id: yaml.github-actions.security.detect-shai-hulud-backdoor.detect-shai-hulud-backdoor + languages: + - yaml + message: The Shai-hulud backdoor creates a purposefully vulnerable github action + with the name `discussion.yaml`. + paths: + include: + - '**/.github/workflows/discussion.yaml' + metadata: + category: security + cwe: + - 'CWE-509: Replicating Malicious Code (Virus or Worm)' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + - A05:2025 - Injection + technology: + - github-actions + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: HIGH + confidence: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Command Injection + source_rule_url: https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack + references: + - https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains + source: https://semgrep.dev/r/yaml.github-actions.security.detect-shai-hulud-backdoor.detect-shai-hulud-backdoor + shortlink: https://sg.run/JdYPZ + semgrep.dev: + rule: + r_id: 238946 + rv_id: 1263927 + rule_id: 7KUDRPj + version_id: 6xT29ol + url: https://semgrep.dev/playground/r/6xT29ol/yaml.github-actions.security.detect-shai-hulud-backdoor.detect-shai-hulud-backdoor + origin: community + patterns: + - pattern-inside: 'steps: [...]' + - pattern-inside: | + - run: ... + ... + - pattern: 'run: $SHELL' + - metavariable-pattern: + language: generic + metavariable: $SHELL + patterns: + - pattern-either: + - pattern: ${{ github.event.issue.title }} + - pattern: ${{ github.event.issue.body }} + - pattern: ${{ github.event.pull_request.title }} + - pattern: ${{ github.event.pull_request.body }} + - pattern: ${{ github.event.comment.body }} + - pattern: ${{ github.event.review.body }} + - pattern: ${{ github.event.review_comment.body }} + - pattern: ${{ github.event.pages. ... .page_name}} + - pattern: ${{ github.event.head_commit.message }} + - pattern: ${{ github.event.head_commit.author.email }} + - pattern: ${{ github.event.head_commit.author.name }} + - pattern: ${{ github.event.commits ... .author.email }} + - pattern: ${{ github.event.commits ... .author.name }} + - pattern: ${{ github.event.pull_request.head.ref }} + - pattern: ${{ github.event.pull_request.head.label }} + - pattern: ${{ github.event.pull_request.head.repo.default_branch }} + - pattern: ${{ github.head_ref }} + - pattern: ${{ github.event.inputs ... }} + - pattern: ${{ github.event.discussion.title }} + - pattern: ${{ github.event.discussion.body }} + - pattern: ${{ inputs ... }} + severity: ERROR +- id: go.lang.security.deserialization.unsafe-deserialization-interface.go-unsafe-deserialization-interface + languages: + - go + message: Deserializing into `interface{}` allows arbitrary data structures and types, + which can lead to security vulnerabilities (CWE-502). Use a concrete struct type + instead. + severity: WARNING + metadata: + cwe: + - 'CWE-502: Deserialization of Untrusted Data' + owasp: + - A08:2017 - Insecure Deserialization + - A08:2021 - Software and Data Integrity Failures + category: security + technology: + - go + confidence: HIGH + likelihood: MEDIUM + impact: HIGH + subcategory: + - vuln + references: + - https://cwe.mitre.org/data/definitions/502.html + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - 'Insecure Deserialization ' + source: https://semgrep.dev/r/go.lang.security.deserialization.unsafe-deserialization-interface.go-unsafe-deserialization-interface + shortlink: https://sg.run/6WbKL + semgrep.dev: + rule: + r_id: 274359 + rv_id: 1409387 + rule_id: 4bUAQDG + version_id: ZRTDkjk + url: https://semgrep.dev/playground/r/ZRTDkjk/go.lang.security.deserialization.unsafe-deserialization-interface.go-unsafe-deserialization-interface + origin: community + patterns: + - pattern-either: + - pattern: | + var $VAR interface{} + ... + json.Unmarshal($DATA, &$VAR) + - pattern: | + var $VAR interface{} + ... + yaml.Unmarshal($DATA, &$VAR) + - pattern: | + var $VAR interface{} + ... + xml.Unmarshal($DATA, &$VAR) +- id: terraform.lang.security.s3-unencrypted-bucket.s3-unencrypted-bucket + patterns: + - pattern: a + - pattern: b + languages: + - hcl + severity: INFO + message: This rule has been deprecated, as all s3 buckets are encrypted by default + with no way to disable it. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration + for more info. + metadata: + references: + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#server_side_encryption_configuration + - https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html + cwe: + - 'CWE-311: Missing Encryption of Sensitive Data' + category: security + technology: + - terraform + - aws + owasp: + - A03:2017 - Sensitive Data Exposure + - A04:2021 - Insecure Design + - A06:2025 - Insecure Design + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + deprecated: true + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/terraform.lang.security.s3-unencrypted-bucket.s3-unencrypted-bucket + shortlink: https://sg.run/Jezw + semgrep.dev: + rule: + r_id: 16202 + rv_id: 1263901 + rule_id: 3qU62L + version_id: JdTzxjN + url: https://semgrep.dev/playground/r/JdTzxjN/terraform.lang.security.s3-unencrypted-bucket.s3-unencrypted-bucket + origin: community +- id: php.lang.security.injection.tainted-filename.tainted-filename + severity: WARNING + message: File name based on user input risks server-side request forgery. + metadata: + technology: + - php + category: security + cwe: + - 'CWE-918: Server-Side Request Forgery (SSRF)' + owasp: + - A10:2021 - Server-Side Request Forgery (SSRF) + - A01:2025 - Broken Access Control + references: + - https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29 + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + impact: MEDIUM + likelihood: MEDIUM + confidence: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Server-Side Request Forgery (SSRF) + source: https://semgrep.dev/r/php.lang.security.injection.tainted-filename.tainted-filename + shortlink: https://sg.run/Ayqp + semgrep.dev: + rule: + r_id: 16250 + rv_id: 1263287 + rule_id: 5rUpro + version_id: 7ZTE3J1 + url: https://semgrep.dev/playground/r/7ZTE3J1/php.lang.security.injection.tainted-filename.tainted-filename + origin: community + languages: + - php + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern: $_GET + - pattern: $_POST + - pattern: $_COOKIE + - pattern: $_REQUEST + - pattern: $_SERVER + pattern-sanitizers: + - patterns: + - pattern-either: + - pattern-inside: basename($PATH, ...) + - pattern-inside: linkinfo($PATH, ...) + - pattern-inside: readlink($PATH, ...) + - pattern-inside: realpath($PATH, ...) + pattern-sinks: + - patterns: + - pattern-either: + - pattern-inside: opcache_compile_file($FILENAME, ...) + - pattern-inside: opcache_invalidate($FILENAME, ...) + - pattern-inside: opcache_is_script_cached($FILENAME, ...) + - pattern-inside: runkit7_import($FILENAME, ...) + - pattern-inside: readline_read_history($FILENAME, ...) + - pattern-inside: readline_write_history($FILENAME, ...) + - pattern-inside: rar_open($FILENAME, ...) + - pattern-inside: zip_open($FILENAME, ...) + - pattern-inside: gzfile($FILENAME, ...) + - pattern-inside: gzopen($FILENAME, ...) + - pattern-inside: readgzfile($FILENAME, ...) + - pattern-inside: hash_file($ALGO, $FILENAME, ...) + - pattern-inside: hash_update_file($CONTEXT, $FILENAME, ...) + - pattern-inside: pg_trace($FILENAME, ...) + - pattern-inside: dio_open($FILENAME, ...) + - pattern-inside: finfo_file($FINFO, $FILENAME, ...) + - pattern-inside: mime_content_type($FILENAME, ...) + - pattern-inside: chgrp($FILENAME, ...) + - pattern-inside: chmod($FILENAME, ...) + - pattern-inside: chown($FILENAME, ...) + - pattern-inside: clearstatcache($CLEAR_REALPATH_CACHE, $FILENAME, ...) + - pattern-inside: file_exists($FILENAME, ...) + - pattern-inside: file_get_contents($FILENAME, ...) + - pattern-inside: file_put_contents($FILENAME, ...) + - pattern-inside: file($FILENAME, ...) + - pattern-inside: fileatime($FILENAME, ...) + - pattern-inside: filectime($FILENAME, ...) + - pattern-inside: filegroup($FILENAME, ...) + - pattern-inside: fileinode($FILENAME, ...) + - pattern-inside: filemtime($FILENAME, ...) + - pattern-inside: fileowner($FILENAME, ...) + - pattern-inside: fileperms($FILENAME, ...) + - pattern-inside: filesize($FILENAME, ...) + - pattern-inside: filetype($FILENAME, ...) + - pattern-inside: fnmatch($PATTERN, $FILENAME, ...) + - pattern-inside: fopen($FILENAME, ...) + - pattern-inside: is_dir($FILENAME, ...) + - pattern-inside: is_executable($FILENAME, ...) + - pattern-inside: is_file($FILENAME, ...) + - pattern-inside: is_link($FILENAME, ...) + - pattern-inside: is_readable($FILENAME, ...) + - pattern-inside: is_uploaded_file($FILENAME, ...) + - pattern-inside: is_writable($FILENAME, ...) + - pattern-inside: lchgrp($FILENAME, ...) + - pattern-inside: lchown($FILENAME, ...) + - pattern-inside: lstat($FILENAME, ...) + - pattern-inside: parse_ini_file($FILENAME, ...) + - pattern-inside: readfile($FILENAME, ...) + - pattern-inside: stat($FILENAME, ...) + - pattern-inside: touch($FILENAME, ...) + - pattern-inside: unlink($FILENAME, ...) + - pattern-inside: xattr_get($FILENAME, ...) + - pattern-inside: xattr_list($FILENAME, ...) + - pattern-inside: xattr_remove($FILENAME, ...) + - pattern-inside: xattr_set($FILENAME, ...) + - pattern-inside: xattr_supported($FILENAME, ...) + - pattern-inside: enchant_broker_request_pwl_dict($BROKER, $FILENAME, ...) + - pattern-inside: pspell_config_personal($CONFIG, $FILENAME, ...) + - pattern-inside: pspell_config_repl($CONFIG, $FILENAME, ...) + - pattern-inside: pspell_new_personal($FILENAME, ...) + - pattern-inside: exif_imagetype($FILENAME, ...) + - pattern-inside: getimagesize($FILENAME, ...) + - pattern-inside: image2wbmp($IMAGE, $FILENAME, ...) + - pattern-inside: imagecreatefromavif($FILENAME, ...) + - pattern-inside: imagecreatefrombmp($FILENAME, ...) + - pattern-inside: imagecreatefromgd2($FILENAME, ...) + - pattern-inside: imagecreatefromgd2part($FILENAME, ...) + - pattern-inside: imagecreatefromgd($FILENAME, ...) + - pattern-inside: imagecreatefromgif($FILENAME, ...) + - pattern-inside: imagecreatefromjpeg($FILENAME, ...) + - pattern-inside: imagecreatefrompng($FILENAME, ...) + - pattern-inside: imagecreatefromtga($FILENAME, ...) + - pattern-inside: imagecreatefromwbmp($FILENAME, ...) + - pattern-inside: imagecreatefromwebp($FILENAME, ...) + - pattern-inside: imagecreatefromxbm($FILENAME, ...) + - pattern-inside: imagecreatefromxpm($FILENAME, ...) + - pattern-inside: imageloadfont($FILENAME, ...) + - pattern-inside: imagexbm($IMAGE, $FILENAME, ...) + - pattern-inside: iptcembed($IPTC_DATA, $FILENAME, ...) + - pattern-inside: mailparse_msg_extract_part_file($MIMEMAIL, $FILENAME, ...) + - pattern-inside: mailparse_msg_extract_whole_part_file($MIMEMAIL, $FILENAME, + ...) + - pattern-inside: mailparse_msg_parse_file($FILENAME, ...) + - pattern-inside: fdf_add_template($FDF_DOCUMENT, $NEWPAGE, $FILENAME, ...) + - pattern-inside: fdf_get_ap($FDF_DOCUMENT, $FIELD, $FACE, $FILENAME, ...) + - pattern-inside: fdf_open($FILENAME, ...) + - pattern-inside: fdf_save($FDF_DOCUMENT, $FILENAME, ...) + - pattern-inside: fdf_set_ap($FDF_DOCUMENT, $FIELD_NAME, $FACE, $FILENAME, ...) + - pattern-inside: ps_add_launchlink($PSDOC, $LLX, $LLY, $URX, $URY, $FILENAME, + ...) + - pattern-inside: ps_add_pdflink($PSDOC, $LLX, $LLY, $URX, $URY, $FILENAME, + ...) + - pattern-inside: ps_open_file($PSDOC, $FILENAME, ...) + - pattern-inside: ps_open_image_file($PSDOC, $TYPE, $FILENAME, ...) + - pattern-inside: posix_access($FILENAME, ...) + - pattern-inside: posix_mkfifo($FILENAME, ...) + - pattern-inside: posix_mknod($FILENAME, ...) + - pattern-inside: ftok($FILENAME, ...) + - pattern-inside: fann_cascadetrain_on_file($ANN, $FILENAME, ...) + - pattern-inside: fann_read_train_from_file($FILENAME, ...) + - pattern-inside: fann_train_on_file($ANN, $FILENAME, ...) + - pattern-inside: highlight_file($FILENAME, ...) + - pattern-inside: php_strip_whitespace($FILENAME, ...) + - pattern-inside: stream_resolve_include_path($FILENAME, ...) + - pattern-inside: swoole_async_read($FILENAME, ...) + - pattern-inside: swoole_async_readfile($FILENAME, ...) + - pattern-inside: swoole_async_write($FILENAME, ...) + - pattern-inside: swoole_async_writefile($FILENAME, ...) + - pattern-inside: swoole_load_module($FILENAME, ...) + - pattern-inside: tidy_parse_file($FILENAME, ...) + - pattern-inside: tidy_repair_file($FILENAME, ...) + - pattern-inside: get_meta_tags($FILENAME, ...) + - pattern-inside: yaml_emit_file($FILENAME, ...) + - pattern-inside: yaml_parse_file($FILENAME, ...) + - pattern-inside: curl_file_create($FILENAME, ...) + - pattern-inside: ftp_chmod($FTP, $PERMISSIONS, $FILENAME, ...) + - pattern-inside: ftp_delete($FTP, $FILENAME, ...) + - pattern-inside: ftp_mdtm($FTP, $FILENAME, ...) + - pattern-inside: ftp_size($FTP, $FILENAME, ...) + - pattern-inside: rrd_create($FILENAME, ...) + - pattern-inside: rrd_fetch($FILENAME, ...) + - pattern-inside: rrd_graph($FILENAME, ...) + - pattern-inside: rrd_info($FILENAME, ...) + - pattern-inside: rrd_last($FILENAME, ...) + - pattern-inside: rrd_lastupdate($FILENAME, ...) + - pattern-inside: rrd_tune($FILENAME, ...) + - pattern-inside: rrd_update($FILENAME, ...) + - pattern-inside: snmp_read_mib($FILENAME, ...) + - pattern-inside: ssh2_sftp_chmod($SFTP, $FILENAME, ...) + - pattern-inside: ssh2_sftp_realpath($SFTP, $FILENAME, ...) + - pattern-inside: ssh2_sftp_unlink($SFTP, $FILENAME, ...) + - pattern-inside: apache_lookup_uri($FILENAME, ...) + - pattern-inside: md5_file($FILENAME, ...) + - pattern-inside: sha1_file($FILENAME, ...) + - pattern-inside: simplexml_load_file($FILENAME, ...) + - pattern: $FILENAME +- id: php.lang.security.injection.tainted-object-instantiation.tainted-object-instantiation + languages: + - php + severity: WARNING + message: <- A new object is created where the class name is based on user input. + This could lead to remote code execution, as it allows to instantiate any class + in the application. + metadata: + cwe: + - 'CWE-470: Use of Externally-Controlled Input to Select Classes or Code (''Unsafe + Reflection'')' + category: security + technology: + - php + owasp: + - A03:2021 - Injection + - A05:2025 - Injection + references: + - https://owasp.org/Top10/A03_2021-Injection + subcategory: + - vuln + impact: MEDIUM + likelihood: MEDIUM + confidence: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/php.lang.security.injection.tainted-object-instantiation.tainted-object-instantiation + shortlink: https://sg.run/7ndw + semgrep.dev: + rule: + r_id: 16438 + rv_id: 1263288 + rule_id: v8U4DA + version_id: LjTkgLy + url: https://semgrep.dev/playground/r/LjTkgLy/php.lang.security.injection.tainted-object-instantiation.tainted-object-instantiation + origin: community + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern: $_GET + - pattern: $_POST + - pattern: $_COOKIE + - pattern: $_REQUEST + - pattern: $_SERVER + pattern-sinks: + - patterns: + - pattern-either: + - pattern-inside: new $SINK(...) + - pattern: $SINK +- id: terraform.aws.security.aws-provider-static-credentials.aws-provider-static-credentials + patterns: + - pattern-inside: | + provider "aws" { + ... + secret_key = "$SECRET" + } + - focus-metavariable: $SECRET + message: A hard-coded credential was detected. It is not recommended to store credentials + in source-code, as this risks secrets being leaked and used by either an internal + or external malicious adversary. It is recommended to use environment variables + to securely provide credentials or retrieve credentials from a secure vault or + HSM (Hardware Security Module). + languages: + - hcl + severity: WARNING + metadata: + technology: + - secrets + - aws + - terraform + category: security + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/terraform.aws.security.aws-provider-static-credentials.aws-provider-static-credentials + shortlink: https://sg.run/L3kn + semgrep.dev: + rule: + r_id: 16439 + rv_id: 1263735 + rule_id: d8U4n0 + version_id: rxTAK76 + url: https://semgrep.dev/playground/r/rxTAK76/terraform.aws.security.aws-provider-static-credentials.aws-provider-static-credentials + origin: community +- id: php.laravel.security.laravel-sql-injection.laravel-sql-injection + metadata: + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + - A05:2025 - Injection + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + category: security + technology: + - laravel + references: + - https://laravel.com/docs/8.x/queries + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/php.laravel.security.laravel-sql-injection.laravel-sql-injection + shortlink: https://sg.run/x40p + semgrep.dev: + rule: + r_id: 16830 + rv_id: 1263313 + rule_id: j2UQdp + version_id: BjTkZ45 + url: https://semgrep.dev/playground/r/BjTkZ45/php.laravel.security.laravel-sql-injection.laravel-sql-injection + origin: community + severity: WARNING + message: Detected a SQL query based on user input. This could lead to SQL injection, + which could potentially result in sensitive data being exfiltrated by attackers. + Instead, use parameterized queries and prepared statements. + languages: + - php + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern: $_GET + - pattern: $_POST + - pattern: $_COOKIE + - pattern: $_REQUEST + - pattern: $_SERVER + pattern-sinks: + - patterns: + - pattern-either: + - patterns: + - pattern: $SQL + - pattern-either: + - pattern-inside: DB::table(...)->whereRaw($SQL, ...) + - pattern-inside: DB::table(...)->orWhereRaw($SQL, ...) + - pattern-inside: DB::table(...)->groupByRaw($SQL, ...) + - pattern-inside: DB::table(...)->havingRaw($SQL, ...) + - pattern-inside: DB::table(...)->orHavingRaw($SQL, ...) + - pattern-inside: DB::table(...)->orderByRaw($SQL, ...) + - patterns: + - pattern: $EXPRESSION + - pattern-either: + - pattern-inside: DB::table(...)->selectRaw($EXPRESSION, ...) + - pattern-inside: DB::table(...)->fromRaw($EXPRESSION, ...) + - patterns: + - pattern: $COLUMNS + - pattern-either: + - pattern-inside: DB::table(...)->whereNull($COLUMNS, ...) + - pattern-inside: DB::table(...)->orWhereNull($COLUMN) + - pattern-inside: DB::table(...)->whereNotNull($COLUMNS, ...) + - pattern-inside: DB::table(...)->whereRowValues($COLUMNS, ...) + - pattern-inside: DB::table(...)->orWhereRowValues($COLUMNS, ...) + - pattern-inside: DB::table(...)->find($ID, $COLUMNS) + - pattern-inside: DB::table(...)->paginate($PERPAGE, $COLUMNS, ...) + - pattern-inside: DB::table(...)->simplePaginate($PERPAGE, $COLUMNS, ...) + - pattern-inside: DB::table(...)->cursorPaginate($PERPAGE, $COLUMNS, ...) + - pattern-inside: DB::table(...)->getCountForPagination($COLUMNS) + - pattern-inside: DB::table(...)->aggregate($FUNCTION, $COLUMNS) + - pattern-inside: DB::table(...)->numericAggregate($FUNCTION, $COLUMNS) + - pattern-inside: DB::table(...)->insertUsing($COLUMNS, ...) + - pattern-inside: DB::table(...)->select($COLUMNS) + - pattern-inside: DB::table(...)->get($COLUMNS) + - pattern-inside: DB::table(...)->count($COLUMNS) + - patterns: + - pattern: $COLUMN + - pattern-either: + - pattern-inside: DB::table(...)->whereIn($COLUMN, ...) + - pattern-inside: DB::table(...)->orWhereIn($COLUMN, ...) + - pattern-inside: DB::table(...)->whereNotIn($COLUMN, ...) + - pattern-inside: DB::table(...)->orWhereNotIn($COLUMN, ...) + - pattern-inside: DB::table(...)->whereIntegerInRaw($COLUMN, ...) + - pattern-inside: DB::table(...)->orWhereIntegerInRaw($COLUMN, ...) + - pattern-inside: DB::table(...)->whereIntegerNotInRaw($COLUMN, ...) + - pattern-inside: DB::table(...)->orWhereIntegerNotInRaw($COLUMN, ...) + - pattern-inside: DB::table(...)->whereBetweenColumns($COLUMN, ...) + - pattern-inside: DB::table(...)->orWhereBetween($COLUMN, ...) + - pattern-inside: DB::table(...)->orWhereBetweenColumns($COLUMN, ...) + - pattern-inside: DB::table(...)->whereNotBetween($COLUMN, ...) + - pattern-inside: DB::table(...)->whereNotBetweenColumns($COLUMN, ...) + - pattern-inside: DB::table(...)->orWhereNotBetween($COLUMN, ...) + - pattern-inside: DB::table(...)->orWhereNotBetweenColumns($COLUMN, ...) + - pattern-inside: DB::table(...)->orWhereNotNull($COLUMN) + - pattern-inside: DB::table(...)->whereDate($COLUMN, ...) + - pattern-inside: DB::table(...)->orWhereDate($COLUMN, ...) + - pattern-inside: DB::table(...)->whereTime($COLUMN, ...) + - pattern-inside: DB::table(...)->orWhereTime($COLUMN, ...) + - pattern-inside: DB::table(...)->whereDay($COLUMN, ...) + - pattern-inside: DB::table(...)->orWhereDay($COLUMN, ...) + - pattern-inside: DB::table(...)->whereMonth($COLUMN, ...) + - pattern-inside: DB::table(...)->orWhereMonth($COLUMN, ...) + - pattern-inside: DB::table(...)->whereYear($COLUMN, ...) + - pattern-inside: DB::table(...)->orWhereYear($COLUMN, ...) + - pattern-inside: DB::table(...)->whereJsonContains($COLUMN, ...) + - pattern-inside: DB::table(...)->orWhereJsonContains($COLUMN, ...) + - pattern-inside: DB::table(...)->whereJsonDoesntContain($COLUMN, ...) + - pattern-inside: DB::table(...)->orWhereJsonDoesntContain($COLUMN, ...) + - pattern-inside: DB::table(...)->whereJsonLength($COLUMN, ...) + - pattern-inside: DB::table(...)->orWhereJsonLength($COLUMN, ...) + - pattern-inside: DB::table(...)->having($COLUMN, ...) + - pattern-inside: DB::table(...)->orHaving($COLUMN, ...) + - pattern-inside: DB::table(...)->havingBetween($COLUMN, ...) + - pattern-inside: DB::table(...)->orderBy($COLUMN, ...) + - pattern-inside: DB::table(...)->orderByDesc($COLUMN) + - pattern-inside: DB::table(...)->latest($COLUMN) + - pattern-inside: DB::table(...)->oldest($COLUMN) + - pattern-inside: DB::table(...)->forPageBeforeId($PERPAGE, $LASTID, $COLUMN) + - pattern-inside: DB::table(...)->forPageAfterId($PERPAGE, $LASTID, $COLUMN) + - pattern-inside: DB::table(...)->value($COLUMN) + - pattern-inside: DB::table(...)->pluck($COLUMN, ...) + - pattern-inside: DB::table(...)->implode($COLUMN, ...) + - pattern-inside: DB::table(...)->min($COLUMN) + - pattern-inside: DB::table(...)->max($COLUMN) + - pattern-inside: DB::table(...)->sum($COLUMN) + - pattern-inside: DB::table(...)->avg($COLUMN) + - pattern-inside: DB::table(...)->average($COLUMN) + - pattern-inside: DB::table(...)->increment($COLUMN, ...) + - pattern-inside: DB::table(...)->decrement($COLUMN, ...) + - pattern-inside: DB::table(...)->where($COLUMN, ...) + - pattern-inside: DB::table(...)->orWhere($COLUMN, ...) + - pattern-inside: DB::table(...)->addSelect($COLUMN) + - patterns: + - pattern: $QUERY + - pattern-inside: DB::unprepared($QUERY) diff --git a/semgrep/rules/p-secrets.yml b/semgrep/rules/p-secrets.yml new file mode 100644 index 0000000..5bc79a6 --- /dev/null +++ b/semgrep/rules/p-secrets.yml @@ -0,0 +1,2532 @@ +rules: +- id: generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token + pattern-regex: amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} + languages: + - regex + message: Amazon MWS Auth Token detected + severity: ERROR + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json + category: security + technology: + - secrets + - aws + confidence: LOW + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token + shortlink: https://sg.run/PJzE + semgrep.dev: + rule: + r_id: 9045 + rv_id: 1262856 + rule_id: lBU9bw + version_id: K3TKkGj + url: https://semgrep.dev/playground/r/K3TKkGj/generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token + origin: community +- id: generic.secrets.security.detected-artifactory-password.detected-artifactory-password + patterns: + - pattern-regex: (?\bAP[\dABCDEF][a-zA-Z0-9]{8,}) + - pattern-regex: .*(?i)arti[-_]?factory.* + - pattern-not-regex: .*(?i)sha(1|2|3|118|256|512).* + - pattern-not-regex: (?i)-----\s*?BEGIN[ A-Z0-9_-]*? KEY( BLOCK)?-----[\s\S]*?-----\s*?END[ + A-Z0-9_-]*?\s*?----- + - metavariable-analysis: + analyzer: entropy + metavariable: $ITEM + - pattern-not-regex: (\w|\.|\*)\1{4} + languages: + - regex + paths: + exclude: + - '*.svg' + - '*go.sum' + - '*package.json' + - '*cargo.lock' + - '*package-lock.json' + - '*bundle.js' + - '*pnpm-lock*' + - '*Podfile.lock' + - '**/*/openssl/*.h' + - '*.xcscmblueprint' + message: Artifactory token detected + severity: ERROR + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + source-rule-url: https://github.com/Yelp/detect-secrets/blob/master/detect_secrets/plugins/artifactory.py + category: security + technology: + - secrets + - artifactory + confidence: LOW + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/generic.secrets.security.detected-artifactory-password.detected-artifactory-password + shortlink: https://sg.run/J9KZ + semgrep.dev: + rule: + r_id: 9046 + rv_id: 1262857 + rule_id: YGUR5K + version_id: qkTR7BB + url: https://semgrep.dev/playground/r/qkTR7BB/generic.secrets.security.detected-artifactory-password.detected-artifactory-password + origin: community +- id: generic.secrets.security.detected-artifactory-token.detected-artifactory-token + patterns: + - pattern-regex: | + \bAKC[a-zA-Z0-9]{10,} + - pattern-not-regex: | + sha(128|256|512).* + - pattern-not-regex: (?s)---BEGIN.*---\Z + languages: + - regex + paths: + exclude: + - '*.svg' + - '*go.sum' + - '*package.json' + - '*package-lock.json' + - '*bundle.js' + - '*pnpm-lock*' + - '*Podfile.lock' + - '**/*/openssl/*.h' + - '*.xcscmblueprint' + - '*cargo.lock' + message: Artifactory token detected + severity: ERROR + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + source-rule-url: https://github.com/Yelp/detect-secrets/blob/master/detect_secrets/plugins/artifactory.py + category: security + technology: + - secrets + - artifactory + confidence: LOW + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/generic.secrets.security.detected-artifactory-token.detected-artifactory-token + shortlink: https://sg.run/5Q2l + semgrep.dev: + rule: + r_id: 9047 + rv_id: 1262858 + rule_id: 6JUj3l + version_id: l4TJR6J + url: https://semgrep.dev/playground/r/l4TJR6J/generic.secrets.security.detected-artifactory-token.detected-artifactory-token + origin: community +- id: generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value + patterns: + - pattern-regex: \b(A3T[A-Z0-9]|AKIA|AGPA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}\b + - pattern-not-regex: (?i)example|sample|test|fake + languages: + - regex + message: AWS Access Key ID Value detected. This is a sensitive credential and should + not be hardcoded here. Instead, read this value from an environment variable or + keep it in a separate, private file. + severity: ERROR + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + source-rule-url: https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go + category: security + technology: + - secrets + - aws + confidence: LOW + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value + shortlink: https://sg.run/GeD1 + semgrep.dev: + rule: + r_id: 9048 + rv_id: 1262859 + rule_id: oqUevO + version_id: YDTZenE + url: https://semgrep.dev/playground/r/YDTZenE/generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value + origin: community +- id: generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key + pattern-regex: da2-[a-z0-9]{26} + languages: + - regex + message: AWS AppSync GraphQL Key detected + severity: ERROR + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json + category: security + technology: + - secrets + - appsync + confidence: LOW + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key + shortlink: https://sg.run/AvJ6 + semgrep.dev: + rule: + r_id: 9050 + rv_id: 1262861 + rule_id: pKUOoZ + version_id: o5TbD9o + url: https://semgrep.dev/playground/r/o5TbD9o/generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key + origin: community +- id: generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key + patterns: + - pattern-regex: (("|'|`)?