diff --git a/internal/services/engines/dart/rules.go b/internal/services/engines/dart/rules.go index 98dfed090..46dff2016 100644 --- a/internal/services/engines/dart/rules.go +++ b/internal/services/engines/dart/rules.go @@ -73,8 +73,10 @@ Depending on the implementation in the operating system the bioID is just a lock Basically on Android, you can ask to use the 4-digit password because of "faulty hardware" and this functionality depends on how the application uses this. There are applications that ask for 6 digit passwords and then ask for the bioID just to "automatically type" the 6 digit password which can cause an easy identification and access to your application is broken. For more information checkout the OWSAP M4:2016 (https://owasp.org/www-project-mobile-top-10/2016-risks/m4-insecure-authentication) advisory and see this example how implement good authentication (in "C" Language): https://developer.apple.com/library/archive/samplecode/KeychainTouchID/Introduction/Intro.html.`, - Severity: severities.Info.ToString(), - Confidence: confidence.Medium.ToString(), + Severity: severities.Info.ToString(), + Confidence: confidence.Medium.ToString(), + SafeExample: SampleSafeHSDART3, + UnsafeExample: SampleVulnerableHSDART3, }, Type: text.AndMatch, Expressions: []*regexp.Regexp{ diff --git a/internal/services/engines/dart/rules_test.go b/internal/services/engines/dart/rules_test.go index f45c8b61b..9c37ecac1 100644 --- a