((?i)aws)_?\w*((?i)secret)_?\w*("|'|`)?\s{0,50}(:|=>|=)\s{0,50}("|'|`)?[A-Za-z0-9/+=]{40}("|'|`)?) + - pattern-not-regex: (?i)example|sample|test|fake|xxxxxx + languages: + - regex + message: AWS Secret Access Key detected + severity: ERROR + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + source-rule-url: https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go + category: security + technology: + - secrets + - aws + confidence: LOW + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key + shortlink: https://sg.run/Bk39 + semgrep.dev: + rule: + r_id: 9051 + rv_id: 1262862 + rule_id: 2ZUbe8 + version_id: zyTb2Dr + url: https://semgrep.dev/playground/r/zyTb2Dr/generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key + origin: community +- id: generic.secrets.security.detected-aws-session-token.detected-aws-session-token + patterns: + - pattern-regex: ((?i)AWS_SESSION_TOKEN)\s*(:|=>|=)\s*(?P[A-Za-z0-9/+=]{16,}) + - pattern-not-regex: (?i)example|sample|test|fake + - metavariable-analysis: + analyzer: entropy + metavariable: $TOKEN + languages: + - regex + message: AWS Session Token detected + severity: ERROR + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + source-rule-url: https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go + category: security + technology: + - secrets + - aws + confidence: LOW + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/generic.secrets.security.detected-aws-session-token.detected-aws-session-token + shortlink: https://sg.run/DoRW + semgrep.dev: + rule: + r_id: 9052 + rv_id: 1262863 + rule_id: X5U8Er + version_id: pZT03Lx + url: https://semgrep.dev/playground/r/pZT03Lx/generic.secrets.security.detected-aws-session-token.detected-aws-session-token + origin: community +- id: generic.secrets.security.detected-codeclimate.detected-codeclimate + pattern-regex: (?i)codeclima.{0,50}["|'|`]?[0-9a-f]{64}["|'|`]? + languages: + - regex + message: CodeClimate detected + severity: ERROR + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + source-rule-url: https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go + category: security + technology: + - secrets + - codeclimate + confidence: LOW + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/generic.secrets.security.detected-codeclimate.detected-codeclimate + shortlink: https://sg.run/W8yz + semgrep.dev: + rule: + r_id: 9053 + rv_id: 1262865 + rule_id: j2UvW7 + version_id: X0Tzy2o + url: https://semgrep.dev/playground/r/X0Tzy2o/generic.secrets.security.detected-codeclimate.detected-codeclimate + origin: community +- id: generic.secrets.security.detected-facebook-access-token.detected-facebook-access-token + pattern-either: + - pattern-regex: EAACEdEose0cBA[0-9A-Za-z]+ + - pattern-regex: EAAAACZAVC6ygB[0-9A-Za-z]+ + - pattern-regex: EAAAAZAw4[0-9A-Za-z]+ + languages: + - regex + message: Facebook Access Token detected + severity: ERROR + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + source-rule-url: https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go + category: security + technology: + - secrets + - facebook + confidence: LOW + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/generic.secrets.security.detected-facebook-access-token.detected-facebook-access-token + shortlink: https://sg.run/0QYJ + semgrep.dev: + rule: + r_id: 9054 + rv_id: 1262867 + rule_id: 10UKBL + version_id: 1QTyp7J + url: https://semgrep.dev/playground/r/1QTyp7J/generic.secrets.security.detected-facebook-access-token.detected-facebook-access-token + origin: community +- id: generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth + pattern-regex: '[fF][aA][cC][eE][bB][oO][oO][kK].*[tT][oO][kK][eE][nN].*[''|"]?[0-9a-f]{32}[''|"]?' + languages: + - regex + message: Facebook OAuth detected + severity: ERROR + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json + category: security + technology: + - secrets + - facebook + confidence: LOW + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth + shortlink: https://sg.run/Klq6 + semgrep.dev: + rule: + r_id: 9055 + rv_id: 1262868 + rule_id: 9AU127 + version_id: 9lT4b5N + url: https://semgrep.dev/playground/r/9lT4b5N/generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth + origin: community +- id: generic.secrets.security.detected-picatic-api-key.detected-picatic-api-key + pattern-regex: sk_live_[0-9a-z]{32} + languages: + - regex + message: Picatic API Key detected + severity: ERROR + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json + category: security + technology: + - secrets + - picatic + confidence: LOW + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/generic.secrets.security.detected-picatic-api-key.detected-picatic-api-key + shortlink: https://sg.run/rdGA + semgrep.dev: + rule: + r_id: 9069 + rv_id: 1262887 + rule_id: EwU274 + version_id: QkTGqwK + url: https://semgrep.dev/playground/r/QkTGqwK/generic.secrets.security.detected-picatic-api-key.detected-picatic-api-key + origin: community +- id: generic.secrets.security.detected-private-key.detected-private-key + patterns: + - pattern-either: + - patterns: + - pattern: '-----BEGIN $TYPE PRIVATE KEY----- $KEY' + - metavariable-regex: + metavariable: $TYPE + regex: (?i)([dr]sa|ec|openssh|encrypted)? + - patterns: + - pattern: | + -----BEGIN PRIVATE KEY----- + $KEY + - metavariable-analysis: + metavariable: $KEY + analyzer: entropy + languages: + - generic + message: Private Key detected. This is a sensitive credential and should not be + hardcoded here. Instead, store this in a separate, private file. + severity: ERROR + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + source-rule-url: https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go + category: security + technology: + - secrets + confidence: LOW + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/generic.secrets.security.detected-private-key.detected-private-key + shortlink: https://sg.run/b7dr + semgrep.dev: + rule: + r_id: 9070 + rv_id: 1262888 + rule_id: 7KUQ0p + version_id: 3ZT4X4Y + url: https://semgrep.dev/playground/r/3ZT4X4Y/generic.secrets.security.detected-private-key.detected-private-key + origin: community +- id: generic.secrets.security.detected-sauce-token.detected-sauce-token + pattern-regex: (?i)sauce.{0,50}(\\\"|'|`)?[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12}(\\\"|'|`)? + languages: + - regex + message: Sauce Token detected + severity: ERROR + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + source-rule-url: https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go + category: security + technology: + - secrets + - sauce + confidence: LOW + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/generic.secrets.security.detected-sauce-token.detected-sauce-token + shortlink: https://sg.run/N4k1 + semgrep.dev: + rule: + r_id: 9071 + rv_id: 1262889 + rule_id: L1UyZ5 + version_id: 44TEjER + url: https://semgrep.dev/playground/r/44TEjER/generic.secrets.security.detected-sauce-token.detected-sauce-token + origin: community +- id: generic.secrets.security.detected-slack-token.detected-slack-token + pattern-either: + - pattern-regex: (xox[pboa]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32}) + - pattern-regex: xox.-[0-9]{12}-[0-9]{12}-[0-9a-zA-Z]{24} + languages: + - regex + message: Slack Token detected + severity: ERROR + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json + references: + - https://github.com/davidburkitt/python-secret-scanner/blob/335a1f6dab8de59cf39063e57aea39a58951e939/patterns.txt#L58 + category: security + technology: + - secrets + - slack + confidence: LOW + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/generic.secrets.security.detected-slack-token.detected-slack-token + shortlink: https://sg.run/kXdz + semgrep.dev: + rule: + r_id: 9072 + rv_id: 1262891 + rule_id: 8GUjRA + version_id: JdTzxz3 + url: https://semgrep.dev/playground/r/JdTzxz3/generic.secrets.security.detected-slack-token.detected-slack-token + origin: community +- id: generic.secrets.security.detected-slack-webhook.detected-slack-webhook + patterns: + - pattern-regex: https://hooks\.slack\.com/services/T[a-zA-Z0-9_]{8,10}/B[a-zA-Z0-9_]{8,10}/[a-zA-Z0-9_]{24} + - pattern-not: https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX + languages: + - regex + message: Slack Webhook detected + severity: ERROR + metadata: + references: + - https://api.slack.com/messaging/webhooks + source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json + category: security + technology: + - secrets + - slack + confidence: LOW + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/generic.secrets.security.detected-slack-webhook.detected-slack-webhook + shortlink: https://sg.run/weWX + semgrep.dev: + rule: + r_id: 9073 + rv_id: 1262892 + rule_id: gxU1dy + version_id: 5PTo1oO + url: https://semgrep.dev/playground/r/5PTo1oO/generic.secrets.security.detected-slack-webhook.detected-slack-webhook + origin: community +- id: generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key + pattern-regex: (?i)sonar.{0,50}(\\\"|'|`)?[0-9a-f]{40}(\\\"|'|`)? + languages: + - regex + message: SonarQube Docs API Key detected + severity: ERROR + paths: + exclude: + - '*.svg' + - '*go.sum' + - '*cargo.lock' + - '*package.json' + - '*yarn.lock' + - '*package-lock.json' + - '*bundle.js' + - '*pnpm-lock*' + - '*Podfile.lock' + - '**/*/openssl/*.h' + - '*.xcscmblueprint' + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + source-rule-url: https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go + category: security + technology: + - secrets + - sonarqube + confidence: LOW + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key + shortlink: https://sg.run/x10P + semgrep.dev: + rule: + r_id: 9074 + rv_id: 1262895 + rule_id: QrUzP1 + version_id: A8TgdgQ + url: https://semgrep.dev/playground/r/A8TgdgQ/generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key + origin: community +- id: generic.secrets.security.detected-square-access-token.detected-square-access-token + pattern-regex: sq0atp-[0-9A-Za-z\-_]{22} + languages: + - regex + message: Square Access Token detected + severity: ERROR + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json + category: security + technology: + - secrets + - square + confidence: LOW + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/generic.secrets.security.detected-square-access-token.detected-square-access-token + shortlink: https://sg.run/OP3b + semgrep.dev: + rule: + r_id: 9075 + rv_id: 1262896 + rule_id: 3qUPqO + version_id: BjTkZkz + url: https://semgrep.dev/playground/r/BjTkZkz/generic.secrets.security.detected-square-access-token.detected-square-access-token + origin: community +- id: generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret + pattern-regex: sq0csp-[0-9A-Za-z\\\-_]{43} + languages: + - regex + message: Square OAuth Secret detected + severity: ERROR + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json + references: + - https://github.com/Yelp/detect-secrets/blob/master/tests/plugins/square_oauth_test.py + category: security + technology: + - secrets + - square + confidence: LOW + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret + shortlink: https://sg.run/eL7E + semgrep.dev: + rule: + r_id: 9076 + rv_id: 1262897 + rule_id: 4bUk4l + version_id: DkTRbRG + url: https://semgrep.dev/playground/r/DkTRbRG/generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret + origin: community +- id: generic.secrets.security.detected-ssh-password.detected-ssh-password + pattern-regex: sshpass -p\s*['|\\\"][^%] + languages: + - regex + message: SSH Password detected + severity: ERROR + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + source-rule-url: https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go + category: security + technology: + - secrets + - ssh + confidence: LOW + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/generic.secrets.security.detected-ssh-password.detected-ssh-password + shortlink: https://sg.run/vzDR + semgrep.dev: + rule: + r_id: 9077 + rv_id: 1262898 + rule_id: PeUZ4d + version_id: WrTqKqY + url: https://semgrep.dev/playground/r/WrTqKqY/generic.secrets.security.detected-ssh-password.detected-ssh-password + origin: community +- id: generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key + pattern-regex: sk_live_[0-9a-zA-Z]{24} + languages: + - regex + message: Stripe API Key detected + severity: ERROR + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json + category: security + technology: + - secrets + - stripe + confidence: LOW + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key + shortlink: https://sg.run/dKd5 + semgrep.dev: + rule: + r_id: 9078 + rv_id: 1262899 + rule_id: JDUy0z + version_id: 0bTKzK1 + url: https://semgrep.dev/playground/r/0bTKzK1/generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key + origin: community +- id: generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key + pattern-regex: rk_live_[0-9a-zA-Z]{24} + languages: + - regex + message: Stripe Restricted API Key detected + severity: ERROR + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json + category: security + technology: + - secrets + - stripe + confidence: MEDIUM + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key + shortlink: https://sg.run/ZvdL + semgrep.dev: + rule: + r_id: 9079 + rv_id: 1262900 + rule_id: 5rUOWq + version_id: K3TKkKj + url: https://semgrep.dev/playground/r/K3TKkKj/generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key + origin: community +- id: generic.secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key + patterns: + - pattern-regex: '[0-9]+:AA[0-9A-Za-z\-_]{33}' + - pattern-not-regex: go\.mod.* + - pattern-not-regex: v[\d]+\.[\d]+\.[\d]+.* + languages: + - regex + message: Telegram Bot API Key detected + severity: ERROR + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json + category: security + technology: + - secrets + - telegram + confidence: LOW + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/generic.secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key + shortlink: https://sg.run/nd4b + semgrep.dev: + rule: + r_id: 9080 + rv_id: 1262901 + rule_id: GdU7Nl + version_id: qkTR7RB + url: https://semgrep.dev/playground/r/qkTR7RB/generic.secrets.security.detected-telegram-bot-api-key.detected-telegram-bot-api-key + origin: community +- id: generic.secrets.security.detected-twilio-api-key.detected-twilio-api-key + pattern-regex: SK[0-9a-fA-F]{32} + languages: + - regex + message: Twilio API Key detected + severity: ERROR + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json + category: security + technology: + - secrets + - twilio + confidence: LOW + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/generic.secrets.security.detected-twilio-api-key.detected-twilio-api-key + shortlink: https://sg.run/Ek2o + semgrep.dev: + rule: + r_id: 9081 + rv_id: 1262902 + rule_id: ReUgJn + version_id: l4TJRJJ + url: https://semgrep.dev/playground/r/l4TJRJJ/generic.secrets.security.detected-twilio-api-key.detected-twilio-api-key + origin: community +- id: generic.secrets.security.detected-username-and-password-in-uri.detected-username-and-password-in-uri + patterns: + - pattern: $PROTOCOL://$...USERNAME:$...PASSWORD@$END + - metavariable-regex: + metavariable: $...USERNAME + regex: \A({?)([A-Za-z])([A-Za-z0-9_-]){5,31}(}?)\Z + - metavariable-regex: + metavariable: $...PASSWORD + regex: (?!.*[\s])(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])(?=.*[!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~]){6,32} + - metavariable-regex: + metavariable: $PROTOCOL + regex: (.*http.*)|(.*sql.*)|(.*ftp.*)|(.*smtp.*) + languages: + - generic + message: Username and password in URI detected + severity: ERROR + metadata: + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + references: + - https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go + category: security + technology: + - secrets + confidence: MEDIUM + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/generic.secrets.security.detected-username-and-password-in-uri.detected-username-and-password-in-uri + shortlink: https://sg.run/8yA4 + semgrep.dev: + rule: + r_id: 9084 + rv_id: 1262903 + rule_id: DbUple + version_id: YDTZeZE + url: https://semgrep.dev/playground/r/YDTZeZE/generic.secrets.security.detected-username-and-password-in-uri.detected-username-and-password-in-uri + origin: community +- id: generic.secrets.security.detected-etc-shadow.detected-etc-shadow + patterns: + - pattern-regex: ^(\s*)(?Proot:[x!*]*:[0-9]*:[0-9]*) + - focus-metavariable: $ROOT + languages: + - regex + message: linux shadow file detected + severity: ERROR + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + category: security + technology: + - secrets + confidence: LOW + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/generic.secrets.security.detected-etc-shadow.detected-etc-shadow + shortlink: https://sg.run/4ylL + semgrep.dev: + rule: + r_id: 10044 + rv_id: 1262866 + rule_id: JDUP6p + version_id: jQTn5yp + url: https://semgrep.dev/playground/r/jQTn5yp/generic.secrets.security.detected-etc-shadow.detected-etc-shadow + origin: community +- id: generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash + pattern-regex: \$2[aby]?\$[\d]+\$[./A-Za-z0-9]{53} + languages: + - regex + message: bcrypt hash detected + severity: ERROR + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + category: security + technology: + - secrets + - bcrypt + confidence: LOW + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash + shortlink: https://sg.run/3A8G + semgrep.dev: + rule: + r_id: 10043 + rv_id: 1262864 + rule_id: PeUk0Q + version_id: 2KTv236 + url: https://semgrep.dev/playground/r/2KTv236/generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash + origin: community +- id: go.jwt-go.security.jwt.hardcoded-jwt-key + message: A hard-coded credential was detected. It is not recommended to store credentials + in source-code, as this risks secrets being leaked and used by either an internal + or external malicious adversary. It is recommended to use environment variables + to securely provide credentials or retrieve credentials from a secure vault or + HSM (Hardware Security Module). + options: + interfile: true + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + category: security + technology: + - jwt + - secrets + confidence: MEDIUM + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + interfile: true + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/go.jwt-go.security.jwt.hardcoded-jwt-key + shortlink: https://sg.run/Rod2 + semgrep.dev: + rule: + r_id: 9093 + rv_id: 1262920 + rule_id: GdU7Ny + version_id: pZT0305 + url: https://semgrep.dev/playground/r/pZT0305/go.jwt-go.security.jwt.hardcoded-jwt-key + origin: community + severity: WARNING + languages: + - go + mode: taint + pattern-sources: + - patterns: + - pattern-inside: | + []byte("$F") + pattern-sinks: + - patterns: + - pattern-either: + - pattern-inside: | + $TOKEN.SignedString($F) + - focus-metavariable: $F +- id: java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret + message: A hard-coded credential was detected. It is not recommended to store credentials + in source-code, as this risks secrets being leaked and used by either an internal + or external malicious adversary. It is recommended to use environment variables + to securely provide credentials or retrieve credentials from a secure vault or + HSM (Hardware Security Module). + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + technology: + - java + - secrets + - jwt + category: security + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret + shortlink: https://sg.run/RoDK + semgrep.dev: + rule: + r_id: 9149 + rv_id: 1262980 + rule_id: oqUeAn + version_id: d6Tyx8j + url: https://semgrep.dev/playground/r/d6Tyx8j/java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret + origin: community + languages: + - java + severity: WARNING + patterns: + - pattern-either: + - pattern: | + (Algorithm $ALG) = $ALGO.$HMAC("$Y"); + - pattern: | + $SECRET = "$Y"; + ... + (Algorithm $ALG) = $ALGO.$HMAC($SECRET); + - pattern: | + class $CLASS { + ... + $TYPE $SECRET = "$Y"; + ... + $RETURNTYPE $FUNC (...) { + ... + (Algorithm $ALG) = $ALGO.$HMAC($SECRET); + ... + } + ... + } + - focus-metavariable: $Y + - metavariable-regex: + metavariable: $HMAC + regex: (HMAC384|HMAC256|HMAC512) +- id: javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret + message: A hard-coded credential was detected. It is not recommended to store credentials + in source-code, as this risks secrets being leaked and used by either an internal + or external malicious adversary. It is recommended to use environment variables + to securely provide credentials or retrieve credentials from a secure vault or + HSM (Hardware Security Module). + options: + interfile: true + metadata: + interfile: true + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + category: security + technology: + - express + - secrets + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: HIGH + confidence: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret + shortlink: https://sg.run/LYvG + semgrep.dev: + rule: + r_id: 22083 + rv_id: 1263143 + rule_id: 10Uo39 + version_id: LjTkgle + url: https://semgrep.dev/playground/r/LjTkgle/javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret + origin: community + languages: + - javascript + - typescript + severity: WARNING + patterns: + - pattern-either: + - pattern-inside: | + $SESSION = require('express-session'); + ... + - pattern-inside: | + import $SESSION from 'express-session' + ... + - pattern-inside: | + import {..., $SESSION, ...} from 'express-session' + ... + - pattern-inside: | + import * as $SESSION from 'express-session' + ... + - patterns: + - pattern-either: + - pattern-inside: $APP.use($SESSION({...})) + - pattern: | + $SECRET = $VALUE + ... + $APP.use($SESSION($SECRET)) + - pattern: | + secret: '$Y' +- id: javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret + message: A hard-coded credential was detected. It is not recommended to store credentials + in source-code, as this risks secrets being leaked and used by either an internal + or external malicious adversary. It is recommended to use environment variables + to securely provide credentials or retrieve credentials from a secure vault or + HSM (Hardware Security Module). + options: + interfile: true + metadata: + interfile: true + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + category: security + technology: + - express + - secrets + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: HIGH + impact: MEDIUM + confidence: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret + shortlink: https://sg.run/Do1d + semgrep.dev: + rule: + r_id: 9252 + rv_id: 1263166 + rule_id: pKUOjy + version_id: pZT03Q0 + url: https://semgrep.dev/playground/r/pZT03Q0/javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret + origin: community + languages: + - javascript + - typescript + severity: WARNING + patterns: + - pattern-either: + - pattern-inside: | + $JWT = require('express-jwt'); + ... + - pattern-inside: | + import $JWT from 'express-jwt'; + ... + - pattern-inside: | + import * as $JWT from 'express-jwt'; + ... + - pattern-inside: | + import { ..., $JWT, ... } from 'express-jwt'; + ... + - pattern-either: + - pattern: | + $JWT({...,secret: "$Y",...},...) + - pattern: | + $OPTS = "$Y"; + ... + $JWT({...,secret: $OPTS},...); + - focus-metavariable: $Y +- id: javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret + message: A hard-coded credential was detected. It is not recommended to store credentials + in source-code, as this risks secrets being leaked and used by either an internal + or external malicious adversary. It is recommended to use environment variables + to securely provide credentials or retrieve credentials from a secure vault or + HSM (Hardware Security Module). + metadata: + interfile: true + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + asvs: + section: 'V3: Session Management Verification Requirements' + control_id: 3.5.2 Static API keys or secret + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management + version: '4' + category: security + technology: + - jose + - jwt + - secrets + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret + shortlink: https://sg.run/Ro1g + semgrep.dev: + rule: + r_id: 9293 + rv_id: 1263182 + rule_id: JDUyRl + version_id: d6TyxbX + url: https://semgrep.dev/playground/r/d6TyxbX/javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret + origin: community + languages: + - javascript + - typescript + severity: WARNING + patterns: + - pattern-inside: | + $JOSE = require("jose"); + ... + - pattern-either: + - pattern-inside: | + var {JWT} = $JOSE; + ... + - pattern-inside: | + var {JWK, JWT} = $JOSE; + ... + - pattern-inside: | + const {JWT} = $JOSE; + ... + - pattern-inside: | + const {JWK, JWT} = $JOSE; + ... + - pattern-inside: | + let {JWT} = $JOSE; + ... + - pattern-inside: | + let {JWK, JWT} = $JOSE; + ... + - pattern-either: + - pattern: | + JWT.verify($P, "...", ...); + - pattern: | + JWT.sign($P, "...", ...); + - pattern: "JWT.verify($P, JWK.asKey(\"...\"), ...); \n" + - pattern: | + $JWT.sign($P, JWK.asKey("..."), ...); + options: + symbolic_propagation: true + interfile: true +- id: javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret + message: A hard-coded credential was detected. It is not recommended to store credentials + in source-code, as this risks secrets being leaked and used by either an internal + or external malicious adversary. It is recommended to use environment variables + to securely provide credentials or retrieve credentials from a secure vault or + HSM (Hardware Security Module). + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + asvs: + section: 'V3: Session Management Verification Requirements' + control_id: 3.5.2 Static API keys or secret + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management + version: '4' + category: security + technology: + - jwt + - javascript + - secrets + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret + shortlink: https://sg.run/4xN9 + semgrep.dev: + rule: + r_id: 9300 + rv_id: 1263189 + rule_id: WAUon7 + version_id: gETB75D + url: https://semgrep.dev/playground/r/gETB75D/javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret + origin: community + languages: + - javascript + - typescript + severity: WARNING + mode: taint + pattern-sources: + - patterns: + - pattern: "$X = '...' \n" + - pattern: "$X = '$Y' \n" + - patterns: + - pattern-either: + - pattern-inside: | + $JWT.sign($DATA,"...",...); + - pattern-inside: | + $JWT.verify($DATA,"...",...); + pattern-sinks: + - patterns: + - pattern-either: + - pattern-inside: | + $JWT = require("jsonwebtoken") + ... + - pattern-inside: | + import $JWT from "jsonwebtoken" + ... + - pattern-inside: | + import * as $JWT from "jsonwebtoken" + ... + - pattern-inside: | + import {...,$JWT,...} from "jsonwebtoken" + ... + - pattern-either: + - pattern-inside: | + $JWT.sign($DATA,$VALUE,...); + - pattern-inside: | + $JWT.verify($DATA,$VALUE,...); + - focus-metavariable: $VALUE +- id: javascript.passport-jwt.security.passport-hardcode.hardcoded-passport-secret + message: A hard-coded credential was detected. It is not recommended to store credentials + in source-code, as this risks secrets being leaked and used by either an internal + or external malicious adversary. It is recommended to use environment variables + to securely provide credentials or retrieve credentials from a secure vault or + HSM (Hardware Security Module). + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + asvs: + section: 'V3: Session Management Verification Requirements' + control_id: 3.5.2 Static API keys or secret + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management + version: '4' + category: security + technology: + - jwt + - nodejs + - secrets + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/javascript.passport-jwt.security.passport-hardcode.hardcoded-passport-secret + shortlink: https://sg.run/vz70 + semgrep.dev: + rule: + r_id: 9333 + rv_id: 1263225 + rule_id: QrUzq6 + version_id: X0TzyoE + url: https://semgrep.dev/playground/r/X0TzyoE/javascript.passport-jwt.security.passport-hardcode.hardcoded-passport-secret + origin: community + languages: + - javascript + - typescript + severity: WARNING + mode: taint + pattern-sources: + - by-side-effect: true + patterns: + - pattern-either: + - pattern: | + {..., clientSecret: "...", ...} + - pattern: | + {..., secretOrKey: "...", ...} + - pattern: | + {..., consumerSecret: "...", ...} + - patterns: + - pattern-inside: | + $OBJ = {} + ... + - pattern-either: + - pattern: | + $OBJ.clientSecret = "..." + - pattern: | + $OBJ.secretOrKey = "..." + - pattern: | + $OBJ.consumerSecret = "..." + - pattern: $OBJ + - patterns: + - pattern-inside: | + $SECRET = '...' + ... + - pattern-either: + - pattern: | + {..., clientSecret: $SECRET, ...} + - pattern: | + {..., secretOrKey: $SECRET, ...} + - pattern: | + {..., consumerSecret: $SECRET, ...} + - patterns: + - pattern-inside: | + $SECRET = '...' + ... + - pattern-either: + - pattern-inside: | + $VALUE = {..., clientSecret: $SECRET, ...} + ... + - pattern-inside: | + $VALUE = {..., secretOrKey: $SECRET, ...} + ... + - pattern-inside: | + $VALUE = {..., consumerSecret: $SECRET, ...} + ... + - pattern: $VALUE + pattern-sinks: + - patterns: + - pattern-either: + - pattern-inside: | + $F = require("$I").Strategy + ... + - pattern-inside: | + $F = require("$I") + ... + - pattern-inside: | + import { $STRAT as $F } from '$I' + ... + - pattern-inside: | + import $F from '$I' + ... + - metavariable-regex: + metavariable: $I + regex: (passport-.*) + - pattern-inside: | + new $F($VALUE,...) + - focus-metavariable: $VALUE +- id: python.boto3.security.hardcoded-token.hardcoded-token + message: A hard-coded credential was detected. It is not recommended to store credentials + in source-code, as this risks secrets being leaked and used by either an internal + or external malicious adversary. It is recommended to use environment variables + to securely provide credentials or retrieve credentials from a secure vault or + HSM (Hardware Security Module). + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html + - https://bento.dev/checks/boto3/hardcoded-access-token/ + - https://aws.amazon.com/blogs/security/what-to-do-if-you-inadvertently-expose-an-aws-access-key/ + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + category: security + technology: + - boto3 + - secrets + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/python.boto3.security.hardcoded-token.hardcoded-token + shortlink: https://sg.run/LwQ6 + semgrep.dev: + rule: + r_id: 9439 + rv_id: 1263347 + rule_id: 5rUOwK + version_id: gETB78n + url: https://semgrep.dev/playground/r/gETB78n/python.boto3.security.hardcoded-token.hardcoded-token + origin: community + languages: + - python + severity: WARNING + mode: taint + pattern-sources: + - pattern: | + "..." + pattern-sinks: + - patterns: + - pattern-either: + - pattern: $W(...,$TOKEN="$VALUE",...) + - pattern: $BOTO. ... .$W(...,$TOKEN="$VALUE",...) + - metavariable-regex: + metavariable: $TOKEN + regex: (aws_session_token|aws_access_key_id|aws_secret_access_key) + - metavariable-pattern: + language: generic + metavariable: $VALUE + patterns: + - pattern-either: + - pattern-regex: ^AKI + - pattern-regex: ^[A-Za-z0-9/+=]+$ + - metavariable-analysis: + metavariable: $VALUE + analyzer: entropy +- id: ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller + patterns: + - pattern-inside: | + class $CONTROLLER < ApplicationController + ... + http_basic_authenticate_with ..., :password => "$SECRET", ... + end + - focus-metavariable: $SECRET + message: Detected hardcoded password used in basic authentication in a controller + class. Including this password in version control could expose this credential. + Consider refactoring to use environment variables or configuration files. + severity: WARNING + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html + source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/basic_auth/index.markdown + category: security + technology: + - ruby + - secrets + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: MEDIUM + impact: MEDIUM + confidence: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller + shortlink: https://sg.run/6r0w + semgrep.dev: + rule: + r_id: 9715 + rv_id: 1263606 + rule_id: X5UZWK + version_id: 0bTKzNK + url: https://semgrep.dev/playground/r/0bTKzNK/ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller + origin: community + languages: + - ruby +- id: terraform.aws.security.aws-provider-static-credentials.aws-provider-static-credentials + patterns: + - pattern-inside: | + provider "aws" { + ... + secret_key = "$SECRET" + } + - focus-metavariable: $SECRET + message: A hard-coded credential was detected. It is not recommended to store credentials + in source-code, as this risks secrets being leaked and used by either an internal + or external malicious adversary. It is recommended to use environment variables + to securely provide credentials or retrieve credentials from a secure vault or + HSM (Hardware Security Module). + languages: + - hcl + severity: WARNING + metadata: + technology: + - secrets + - aws + - terraform + category: security + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/terraform.aws.security.aws-provider-static-credentials.aws-provider-static-credentials + shortlink: https://sg.run/L3kn + semgrep.dev: + rule: + r_id: 16439 + rv_id: 1263735 + rule_id: d8U4n0 + version_id: rxTAK76 + url: https://semgrep.dev/playground/r/rxTAK76/terraform.aws.security.aws-provider-static-credentials.aws-provider-static-credentials + origin: community +- id: terraform.aws.security.aws-lambda-environment-credentials.aws-lambda-environment-credentials + patterns: + - pattern-inside: | + resource "$ANYTING" $ANYTHING { + ... + environment { + variables = { + ... + } + } + ... + } + - pattern-either: + - pattern-inside: | + AWS_ACCESS_KEY_ID = "$Y" + - pattern-regex: | + (?|=)\s{0,50}("|'|`)?service_account("|'|`)?,?) + languages: + - regex + message: Google (GCM) Service account detected + severity: ERROR + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + source-rule-url: https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go + category: security + technology: + - secrets + - google-cloud + confidence: LOW + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/generic.secrets.security.detected-google-gcm-service-account.detected-google-gcm-service-account + shortlink: https://sg.run/6nXj + semgrep.dev: + rule: + r_id: 9059 + rv_id: 1262874 + rule_id: NbUkL8 + version_id: w8TRoDX + url: https://semgrep.dev/playground/r/w8TRoDX/generic.secrets.security.detected-google-gcm-service-account.detected-google-gcm-service-account + origin: community +- id: generic.secrets.security.detected-paypal-braintree-access-token.detected-paypal-braintree-access-token + pattern-regex: access_token\$production\$[0-9a-z]{16}\$[0-9a-z]{32} + languages: + - regex + message: PayPal Braintree Access Token detected + severity: ERROR + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json + category: security + technology: + - secrets + - paypal + - braintree + confidence: LOW + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/generic.secrets.security.detected-paypal-braintree-access-token.detected-paypal-braintree-access-token + shortlink: https://sg.run/9oBR + semgrep.dev: + rule: + r_id: 9067 + rv_id: 1262885 + rule_id: ZqU507 + version_id: 8KT5ryb + url: https://semgrep.dev/playground/r/8KT5ryb/generic.secrets.security.detected-paypal-braintree-access-token.detected-paypal-braintree-access-token + origin: community +- id: generic.secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token + pattern-regex: ya29\.[0-9A-Za-z\-_]+ + languages: + - regex + message: Google OAuth Access Token detected + severity: ERROR + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + source-rule-url: https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json + category: security + technology: + - secrets + - google + confidence: LOW + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/generic.secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token + shortlink: https://sg.run/ox2n + semgrep.dev: + rule: + r_id: 9060 + rv_id: 1262875 + rule_id: kxUkpo + version_id: xyTjzp6 + url: https://semgrep.dev/playground/r/xyTjzp6/generic.secrets.security.detected-google-oauth-access-token.detected-google-oauth-access-token + origin: community +- id: generic.secrets.security.detected-hockeyapp.detected-hockeyapp + pattern-regex: (?i)hockey.{0,50}(\\\"|'|`)?[0-9a-f]{32}(\\\"|'|`)? + languages: + - regex + message: HockeyApp detected + severity: ERROR + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + source-rule-url: https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go + category: security + technology: + - secrets + - hockeyapp + confidence: LOW + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/generic.secrets.security.detected-hockeyapp.detected-hockeyapp + shortlink: https://sg.run/2xoY + semgrep.dev: + rule: + r_id: 9063 + rv_id: 1262878 + rule_id: OrU3zo + version_id: vdT068z + url: https://semgrep.dev/playground/r/vdT068z/generic.secrets.security.detected-hockeyapp.detected-hockeyapp + origin: community diff --git a/semgrep/rules/p-security-audit.yml b/semgrep/rules/p-security-audit.yml new file mode 100644 index 0000000..8dbccb2 --- /dev/null +++ b/semgrep/rules/p-security-audit.yml @@ -0,0 +1,13698 @@ +rules: +- id: dockerfile.security.last-user-is-root.last-user-is-root + patterns: + - pattern: USER root + - pattern-not-inside: + patterns: + - pattern: | + USER root + ... + USER $X + - metavariable-pattern: + metavariable: $X + patterns: + - pattern-not: root + message: The last user in the container is 'root'. This is a security hazard because + if an attacker gains control of the container they will have root access. Switch + back to another user after running commands as 'root'. + severity: ERROR + languages: + - dockerfile + metadata: + cwe: + - 'CWE-269: Improper Privilege Management' + source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3002 + references: + - https://github.com/hadolint/hadolint/wiki/DL3002 + category: security + technology: + - dockerfile + confidence: MEDIUM + owasp: + - A04:2021 - Insecure Design + - A06:2025 - Insecure Design + subcategory: + - audit + likelihood: MEDIUM + impact: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/dockerfile.security.last-user-is-root.last-user-is-root + shortlink: https://sg.run/5Z43 + semgrep.dev: + rule: + r_id: 20147 + rv_id: 1262658 + rule_id: ReU2n5 + version_id: 6xT29Eg + url: https://semgrep.dev/playground/r/6xT29Eg/dockerfile.security.last-user-is-root.last-user-is-root + origin: community +- id: c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn + pattern: gets(...) + message: Avoid 'gets()'. This function does not consider buffer boundaries and can + lead to buffer overflows. Use 'fgets()' or 'gets_s()' instead. + metadata: + cwe: + - 'CWE-676: Use of Potentially Dangerous Function' + references: + - https://us-cert.cisa.gov/bsi/articles/knowledge/coding-practices/fgets-and-gets_s + category: security + technology: + - c + confidence: MEDIUM + subcategory: + - audit + likelihood: LOW + impact: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Dangerous Method or Function + source: https://semgrep.dev/r/c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn + shortlink: https://sg.run/dKqX + semgrep.dev: + rule: + r_id: 8834 + rv_id: 945170 + rule_id: GdU7OE + version_id: YDTvRlQ + url: https://semgrep.dev/playground/r/YDTvRlQ/c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn + origin: community + languages: + - c + severity: ERROR +- id: c.lang.security.insecure-use-printf-fn.insecure-use-printf-fn + message: Avoid using user-controlled format strings passed into 'sprintf', 'printf' + and 'vsprintf'. These functions put you at risk of buffer overflow vulnerabilities + through the use of format string exploits. Instead, use 'snprintf' and 'vsnprintf'. + metadata: + cwe: + - 'CWE-134: Use of Externally-Controlled Format String' + references: + - https://doc.castsoftware.com/display/SBX/Never+use+sprintf%28%29+or+vsprintf%28%29+functions + - https://www.cvedetails.com/cwe-details/134/Uncontrolled-Format-String.html + category: security + technology: + - c + confidence: LOW + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Improper Validation + source: https://semgrep.dev/r/c.lang.security.insecure-use-printf-fn.insecure-use-printf-fn + shortlink: https://sg.run/ZvJx + semgrep.dev: + rule: + r_id: 8835 + rv_id: 945172 + rule_id: ReUgWx + version_id: o5TZeB2 + url: https://semgrep.dev/playground/r/o5TZeB2/c.lang.security.insecure-use-printf-fn.insecure-use-printf-fn + origin: community + languages: + - c + severity: WARNING + patterns: + - pattern-either: + - pattern: | + $FUNC($BUFFER, argv[$NUM], ...); + ... + vsprintf(..., $BUFFER, ...); + - pattern: vsprintf(..., argv[$NUM], ...) + - pattern: | + $FUNC($BUFFER, argv[$NUM], ...); + ... + sprintf(..., $BUFFER, ...); + - pattern: sprintf(...,argv[$NUM],...) + - pattern: | + $FUNC($BUFFER, argv[$NUM], ...); + ... + printf(..., $BUFFER, ...); + - pattern: printf(...,argv[$NUM],...) + - metavariable-comparison: + metavariable: $NUM + comparison: int($NUM) > 0 +- id: c.lang.security.insecure-use-strcat-fn.insecure-use-strcat-fn + pattern-either: + - pattern: strcat(...) + - pattern: strncat(...) + message: Finding triggers whenever there is a strcat or strncat used. This is an + issue because strcat or strncat can lead to buffer overflow vulns. Fix this by + using strcat_s instead. + metadata: + cwe: + - 'CWE-676: Use of Potentially Dangerous Function' + references: + - https://nvd.nist.gov/vuln/detail/CVE-2019-12553 + - https://techblog.mediaservice.net/2020/04/cve-2020-2851-stack-based-buffer-overflow-in-cde-libdtsvc/ + category: security + technology: + - c + confidence: LOW + subcategory: + - audit + likelihood: LOW + impact: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Dangerous Method or Function + source: https://semgrep.dev/r/c.lang.security.insecure-use-strcat-fn.insecure-use-strcat-fn + shortlink: https://sg.run/EkRP + semgrep.dev: + rule: + r_id: 8837 + rv_id: 945174 + rule_id: BYUNjA + version_id: pZTNOXb + url: https://semgrep.dev/playground/r/pZTNOXb/c.lang.security.insecure-use-strcat-fn.insecure-use-strcat-fn + origin: community + languages: + - c + severity: WARNING +- id: c.lang.security.insecure-use-strtok-fn.insecure-use-strtok-fn + pattern: strtok(...) + message: Avoid using 'strtok()'. This function directly modifies the first argument + buffer, permanently erasing the delimiter character. Use 'strtok_r()' instead. + metadata: + cwe: + - 'CWE-676: Use of Potentially Dangerous Function' + references: + - https://wiki.sei.cmu.edu/confluence/display/c/STR06-C.+Do+not+assume+that+strtok%28%29+leaves+the+parse+string+unchanged + - https://man7.org/linux/man-pages/man3/strtok.3.html#BUGS + - https://stackoverflow.com/a/40335556 + category: security + technology: + - c + confidence: LOW + subcategory: + - audit + likelihood: LOW + impact: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Dangerous Method or Function + source: https://semgrep.dev/r/c.lang.security.insecure-use-strtok-fn.insecure-use-strtok-fn + shortlink: https://sg.run/LwqG + semgrep.dev: + rule: + r_id: 8839 + rv_id: 1028278 + rule_id: WAUo5v + version_id: qkTx1oq + url: https://semgrep.dev/playground/r/qkTx1oq/c.lang.security.insecure-use-strtok-fn.insecure-use-strtok-fn + origin: community + languages: + - c + severity: WARNING +- id: c.lang.security.double-free.double-free + patterns: + - pattern-not: | + free($VAR); + ... + $VAR = NULL; + ... + free($VAR); + - pattern-not: | + free($VAR); + ... + $VAR = malloc(...); + ... + free($VAR); + - pattern-inside: | + free($VAR); + ... + $FREE($VAR); + - metavariable-pattern: + metavariable: $FREE + pattern: free + - focus-metavariable: $FREE + message: Variable '$VAR' was freed twice. This can lead to undefined behavior. + metadata: + cwe: + - 'CWE-415: Double Free' + owasp: + - A03:2021 - Injection + - A01:2017 - Injection + - A05:2025 - Injection + references: + - https://cwe.mitre.org/data/definitions/415.html + - https://owasp.org/www-community/vulnerabilities/Doubly_freeing_memory + category: security + technology: + - c + confidence: LOW + subcategory: + - vuln + likelihood: LOW + impact: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Memory Issues + source: https://semgrep.dev/r/c.lang.security.double-free.double-free + shortlink: https://sg.run/eLl0 + semgrep.dev: + rule: + r_id: 8832 + rv_id: 1262604 + rule_id: JDUyw8 + version_id: RGT0L3W + url: https://semgrep.dev/playground/r/RGT0L3W/c.lang.security.double-free.double-free + origin: community + languages: + - c + severity: ERROR +- id: c.lang.security.use-after-free.use-after-free + patterns: + - pattern-either: + - pattern: $VAR->$ACCESSOR + - pattern: (*$VAR).$ACCESSOR + - pattern: $VAR[$NUM] + - pattern-inside: free($VAR); ... + - pattern-not-inside: $VAR = NULL; ... + - pattern-not-inside: free($VAR); ... $VAR = malloc(...); ... + message: Variable '$VAR' was used after being freed. This can lead to undefined + behavior. + metadata: + cwe: + - 'CWE-416: Use After Free' + references: + - https://cwe.mitre.org/data/definitions/416.html + - https://ctf-wiki.github.io/ctf-wiki/pwn/linux/glibc-heap/use_after_free/ + category: security + technology: + - c + confidence: LOW + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Memory Issues + source: https://semgrep.dev/r/c.lang.security.use-after-free.use-after-free + shortlink: https://sg.run/gL6e + semgrep.dev: + rule: + r_id: 8841 + rv_id: 945178 + rule_id: KxUb9l + version_id: 1QToKPy + url: https://semgrep.dev/playground/r/1QToKPy/c.lang.security.use-after-free.use-after-free + origin: community + languages: + - c + severity: WARNING +- id: c.lang.security.random-fd-exhaustion.random-fd-exhaustion + pattern-either: + - patterns: + - pattern: | + $FD = open("/dev/urandom", ...); + ... + read($FD, ...); + - pattern-not: | + $FD = open("/dev/urandom", ...); + ... + $BYTES_READ = read($FD, ...); + - patterns: + - pattern: | + $FD = open("/dev/random", ...); + ... + read($FD, ...); + - pattern-not: | + $FD = open("/dev/random", ...); + ... + $BYTES_READ = read($FD, ...); + message: Call to 'read()' without error checking is susceptible to file descriptor + exhaustion. Consider using the 'getrandom()' function. + metadata: + cwe: + - 'CWE-774: Allocation of File Descriptors or Handles Without Limits or Throttling' + references: + - https://lwn.net/Articles/606141/ + category: security + technology: + - c + confidence: MEDIUM + subcategory: + - audit + likelihood: LOW + impact: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Denial-of-Service (DoS) + source: https://semgrep.dev/r/c.lang.security.random-fd-exhaustion.random-fd-exhaustion + shortlink: https://sg.run/8yNj + semgrep.dev: + rule: + r_id: 8840 + rv_id: 945177 + rule_id: 0oU5k4 + version_id: jQTzvry + url: https://semgrep.dev/playground/r/jQTzvry/c.lang.security.random-fd-exhaustion.random-fd-exhaustion + origin: community + languages: + - c + severity: WARNING +- id: go.grpc.security.grpc-client-insecure-connection.grpc-client-insecure-connection + metadata: + cwe: + - 'CWE-300: Channel Accessible by Non-Endpoint' + references: + - https://blog.gopheracademy.com/advent-2019/go-grps-and-tls/#connection-without-encryption + category: security + technology: + - grpc + confidence: HIGH + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + subcategory: + - audit + likelihood: LOW + impact: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Other + source: https://semgrep.dev/r/go.grpc.security.grpc-client-insecure-connection.grpc-client-insecure-connection + shortlink: https://sg.run/J9yZ + semgrep.dev: + rule: + r_id: 9090 + rv_id: 1262916 + rule_id: PeUZ4X + version_id: YDTZeZB + url: https://semgrep.dev/playground/r/YDTZeZB/go.grpc.security.grpc-client-insecure-connection.grpc-client-insecure-connection + origin: community + message: 'Found an insecure gRPC connection using ''grpc.WithInsecure()''. This + creates a connection without encryption to a gRPC server. A malicious attacker + could tamper with the gRPC message, which could compromise the machine. Instead, + establish a secure connection with an SSL certificate using the ''grpc.WithTransportCredentials()'' + function. You can create a create credentials using a ''tls.Config{}'' struct + with ''credentials.NewTLS()''. The final fix looks like this: ''grpc.WithTransportCredentials(credentials.NewTLS())''.' + languages: + - go + severity: ERROR + pattern: $GRPC.Dial($ADDR, ..., $GRPC.WithInsecure(...), ...) + fix-regex: + regex: (.*)WithInsecure\(.*?\) + replacement: \1WithTransportCredentials(credentials.NewTLS()) +- id: go.grpc.security.grpc-server-insecure-connection.grpc-server-insecure-connection + metadata: + cwe: + - 'CWE-300: Channel Accessible by Non-Endpoint' + references: + - https://blog.gopheracademy.com/advent-2019/go-grps-and-tls/#connection-without-encryption + category: security + technology: + - grpc + confidence: HIGH + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + subcategory: + - audit + likelihood: LOW + impact: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Other + source: https://semgrep.dev/r/go.grpc.security.grpc-server-insecure-connection.grpc-server-insecure-connection + shortlink: https://sg.run/5Q5l + semgrep.dev: + rule: + r_id: 9091 + rv_id: 1262917 + rule_id: JDUy0B + version_id: 6xT2923 + url: https://semgrep.dev/playground/r/6xT2923/go.grpc.security.grpc-server-insecure-connection.grpc-server-insecure-connection + origin: community + message: Found an insecure gRPC server without 'grpc.Creds()' or options with credentials. + This allows for a connection without encryption to this server. A malicious attacker + could tamper with the gRPC message, which could compromise the machine. Include + credentials derived from an SSL certificate in order to create a secure gRPC connection. + You can create credentials using 'credentials.NewServerTLSFromFile("cert.pem", + "cert.key")'. + languages: + - go + severity: ERROR + mode: taint + pattern-sinks: + - requires: OPTIONS and not CREDS + pattern: grpc.NewServer($OPT, ...) + - requires: EMPTY_CONSTRUCTOR + pattern: grpc.NewServer() + pattern-sources: + - label: OPTIONS + pattern: grpc.ServerOption{ ... } + - label: CREDS + pattern: grpc.Creds(...) + - label: EMPTY_CONSTRUCTOR + pattern: grpc.NewServer() +- id: go.jwt-go.security.jwt.hardcoded-jwt-key + message: A hard-coded credential was detected. It is not recommended to store credentials + in source-code, as this risks secrets being leaked and used by either an internal + or external malicious adversary. It is recommended to use environment variables + to securely provide credentials or retrieve credentials from a secure vault or + HSM (Hardware Security Module). + options: + interfile: true + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + category: security + technology: + - jwt + - secrets + confidence: MEDIUM + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + interfile: true + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/go.jwt-go.security.jwt.hardcoded-jwt-key + shortlink: https://sg.run/Rod2 + semgrep.dev: + rule: + r_id: 9093 + rv_id: 1262920 + rule_id: GdU7Ny + version_id: pZT0305 + url: https://semgrep.dev/playground/r/pZT0305/go.jwt-go.security.jwt.hardcoded-jwt-key + origin: community + severity: WARNING + languages: + - go + mode: taint + pattern-sources: + - patterns: + - pattern-inside: | + []byte("$F") + pattern-sinks: + - patterns: + - pattern-either: + - pattern-inside: | + $TOKEN.SignedString($F) + - focus-metavariable: $F +- id: go.lang.security.audit.crypto.bad_imports.insecure-module-used + message: The package `net/http/cgi` is on the import blocklist. The package is + vulnerable to httpoxy attacks (CVE-2015-5386). It is recommended to use `net/http` + or a web framework to build a web application instead. + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + source-rule-url: https://github.com/securego/gosec + references: + - https://godoc.org/golang.org/x/crypto/sha3 + category: security + technology: + - go + confidence: MEDIUM + subcategory: + - audit + likelihood: MEDIUM + impact: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/go.lang.security.audit.crypto.bad_imports.insecure-module-used + shortlink: https://sg.run/l2gj + semgrep.dev: + rule: + r_id: 9113 + rv_id: 1262921 + rule_id: yyUnov + version_id: 2KTv2vJ + url: https://semgrep.dev/playground/r/2KTv2vJ/go.lang.security.audit.crypto.bad_imports.insecure-module-used + origin: community + languages: + - go + severity: WARNING + pattern-either: + - patterns: + - pattern-inside: | + import "net/http/cgi" + ... + - pattern: | + cgi.$FUNC(...) +- id: go.lang.security.audit.crypto.insecure_ssh.avoid-ssh-insecure-ignore-host-key + message: Disabled host key verification detected. This allows man-in-the-middle + attacks. Use the 'golang.org/x/crypto/ssh/knownhosts' package to do host key verification. + See https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/ to + learn more about the problem and how to fix it. + metadata: + cwe: + - 'CWE-322: Key Exchange without Entity Authentication' + owasp: + - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures + source-rule-url: https://github.com/securego/gosec + references: + - https://skarlso.github.io/2019/02/17/go-ssh-with-host-key-verification/ + - https://gist.github.com/Skarlso/34321a230cf0245018288686c9e70b2d + category: security + technology: + - go + confidence: MEDIUM + subcategory: + - audit + likelihood: LOW + impact: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/go.lang.security.audit.crypto.insecure_ssh.avoid-ssh-insecure-ignore-host-key + shortlink: https://sg.run/Yv6X + semgrep.dev: + rule: + r_id: 9114 + rv_id: 1262922 + rule_id: r6UrW9 + version_id: X0TzyzN + url: https://semgrep.dev/playground/r/X0TzyzN/go.lang.security.audit.crypto.insecure_ssh.avoid-ssh-insecure-ignore-host-key + origin: community + languages: + - go + severity: WARNING + pattern: ssh.InsecureIgnoreHostKey() +- id: go.lang.security.audit.crypto.math_random.math-random-used + metadata: + cwe: + - 'CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)' + owasp: + - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation + category: security + technology: + - go + confidence: MEDIUM + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/go.lang.security.audit.crypto.math_random.math-random-used + shortlink: https://sg.run/6nK6 + semgrep.dev: + rule: + r_id: 9115 + rv_id: 1262923 + rule_id: bwUwy8 + version_id: jQTn5nj + url: https://semgrep.dev/playground/r/jQTn5nj/go.lang.security.audit.crypto.math_random.math-random-used + origin: community + message: Do not use `math/rand`. Use `crypto/rand` instead. + languages: + - go + severity: WARNING + patterns: + - pattern-either: + - pattern: | + import $RAND "$MATH" + - pattern: | + import "$MATH" + - metavariable-regex: + metavariable: $MATH + regex: ^(math/rand(\/v[0-9]+)*)$ + - pattern-either: + - pattern-inside: | + ... + rand.$FUNC(...) + - pattern-inside: | + ... + $RAND.$FUNC(...) + - focus-metavariable: + - $MATH + fix: | + crypto/rand +- id: go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure + message: SSLv3 is insecure because it has known vulnerabilities. Starting with go1.14, + SSLv3 will be removed. Instead, use 'tls.VersionTLS13'. + metadata: + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures + source-rule-url: https://github.com/securego/gosec/blob/master/rules/tls_config.go + references: + - https://golang.org/doc/go1.14#crypto/tls + - https://www.us-cert.gov/ncas/alerts/TA14-290A + category: security + technology: + - go + confidence: HIGH + subcategory: + - vuln + likelihood: MEDIUM + impact: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure + shortlink: https://sg.run/zvE1 + semgrep.dev: + rule: + r_id: 9117 + rv_id: 1262926 + rule_id: kxUkJ2 + version_id: yeTxpxj + url: https://semgrep.dev/playground/r/yeTxpxj/go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure + origin: community + languages: + - go + severity: WARNING + fix-regex: + regex: VersionSSL30 + replacement: VersionTLS13 + pattern: 'tls.Config{..., MinVersion: $TLS.VersionSSL30, ...}' +- id: go.lang.security.audit.crypto.tls.tls-with-insecure-cipher + message: Detected an insecure CipherSuite via the 'tls' module. This suite is considered + weak. Use the function 'tls.CipherSuites()' to get a list of good cipher suites. + See https://golang.org/pkg/crypto/tls/#InsecureCipherSuites for why and what other + cipher suites to use. + metadata: + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures + source-rule-url: https://github.com/securego/gosec/blob/master/rules/tls.go + references: + - https://golang.org/pkg/crypto/tls/#InsecureCipherSuites + category: security + technology: + - go + confidence: HIGH + subcategory: + - vuln + likelihood: HIGH + impact: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/go.lang.security.audit.crypto.tls.tls-with-insecure-cipher + shortlink: https://sg.run/px8N + semgrep.dev: + rule: + r_id: 9118 + rv_id: 1262927 + rule_id: wdUJYk + version_id: rxTAKAZ + url: https://semgrep.dev/playground/r/rxTAKAZ/go.lang.security.audit.crypto.tls.tls-with-insecure-cipher + origin: community + languages: + - go + severity: WARNING + pattern-either: + - pattern: | + tls.Config{..., CipherSuites: []$TYPE{..., tls.TLS_RSA_WITH_RC4_128_SHA, ...}} + - pattern: | + tls.Config{..., CipherSuites: []$TYPE{..., tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA, ...}} + - pattern: | + tls.Config{..., CipherSuites: []$TYPE{..., tls.TLS_RSA_WITH_AES_128_CBC_SHA256, ...}} + - pattern: | + tls.Config{..., CipherSuites: []$TYPE{..., tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, ...}} + - pattern: | + tls.Config{..., CipherSuites: []$TYPE{..., tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA, ...}} + - pattern: | + tls.Config{..., CipherSuites: []$TYPE{..., tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, ...}} + - pattern: | + tls.Config{..., CipherSuites: []$TYPE{..., tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, ...}} + - pattern: | + tls.Config{..., CipherSuites: []$TYPE{..., tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, ...}} + - pattern: | + tls.CipherSuite{..., TLS_RSA_WITH_RC4_128_SHA, ...} + - pattern: | + tls.CipherSuite{..., TLS_RSA_WITH_3DES_EDE_CBC_SHA, ...} + - pattern: | + tls.CipherSuite{..., TLS_RSA_WITH_AES_128_CBC_SHA256, ...} + - pattern: | + tls.CipherSuite{..., TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, ...} + - pattern: | + tls.CipherSuite{..., TLS_ECDHE_RSA_WITH_RC4_128_SHA, ...} + - pattern: | + tls.CipherSuite{..., TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, ...} + - pattern: | + tls.CipherSuite{..., TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, ...} + - pattern: | + tls.CipherSuite{..., TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, ...} +- id: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-DES + message: Detected DES cipher algorithm which is insecure. The algorithm is considered + weak and has been deprecated. Use AES instead. + languages: + - go + severity: WARNING + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + source-rule-url: https://github.com/securego/gosec#available-rules + category: security + technology: + - go + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-DES + shortlink: https://sg.run/jREA + semgrep.dev: + rule: + r_id: 9121 + rv_id: 1262930 + rule_id: eqU8B3 + version_id: kbTzGzA + url: https://semgrep.dev/playground/r/kbTzGzA/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-DES + origin: community + patterns: + - pattern-inside: | + import "crypto/des" + ... + - pattern-either: + - pattern: | + des.NewTripleDESCipher(...) + - pattern: | + des.NewCipher(...) +- id: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5 + message: Detected MD5 hash algorithm which is considered insecure. MD5 is not collision + resistant and is therefore not suitable as a cryptographic signature. Use SHA256 + or SHA3 instead. + languages: + - go + severity: WARNING + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures + cwe: + - 'CWE-328: Use of Weak Hash' + source-rule-url: https://github.com/securego/gosec#available-rules + category: security + technology: + - go + confidence: MEDIUM + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Insecure Hashing Algorithm + source: https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5 + shortlink: https://sg.run/2xB5 + semgrep.dev: + rule: + r_id: 9119 + rv_id: 1262928 + rule_id: x8Un6q + version_id: bZT535Y + url: https://semgrep.dev/playground/r/bZT535Y/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5 + origin: community + patterns: + - pattern-inside: | + import "crypto/md5" + ... + - pattern-either: + - pattern: | + md5.New() + - pattern: | + md5.Sum(...) +- id: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-rc4 + message: Detected RC4 cipher algorithm which is insecure. The algorithm has many + known vulnerabilities. Use AES instead. + languages: + - go + severity: WARNING + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + source-rule-url: https://github.com/securego/gosec#available-rules + category: security + technology: + - go + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-rc4 + shortlink: https://sg.run/1ZAD + semgrep.dev: + rule: + r_id: 9122 + rv_id: 1262931 + rule_id: v8Unl0 + version_id: w8TRoRQ + url: https://semgrep.dev/playground/r/w8TRoRQ/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-rc4 + origin: community + patterns: + - pattern-inside: | + import "crypto/rc4" + ... + - pattern: rc4.NewCipher(...) +- id: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1 + message: Detected SHA1 hash algorithm which is considered insecure. SHA1 is not + collision resistant and is therefore not suitable as a cryptographic signature. + Use SHA256 or SHA3 instead. + languages: + - go + severity: WARNING + metadata: + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures + cwe: + - 'CWE-328: Use of Weak Hash' + source-rule-url: https://github.com/securego/gosec#available-rules + category: security + technology: + - go + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Insecure Hashing Algorithm + source: https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1 + shortlink: https://sg.run/XBYA + semgrep.dev: + rule: + r_id: 9120 + rv_id: 1262929 + rule_id: OrU31O + version_id: NdTzyz1 + url: https://semgrep.dev/playground/r/NdTzyz1/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1 + origin: community + patterns: + - pattern-inside: | + import "crypto/sha1" + ... + - pattern-either: + - pattern: | + sha1.New() + - pattern: | + sha1.Sum(...) +- id: go.lang.security.audit.database.string-formatted-query.string-formatted-query + languages: + - go + message: String-formatted SQL query detected. This could lead to SQL injection if + the string is not sanitized properly. Audit this call to ensure the SQL is not + manipulable by external data. + severity: WARNING + metadata: + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + - A05:2025 - Injection + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + source-rule-url: https://github.com/securego/gosec + category: security + technology: + - go + confidence: LOW + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/go.lang.security.audit.database.string-formatted-query.string-formatted-query + shortlink: https://sg.run/ydEr + semgrep.dev: + rule: + r_id: 9124 + rv_id: 1262937 + rule_id: ZqU5bD + version_id: ZRTKA2q + url: https://semgrep.dev/playground/r/ZRTKA2q/go.lang.security.audit.database.string-formatted-query.string-formatted-query + origin: community + patterns: + - metavariable-regex: + metavariable: $OBJ + regex: (?i).*(db|database) + - pattern-not-inside: | + $VAR = "..." + "..." + ... + $OBJ.$SINK(..., $VAR, ...) + - pattern-not: $OBJ.Exec("...") + - pattern-not: $OBJ.ExecContext($CTX, "...") + - pattern-not: $OBJ.Query("...") + - pattern-not: $OBJ.QueryContext($CTX, "...") + - pattern-not: $OBJ.QueryRow("...") + - pattern-not: $OBJ.QueryRow($CTX, "...") + - pattern-not: $OBJ.QueryRowContext($CTX, "...") + - pattern-either: + - pattern: $OBJ.Exec($X + ...) + - pattern: $OBJ.ExecContext($CTX, $X + ...) + - pattern: $OBJ.Query($X + ...) + - pattern: $OBJ.QueryContext($CTX, $X + ...) + - pattern: $OBJ.QueryRow($X + ...) + - pattern: $OBJ.QueryRow($CTX, $X + ...) + - pattern: $OBJ.QueryRowContext($CTX, $X + ...) + - pattern: $OBJ.Exec(fmt.$P("...", ...)) + - pattern: $OBJ.ExecContext($CTX, fmt.$P("...", ...)) + - pattern: $OBJ.Query(fmt.$P("...", ...)) + - pattern: $OBJ.QueryContext($CTX, fmt.$P("...", ...)) + - pattern: $OBJ.QueryRow(fmt.$P("...", ...)) + - pattern: $OBJ.QueryRow($CTX, fmt.$U("...", ...)) + - pattern: $OBJ.QueryRowContext($CTX, fmt.$P("...", ...)) + - patterns: + - pattern-either: + - pattern: $QUERY = fmt.Fprintf($F, "$SQLSTR", ...) + - pattern: $QUERY = fmt.Sprintf("$SQLSTR", ...) + - pattern: $QUERY = fmt.Printf("$SQLSTR", ...) + - pattern: $QUERY = $X + ... + - pattern-either: + - pattern-inside: | + func $FUNC(...) { + ... + $OBJ.Query($QUERY, ...) + ... + } + - pattern-inside: | + func $FUNC(...) { + ... + $OBJ.ExecContext($CTX, $QUERY, ...) + ... + } + - pattern-inside: | + func $FUNC(...) { + ... + $OBJ.Exec($QUERY, ...) + ... + } + - pattern-inside: | + func $FUNC(...) { + ... + $OBJ.QueryRow($CTX, $QUERY) + ... + } + - pattern-inside: | + func $FUNC(...) { + ... + $OBJ.QueryRow($QUERY) + ... + } + - pattern-inside: | + func $FUNC(...) { + ... + $OBJ.QueryContext($CTX, $QUERY) + ... + } + - pattern-inside: | + func $FUNC(...) { + ... + $OBJ.QueryRowContext($CTX, $QUERY, ...) + ... + } +- id: go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces + message: Detected a network listener listening on 0.0.0.0 or an empty string. This + could unexpectedly expose the server publicly as it binds to all available interfaces. + Instead, specify another IP address that is not 0.0.0.0 nor the empty string. + languages: + - go + severity: WARNING + metadata: + cwe: + - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' + owasp: + - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control + source-rule-url: https://github.com/securego/gosec + category: security + technology: + - go + confidence: HIGH + references: + - https://owasp.org/Top10/A01_2021-Broken_Access_Control + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces + shortlink: https://sg.run/rdE0 + semgrep.dev: + rule: + r_id: 9125 + rv_id: 1262939 + rule_id: nJUz3J + version_id: ExTExoK + url: https://semgrep.dev/playground/r/ExTExoK/go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces + origin: community + pattern-either: + - pattern: tls.Listen($NETWORK, "=~/^0.0.0.0:.*$/", ...) + - pattern: net.Listen($NETWORK, "=~/^0.0.0.0:.*$/", ...) + - pattern: tls.Listen($NETWORK, "=~/^:.*$/", ...) + - pattern: net.Listen($NETWORK, "=~/^:.*$/", ...) +- id: go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace + message: Detected a potentially dynamic ClientTrace. This occurred because semgrep + could not find a static definition for '$TRACE'. Dynamic ClientTraces are dangerous + because they deserialize function code to run when certain Request events occur, + which could lead to code being run without your knowledge. Ensure that your ClientTrace + is statically defined. + metadata: + cwe: + - 'CWE-913: Improper Control of Dynamically-Managed Code Resources' + owasp: + - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control + references: + - https://github.com/returntocorp/semgrep-rules/issues/518 + category: security + technology: + - go + confidence: MEDIUM + subcategory: + - vuln + likelihood: LOW + impact: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace + shortlink: https://sg.run/kXEK + semgrep.dev: + rule: + r_id: 9128 + rv_id: 1262942 + rule_id: L1Uyjp + version_id: 8KT5rNv + url: https://semgrep.dev/playground/r/8KT5rNv/go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace + origin: community + patterns: + - pattern-not-inside: | + package $PACKAGE + ... + &httptrace.ClientTrace { ... } + ... + - pattern: httptrace.WithClientTrace($ANY, $TRACE) + severity: WARNING + languages: + - go +- id: go.lang.security.audit.net.formatted-template-string.formatted-template-string + message: Found a formatted template string passed to 'template.HTML()'. 'template.HTML()' + does not escape contents. Be absolutely sure there is no user-controlled data + in this template. If user data can reach this template, you may have a XSS vulnerability. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + - A05:2025 - Injection + references: + - https://golang.org/pkg/html/template/#HTML + category: security + technology: + - go + confidence: MEDIUM + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/go.lang.security.audit.net.formatted-template-string.formatted-template-string + shortlink: https://sg.run/weE0 + semgrep.dev: + rule: + r_id: 9129 + rv_id: 1262943 + rule_id: 8GUjDW + version_id: gETB7Pe + url: https://semgrep.dev/playground/r/gETB7Pe/go.lang.security.audit.net.formatted-template-string.formatted-template-string + origin: community + languages: + - go + severity: WARNING + patterns: + - pattern-not: template.HTML("..." + "...") + - pattern-either: + - pattern: template.HTML($T + $X, ...) + - pattern: template.HTML(fmt.$P("...", ...), ...) + - pattern: | + $T = "..." + ... + $T = $FXN(..., $T, ...) + ... + template.HTML($T, ...) + - pattern: | + $T = fmt.$P("...", ...) + ... + template.HTML($T, ...) + - pattern: | + $T, $ERR = fmt.$P("...", ...) + ... + template.HTML($T, ...) + - pattern: | + $T = $X + $Y + ... + template.HTML($T, ...) + - pattern: |- + $T = "..." + ... + $OTHER, $ERR = fmt.$P(..., $T, ...) + ... + template.HTML($OTHER, ...) +- id: go.lang.security.audit.net.pprof.pprof-debug-exposure + metadata: + cwe: + - 'CWE-489: Active Debug Code' + owasp: A06:2017 - Security Misconfiguration + source-rule-url: https://github.com/securego/gosec#available-rules + references: + - https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/ + category: security + technology: + - go + confidence: LOW + subcategory: + - audit + likelihood: LOW + impact: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Active Debug Code + source: https://semgrep.dev/r/go.lang.security.audit.net.pprof.pprof-debug-exposure + shortlink: https://sg.run/x1Ep + semgrep.dev: + rule: + r_id: 9130 + rv_id: 945583 + rule_id: gxU1Kp + version_id: 9lTy168 + url: https://semgrep.dev/playground/r/9lTy168/go.lang.security.audit.net.pprof.pprof-debug-exposure + origin: community + message: The profiling 'pprof' endpoint is automatically exposed on /debug/pprof. + This could leak information about the server. Instead, use `import "net/http/pprof"`. + See https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/ + for more information and mitigation. + languages: + - go + severity: WARNING + patterns: + - pattern-inside: | + import _ "net/http/pprof" + ... + - pattern-inside: | + func $ANY(...) { + ... + } + - pattern-not-inside: | + $MUX = http.NewServeMux(...) + ... + http.ListenAndServe($ADDR, $MUX) + - pattern-not: http.ListenAndServe("=~/^localhost.*/", ...) + - pattern-not: http.ListenAndServe("=~/^127[.]0[.]0[.]1.*/", ...) + - pattern: http.ListenAndServe(...) +- id: go.lang.security.audit.net.unescaped-data-in-htmlattr.unescaped-data-in-htmlattr + message: Found a formatted template string passed to 'template. HTMLAttr()'. 'template.HTMLAttr()' + does not escape contents. Be absolutely sure there is no user-controlled data + in this template or validate and sanitize the data before passing it into the + template. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + - A05:2025 - Injection + references: + - https://golang.org/pkg/html/template/#HTMLAttr + category: security + technology: + - go + confidence: LOW + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-htmlattr.unescaped-data-in-htmlattr + shortlink: https://sg.run/OPRp + semgrep.dev: + rule: + r_id: 9131 + rv_id: 1262945 + rule_id: QrUz9R + version_id: 3ZT4XRr + url: https://semgrep.dev/playground/r/3ZT4XRr/go.lang.security.audit.net.unescaped-data-in-htmlattr.unescaped-data-in-htmlattr + origin: community + languages: + - go + severity: WARNING + pattern-either: + - pattern: template.HTMLAttr($T + $X, ...) + - pattern: template.HTMLAttr(fmt.$P("...", ...), ...) + - pattern: | + $T = "..." + ... + $T = $FXN(..., $T, ...) + ... + template.HTMLAttr($T, ...) + - pattern: | + $T = fmt.$P("...", ...) + ... + template.HTMLAttr($T, ...) + - pattern: | + $T, $ERR = fmt.$P("...", ...) + ... + template.HTMLAttr($T, ...) + - pattern: | + $T = $X + $Y + ... + template.HTMLAttr($T, ...) + - pattern: |- + $T = "..." + ... + $OTHER, $ERR = fmt.$P(..., $T, ...) + ... + template.HTMLAttr($OTHER, ...) +- id: go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js + message: Found a formatted template string passed to 'template.JS()'. 'template.JS()' + does not escape contents. Be absolutely sure there is no user-controlled data + in this template. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + - A05:2025 - Injection + references: + - https://golang.org/pkg/html/template/#JS + category: security + technology: + - go + confidence: LOW + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js + shortlink: https://sg.run/eLNl + semgrep.dev: + rule: + r_id: 9132 + rv_id: 1262946 + rule_id: 3qUP8K + version_id: 44TEj9E + url: https://semgrep.dev/playground/r/44TEj9E/go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js + origin: community + languages: + - go + severity: WARNING + pattern-either: + - pattern: template.JS($T + $X, ...) + - pattern: template.JS(fmt.$P("...", ...), ...) + - pattern: | + $T = "..." + ... + $T = $FXN(..., $T, ...) + ... + template.JS($T, ...) + - pattern: | + $T = fmt.$P("...", ...) + ... + template.JS($T, ...) + - pattern: | + $T, $ERR = fmt.$P("...", ...) + ... + template.JS($T, ...) + - pattern: | + $T = $X + $Y + ... + template.JS($T, ...) + - pattern: | + $T = "..." + ... + $OTHER, $ERR = fmt.$P(..., $T, ...) + ... + template.JS($OTHER, ...) +- id: go.lang.security.audit.net.unescaped-data-in-url.unescaped-data-in-url + message: Found a formatted template string passed to 'template.URL()'. 'template.URL()' + does not escape contents, and this could result in XSS (cross-site scripting) + and therefore confidential data being stolen. Sanitize data coming into this function + or make sure that no user-controlled input is coming into the function. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + - A05:2025 - Injection + references: + - https://golang.org/pkg/html/template/#URL + category: security + technology: + - go + confidence: LOW + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-url.unescaped-data-in-url + shortlink: https://sg.run/vzE4 + semgrep.dev: + rule: + r_id: 9133 + rv_id: 1262947 + rule_id: 4bUkDW + version_id: PkTR3zz + url: https://semgrep.dev/playground/r/PkTR3zz/go.lang.security.audit.net.unescaped-data-in-url.unescaped-data-in-url + origin: community + languages: + - go + severity: WARNING + pattern-either: + - pattern: template.URL($T + $X, ...) + - pattern: template.URL(fmt.$P("...", ...), ...) + - pattern: | + $T = "..." + ... + $T = $FXN(..., $T, ...) + ... + template.URL($T, ...) + - pattern: | + $T = fmt.$P("...", ...) + ... + template.URL($T, ...) + - pattern: | + $T, $ERR = fmt.$P("...", ...) + ... + template.URL($T, ...) + - pattern: | + $T = $X + $Y + ... + template.URL($T, ...) + - pattern: |- + $T = "..." + ... + $OTHER, $ERR = fmt.$P(..., $T, ...) + ... + template.URL($OTHER, ...) +- id: go.lang.security.audit.net.use-tls.use-tls + pattern: http.ListenAndServe($ADDR, $HANDLER) + fix: http.ListenAndServeTLS($ADDR, certFile, keyFile, $HANDLER) + metadata: + cwe: + - 'CWE-319: Cleartext Transmission of Sensitive Information' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures + references: + - https://golang.org/pkg/net/http/#ListenAndServeTLS + category: security + technology: + - go + confidence: MEDIUM + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/go.lang.security.audit.net.use-tls.use-tls + shortlink: https://sg.run/dKbY + semgrep.dev: + rule: + r_id: 9134 + rv_id: 1262948 + rule_id: PeUZ8X + version_id: JdTzxkn + url: https://semgrep.dev/playground/r/JdTzxkn/go.lang.security.audit.net.use-tls.use-tls + origin: community + message: Found an HTTP server without TLS. Use 'http.ListenAndServeTLS' instead. + See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information. + languages: + - go + severity: WARNING +- id: go.lang.security.audit.net.wip-xss-using-responsewriter-and-printf.wip-xss-using-responsewriter-and-printf + patterns: + - pattern-inside: | + func $FUNC(..., $W http.ResponseWriter, ...) { + ... + var $TEMPLATE = "..." + ... + $W.Write([]byte(fmt.$PRINTF($TEMPLATE, ...)), ...) + ... + } + - pattern-either: + - pattern: | + $PARAMS = r.URL.Query() + ... + $DATA, $ERR := $PARAMS[...] + ... + $INTERM = $ANYTHING(..., $DATA, ...) + ... + $W.Write([]byte(fmt.$PRINTF(..., $INTERM, ...))) + - pattern: | + $PARAMS = r.URL.Query() + ... + $DATA, $ERR := $PARAMS[...] + ... + $INTERM = $DATA[...] + ... + $W.Write([]byte(fmt.$PRINTF(..., $INTERM, ...))) + - pattern: | + $DATA, $ERR := r.URL.Query()[...] + ... + $INTERM = $DATA[...] + ... + $W.Write([]byte(fmt.$PRINTF(..., $INTERM, ...))) + - pattern: | + $DATA, $ERR := r.URL.Query()[...] + ... + $INTERM = $ANYTHING(..., $DATA, ...) + ... + $W.Write([]byte(fmt.$PRINTF(..., $INTERM, ...))) + - pattern: | + $PARAMS = r.URL.Query() + ... + $DATA, $ERR := $PARAMS[...] + ... + $W.Write([]byte(fmt.$PRINTF(..., $DATA, ...))) + message: Found data going from url query parameters into formatted data written + to ResponseWriter. This could be XSS and should not be done. If you must do this, + ensure your data is sanitized or escaped. + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + - A05:2025 - Injection + category: security + technology: + - go + confidence: MEDIUM + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/go.lang.security.audit.net.wip-xss-using-responsewriter-and-printf.wip-xss-using-responsewriter-and-printf + shortlink: https://sg.run/Zvon + semgrep.dev: + rule: + r_id: 9135 + rv_id: 1262949 + rule_id: JDUyXB + version_id: 5PTo1qr + url: https://semgrep.dev/playground/r/5PTo1qr/go.lang.security.audit.net.wip-xss-using-responsewriter-and-printf.wip-xss-using-responsewriter-and-printf + origin: community + severity: WARNING + languages: + - go +- id: go.lang.security.audit.reflect-makefunc.reflect-makefunc + message: '''reflect.MakeFunc'' detected. This will sidestep protections that are + normally afforded by Go''s type system. Audit this call and be sure that user + input cannot be used to affect the code generated by MakeFunc; otherwise, you + will have a serious security vulnerability.' + metadata: + owasp: + - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control + cwe: + - 'CWE-913: Improper Control of Dynamically-Managed Code Resources' + category: security + technology: + - go + confidence: LOW + references: + - https://owasp.org/Top10/A01_2021-Broken_Access_Control + subcategory: + - audit + likelihood: LOW + impact: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/go.lang.security.audit.reflect-makefunc.reflect-makefunc + shortlink: https://sg.run/KlPd + semgrep.dev: + rule: + r_id: 9111 + rv_id: 1262950 + rule_id: 10UKGb + version_id: GxTkeqB + url: https://semgrep.dev/playground/r/GxTkeqB/go.lang.security.audit.reflect-makefunc.reflect-makefunc + origin: community + severity: ERROR + pattern: reflect.MakeFunc(...) + languages: + - go +- id: go.lang.security.audit.unsafe.use-of-unsafe-block + message: Using the unsafe package in Go gives you low-level memory management and + many of the strengths of the C language, but also steps around the type safety + of Go and can lead to buffer overflows and possible arbitrary code execution by + an attacker. Only use this package if you absolutely know what you're doing. + languages: + - go + severity: WARNING + metadata: + cwe: + - 'CWE-242: Use of Inherently Dangerous Function' + source_rule_url: https://github.com/securego/gosec/blob/master/rules/unsafe.go + category: security + technology: + - go + confidence: LOW + references: + - https://cwe.mitre.org/data/definitions/242.html + subcategory: + - audit + likelihood: LOW + impact: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Dangerous Method or Function + source: https://semgrep.dev/r/go.lang.security.audit.unsafe.use-of-unsafe-block + shortlink: https://sg.run/qxEx + semgrep.dev: + rule: + r_id: 9112 + rv_id: 945595 + rule_id: 9AU1p1 + version_id: ZRT35Wd + url: https://semgrep.dev/playground/r/ZRT35Wd/go.lang.security.audit.unsafe.use-of-unsafe-block + origin: community + pattern: unsafe.$FUNC(...) +- id: go.lang.security.bad_tmp.bad-tmp-file-creation + message: File creation in shared tmp directory without using `io.CreateTemp`. + languages: + - go + severity: WARNING + metadata: + cwe: + - 'CWE-377: Insecure Temporary File' + source-rule-url: https://github.com/securego/gosec + category: security + technology: + - go + confidence: LOW + owasp: + - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control + references: + - https://owasp.org/Top10/A01_2021-Broken_Access_Control + - https://pkg.go.dev/io/ioutil#TempFile + - https://pkg.go.dev/os#CreateTemp + - https://github.com/securego/gosec/blob/5fd2a370447223541cddb35da8d1bc707b7bb153/rules/tempfiles.go#L67 + subcategory: + - audit + likelihood: LOW + impact: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Other + source: https://semgrep.dev/r/go.lang.security.bad_tmp.bad-tmp-file-creation + shortlink: https://sg.run/Gejn + semgrep.dev: + rule: + r_id: 9104 + rv_id: 1262965 + rule_id: 6JUjnL + version_id: 2KTv2pJ + url: https://semgrep.dev/playground/r/2KTv2pJ/go.lang.security.bad_tmp.bad-tmp-file-creation + origin: community + pattern-either: + - pattern: ioutil.WriteFile("=~//tmp/.*$/", ...) + - pattern: os.Create("=~//tmp/.*$/", ...) + - pattern: os.WriteFile("=~//tmp/.*$/", ...) +- id: go.lang.security.decompression_bomb.potential-dos-via-decompression-bomb + message: 'Detected a possible denial-of-service via a zip bomb attack. By limiting + the max bytes read, you can mitigate this attack. `io.CopyN()` can specify a size. ' + severity: WARNING + languages: + - go + patterns: + - pattern-either: + - pattern: io.Copy(...) + - pattern: io.CopyBuffer(...) + - pattern-either: + - pattern-inside: | + gzip.NewReader(...) + ... + - pattern-inside: | + zlib.NewReader(...) + ... + - pattern-inside: | + zlib.NewReaderDict(...) + ... + - pattern-inside: | + bzip2.NewReader(...) + ... + - pattern-inside: | + flate.NewReader(...) + ... + - pattern-inside: | + flate.NewReaderDict(...) + ... + - pattern-inside: | + lzw.NewReader(...) + ... + - pattern-inside: | + tar.NewReader(...) + ... + - pattern-inside: | + zip.NewReader(...) + ... + - pattern-inside: | + zip.OpenReader(...) + ... + fix-regex: + regex: (.*)(Copy|CopyBuffer)\((.*?),(.*?)(\)|,.*\)) + replacement: \1CopyN(\3, \4, 1024*1024*256) + metadata: + cwe: + - 'CWE-400: Uncontrolled Resource Consumption' + source-rule-url: https://github.com/securego/gosec + references: + - https://golang.org/pkg/io/#CopyN + - https://github.com/securego/gosec/blob/master/rules/decompression-bomb.go + category: security + technology: + - go + confidence: LOW + cwe2022-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Denial-of-Service (DoS) + source: https://semgrep.dev/r/go.lang.security.decompression_bomb.potential-dos-via-decompression-bomb + shortlink: https://sg.run/RodK + semgrep.dev: + rule: + r_id: 9105 + rv_id: 945606 + rule_id: oqUeqn + version_id: JdTDye5 + url: https://semgrep.dev/playground/r/JdTDye5/go.lang.security.decompression_bomb.potential-dos-via-decompression-bomb + origin: community +- id: go.lang.security.zip.path-traversal-inside-zip-extraction + message: File traversal when extracting zip archive + metadata: + cwe: + - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path + Traversal'')' + source_rule_url: https://github.com/securego/gosec/issues/205 + category: security + technology: + - go + confidence: LOW + owasp: + - A05:2017 - Broken Access Control + - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control + references: + - https://owasp.org/Top10/A01_2021-Broken_Access_Control + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Path Traversal + source: https://semgrep.dev/r/go.lang.security.zip.path-traversal-inside-zip-extraction + shortlink: https://sg.run/Av64 + semgrep.dev: + rule: + r_id: 9106 + rv_id: 1262971 + rule_id: zdUkoR + version_id: rxTAK1Z + url: https://semgrep.dev/playground/r/rxTAK1Z/go.lang.security.zip.path-traversal-inside-zip-extraction + origin: community + languages: + - go + severity: WARNING + pattern: | + reader, $ERR := zip.OpenReader($ARCHIVE) + ... + for _, $FILE := range reader.File { + ... + path := filepath.Join($TARGET, $FILE.Name) + ... + } +- id: go.otto.security.audit.dangerous-execution.dangerous-execution + message: Detected non-static script inside otto VM. Audit the input to 'VM.Run'. + If unverified user data can reach this call site, this is a code injection vulnerability. + A malicious actor can inject a malicious script to execute arbitrary code. + metadata: + cwe: + - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' + owasp: + - A03:2021 - Injection + - A05:2025 - Injection + category: security + technology: + - otto + - vm + confidence: LOW + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/go.otto.security.audit.dangerous-execution.dangerous-execution + shortlink: https://sg.run/4xWE + semgrep.dev: + rule: + r_id: 9144 + rv_id: 1262972 + rule_id: KxUbxk + version_id: bZT53ZY + url: https://semgrep.dev/playground/r/bZT53ZY/go.otto.security.audit.dangerous-execution.dangerous-execution + origin: community + severity: ERROR + patterns: + - pattern-inside: | + $VM = otto.New(...) + ... + - pattern-not: $VM.Run("...", ...) + - pattern: $VM.Run(...) + languages: + - go +- id: java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal + metadata: + owasp: + - A05:2017 - Broken Access Control + - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control + cwe: + - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path + Traversal'')' + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#PATH_TRAVERSAL_IN + references: + - https://www.owasp.org/index.php/Path_Traversal + category: security + technology: + - jax-rs + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: LOW + confidence: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Path Traversal + source: https://semgrep.dev/r/java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal + shortlink: https://sg.run/DoWj + semgrep.dev: + rule: + r_id: 9152 + rv_id: 1262984 + rule_id: 2ZUb9l + version_id: 7ZTE3KW + url: https://semgrep.dev/playground/r/7ZTE3KW/java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal + origin: community + message: Detected a potential path traversal. A malicious actor could control the + location of this file, to include going backwards in the directory with '../'. + To address this, ensure that user-controlled variables in file paths are sanitized. + You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) + to only retrieve the file name from the path. + severity: WARNING + languages: + - java + pattern-either: + - pattern: | + $RETURNTYPE $FUNC (..., @PathParam(...) $TYPE $VAR, ...) { + ... + new File(..., $VAR, ...); + ... + } + - pattern: |- + $RETURNTYPE $FUNC (..., @javax.ws.rs.PathParam(...) $TYPE $VAR, ...) { + ... + new File(..., $VAR, ...); + ... + } +- id: java.lang.security.audit.anonymous-ldap-bind.anonymous-ldap-bind + metadata: + cwe: + - 'CWE-287: Improper Authentication' + owasp: + - A02:2017 - Broken Authentication + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#LDAP_ANONYMOUS + category: security + technology: + - java + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/java.lang.security.audit.anonymous-ldap-bind.anonymous-ldap-bind + shortlink: https://sg.run/jR6A + semgrep.dev: + rule: + r_id: 9165 + rv_id: 1262988 + rule_id: eqU8J3 + version_id: QkTGqE0 + url: https://semgrep.dev/playground/r/QkTGqE0/java.lang.security.audit.anonymous-ldap-bind.anonymous-ldap-bind + origin: community + message: Detected anonymous LDAP bind. This permits anonymous users to execute LDAP + statements. Consider enforcing authentication for LDAP. See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html + for more information. + severity: WARNING + pattern: | + $ENV.put($CTX.SECURITY_AUTHENTICATION, "none"); + ... + $DCTX = new InitialDirContext($ENV, ...); + languages: + - java +- id: java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion + metadata: + cwe: + - 'CWE-704: Incorrect Type Conversion or Cast' + owasp: A03:2017 - Sensitive Data Exposure + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#BAD_HEXA_CONVERSION + category: security + technology: + - java + references: + - https://cwe.mitre.org/data/definitions/704.html + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Improper Validation + source: https://semgrep.dev/r/java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion + shortlink: https://sg.run/1Z7D + semgrep.dev: + rule: + r_id: 9166 + rv_id: 945646 + rule_id: v8Uny0 + version_id: QkTZzgy + url: https://semgrep.dev/playground/r/QkTZzgy/java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion + origin: community + message: '''Integer.toHexString()'' strips leading zeroes from each byte if read + byte-by-byte. This mistake weakens the hash value computed since it introduces + more collisions. Use ''String.format("%02X", ...)'' instead.' + severity: WARNING + languages: + - java + pattern: |- + $X $METHOD(...) { + ... + MessageDigest $MD = ...; + ... + $MD.digest(...); + ... + Integer.toHexString(...); + } +- id: java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle + message: Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A + malicious actor could discern the difference between plaintext with valid or invalid + padding. Further, CBC mode does not include any integrity checks. Use 'AES/GCM/NoPadding' + instead. + metadata: + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#PADDING_ORACLE + references: + - https://capec.mitre.org/data/definitions/463.html + - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes + - https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY + category: security + technology: + - java + subcategory: + - audit + likelihood: HIGH + impact: MEDIUM + confidence: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle + shortlink: https://sg.run/ydxr + semgrep.dev: + rule: + r_id: 9168 + rv_id: 1262990 + rule_id: ZqU5oD + version_id: 44TEjbE + url: https://semgrep.dev/playground/r/44TEjbE/java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle + origin: community + severity: WARNING + fix: | + "AES/GCM/NoPadding" + languages: + - java + patterns: + - pattern-inside: Cipher.getInstance("=~/.*\/CBC\/PKCS5Padding/") + - pattern: | + "=~/.*\/CBC\/PKCS5Padding/" +- id: java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call + patterns: + - metavariable-pattern: + metavariable: $RUNTIME + patterns: + - pattern-either: + - pattern: (java.lang.Runtime $R) + - pattern: java.lang.Runtime.getRuntime(...) + - pattern-either: + - pattern: $RUNTIME.exec($X + $Y); + - pattern: $RUNTIME.exec(String.format(...)); + - pattern: $RUNTIME.loadLibrary($X + $Y); + - pattern: $RUNTIME.loadLibrary(String.format(...)); + - patterns: + - pattern-either: + - pattern: | + $RUNTIME.exec("=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c", $ARG,...) + - pattern: | + $RUNTIME.exec(Arrays.asList("=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",$ARG,...),...) + - pattern: | + $RUNTIME.exec(new String[]{"=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",$ARG,...},...) + - patterns: + - pattern-either: + - pattern: | + $RUNTIME.exec($CMD,"-c",$ARG,...) + - pattern: | + $RUNTIME.exec(Arrays.asList($CMD,"-c",$ARG,...),...) + - pattern: | + $RUNTIME.exec(new String[]{$CMD,"-c",$ARG,...},...) + - pattern-inside: | + $CMD = "=~/(sh|bash|ksh|csh|tcsh|zsh)/"; + ... + - patterns: + - pattern-either: + - pattern: | + $RUNTIME.exec($CMD, $EXECUTE, $ARG, ...) + - pattern-inside: | + $CMD = new String[]{"=~/(sh|bash|ksh|csh|tcsh|zsh)/", ...}; + ... + - patterns: + - pattern-either: + - pattern: | + $RUNTIME.exec("=~/(sh|bash|ksh|csh|tcsh|zsh)/", $BASH, $ARG,...) + - pattern: | + $RUNTIME.exec(Arrays.asList("=~/(sh|bash|ksh|csh|tcsh|zsh)/",$BASH,$ARG,...),...) + - pattern: | + $RUNTIME.exec(new String[]{"=~/(sh|bash|ksh|csh|tcsh|zsh)/",$BASH,$ARG,...},...) + - pattern-inside: | + $BASH = new String[]{"=~/(-c)/", ...}; + ... + - pattern-not-inside: | + $ARG = "..."; + ... + - pattern-not: | + $RUNTIME.exec("...","...","...",...) + - pattern-not: | + $RUNTIME.exec(new String[]{"...","...","...",...},...) + - pattern-not: | + $RUNTIME.exec(Arrays.asList("...","...","...",...),...) + message: A formatted or concatenated string was detected as input to a java.lang.Runtime + call. This is dangerous if a variable is controlled by user input and could result + in a command injection. Ensure your variables are not controlled by users or sufficiently + sanitized. + metadata: + cwe: + - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS + Command Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + - A05:2025 - Injection + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#COMMAND_INJECTION. + category: security + technology: + - java + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Command Injection + source: https://semgrep.dev/r/java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call + shortlink: https://sg.run/rd90 + semgrep.dev: + rule: + r_id: 9169 + rv_id: 1262991 + rule_id: nJUzvJ + version_id: PkTR3ez + url: https://semgrep.dev/playground/r/PkTR3ez/java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call + origin: community + severity: ERROR + languages: + - java +- id: java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly + metadata: + cwe: + - 'CWE-1004: Sensitive Cookie Without ''HttpOnly'' Flag' + owasp: + - A05:2021 - Security Misconfiguration + - A02:2025 - Security Misconfiguration + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#HTTPONLY_COOKIE + asvs: + section: 'V3: Session Management Verification Requirements' + control_id: 3.4.2 Missing Cookie Attribute + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v34-cookie-based-session-management + version: '4' + category: security + technology: + - java + references: + - https://owasp.org/Top10/A05_2021-Security_Misconfiguration + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cookie Security + source: https://semgrep.dev/r/java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly + shortlink: https://sg.run/b7Be + semgrep.dev: + rule: + r_id: 9170 + rv_id: 1262993 + rule_id: EwU2z6 + version_id: 5PTo17r + url: https://semgrep.dev/playground/r/5PTo17r/java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly + origin: community + message: A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' + flag for cookies instructs the browser to forbid client-side scripts from reading + the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);' + severity: WARNING + languages: + - java + patterns: + - pattern-not-inside: $COOKIE.setValue(""); ... + - pattern-either: + - pattern: $COOKIE.setHttpOnly(false); + - patterns: + - pattern-not-inside: $COOKIE.setHttpOnly(...); ... + - pattern-not-inside: $COOKIE = ResponseCookie.from(...). ...; ... + - pattern: $RESPONSE.addCookie($COOKIE); +- id: java.lang.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag + metadata: + cwe: + - 'CWE-614: Sensitive Cookie in HTTPS Session Without ''Secure'' Attribute' + owasp: + - A05:2021 - Security Misconfiguration + - A02:2025 - Security Misconfiguration + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#INSECURE_COOKIE + asvs: + section: 'V3: Session Management Verification Requirements' + control_id: 3.4.1 Missing Cookie Attribute + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v34-cookie-based-session-management + version: '4' + category: security + technology: + - java + references: + - https://owasp.org/Top10/A05_2021-Security_Misconfiguration + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cookie Security + source: https://semgrep.dev/r/java.lang.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag + shortlink: https://sg.run/kXoK + semgrep.dev: + rule: + r_id: 9172 + rv_id: 1262994 + rule_id: L1Uyvp + version_id: GxTkelB + url: https://semgrep.dev/playground/r/GxTkelB/java.lang.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag + origin: community + message: A cookie was detected without setting the 'secure' flag. The 'secure' flag + for cookies prevents the client from transmitting the cookie over insecure channels + such as HTTP. Set the 'secure' flag by calling '$COOKIE.setSecure(true);' + severity: WARNING + languages: + - java + patterns: + - pattern-not-inside: $COOKIE.setValue(""); ... + - pattern-either: + - pattern: $COOKIE.setSecure(false); + - patterns: + - pattern-not-inside: $COOKIE.setSecure(...); ... + - pattern-not-inside: $COOKIE = ResponseCookie.from(...). ...; ... + - pattern: $RESPONSE.addCookie($COOKIE); +- id: java.lang.security.audit.crlf-injection-logs.crlf-injection-logs + message: When data from an untrusted source is put into a logger and not neutralized + correctly, an attacker could forge log entries or include malicious content. + metadata: + cwe: + - 'CWE-93: Improper Neutralization of CRLF Sequences (''CRLF Injection'')' + owasp: + - A03:2021 - Injection + - A05:2025 - Injection + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#CRLF_INJECTION_LOGS + category: security + technology: + - java + references: + - https://owasp.org/Top10/A03_2021-Injection + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Improper Validation + source: https://semgrep.dev/r/java.lang.security.audit.crlf-injection-logs.crlf-injection-logs + shortlink: https://sg.run/wek0 + semgrep.dev: + rule: + r_id: 9173 + rv_id: 1262995 + rule_id: 8GUjwW + version_id: RGT0LEr + url: https://semgrep.dev/playground/r/RGT0LEr/java.lang.security.audit.crlf-injection-logs.crlf-injection-logs + origin: community + severity: WARNING + languages: + - java + patterns: + - pattern-either: + - patterns: + - pattern-inside: | + class $CLASS { + ... + Logger $LOG = ...; + ... + } + - pattern-either: + - pattern-inside: | + $X $METHOD(...,HttpServletRequest $REQ,...) { + ... + } + - pattern-inside: | + $X $METHOD(...,ServletRequest $REQ,...) { + ... + } + - pattern-inside: | + $X $METHOD(...) { + ... + HttpServletRequest $REQ = ...; + ... + } + - pattern-inside: | + $X $METHOD(...) { + ... + ServletRequest $REQ = ...; + ... + } + - pattern-inside: | + $X $METHOD(...) { + ... + Logger $LOG = ...; + ... + HttpServletRequest $REQ = ...; + ... + } + - pattern-inside: | + $X $METHOD(...) { + ... + Logger $LOG = ...; + ... + ServletRequest $REQ = ...; + ... + } + - pattern-either: + - pattern: | + String $VAL = $REQ.getParameter(...); + ... + $LOG.$LEVEL(<... $VAL ...>); + - pattern: | + String $VAL = $REQ.getParameter(...); + ... + $LOG.log($LEVEL,<... $VAL ...>); + - pattern: | + $LOG.$LEVEL(<... $REQ.getParameter(...) ...>); + - pattern: | + $LOG.log($LEVEL,<... $REQ.getParameter(...) ...>); +- id: java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated + message: DES is considered deprecated. AES is the recommended cipher. Upgrade to + use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard + for more information. + metadata: + functional-categories: + - crypto::search::symmetric-algorithm::javax.crypto + cwe: + - 'CWE-326: Inadequate Encryption Strength' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#DES_USAGE + asvs: + section: V6 Stored Cryptography Verification Requirements + control_id: 6.2.5 Insecure Algorithm + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms + version: '4' + references: + - https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard + - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms + category: security + technology: + - java + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated + shortlink: https://sg.run/5Q73 + semgrep.dev: + rule: + r_id: 9191 + rv_id: 1262996 + rule_id: PeUZNg + version_id: A8TgdEn + url: https://semgrep.dev/playground/r/A8TgdEn/java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated + origin: community + severity: WARNING + patterns: + - pattern-either: + - pattern-inside: $CIPHER.getInstance("=~/DES/.*/") + - pattern-inside: $CIPHER.getInstance("DES") + - pattern-either: + - pattern: | + "=~/DES/.*/" + - pattern: | + "DES" + fix: | + "AES/GCM/NoPadding" + languages: + - java + - kt +- id: java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated + message: Triple DES (3DES or DESede) is considered deprecated. AES is the recommended + cipher. Upgrade to use AES. + metadata: + functional-categories: + - crypto::search::symmetric-algorithm::javax.crypto + cwe: + - 'CWE-326: Inadequate Encryption Strength' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#TDES_USAGE + references: + - https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA + category: security + technology: + - java + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated + shortlink: https://sg.run/Geqn + semgrep.dev: + rule: + r_id: 9192 + rv_id: 1262997 + rule_id: JDUy8J + version_id: BjTkZyQ + url: https://semgrep.dev/playground/r/BjTkZyQ/java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated + origin: community + severity: WARNING + patterns: + - pattern-either: + - pattern: | + $CIPHER.getInstance("=~/DESede.*/") + - pattern: | + $CRYPTO.KeyGenerator.getInstance("DES") + languages: + - java + - kt +- id: java.lang.security.audit.crypto.no-null-cipher.no-null-cipher + patterns: + - pattern-either: + - pattern: new NullCipher(...); + - pattern: new javax.crypto.NullCipher(...); + metadata: + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#NULL_CIPHER + asvs: + section: V6 Stored Cryptography Verification Requirements + control_id: 6.2.5 Insecure Algorithm + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms + version: '4' + category: security + technology: + - java + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/java.lang.security.audit.crypto.no-null-cipher.no-null-cipher + shortlink: https://sg.run/AvA4 + semgrep.dev: + rule: + r_id: 9194 + rv_id: 1263001 + rule_id: GdU7pw + version_id: K3TKkgB + url: https://semgrep.dev/playground/r/K3TKkgB/java.lang.security.audit.crypto.no-null-cipher.no-null-cipher + origin: community + message: 'NullCipher was detected. This will not encrypt anything; the cipher text + will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance("AES/CBC/PKCS7PADDING"). + See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for + more information.' + severity: WARNING + languages: + - java +- id: java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector + message: Initialization Vectors (IVs) for block ciphers should be randomly generated + each time they are used. Using a static IV means the same plaintext encrypts to + the same ciphertext every time, weakening the strength of the encryption. + metadata: + cwe: + - 'CWE-329: Generation of Predictable IV with CBC Mode' + owasp: + - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#STATIC_IV + asvs: + section: V6 Stored Cryptography Verification Requirements + control_id: 6.2.5 Insecure Algorithm + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms + version: '4' + references: + - https://cwe.mitre.org/data/definitions/329.html + category: security + technology: + - java + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector + shortlink: https://sg.run/BkB5 + semgrep.dev: + rule: + r_id: 9195 + rv_id: 1263002 + rule_id: ReUgj1 + version_id: qkTR7vP + url: https://semgrep.dev/playground/r/qkTR7vP/java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector + origin: community + severity: WARNING + languages: + - java + pattern-either: + - pattern: | + byte[] $IV = { + ... + }; + ... + new IvParameterSpec($IV, ...); + - pattern: | + class $CLASS { + byte[] $IV = { + ... + }; + ... + $METHOD(...) { + ... + new IvParameterSpec($IV, ...); + ... + } + } +- id: java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding + metadata: + functional-categories: + - crypto::search::mode::javax.crypto + cwe: + - 'CWE-326: Inadequate Encryption Strength' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#RSA_NO_PADDING + references: + - https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/ + asvs: + section: V6 Stored Cryptography Verification Requirements + control_id: 6.2.5 Insecure Algorithm + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms + version: '4' + category: security + technology: + - java + - kotlin + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding + shortlink: https://sg.run/DoOj + semgrep.dev: + rule: + r_id: 9196 + rv_id: 1263003 + rule_id: AbUzoj + version_id: l4TJRpK + url: https://semgrep.dev/playground/r/l4TJRpK/java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding + origin: community + message: Using RSA without OAEP mode weakens the encryption. + severity: WARNING + languages: + - java + - kt + pattern: $CIPHER.getInstance("=~/RSA/[Nn][Oo][Nn][Ee]/NoPadding/") +- id: java.lang.security.audit.crypto.ssl.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated + metadata: + cwe: + - 'CWE-326: Inadequate Encryption Strength' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#DEFAULT_HTTP_CLIENT + asvs: + section: V9 Communications Verification Requirements + control_id: 9.1.3 Weak TLS + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v91-client-communications-security-requirements + version: '4' + category: security + technology: + - java + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated + shortlink: https://sg.run/J9Gj + semgrep.dev: + rule: + r_id: 9202 + rv_id: 1263005 + rule_id: qNUj8b + version_id: JdTzxnb + url: https://semgrep.dev/playground/r/JdTzxnb/java.lang.security.audit.crypto.ssl.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated + origin: community + message: DefaultHttpClient is deprecated. Further, it does not support connections + using TLS1.2, which makes using DefaultHttpClient a security hazard. Use HttpClientBuilder + instead. + severity: WARNING + languages: + - java + pattern: new DefaultHttpClient(...); + fix-regex: + regex: DefaultHttpClient + replacement: HttpClientBuilder +- id: java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier + message: Insecure HostnameVerifier implementation detected. This will accept any + SSL certificate with any hostname, which creates the possibility for man-in-the-middle + attacks. + metadata: + cwe: + - 'CWE-295: Improper Certificate Validation' + owasp: + - A03:2017 - Sensitive Data Exposure + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#WEAK_HOSTNAME_VERIFIER + asvs: + section: V9 Communications Verification Requirements + control_id: 9.2.1 Weak TLS + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v92-server-communications-security-requirements + version: '4' + category: security + technology: + - java + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier + shortlink: https://sg.run/5QoD + semgrep.dev: + rule: + r_id: 9203 + rv_id: 1263006 + rule_id: lBU9n8 + version_id: 5PTo17W + url: https://semgrep.dev/playground/r/5PTo17W/java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier + origin: community + severity: WARNING + languages: + - java + pattern-either: + - pattern: | + class $CLASS implements HostnameVerifier { + ... + public boolean verify(...) { return true; } + } + - pattern: |- + new HostnameVerifier(...){ + public boolean verify(...) { + return true; + } + } + - pattern: import org.apache.http.conn.ssl.NoopHostnameVerifier; +- id: java.lang.security.audit.crypto.ssl.insecure-trust-manager.insecure-trust-manager + metadata: + cwe: + - 'CWE-295: Improper Certificate Validation' + owasp: + - A03:2017 - Sensitive Data Exposure + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#WEAK_TRUST_MANAGER + asvs: + section: V9 Communications Verification Requirements + control_id: 9.2.1 Weak TLS + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v92-server-communications-security-requirements + version: '4' + references: + - https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https + category: security + technology: + - java + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.insecure-trust-manager.insecure-trust-manager + shortlink: https://sg.run/GePy + semgrep.dev: + rule: + r_id: 9204 + rv_id: 1263007 + rule_id: YGUR9A + version_id: GxTkel1 + url: https://semgrep.dev/playground/r/GxTkel1/java.lang.security.audit.crypto.ssl.insecure-trust-manager.insecure-trust-manager + origin: community + message: Detected empty trust manager implementations. This is dangerous because + it accepts any certificate, enabling man-in-the-middle attacks. Consider using + a KeyStore and TrustManagerFactory instead. See https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https + for more information. + severity: WARNING + languages: + - java + patterns: + - pattern-either: + - pattern-inside: | + class $CLASS implements X509TrustManager { + ... + } + - pattern-inside: | + new X509TrustManager() { + ... + } + - pattern-inside: | + class $CLASS implements X509ExtendedTrustManager { + ... + } + - pattern-inside: | + new X509ExtendedTrustManager() { + ... + } + - pattern-not: public void checkClientTrusted(...) { $SOMETHING; } + - pattern-not: public void checkServerTrusted(...) { $SOMETHING; } + - pattern-either: + - pattern: public void checkClientTrusted(...) {} + - pattern: public void checkServerTrusted(...) {} + - pattern: public X509Certificate[] getAcceptedIssuers(...) { return null; } +- id: java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket + metadata: + functional-categories: + - net::search::crypto-config::java.net + cwe: + - 'CWE-319: Cleartext Transmission of Sensitive Information' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#UNENCRYPTED_SOCKET + asvs: + section: V6 Stored Cryptography Verification Requirements + control_id: 6.2.5 Insecure Algorithm + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms + version: '4' + category: security + technology: + - java + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket + shortlink: https://sg.run/W8zA + semgrep.dev: + rule: + r_id: 9197 + rv_id: 1263008 + rule_id: BYUN3X + version_id: RGT0LEj + url: https://semgrep.dev/playground/r/RGT0LEj/java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket + origin: community + message: Detected use of a Java socket that is not encrypted. As a result, the traffic + could be read by an attacker intercepting the network traffic. Use an SSLSocket + created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead. + severity: WARNING + languages: + - java + pattern-either: + - pattern: new ServerSocket(...) + - pattern: new Socket(...) +- id: java.lang.security.audit.el-injection.el-injection + metadata: + cwe: + - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' + owasp: + - A03:2021 - Injection + - A05:2025 - Injection + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#EL_INJECTION + category: security + technology: + - java + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/java.lang.security.audit.el-injection.el-injection + shortlink: https://sg.run/x1wp + semgrep.dev: + rule: + r_id: 9174 + rv_id: 1263021 + rule_id: gxU1Np + version_id: pZT03e1 + url: https://semgrep.dev/playground/r/pZT03e1/java.lang.security.audit.el-injection.el-injection + origin: community + message: An expression is built with a dynamic value. The source of the value(s) + should be verified to avoid that unfiltered values fall into this risky code evaluation. + severity: WARNING + languages: + - java + patterns: + - pattern-either: + - pattern: | + class $CLASS { + ... + ExpressionFactory $EF; + ... + $X $METHOD(...) { + ... + $EF.createValueExpression($CTX,$INPUT,...); + ... + } + ... + } + - pattern: | + class $CLASS { + ... + ExpressionFactory $EF = ...; + ... + $X $METHOD(...) { + ... + $EF.createValueExpression($CTX,$INPUT,...); + ... + } + ... + } + - pattern: | + $X $METHOD(...) { + ... + ExpressionFactory $EF = ...; + ... + $EF.createValueExpression($CTX,$INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,ExpressionFactory $EF,...) { + ... + $EF.createValueExpression($CTX,$INPUT,...); + ... + } + - pattern: | + class $CLASS { + ... + ExpressionFactory $EF; + ... + $X $METHOD(...) { + ... + $EF.createMethodExpression($CTX,$INPUT,...); + ... + } + ... + } + - pattern: | + class $CLASS { + ... + ExpressionFactory $EF = ...; + ... + $X $METHOD(...) { + ... + $EF.createMethodExpression($CTX,$INPUT,...); + ... + } + ... + } + - pattern: | + $X $METHOD(...) { + ... + ExpressionFactory $EF = ...; + ... + $EF.createMethodExpression($CTX,$INPUT,...); + ... + } + - pattern: | + $X $METHOD(...,ExpressionFactory $EF,...) { + ... + $EF.createMethodExpression($CTX,$INPUT,...); + ... + } + - pattern: | + $X $METHOD(String $INPUT, ...) { + ... + $OBJECT.buildConstraintViolationWithTemplate($INPUT, ...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + $EF.createValueExpression($CTX,"...",...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + String $S = "..."; + ... + $EF.createValueExpression($CTX,$S,...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + $EF.createMethodExpression($CTX,"...",...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + String $S = "..."; + ... + $EF.createMethodExpression($CTX,$S,...); + ... + } +- id: java.lang.security.audit.formatted-sql-string.formatted-sql-string + metadata: + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + - A05:2025 - Injection + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SQL_INJECTION + asvs: + section: 'V5: Validation, Sanitization and Encoding Verification Requirements' + control_id: 5.3.5 Injection + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements + version: '4' + references: + - https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html + - https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html#create_ps + - https://software-security.sans.org/developer-how-to/fix-sql-injection-in-java-using-prepared-callable-statement + category: security + technology: + - java + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/java.lang.security.audit.formatted-sql-string.formatted-sql-string + shortlink: https://sg.run/OPXp + semgrep.dev: + rule: + r_id: 9175 + rv_id: 1409389 + rule_id: QrUzxR + version_id: ExTeyBP + url: https://semgrep.dev/playground/r/ExTeyBP/java.lang.security.audit.formatted-sql-string.formatted-sql-string + origin: community + options: + taint_assume_safe_numbers: true + taint_assume_safe_booleans: true + message: Detected a formatted string in a SQL statement. This could lead to SQL + injection if variables in the SQL statement are not properly sanitized. Use a + prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement + using 'connection.prepareStatement'. + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern: | + (HttpServletRequest $REQ) + - patterns: + - pattern-inside: | + $ANNOT $FUNC (..., $INPUT, ...) { + ... + } + - pattern: (String $INPUT) + - focus-metavariable: $INPUT + label: INPUT + - patterns: + - pattern-either: + - pattern: $X + $INPUT + - pattern: $X += $INPUT + - pattern: String.format(..., $INPUT, ...) + - pattern: String.join(..., $INPUT, ...) + - pattern: (String $STR).concat($INPUT) + - pattern: $INPUT.concat(...) + - patterns: + - pattern-either: + - pattern: $STRB.append($INPUT) + - pattern: new $STRB(..., $INPUT, ...) + - metavariable-type: + metavariable: $STRB + type: StringBuilder + label: CONCAT + requires: INPUT + pattern-propagators: + - pattern: (StringBuffer $S).append($X) + from: $X + to: $S + - pattern: (StringBuilder $S).append($X) + from: $X + to: $S + pattern-sinks: + - patterns: + - pattern-not: $S.$SQLFUNC(<... "=~/.*TABLE *$/" ...>) + - pattern-not: $S.$SQLFUNC(<... "=~/.*TABLE %s$/" ...>) + - pattern-either: + - pattern: (Statement $S).$SQLFUNC(...) + - pattern: (PreparedStatement $P).$SQLFUNC(...) + - pattern: (Connection $C).createStatement(...).$SQLFUNC(...) + - pattern: (Connection $C).prepareStatement(...).$SQLFUNC(...) + - pattern: (EntityManager $EM).$SQLFUNC(...) + - metavariable-regex: + metavariable: $SQLFUNC + regex: execute|executeQuery|createQuery|query|addBatch|nativeSQL|create|prepare + requires: CONCAT + pattern-sanitizers: + - patterns: + - pattern: (CriteriaBuilder $CB).$ANY(...) + severity: ERROR + languages: + - java +- id: java.lang.security.audit.http-response-splitting.http-response-splitting + metadata: + cwe: + - 'CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (''HTTP + Request/Response Splitting'')' + owasp: + - A03:2021 - Injection + - A05:2025 - Injection + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#HTTP_RESPONSE_SPLITTING + references: + - https://www.owasp.org/index.php/HTTP_Response_Splitting + category: security + technology: + - java + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Improper Validation + source: https://semgrep.dev/r/java.lang.security.audit.http-response-splitting.http-response-splitting + shortlink: https://sg.run/eL0l + semgrep.dev: + rule: + r_id: 9176 + rv_id: 1263023 + rule_id: 3qUPyK + version_id: X0Tzykw + url: https://semgrep.dev/playground/r/X0Tzykw/java.lang.security.audit.http-response-splitting.http-response-splitting + origin: community + message: Older Java application servers are vulnerable to HTTP response splitting, + which may occur if an HTTP request can be injected with CRLF characters. This + finding is reported for completeness; it is recommended to ensure your environment + is not affected by testing this yourself. + severity: INFO + languages: + - java + pattern-either: + - pattern: | + $VAR = $REQ.getParameter(...); + ... + $COOKIE = new Cookie(..., $VAR, ...); + ... + $RESP.addCookie($COOKIE, ...); + - patterns: + - pattern-inside: | + $RETTYPE $FUNC(...,@PathVariable $TYPE $VAR, ...) { + ... + } + - pattern: | + $COOKIE = new Cookie(..., $VAR, ...); + ... + $RESP.addCookie($COOKIE, ...); +- id: java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection + metadata: + cwe: + - 'CWE-297: Improper Validation of Certificate with Host Mismatch' + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#INSECURE_SMTP_SSL + category: security + technology: + - java + references: + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Improper Authentication + source: https://semgrep.dev/r/java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection + shortlink: https://sg.run/vzN4 + semgrep.dev: + rule: + r_id: 9177 + rv_id: 1263024 + rule_id: 4bUkrW + version_id: jQTn5Dv + url: https://semgrep.dev/playground/r/jQTn5Dv/java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection + origin: community + message: Insecure SMTP connection detected. This connection will trust any SSL certificate. + Enable certificate verification by setting 'email.setSSLCheckServerIdentity(true)'. + severity: WARNING + patterns: + - pattern-not-inside: | + $EMAIL.setSSLCheckServerIdentity(true); + ... + - pattern-inside: | + $EMAIL = new SimpleEmail(...); + ... + - pattern: $EMAIL.send(...); + languages: + - java +- id: java.lang.security.audit.jdbc-sql-formatted-string.jdbc-sql-formatted-string + metadata: + cwe: + - 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command + (''SQL Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + - A05:2025 - Injection + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SQL_INJECTION_SPRING_JDBC + asvs: + section: 'V5: Validation, Sanitization and Encoding Verification Requirements' + control_id: 5.3.5 Injection + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements + version: '4' + category: security + technology: + - jdbc + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - SQL Injection + source: https://semgrep.dev/r/java.lang.security.audit.jdbc-sql-formatted-string.jdbc-sql-formatted-string + shortlink: https://sg.run/dKWY + semgrep.dev: + rule: + r_id: 9178 + rv_id: 1263026 + rule_id: PeUZNX + version_id: 9lT4bqk + url: https://semgrep.dev/playground/r/9lT4bqk/java.lang.security.audit.jdbc-sql-formatted-string.jdbc-sql-formatted-string + origin: community + message: 'Possible JDBC injection detected. Use the parameterized query feature + available in queryForObject instead of concatenating or formatting strings: ''jdbc.queryForObject("select + * from table where name = ?", Integer.class, parameterName);''' + patterns: + - pattern-inside: | + $JDBC = new JdbcTemplate(...); + ... + - pattern-either: + - pattern: $JDBC.queryForObject($STR + $VAR, ...); + - pattern: $JDBC.queryForObject(String.format(...), ...); + - pattern: | + String $Q = $STR + $VAR; + ... + $JDBC.queryForObject($Q, ...); + - pattern: | + String $Q = String.format(...); + ... + $JDBC.queryForObject($Q, ...); + - pattern: | + StringBuilder $Q = new StringBuilder(...); + ... + $Q.append($STR + $VAR); + ... + $JDBC.queryForObject($Q, ...); + - pattern: $JDBC.queryForList($STR + $VAR); + - pattern: $JDBC.queryForList(String.format(...)); + - pattern: | + String $Q = $STR + $VAR; + ... + $JDBC.queryForList($Q); + - pattern: | + String $Q = String.format(...); + ... + $JDBC.queryForList($Q); + - pattern: | + StringBuilder $Q = new StringBuilder(...); + ... + $Q.append($STR + $VAR); + ... + $JDBC.queryForList($Q, ...); + - pattern: $JDBC.update($STR + $VAR); + - pattern: $JDBC.update(String.format(...)); + - pattern: | + String $Q = $STR + $VAR; + ... + $JDBC.update($Q); + - pattern: | + String $Q = String.format(...); + ... + $JDBC.update($Q); + - pattern: | + StringBuilder $Q = new StringBuilder(...); + ... + $Q.append($STR + $VAR); + ... + $JDBC.update($Q, ...); + - pattern: $JDBC.execute($STR + $VAR); + - pattern: $JDBC.execute(String.format(...)); + - pattern: | + String $Q = $STR + $VAR; + ... + $JDBC.execute($Q); + - pattern: | + String $Q = String.format(...); + ... + $JDBC.execute($Q); + - pattern: | + StringBuilder $Q = new StringBuilder(...); + ... + $Q.append($STR + $VAR); + ... + $JDBC.execute($Q, ...); + - pattern: $JDBC.insert($STR + $VAR); + - pattern: $JDBC.insert(String.format(...)); + - pattern: | + String $Q = $STR + $VAR; + ... + $JDBC.insert($Q); + - pattern: | + String $Q = String.format(...); + ... + $JDBC.insert($Q); + - pattern: | + StringBuilder $Q = new StringBuilder(...); + ... + $Q.append($STR + $VAR); + ... + $JDBC.insert($Q, ...); + severity: WARNING + languages: + - java +- id: java.lang.security.audit.ldap-entry-poisoning.ldap-entry-poisoning + metadata: + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + - A05:2025 - Injection + cwe: + - 'CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (''LDAP + Injection'')' + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#LDAP_ENTRY_POISONING + asvs: + section: 'V5: Validation, Sanitization and Encoding Verification Requirements' + control_id: 5.3.7 Injection + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements + version: '4' + references: + - https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf + - https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html + category: security + technology: + - java + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - LDAP Injection + source: https://semgrep.dev/r/java.lang.security.audit.ldap-entry-poisoning.ldap-entry-poisoning + shortlink: https://sg.run/ZvOn + semgrep.dev: + rule: + r_id: 9179 + rv_id: 1263027 + rule_id: JDUy8B + version_id: yeTxpGP + url: https://semgrep.dev/playground/r/yeTxpGP/java.lang.security.audit.ldap-entry-poisoning.ldap-entry-poisoning + origin: community + message: An object-returning LDAP search will allow attackers to control the LDAP + response. This could lead to Remote Code Execution. + severity: WARNING + pattern-either: + - pattern: | + new SearchControls($S, $CL, $TL, $AT, true, $DEREF) + - pattern: | + SearchControls $VAR = new SearchControls(); + ... + $VAR.setReturningObjFlag(true); + languages: + - java +- id: java.lang.security.audit.ldap-injection.ldap-injection + message: Detected non-constant data passed into an LDAP query. If this data can + be controlled by an external user, this is an LDAP injection. Ensure data passed + to an LDAP query is not controllable; or properly sanitize the data. + metadata: + cwe: + - 'CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (''LDAP + Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + - A05:2025 - Injection + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#LDAP_INJECTION + asvs: + section: 'V5: Validation, Sanitization and Encoding Verification Requirements' + control_id: 5.3.7 Injection + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements + version: '4' + category: security + technology: + - java + references: + - https://owasp.org/Top10/A03_2021-Injection + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - LDAP Injection + source: https://semgrep.dev/r/java.lang.security.audit.ldap-injection.ldap-injection + shortlink: https://sg.run/nd2O + semgrep.dev: + rule: + r_id: 9180 + rv_id: 1263028 + rule_id: 5rUObQ + version_id: rxTAKl2 + url: https://semgrep.dev/playground/r/rxTAKl2/java.lang.security.audit.ldap-injection.ldap-injection + origin: community + severity: WARNING + languages: + - java + patterns: + - pattern-either: + - pattern-inside: | + $X $METHOD(...) { + ... + InitialDirContext $CTX = ...; + ... + } + - pattern-inside: | + $X $METHOD(...) { + ... + DirContext $CTX = ...; + ... + } + - pattern-inside: | + $X $METHOD(...) { + ... + InitialLdapContext $CTX = ...; + ... + } + - pattern-inside: | + $X $METHOD(...) { + ... + LdapContext $CTX = ...; + ... + } + - pattern-inside: | + $X $METHOD(...) { + ... + LdapCtx $CTX = ...; + ... + } + - pattern-inside: | + $X $METHOD(...) { + ... + EventDirContext $CTX = ...; + ... + } + - pattern: | + $X $METHOD(...) { + ... + $CTX.search($Y,$INPUT,...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + $CTX.search($Y,"...",...); + ... + } +- id: java.lang.security.audit.object-deserialization.object-deserialization + metadata: + cwe: + - 'CWE-502: Deserialization of Untrusted Data' + owasp: + - A08:2017 - Insecure Deserialization + - A08:2021 - Software and Data Integrity Failures + - A08:2025 - Software or Data Integrity Failures + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#OBJECT_DESERIALIZATION + references: + - https://www.owasp.org/index.php/Deserialization_of_untrusted_data + - https://www.oracle.com/java/technologies/javase/seccodeguide.html#8 + category: security + technology: + - java + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - 'Insecure Deserialization ' + source: https://semgrep.dev/r/java.lang.security.audit.object-deserialization.object-deserialization + shortlink: https://sg.run/Ek0A + semgrep.dev: + rule: + r_id: 9181 + rv_id: 1263030 + rule_id: GdU7py + version_id: NdTzyGe + url: https://semgrep.dev/playground/r/NdTzyGe/java.lang.security.audit.object-deserialization.object-deserialization + origin: community + message: Found object deserialization using ObjectInputStream. Deserializing entire + Java objects is dangerous because malicious actors can create Java object streams + with unintended consequences. Ensure that the objects being deserialized are not + user-controlled. If this must be done, consider using HMACs to sign the data stream + to make sure it is not tampered with, or consider only transmitting object fields + and populating a new object. + severity: WARNING + languages: + - java + pattern: new ObjectInputStream(...); +- id: java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission + message: Detected file permissions that are overly permissive (read, write, and + execute). It is generally a bad practices to set overly permissive file permission + such as read+write+exec for all users. If the file affected is a configuration, + a binary, a script or sensitive data, it can lead to privilege escalation or information + leakage. Instead, follow the principle of least privilege and give users only + the permissions they need. + severity: WARNING + languages: + - java + metadata: + cwe: + - 'CWE-276: Incorrect Default Permissions' + owasp: + - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#OVERLY_PERMISSIVE_FILE_PERMISSION + category: security + technology: + - java + references: + - https://owasp.org/Top10/A01_2021-Broken_Access_Control + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Improper Authorization + source: https://semgrep.dev/r/java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission + shortlink: https://sg.run/LwzJ + semgrep.dev: + rule: + r_id: 9183 + rv_id: 1263032 + rule_id: AbUzwB + version_id: w8TRoNn + url: https://semgrep.dev/playground/r/w8TRoNn/java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission + origin: community + pattern-either: + - pattern: java.nio.file.Files.setPosixFilePermissions($FILE, java.nio.file.attribute.PosixFilePermissions.fromString("=~/(^......r..$)|(^.......w.$)|(^........x$)/")); + - pattern: | + $TYPE $P = java.nio.file.attribute.PosixFilePermissions.fromString("=~/(^......r..$)|(^.......w.$)|(^........x$)/"); + ... + java.nio.file.Files.setPosixFilePermissions($FILE, $P); + - pattern: | + $P.add(java.nio.file.attribute.PosixFilePermission.OTHERS_READ); + ... + java.nio.file.Files.setPosixFilePermissions($FILE, $P); + - pattern: | + $P.add(java.nio.file.attribute.PosixFilePermission.OTHERS_WRITE); + ... + java.nio.file.Files.setPosixFilePermissions($FILE, $P); + - pattern: |- + $P.add(java.nio.file.attribute.PosixFilePermission.OTHERS_EXECUTE); + ... + java.nio.file.Files.setPosixFilePermissions($FILE, $P); +- id: java.lang.security.audit.permissive-cors.permissive-cors + message: https://find-sec-bugs.github.io/bugs.htm#PERMISSIVE_CORS Permissive CORS + policy will allow a malicious application to communicate with the victim application + in an inappropriate way, leading to spoofing, data theft, relay and other attacks. + metadata: + cwe: + - 'CWE-183: Permissive List of Allowed Inputs' + asvs: + section: 'V14: Configuration Verification Requirements' + control_id: 14.4.8 Permissive CORS + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x22-V14-Config.md#v144-http-security-headers-requirements + version: '4' + category: security + technology: + - java + owasp: + - A04:2021 - Insecure Design + - A06:2025 - Insecure Design + references: + - https://owasp.org/Top10/A04_2021-Insecure_Design + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Improper Validation + source: https://semgrep.dev/r/java.lang.security.audit.permissive-cors.permissive-cors + shortlink: https://sg.run/8y77 + semgrep.dev: + rule: + r_id: 9184 + rv_id: 1263033 + rule_id: BYUN66 + version_id: xyTjz0p + url: https://semgrep.dev/playground/r/xyTjz0p/java.lang.security.audit.permissive-cors.permissive-cors + origin: community + severity: WARNING + languages: + - java + pattern-either: + - pattern: | + HttpServletResponse $RES = ...; + ... + $RES.addHeader("=~/access-control-allow-origin/i", "=~/^\*|null$/i"); + - pattern: | + HttpServletResponse $RES = ...; + ... + $RES.setHeader("=~/access-control-allow-origin/i", "=~/^\*|null$/i"); + - pattern: | + ServerHttpResponse $RES = ...; + ... + $RES.getHeaders().add("=~/access-control-allow-origin/i", "=~/^\*|null$/i"); + - pattern: | + HttpHeaders $HEADERS = ...; + ... + $HEADERS.set("=~/access-control-allow-origin/i", "=~/^\*|null$/i"); + - pattern: | + ServerWebExchange $SWE = ...; + ... + $SWE.getResponse().getHeaders().add("Access-Control-Allow-Origin", "*"); + - pattern: | + $X $METHOD(...,HttpServletResponse $RES,...) { + ... + $RES.addHeader("=~/access-control-allow-origin/i", "=~/^\*|null$/i"); + ... + } + - pattern: | + $X $METHOD(...,HttpServletResponse $RES,...) { + ... + $RES.setHeader("=~/access-control-allow-origin/i", "=~/^\*|null$/i"); + ... + } + - pattern: | + $X $METHOD(...,ServerHttpResponse $RES,...) { + ... + $RES.getHeaders().add("=~/access-control-allow-origin/i", "=~/^\*|null$/i"); + ... + } + - pattern: | + $X $METHOD(...,ServerWebExchange $SWE,...) { + ... + $SWE.getResponse().getHeaders().add("=~/access-control-allow-origin/i", "=~/^\*|null$/i"); + ... + } + - pattern: ResponseEntity.$RES().header("=~/access-control-allow-origin/i", "=~/^\*|null$/i") + - pattern: ServerResponse.$RES().header("=~/access-control-allow-origin/i", "=~/^\*|null$/i") +- id: java.lang.security.audit.script-engine-injection.script-engine-injection + message: Detected potential code injection using ScriptEngine. Ensure user-controlled + data cannot enter '.eval()', otherwise, this is a code injection vulnerability. + metadata: + cwe: + - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' + owasp: + - A03:2021 - Injection + - A05:2025 - Injection + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SCRIPT_ENGINE_INJECTION + category: security + technology: + - java + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/java.lang.security.audit.script-engine-injection.script-engine-injection + shortlink: https://sg.run/gLqn + semgrep.dev: + rule: + r_id: 9185 + rv_id: 1263034 + rule_id: DbUpAr + version_id: O9TpxEp + url: https://semgrep.dev/playground/r/O9TpxEp/java.lang.security.audit.script-engine-injection.script-engine-injection + origin: community + severity: WARNING + languages: + - java + patterns: + - pattern-either: + - pattern-inside: | + class $CLASS { + ... + ScriptEngine $SE; + ... + } + - pattern-inside: | + class $CLASS { + ... + ScriptEngine $SE = ...; + ... + } + - pattern-inside: | + $X $METHOD(...) { + ... + ScriptEngine $SE = ...; + ... + } + - pattern: | + $X $METHOD(...) { + ... + $SE.eval(...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + $SE.eval("..."); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + String $S = "..."; + ... + $SE.eval($S); + ... + } +- id: java.lang.security.audit.unvalidated-redirect.unvalidated-redirect + message: Application redirects to a destination URL specified by a user-supplied + parameter that is not validated. This could direct users to malicious locations. + Consider using an allowlist to validate URLs. + metadata: + cwe: + - 'CWE-601: URL Redirection to Untrusted Site (''Open Redirect'')' + owasp: + - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#UNVALIDATED_REDIRECT + asvs: + section: 'V5: Validation, Sanitization and Encoding Verification Requirements' + control_id: 5.1.5 Open Redirect + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v51-input-validation-requirements + version: '4' + category: security + technology: + - java + references: + - https://owasp.org/Top10/A01_2021-Broken_Access_Control + subcategory: + - vuln + impact: LOW + likelihood: MEDIUM + confidence: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Open Redirect + source: https://semgrep.dev/r/java.lang.security.audit.unvalidated-redirect.unvalidated-redirect + shortlink: https://sg.run/Q51P + semgrep.dev: + rule: + r_id: 9186 + rv_id: 1263048 + rule_id: WAUo0p + version_id: PkTR329 + url: https://semgrep.dev/playground/r/PkTR329/java.lang.security.audit.unvalidated-redirect.unvalidated-redirect + origin: community + severity: WARNING + languages: + - java + pattern-either: + - pattern: | + $X $METHOD(...,HttpServletResponse $RES,...,String $URL,...) { + ... + $RES.sendRedirect($URL); + ... + } + - pattern: | + $X $METHOD(...,String $URL,...,HttpServletResponse $RES,...) { + ... + $RES.sendRedirect($URL); + ... + } + - pattern: | + $X $METHOD(...,HttpServletRequest $REQ,...,HttpServletResponse $RES,...) { + ... + String $URL = $REQ.getParameter(...); + ... + $RES.sendRedirect($URL); + ... + } + - pattern: | + $X $METHOD(...,HttpServletResponse $RES,...,HttpServletRequest $REQ,...) { + ... + String $URL = $REQ.getParameter(...); + ... + $RES.sendRedirect($URL); + ... + } + - pattern: | + $X $METHOD(...,String $URL,...) { + ... + HttpServletResponse $RES = ...; + ... + $RES.sendRedirect($URL); + ... + } + - pattern: | + $X $METHOD(...,HttpServletRequest $REQ,...,HttpServletResponse $RES,...) { + ... + $RES.sendRedirect($REQ.getParameter(...)); + ... + } + - pattern: | + $X $METHOD(...,HttpServletResponse $RES,...,HttpServletRequest $REQ,...) { + ... + $RES.sendRedirect($REQ.getParameter(...)); + ... + } + - pattern: | + $X $METHOD(...,HttpServletResponse $RES,...,String $URL,...) { + ... + $RES.addHeader("Location",$URL); + ... + } + - pattern: | + $X $METHOD(...,String $URL,...,HttpServletResponse $RES,...) { + ... + $RES.addHeader("Location",$URL); + ... + } + - pattern: | + $X $METHOD(...,HttpServletRequest $REQ,...,HttpServletResponse $RES,...) { + ... + String $URL = $REQ.getParameter(...); + ... + $RES.addHeader("Location",$URL); + ... + } + - pattern: | + $X $METHOD(...,HttpServletResponse $RES,...,HttpServletRequest $REQ,...) { + ... + String $URL = $REQ.getParameter(...); + ... + $RES.addHeader("Location",$URL); + ... + } + - pattern: | + $X $METHOD(...,String $URL,...) { + ... + HttpServletResponse $RES = ...; + ... + $RES.addHeader("Location",$URL); + ... + } + - pattern: | + $X $METHOD(...,HttpServletRequest $REQ,...,HttpServletResponse $RES,...) { + ... + $RES.addHeader("Location",$REQ.getParameter(...)); + ... + } + - pattern: |- + $X $METHOD(...,HttpServletResponse $RES,...,HttpServletRequest $REQ,...) { + ... + $RES.addHeader("Location",$REQ.getParameter(...)); + ... + } +- id: java.lang.security.audit.url-rewriting.url-rewriting + message: URL rewriting has significant security risks. Since session ID appears + in the URL, it may be easily seen by third parties. + metadata: + cwe: + - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' + owasp: + - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#URL_REWRITING + category: security + technology: + - java + references: + - https://owasp.org/Top10/A01_2021-Broken_Access_Control + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Mishandled Sensitive Information + source: https://semgrep.dev/r/java.lang.security.audit.url-rewriting.url-rewriting + shortlink: https://sg.run/3x7b + semgrep.dev: + rule: + r_id: 9187 + rv_id: 1263049 + rule_id: 0oU5j3 + version_id: JdTzxGb + url: https://semgrep.dev/playground/r/JdTzxGb/java.lang.security.audit.url-rewriting.url-rewriting + origin: community + severity: WARNING + languages: + - java + pattern-either: + - pattern: | + $X $METHOD(...,HttpServletResponse $RES,...) { + ... + $RES.encodeURL(...); + ... + } + - pattern: | + $X $METHOD(...,HttpServletResponse $RES,...) { + ... + $RES.encodeUrl(...); + ... + } + - pattern: | + $X $METHOD(...,HttpServletResponse $RES,...) { + ... + $RES.encodeRedirectURL(...); + ... + } + - pattern: | + $X $METHOD(...,HttpServletResponse $RES,...) { + ... + $RES.encodeRedirectUrl(...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + HttpServletResponse $RES = ...; + ... + $RES.encodeURL(...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + HttpServletResponse $RES = ...; + ... + $RES.encodeUrl(...); + ... + } + - pattern: | + $X $METHOD(...) { + ... + HttpServletResponse $RES = ...; + ... + $RES.encodeRedirectURL(...); + ... + } + - pattern: |- + $X $METHOD(...) { + ... + HttpServletResponse $RES = ...; + ... + $RES.encodeRedirectUrl(...); + ... + } +- id: java.lang.security.audit.weak-ssl-context.weak-ssl-context + metadata: + cwe: + - 'CWE-326: Inadequate Encryption Strength' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures + source_rule_url: https://find-sec-bugs.github.io/bugs.htm#SSL_CONTEXT + references: + - https://tools.ietf.org/html/rfc7568 + - https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html + category: security + technology: + - java + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/java.lang.security.audit.weak-ssl-context.weak-ssl-context + shortlink: https://sg.run/4x7E + semgrep.dev: + rule: + r_id: 9188 + rv_id: 1263050 + rule_id: KxUb1k + version_id: 5PTo1rW + url: https://semgrep.dev/playground/r/5PTo1rW/java.lang.security.audit.weak-ssl-context.weak-ssl-context + origin: community + message: An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL + versions are considered weak encryption and are deprecated. Use SSLContext.getInstance("TLSv1.2") + for the best security. + severity: WARNING + languages: + - java + patterns: + - pattern-not: SSLContext.getInstance("TLSv1.3") + - pattern-not: SSLContext.getInstance("TLSv1.2") + - pattern: SSLContext.getInstance("...") + fix-regex: + regex: (.*?)\.getInstance\(.*?\) + replacement: \1.getInstance("TLSv1.2") +- id: java.lang.security.audit.xml-decoder.xml-decoder + message: XMLDecoder should not be used to parse untrusted data. Deserializing user + input can lead to arbitrary code execution. Use an alternative and explicitly + disable external entities. See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html + for alternatives and vulnerability prevention. + metadata: + cwe: + - 'CWE-611: Improper Restriction of XML External Entity Reference' + owasp: + - A04:2017 - XML External Entities (XXE) + - A05:2021 - Security Misconfiguration + - A02:2025 - Security Misconfiguration + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#XML_DECODER + references: + - https://semgrep.dev/blog/2022/xml-security-in-java + - https://semgrep.dev/docs/cheat-sheets/java-xxe/ + - https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html + category: security + technology: + - java + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - XML Injection + source: https://semgrep.dev/r/java.lang.security.audit.xml-decoder.xml-decoder + shortlink: https://sg.run/PJjq + semgrep.dev: + rule: + r_id: 9189 + rv_id: 1263051 + rule_id: qNUj3y + version_id: GxTkeY1 + url: https://semgrep.dev/playground/r/GxTkeY1/java.lang.security.audit.xml-decoder.xml-decoder + origin: community + severity: WARNING + languages: + - java + patterns: + - pattern: | + $X $METHOD(...) { + ... + new XMLDecoder(...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + new XMLDecoder("..."); + ... + } + - pattern-not: |- + $X $METHOD(...) { + ... + String $STR = "..."; + ... + new XMLDecoder($STR); + ... + } +- id: java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure + metadata: + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + - A05:2025 - Injection + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#XSS_REQUEST_WRAPPER + category: security + technology: + - java + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure + shortlink: https://sg.run/J96Q + semgrep.dev: + rule: + r_id: 9190 + rv_id: 1263056 + rule_id: lBU9Gj + version_id: WrTqKGK + url: https://semgrep.dev/playground/r/WrTqKGK/java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure + origin: community + message: It looks like you're using an implementation of XSSRequestWrapper from + dzone. (https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html) + The XSS filtering in this code is not secure and can be bypassed by malicious + actors. It is recommended to use a stack that automatically escapes in your view + or templates instead of filtering yourself. + severity: WARNING + languages: + - java + pattern-either: + - pattern: | + class XSSRequestWrapper extends HttpServletRequestWrapper { + ... + } + - pattern: |- + $P = $X.compile("", $X.CASE_INSENSITIVE); + $V = $P.matcher(...).replaceAll(""); +- id: java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal + metadata: + cwe: + - 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path + Traversal'')' + owasp: + - A05:2017 - Broken Access Control + - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#PATH_TRAVERSAL_IN + references: + - https://www.owasp.org/index.php/Path_Traversal + category: security + technology: + - java + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Path Traversal + source: https://semgrep.dev/r/java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal + shortlink: https://sg.run/oxXN + semgrep.dev: + rule: + r_id: 9160 + rv_id: 1263064 + rule_id: NbUk7X + version_id: zyTb2rq + url: https://semgrep.dev/playground/r/zyTb2rq/java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal + origin: community + message: Detected a potential path traversal. A malicious actor could control the + location of this file, to include going backwards in the directory with '../'. + To address this, ensure that user-controlled variables in file paths are sanitized. + You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) + to only retrieve the file name from the path. + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern: | + (HttpServletRequest $REQ) + - patterns: + - pattern-inside: | + (javax.servlet.http.Cookie[] $COOKIES) = (HttpServletRequest $REQ).getCookies(...); + ... + for (javax.servlet.http.Cookie $COOKIE: $COOKIES) { + ... + } + - pattern: | + $COOKIE.getValue(...) + - patterns: + - pattern-inside: | + $TYPE[] $VALS = (HttpServletRequest $REQ).$GETFUNC(...); + ... + - pattern: | + $PARAM = $VALS[$INDEX]; + pattern-sanitizers: + - pattern: org.apache.commons.io.FilenameUtils.getName(...) + pattern-sinks: + - patterns: + - pattern-either: + - pattern: | + (java.io.File $FILE) = ... + - pattern: | + (java.io.FileOutputStream $FOS) = ... + - pattern: | + new java.io.FileInputStream(...) + severity: ERROR + languages: + - java +- id: java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss + message: 'Cross-site scripting detected in HttpServletResponse writer with variable + ''$VAR''. User input was detected going directly from the HttpServletRequest into + output. Ensure your data is properly encoded using org.owasp.encoder.Encode.forHtml: + ''Encode.forHtml($VAR)''.' + metadata: + cwe: + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + - A05:2025 - Injection + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#XSS_SERVLET + category: security + technology: + - java + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cross-Site-Scripting (XSS) + source: https://semgrep.dev/r/java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss + shortlink: https://sg.run/pxjN + semgrep.dev: + rule: + r_id: 9162 + rv_id: 1263066 + rule_id: wdUJOk + version_id: 2KTv2EG + url: https://semgrep.dev/playground/r/2KTv2EG/java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss + origin: community + severity: ERROR + patterns: + - pattern-inside: $TYPE $FUNC(..., HttpServletResponse $RESP, ...) { ... } + - pattern-inside: $VAR = $REQ.getParameter(...); ... + - pattern-either: + - pattern: $RESP.getWriter(...).write(..., $VAR, ...); + - pattern: | + $WRITER = $RESP.getWriter(...); + ... + $WRITER.write(..., $VAR, ...); + languages: + - java +- id: java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled + severity: ERROR + metadata: + cwe: + - 'CWE-611: Improper Restriction of XML External Entity Reference' + owasp: + - A04:2017 - XML External Entities (XXE) + - A05:2021 - Security Misconfiguration + - A02:2025 - Security Misconfiguration + asvs: + section: V5 Validation, Sanitization and Encoding + control_id: 5.5.2 Insecue XML Deserialization + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention + version: '4' + references: + - https://semgrep.dev/blog/2022/xml-security-in-java + - https://semgrep.dev/docs/cheat-sheets/java-xxe/ + - https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf + category: security + technology: + - java + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - XML Injection + source: https://semgrep.dev/r/java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled + shortlink: https://sg.run/2x75 + semgrep.dev: + rule: + r_id: 9163 + rv_id: 1263068 + rule_id: x8Unkq + version_id: jQTn5Jv + url: https://semgrep.dev/playground/r/jQTn5Jv/java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled + origin: community + message: XML external entities are enabled for this XMLInputFactory. This is vulnerable + to XML external entity attacks. Disable external entities by setting "javax.xml.stream.isSupportingExternalEntities" + to false. + patterns: + - pattern-either: + - pattern: (javax.xml.stream.XMLInputFactory $XMLFACTORY).setProperty("javax.xml.stream.isSupportingExternalEntities", + true); + - pattern: (javax.xml.stream.XMLInputFactory $XMLFACTORY).setProperty(javax.xml.stream.XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, + true); + - pattern: (javax.xml.stream.XMLInputFactory $XMLFACTORY).setProperty(javax.xml.stream.XMLInputFactory.SUPPORT_DTD, + true); + - pattern: (javax.xml.stream.XMLInputFactory $XMLFACTORY).setProperty("javax.xml.stream.isSupportingExternalEntities", + Boolean.TRUE); + - pattern: (javax.xml.stream.XMLInputFactory $XMLFACTORY).setProperty(javax.xml.stream.XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, + Boolean.TRUE); + - pattern: (javax.xml.stream.XMLInputFactory $XMLFACTORY).setProperty(javax.xml.stream.XMLInputFactory.SUPPORT_DTD, + Boolean.TRUE); + languages: + - java +- id: java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe + severity: WARNING + metadata: + cwe: + - 'CWE-611: Improper Restriction of XML External Entity Reference' + owasp: + - A04:2017 - XML External Entities (XXE) + - A05:2021 - Security Misconfiguration + - A02:2025 - Security Misconfiguration + asvs: + section: V5 Validation, Sanitization and Encoding + control_id: 5.5.2 Insecue XML Deserialization + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention + version: '4' + references: + - https://semgrep.dev/blog/2022/xml-security-in-java + - https://semgrep.dev/docs/cheat-sheets/java-xxe/ + - https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf + - https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser + category: security + technology: + - java + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: HIGH + confidence: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - XML Injection + source: https://semgrep.dev/r/java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe + shortlink: https://sg.run/XBwA + semgrep.dev: + rule: + r_id: 9164 + rv_id: 1263069 + rule_id: OrU35O + version_id: 1QTypQZ + url: https://semgrep.dev/playground/r/1QTypQZ/java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe + origin: community + message: XML external entities are not explicitly disabled for this XMLInputFactory. + This could be vulnerable to XML external entity vulnerabilities. Explicitly disable + external entities by setting "javax.xml.stream.isSupportingExternalEntities" to + false. + patterns: + - pattern-not-inside: | + $METHOD(...) { + ... + $XMLFACTORY.setProperty("javax.xml.stream.isSupportingExternalEntities", false); + ... + } + - pattern-not-inside: | + $METHOD(...) { + ... + $XMLFACTORY.setProperty(javax.xml.stream.XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false); + ... + } + - pattern-not-inside: | + $METHOD(...) { + ... + $XMLFACTORY.setProperty("javax.xml.stream.isSupportingExternalEntities", Boolean.FALSE); + ... + } + - pattern-not-inside: | + $METHOD(...) { + ... + $XMLFACTORY.setProperty(javax.xml.stream.XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE); + ... + } + - pattern-either: + - pattern: javax.xml.stream.XMLInputFactory.newFactory(...) + - pattern: new XMLInputFactory(...) + languages: + - java +- id: java.rmi.security.server-dangerous-object-deserialization.server-dangerous-object-deserialization + severity: ERROR + metadata: + cwe: + - 'CWE-502: Deserialization of Untrusted Data' + owasp: + - A08:2017 - Insecure Deserialization + - A08:2021 - Software and Data Integrity Failures + - A08:2025 - Software or Data Integrity Failures + references: + - https://frohoff.github.io/appseccali-marshalling-pickles/ + - https://book.hacktricks.xyz/network-services-pentesting/1099-pentesting-java-rmi + - https://youtu.be/t_aw1mDNhzI + - https://github.com/qtc-de/remote-method-guesser + - https://github.com/openjdk/jdk/blob/master/src/java.rmi/share/classes/sun/rmi/server/UnicastRef.java#L303C4-L331 + category: security + technology: + - rmi + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - 'Insecure Deserialization ' + source: https://semgrep.dev/r/java.rmi.security.server-dangerous-object-deserialization.server-dangerous-object-deserialization + shortlink: https://sg.run/zvnl + semgrep.dev: + rule: + r_id: 9217 + rv_id: 1263072 + rule_id: NbUkw5 + version_id: rxTAKN2 + url: https://semgrep.dev/playground/r/rxTAKN2/java.rmi.security.server-dangerous-object-deserialization.server-dangerous-object-deserialization + origin: community + message: Using an arbitrary object ('$PARAMTYPE $PARAM') with Java RMI is an insecure + deserialization vulnerability. This object can be manipulated by a malicious actor + allowing them to execute code on your system. Instead, use an integer ID to look + up your object, or consider alternative serialization schemes such as JSON. + languages: + - java + patterns: + - pattern: | + interface $INTERFACE extends Remote { + $RETURNTYPE $METHOD($PARAMTYPE $PARAM) throws RemoteException; + } + - metavariable-pattern: + metavariable: $PARAMTYPE + language: generic + patterns: + - pattern-not: String + - pattern-not: java.lang.String + - pattern-not: boolean + - pattern-not: Boolean + - pattern-not: java.lang.Boolean + - pattern-not: byte + - pattern-not: Byte + - pattern-not: java.lang.Byte + - pattern-not: char + - pattern-not: Character + - pattern-not: java.lang.Character + - pattern-not: double + - pattern-not: Double + - pattern-not: java.lang.Double + - pattern-not: float + - pattern-not: Float + - pattern-not: java.lang.Float + - pattern-not: int + - pattern-not: Integer + - pattern-not: java.lang.Integer + - pattern-not: long + - pattern-not: Long + - pattern-not: java.lang.Long + - pattern-not: short + - pattern-not: Short + - pattern-not: java.lang.Short +- id: java.spring.security.audit.spel-injection.spel-injection + message: A Spring expression is built with a dynamic value. The source of the value(s) + should be verified to avoid that unfiltered values fall into this risky code evaluation. + metadata: + cwe: + - 'CWE-94: Improper Control of Generation of Code (''Code Injection'')' + owasp: + - A03:2021 - Injection + - A05:2025 - Injection + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SPEL_INJECTION + category: security + technology: + - spring + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/java.spring.security.audit.spel-injection.spel-injection + shortlink: https://sg.run/XBp4 + semgrep.dev: + rule: + r_id: 9220 + rv_id: 1263075 + rule_id: x8Un7b + version_id: kbTzG5Y + url: https://semgrep.dev/playground/r/kbTzG5Y/java.spring.security.audit.spel-injection.spel-injection + origin: community + severity: WARNING + languages: + - java + patterns: + - pattern-either: + - pattern-inside: | + class $CLASS { + ... + ExpressionParser $PARSER; + ... + } + - pattern-inside: | + class $CLASS { + ... + ExpressionParser $PARSER = ...; + ... + } + - pattern-inside: | + $X $METHOD(...) { + ... + ExpressionParser $PARSER = ...; + ... + } + - pattern-inside: | + class $CLASS { + ... + SpelExpressionParser $PARSER; + ... + } + - pattern-inside: | + class $CLASS { + ... + SpelExpressionParser $PARSER = ...; + ... + } + - pattern-inside: | + $X $METHOD(...) { + ... + SpelExpressionParser $PARSER = ...; + ... + } + - pattern-inside: | + class $CLASS { + ... + TemplateAwareExpressionParser $PARSER; + ... + } + - pattern-inside: | + class $CLASS { + ... + TemplateAwareExpressionParser $PARSER = ...; + ... + } + - pattern-inside: | + $X $METHOD(...) { + ... + TemplateAwareExpressionParser $PARSER = ...; + ... + } + - pattern: | + $X $METHOD(...) { + ... + $PARSER.parseExpression(...); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + $PARSER.parseExpression("..."); + ... + } + - pattern-not: | + $X $METHOD(...) { + ... + String $S = "..."; + ... + $PARSER.parseExpression($S); + ... + } +- id: java.spring.security.audit.spring-csrf-disabled.spring-csrf-disabled + message: CSRF protection is disabled for this configuration. This is a security + risk. + metadata: + cwe: + - 'CWE-352: Cross-Site Request Forgery (CSRF)' + owasp: + - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_PROTECTION_DISABLED + asvs: + section: V4 Access Control + control_id: 4.2.2 CSRF + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V4-Access-Control.md#v42-operation-level-access-control + version: '4' + category: security + technology: + - spring + references: + - https://owasp.org/Top10/A01_2021-Broken_Access_Control + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cross-Site Request Forgery (CSRF) + source: https://semgrep.dev/r/java.spring.security.audit.spring-csrf-disabled.spring-csrf-disabled + shortlink: https://sg.run/jRnl + semgrep.dev: + rule: + r_id: 9221 + rv_id: 1263080 + rule_id: OrU3gK + version_id: vdT06dL + url: https://semgrep.dev/playground/r/vdT06dL/java.spring.security.audit.spring-csrf-disabled.spring-csrf-disabled + origin: community + severity: WARNING + languages: + - java + pattern: $OBJ.csrf(...).disable(...) +- id: java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect + message: Application redirects a user to a destination URL specified by a user supplied + parameter that is not validated. + metadata: + cwe: + - 'CWE-601: URL Redirection to Untrusted Site (''Open Redirect'')' + owasp: + - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#UNVALIDATED_REDIRECT + category: security + technology: + - spring + references: + - https://owasp.org/Top10/A01_2021-Broken_Access_Control + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Open Redirect + source: https://semgrep.dev/r/java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect + shortlink: https://sg.run/9oXz + semgrep.dev: + rule: + r_id: 9223 + rv_id: 1263083 + rule_id: v8Un7w + version_id: nWT2Lk0 + url: https://semgrep.dev/playground/r/nWT2Lk0/java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect + origin: community + severity: WARNING + languages: + - java + pattern-either: + - pattern: | + $X $METHOD(...,String $URL,...) { + return "redirect:" + $URL; + } + - pattern: | + $X $METHOD(...,String $URL,...) { + ... + String $REDIR = "redirect:" + $URL; + ... + return $REDIR; + ... + } + - pattern: | + $X $METHOD(...,String $URL,...) { + ... + new ModelAndView("redirect:" + $URL); + ... + } + - pattern: |- + $X $METHOD(...,String $URL,...) { + ... + String $REDIR = "redirect:" + $URL; + ... + new ModelAndView($REDIR); + ... + } +- id: java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping + patterns: + - pattern-inside: | + @RequestMapping(...) + $RETURNTYPE $METHOD(...) { ... } + - pattern-not-inside: | + @RequestMapping(..., method = $X, ...) + $RETURNTYPE $METHOD(...) { ... } + - pattern: | + RequestMapping + message: Detected a method annotated with 'RequestMapping' that does not specify + the HTTP method. CSRF protections are not enabled for GET, HEAD, TRACE, or OPTIONS, + and by default all HTTP methods are allowed when the HTTP method is not explicitly + specified. This means that a method that performs state changes could be vulnerable + to CSRF attacks. To mitigate, add the 'method' field and specify the HTTP method + (such as 'RequestMethod.POST'). + severity: WARNING + metadata: + cwe: + - 'CWE-352: Cross-Site Request Forgery (CSRF)' + owasp: + - A01:2021 - Broken Access Control + - A01:2025 - Broken Access Control + source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING + references: + - https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING + category: security + technology: + - spring + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cross-Site Request Forgery (CSRF) + source: https://semgrep.dev/r/java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping + shortlink: https://sg.run/2xlq + semgrep.dev: + rule: + r_id: 9219 + rv_id: 1263089 + rule_id: wdUJ7q + version_id: QkTGq2l + url: https://semgrep.dev/playground/r/QkTGq2l/java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping + origin: community + languages: + - java +- id: javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection + message: Found an insecure gRPC connection. This creates a connection without encryption + to a gRPC client/server. A malicious attacker could tamper with the gRPC message, + which could compromise the machine. + metadata: + owasp: + - A08:2017 - Insecure Deserialization + - A08:2021 - Software and Data Integrity Failures + - A08:2025 - Software or Data Integrity Failures + cwe: + - 'CWE-502: Deserialization of Untrusted Data' + category: security + technology: + - grpc + references: + - https://blog.gopheracademy.com/advent-2017/go-grpc-beyond-basics/#:~:text=disables%20transport%20security + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - 'Insecure Deserialization ' + source: https://semgrep.dev/r/javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection + shortlink: https://sg.run/5QkD + semgrep.dev: + rule: + r_id: 9291 + rv_id: 1263180 + rule_id: lBU9D8 + version_id: e1TyjAl + url: https://semgrep.dev/playground/r/e1TyjAl/javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection + origin: community + languages: + - javascript + - typescript + severity: ERROR + pattern-either: + - pattern: | + require('grpc'); + ... + $GRPC($ADDR,...,$CREDENTIALS.createInsecure(),...); + - pattern: | + require('grpc'); + ... + new $GRPC($ADDR,...,$CREDENTIALS.createInsecure(),...); + - pattern: |- + require('grpc'); + ... + $CREDS = <... $CREDENTIALS.createInsecure() ...>; + ... + $GRPC($ADDR,...,$CREDS,...); + - pattern: |- + require('grpc'); + ... + $CREDS = <... $CREDENTIALS.createInsecure() ...>; + ... + new $GRPC($ADDR,...,$CREDS,...); +- id: javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret + message: A hard-coded credential was detected. It is not recommended to store credentials + in source-code, as this risks secrets being leaked and used by either an internal + or external malicious adversary. It is recommended to use environment variables + to securely provide credentials or retrieve credentials from a secure vault or + HSM (Hardware Security Module). + metadata: + interfile: true + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + asvs: + section: 'V3: Session Management Verification Requirements' + control_id: 3.5.2 Static API keys or secret + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management + version: '4' + category: security + technology: + - jose + - jwt + - secrets + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret + shortlink: https://sg.run/Ro1g + semgrep.dev: + rule: + r_id: 9293 + rv_id: 1263182 + rule_id: JDUyRl + version_id: d6TyxbX + url: https://semgrep.dev/playground/r/d6TyxbX/javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret + origin: community + languages: + - javascript + - typescript + severity: WARNING + patterns: + - pattern-inside: | + $JOSE = require("jose"); + ... + - pattern-either: + - pattern-inside: | + var {JWT} = $JOSE; + ... + - pattern-inside: | + var {JWK, JWT} = $JOSE; + ... + - pattern-inside: | + const {JWT} = $JOSE; + ... + - pattern-inside: | + const {JWK, JWT} = $JOSE; + ... + - pattern-inside: | + let {JWT} = $JOSE; + ... + - pattern-inside: | + let {JWK, JWT} = $JOSE; + ... + - pattern-either: + - pattern: | + JWT.verify($P, "...", ...); + - pattern: | + JWT.sign($P, "...", ...); + - pattern: "JWT.verify($P, JWK.asKey(\"...\"), ...); \n" + - pattern: | + $JWT.sign($P, JWK.asKey("..."), ...); + options: + symbolic_propagation: true + interfile: true +- id: javascript.jose.security.jwt-none-alg.jwt-none-alg + message: Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm + assumes the integrity of the token has already been verified. This would allow + a malicious actor to forge a JWT token that will automatically be verified. Do + not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'. + metadata: + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures + source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/ + asvs: + section: 'V3: Session Management Verification Requirements' + control_id: 3.5.3 Insecue Stateless Session Tokens + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management + version: '4' + category: security + technology: + - jose + - jwt + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: HIGH + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/javascript.jose.security.jwt-none-alg.jwt-none-alg + shortlink: https://sg.run/AvRL + semgrep.dev: + rule: + r_id: 9294 + rv_id: 1263183 + rule_id: 5rUOGN + version_id: ZRTKAyb + url: https://semgrep.dev/playground/r/ZRTKAyb/javascript.jose.security.jwt-none-alg.jwt-none-alg + origin: community + languages: + - javascript + - typescript + severity: ERROR + pattern-either: + - pattern: | + var $JOSE = require("jose"); + ... + var { JWK, JWT } = $JOSE; + ... + var $T = JWT.verify($P, JWK.None,...); + - pattern: | + var $JOSE = require("jose"); + ... + var { JWK, JWT } = $JOSE; + ... + $T = JWT.verify($P, JWK.None,...); + - pattern: | + var $JOSE = require("jose"); + ... + var { JWK, JWT } = $JOSE; + ... + JWT.verify($P, JWK.None,...); +- id: javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret + message: A hard-coded credential was detected. It is not recommended to store credentials + in source-code, as this risks secrets being leaked and used by either an internal + or external malicious adversary. It is recommended to use environment variables + to securely provide credentials or retrieve credentials from a secure vault or + HSM (Hardware Security Module). + metadata: + cwe: + - 'CWE-798: Use of Hard-coded Credentials' + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html + owasp: + - A07:2021 - Identification and Authentication Failures + - A07:2025 - Authentication Failures + asvs: + section: 'V3: Session Management Verification Requirements' + control_id: 3.5.2 Static API keys or secret + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management + version: '4' + category: security + technology: + - jwt + - javascript + - secrets + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: HIGH + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Hard-coded Secrets + source: https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret + shortlink: https://sg.run/4xN9 + semgrep.dev: + rule: + r_id: 9300 + rv_id: 1263189 + rule_id: WAUon7 + version_id: gETB75D + url: https://semgrep.dev/playground/r/gETB75D/javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret + origin: community + languages: + - javascript + - typescript + severity: WARNING + mode: taint + pattern-sources: + - patterns: + - pattern: "$X = '...' \n" + - pattern: "$X = '$Y' \n" + - patterns: + - pattern-either: + - pattern-inside: | + $JWT.sign($DATA,"...",...); + - pattern-inside: | + $JWT.verify($DATA,"...",...); + pattern-sinks: + - patterns: + - pattern-either: + - pattern-inside: | + $JWT = require("jsonwebtoken") + ... + - pattern-inside: | + import $JWT from "jsonwebtoken" + ... + - pattern-inside: | + import * as $JWT from "jsonwebtoken" + ... + - pattern-inside: | + import {...,$JWT,...} from "jsonwebtoken" + ... + - pattern-either: + - pattern-inside: | + $JWT.sign($DATA,$VALUE,...); + - pattern-inside: | + $JWT.verify($DATA,$VALUE,...); + - focus-metavariable: $VALUE +- id: javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg + message: Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm + assumes the integrity of the token has already been verified. This would allow + a malicious actor to forge a JWT token that will automatically be verified. Do + not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'. + metadata: + cwe: + - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + owasp: + - A03:2017 - Sensitive Data Exposure + - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures + source-rule-url: https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/ + asvs: + section: 'V3: Session Management Verification Requirements' + control_id: 3.5.3 Insecue Stateless Session Tokens + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management + version: '4' + category: security + technology: + - jwt + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg + shortlink: https://sg.run/PJXv + semgrep.dev: + rule: + r_id: 9301 + rv_id: 1263190 + rule_id: 0oU53g + version_id: QkTGqQo + url: https://semgrep.dev/playground/r/QkTGqQo/javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg + origin: community + languages: + - javascript + - typescript + severity: ERROR + patterns: + - pattern-inside: | + $JWT = require("jsonwebtoken"); + ... + - pattern: $JWT.verify($P, $X, {algorithms:[...,'none',...]},...) +- id: javascript.lang.security.detect-buffer-noassert.detect-buffer-noassert + message: Detected usage of noassert in Buffer API, which allows the offset the be + beyond the end of the buffer. This could result in writing or reading beyond the + end of the buffer. + metadata: + cwe: + - 'CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer' + source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-buffer-noassert.js + category: security + technology: + - javascript + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + references: + - https://cwe.mitre.org/data/definitions/119.html + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Memory Issues + source: https://semgrep.dev/r/javascript.lang.security.detect-buffer-noassert.detect-buffer-noassert + shortlink: https://sg.run/qxpO + semgrep.dev: + rule: + r_id: 9312 + rv_id: 945886 + rule_id: j2Uvj8 + version_id: 9lTy1Y6 + url: https://semgrep.dev/playground/r/9lTy1Y6/javascript.lang.security.detect-buffer-noassert.detect-buffer-noassert + origin: community + languages: + - javascript + - typescript + severity: WARNING + patterns: + - pattern: $OBJ.$API(..., true) + - metavariable-regex: + metavariable: $API + regex: (read|write)(U?Int8|(U?Int(16|32)|Float|Double)(LE|BE)) +- id: javascript.lang.security.detect-child-process.detect-child-process + message: 'Detected calls to child_process from a function argument `$FUNC`. This + could lead to a command injection if the input is user controllable. Try to avoid + calls to child_process, and if it is needed ensure user input is correctly sanitized + or sandboxed. ' + metadata: + cwe: + - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS + Command Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + - A05:2025 - Injection + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#do-not-use-dangerous-functions + source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-child-process.js + category: security + technology: + - javascript + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: HIGH + confidence: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Command Injection + source: https://semgrep.dev/r/javascript.lang.security.detect-child-process.detect-child-process + shortlink: https://sg.run/l2lo + semgrep.dev: + rule: + r_id: 9313 + rv_id: 1409399 + rule_id: 10UKNB + version_id: 5PT7KnG + url: https://semgrep.dev/playground/r/5PT7KnG/javascript.lang.security.detect-child-process.detect-child-process + origin: community + languages: + - javascript + - typescript + severity: ERROR + mode: taint + pattern-sources: + - patterns: + - pattern-inside: | + function ... (...,$FUNC,...) { + ... + } + - focus-metavariable: $FUNC + pattern-sinks: + - patterns: + - pattern-either: + - pattern-inside: | + $CP = require('child_process') + ... + - pattern-inside: | + import * as $CP from 'child_process' + ... + - pattern-inside: | + import $CP from 'child_process' + ... + - pattern-either: + - pattern: $CP.exec($CMD,...) + - pattern: $CP.execSync($CMD,...) + - pattern: $CP.spawn($CMD,...) + - pattern: $CP.spawnSync($CMD,...) + - pattern-not-inside: $CP.$EXEC("...",...) + - pattern-not-inside: $CP.$EXEC(["...",...],...) + - pattern-not-inside: | + $CMD = "..." + ... + - pattern-not-inside: | + $CMD = ["...",...] + ... + - focus-metavariable: $CMD + - patterns: + - pattern-either: + - pattern: child_process.exec($CMD,...) + - pattern: child_process.execSync($CMD,...) + - pattern: child_process.spawn($CMD,...) + - pattern: child_process.spawnSync($CMD,...) + - pattern-not-inside: child_process.$EXEC("...",...) + - pattern-not-inside: child_process.$EXEC(["...",...],...) + - pattern-not-inside: | + $CMD = "..." + ... + - pattern-not-inside: | + $CMD = ["...",...] + ... + - focus-metavariable: $CMD +- id: javascript.lang.security.detect-disable-mustache-escape.detect-disable-mustache-escape + message: Markup escaping disabled. This can be used with some template engines to + escape disabling of HTML entities, which can lead to XSS attacks. + metadata: + cwe: + - 'CWE-116: Improper Encoding or Escaping of Output' + owasp: + - A03:2021 - Injection + - A05:2025 - Injection + source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-disable-mustache-escape.js + category: security + technology: + - mustache + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + references: + - https://owasp.org/Top10/A03_2021-Injection + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Improper Encoding + source: https://semgrep.dev/r/javascript.lang.security.detect-disable-mustache-escape.detect-disable-mustache-escape + shortlink: https://sg.run/Yvwd + semgrep.dev: + rule: + r_id: 9314 + rv_id: 1263213 + rule_id: 9AU17r + version_id: DkTRb3X + url: https://semgrep.dev/playground/r/DkTRb3X/javascript.lang.security.detect-disable-mustache-escape.detect-disable-mustache-escape + origin: community + languages: + - javascript + - typescript + severity: WARNING + pattern: $OBJ.escapeMarkup = false +- id: javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression + message: Detected use of dynamic execution of JavaScript which may come from user-input, + which can lead to Cross-Site-Scripting (XSS). Where possible avoid including user-input + in functions which dynamically execute user-input. + metadata: + cwe: + - 'CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code + (''Eval Injection'')' + owasp: + - A03:2021 - Injection + - A05:2025 - Injection + source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-eval-with-expression.js + references: + - https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval! + category: security + technology: + - javascript + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Code Injection + source: https://semgrep.dev/r/javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression + shortlink: https://sg.run/6nwK + semgrep.dev: + rule: + r_id: 9315 + rv_id: 1263214 + rule_id: yyUngo + version_id: WrTqKkJ + url: https://semgrep.dev/playground/r/WrTqKkJ/javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression + origin: community + languages: + - javascript + - typescript + severity: WARNING + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern-inside: | + $PROP = new URLSearchParams($WINDOW. ... .location.search).get('...') + ... + - pattern-inside: | + $PROP = new URLSearchParams(location.search).get('...') + ... + - pattern-inside: | + $PROP = new URLSearchParams($WINDOW. ... .location.hash.substring(1)).get('...') + ... + - pattern-inside: | + $PROP = new URLSearchParams(location.hash.substring(1)).get('...') + ... + - focus-metavariable: $PROP + - patterns: + - pattern-either: + - pattern-inside: | + $PROPS = new URLSearchParams($WINDOW. ... .location.search) + ... + - pattern-inside: | + $PROPS = new URLSearchParams(location.search) + ... + - pattern-inside: | + $PROPS = new + URLSearchParams($WINDOW. ... .location.hash.substring(1)) + ... + - pattern-inside: | + $PROPS = new URLSearchParams(location.hash.substring(1)) + ... + - pattern: $PROPS.get('...') + - focus-metavariable: $PROPS + - patterns: + - pattern-either: + - pattern: location.href + - pattern: location.hash + - pattern: location.search + - pattern: $WINDOW. ... .location.href + - pattern: $WINDOW. ... .location.hash + - pattern: $WINDOW. ... .location.search + pattern-sinks: + - patterns: + - pattern-either: + - pattern: eval(<... $SINK ...>) + - pattern: window.eval(<... $SINK ...>) + - pattern: new Function(<... $SINK ...>) + - pattern: new Function(<... $SINK ...>)(...) + - pattern: setTimeout(<... $SINK ...>,...) + - pattern: setInterval(<... $SINK ...>,...) + - focus-metavariable: $SINK + pattern-sanitizers: + - patterns: + - pattern-either: + - pattern: location.href = $FUNC(...) + - pattern: location.hash = $FUNC(...) + - pattern: location.search = $FUNC(...) + - pattern: $WINDOW. ... .location.href = $FUNC(...) + - pattern: $WINDOW. ... .location.hash = $FUNC(...) + - pattern: $WINDOW. ... .location.search = $FUNC(...) +- id: javascript.lang.security.detect-no-csrf-before-method-override.detect-no-csrf-before-method-override + message: Detected use of express.csrf() middleware before express.methodOverride(). + This can allow GET requests (which are not checked by csrf) to turn into POST + requests later. + metadata: + cwe: + - 'CWE-352: Cross-Site Request Forgery (CSRF)' + source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-no-csrf-before-method-override.js + references: + - https://github.com/nodesecurity/eslint-plugin-security/blob/master/docs/bypass-connect-csrf-protection-by-abusing.md + category: security + technology: + - javascript + owasp: + - A01:2021 - Broken Access Control + - A05:2017 - Broken Access Control + - A01:2025 - Broken Access Control + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cross-Site Request Forgery (CSRF) + source: https://semgrep.dev/r/javascript.lang.security.detect-no-csrf-before-method-override.detect-no-csrf-before-method-override + shortlink: https://sg.run/oxoX + semgrep.dev: + rule: + r_id: 9316 + rv_id: 1263216 + rule_id: r6UrvQ + version_id: K3TKkPO + url: https://semgrep.dev/playground/r/K3TKkPO/javascript.lang.security.detect-no-csrf-before-method-override.detect-no-csrf-before-method-override + origin: community + languages: + - javascript + - typescript + severity: WARNING + pattern: | + express.csrf(); + ... + express.methodOverride(); +- id: javascript.lang.security.detect-pseudorandombytes.detect-pseudoRandomBytes + message: Detected usage of crypto.pseudoRandomBytes, which does not produce secure + random numbers. + metadata: + cwe: + - 'CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)' + owasp: + - A02:2021 - Cryptographic Failures + - A04:2025 - Cryptographic Failures + source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-pseudoRandomBytes.js + asvs: + section: 'V6: Stored Cryptography Verification Requirements' + control_id: 6.3.1 Insecure Randomness + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v63-random-values + version: '4' + category: security + technology: + - javascript + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + references: + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Cryptographic Issues + source: https://semgrep.dev/r/javascript.lang.security.detect-pseudorandombytes.detect-pseudoRandomBytes + shortlink: https://sg.run/pxze + semgrep.dev: + rule: + r_id: 9318 + rv_id: 1263217 + rule_id: NbUkR2 + version_id: qkTR799 + url: https://semgrep.dev/playground/r/qkTR799/javascript.lang.security.detect-pseudorandombytes.detect-pseudoRandomBytes + origin: community + languages: + - javascript + - typescript + severity: WARNING + pattern: crypto.pseudoRandomBytes +- id: javascript.lang.security.spawn-git-clone.spawn-git-clone + message: Git allows shell commands to be specified in ext URLs for remote repositories. + For example, git clone 'ext::sh -c whoami% >&2' will execute the whoami command + to try to connect to a remote repository. Make sure that the URL is not controlled + by external input. + metadata: + cwe: + - 'CWE-78: Improper Neutralization of Special Elements used in an OS Command (''OS + Command Injection'')' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + - A05:2025 - Injection + category: security + technology: + - git + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + references: + - https://owasp.org/Top10/A03_2021-Injection + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - Command Injection + source: https://semgrep.dev/r/javascript.lang.security.spawn-git-clone.spawn-git-clone + shortlink: https://sg.run/2xrr + semgrep.dev: + rule: + r_id: 9319 + rv_id: 1263220 + rule_id: kxUkPP + version_id: 6xT29A7 + url: https://semgrep.dev/playground/r/6xT29A7/javascript.lang.security.spawn-git-clone.spawn-git-clone + origin: community + languages: + - javascript + - typescript + severity: ERROR + patterns: + - pattern-either: + - pattern: spawn('git', ['clone',...,$F]) + - pattern: $X.spawn('git', ['clone',...,$F]) + - pattern: spawn('git', ['clone',...,$P,$F]) + - pattern: $X.spawn('git', ['clone',...,$P,$F]) + - pattern-not: spawn('git', ['clone',...,"..."]) + - pattern-not: $X.spawn('git', ['clone',...,"..."]) + - pattern-not: spawn('git', ['clone',...,"...","..."]) + - pattern-not: $X.spawn('git', ['clone',...,"...","..."]) +- id: javascript.node-expat.security.audit.expat-xxe.expat-xxe + message: If unverified user data can reach the XML Parser it can result in XML External + or Internal Entity (XXE) Processing vulnerabilities + metadata: + owasp: + - A04:2017 - XML External Entities (XXE) + - A05:2021 - Security Misconfiguration + - A02:2025 - Security Misconfiguration + cwe: + - 'CWE-611: Improper Restriction of XML External Entity Reference' + category: security + technology: + - node-expat + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: MEDIUM + confidence: LOW + references: + - https://owasp.org/Top10/A05_2021-Security_Misconfiguration + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - XML Injection + source: https://semgrep.dev/r/javascript.node-expat.security.audit.expat-xxe.expat-xxe + shortlink: https://sg.run/eLdL + semgrep.dev: + rule: + r_id: 9332 + rv_id: 1263224 + rule_id: gxU171 + version_id: 2KTv2AZ + url: https://semgrep.dev/playground/r/2KTv2AZ/javascript.node-expat.security.audit.expat-xxe.expat-xxe + origin: community + languages: + - javascript + - typescript + severity: WARNING + patterns: + - pattern-either: + - pattern: | + var $EXPAT = require('node-expat'); + ... + new $EXPAT.Parser(...); + ... + $PARSER.parse(...); + - pattern: | + var $EXPAT = require('node-expat'); + ... + new $EXPAT.Parser(...); + ... + $PARSER.write(...); + - pattern: | + require('node-expat'); + ... + new Parser(...); + ... + $PARSER.parse(...); + - pattern: | + require('node-expat'); + ... + new Parser(...); + ... + $PARSER.write(...); + - pattern-not: | + var $EXPAT = require('node-expat'); + ... + new $EXPAT.Parser(...); + ... + $PARSER.parse("..."); + - pattern-not: | + var $EXPAT = require('node-expat'); + ... + new $EXPAT.Parser(...); + ... + $PARSER.write("..."); + - pattern-not: | + require('node-expat'); + ... + new Parser(...); + ... + $PARSER.parse("..."); + - pattern-not: | + require('node-expat'); + ... + new Parser(...); + ... + $PARSER.write("..."); + - pattern-not: | + $X = "..."; + ... + $PARSER.parse($X); + - pattern-not: |- + $X = "..."; + ... + $PARSER.write($X); +- id: javascript.sax.security.audit.sax-xxe.sax-xxe + message: Use of 'ondoctype' in 'sax' library detected. By default, 'sax' won't do + anything with custom DTD entity definitions. If you're implementing a custom DTD + entity definition, be sure not to introduce XML External Entity (XXE) vulnerabilities, + or be absolutely sure that external entities received from a trusted source while + processing XML. + metadata: + owasp: + - A04:2017 - XML External Entities (XXE) + - A05:2021 - Security Misconfiguration + - A02:2025 - Security Misconfiguration + cwe: + - 'CWE-611: Improper Restriction of XML External Entity Reference' + references: + - https://github.com/Leonidas-from-XIV/node-xml2js/issues/415 + - https://github.com/isaacs/sax-js + category: security + technology: + - sax + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - XML Injection + source: https://semgrep.dev/r/javascript.sax.security.audit.sax-xxe.sax-xxe + shortlink: https://sg.run/5QEj + semgrep.dev: + rule: + r_id: 9347 + rv_id: 1263239 + rule_id: qNUj7e + version_id: d6Tyxn9 + url: https://semgrep.dev/playground/r/d6Tyxn9/javascript.sax.security.audit.sax-xxe.sax-xxe + origin: community + languages: + - javascript + - typescript + severity: WARNING + pattern-either: + - pattern: | + require('sax'); + ... + $PARSER.ondoctype = ...; + - pattern: |- + require('sax'); + ... + $PARSER.on('doctype',...); +- id: javascript.xml2json.security.audit.xml2json-xxe.xml2json-xxe + message: If unverified user data can reach the XML Parser it can result in XML External + or Internal Entity (XXE) Processing vulnerabilities + metadata: + owasp: + - A04:2017 - XML External Entities (XXE) + - A05:2021 - Security Misconfiguration + - A02:2025 - Security Misconfiguration + cwe: + - 'CWE-611: Improper Restriction of XML External Entity Reference' + asvs: + section: V5 Validation, Sanitization and Encoding + control_id: 5.5.2 Insecue XML Deserialization + control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention + version: '4' + category: security + technology: + - xml2json + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: LOW + references: + - https://owasp.org/Top10/A05_2021-Security_Misconfiguration + license: Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license + vulnerability_class: + - XML Injection + source: https://semgrep.dev/r/javascript.xml2json.security.audit.xml2json-xxe.xml2json-xxe + shortlink: https://sg.run/l27o + semgrep.dev: + rule: + r_id: 9357 + rv_id: 1263253 + rule_id: 10UKpB + version_id: GxTkeg8 + url: https://semgrep.dev/playground/r/GxTkeg8/javascript.xml2json.security.audit.xml2json-xxe.xml2json-xxe + origin: community + languages: + - javascript + - typescript + severity: WARNING + patterns: + - pattern: | + var $XML = require('xml2json'); + ... + $XML.toJson(...); + - pattern-not: | + var $XML = require('xml2json'); + ... + $XML.toJson("...",...); + - pattern-not: |- + var $XML = require('xml2json'); + ... + var $S = "..."; + ... + $XML.toJson($S,...); +- id: javascript.lang.security.audit.unknown-value-with-script-tag.unknown-value-with-script-tag + message: Cannot determine what '$UNK' is and it is used with a ' + - pattern-not-inside: "; @@ -62,9 +62,10 @@ class XssPentestTest { private static HttpClient http; @BeforeAll - static void startServer() { + static void startServer() throws Exception { + testPort = findFreePort(); app = UserAnalyticsController.createApp(); - app.start(TEST_PORT); + app.start(testPort); http = HttpClient.newHttpClient(); } @@ -187,9 +188,15 @@ private static String enc(String value) { private HttpResponse send(String method, String path) throws Exception { HttpRequest request = HttpRequest.newBuilder() - .uri(URI.create(BASE_URL + path)) + .uri(URI.create("http://localhost:" + testPort + path)) .method(method, HttpRequest.BodyPublishers.noBody()) .build(); return http.send(request, HttpResponse.BodyHandlers.ofString()); } + + private static int findFreePort() throws Exception { + try (ServerSocket socket = new ServerSocket(0)) { + return socket.getLocalPort(); + } + } }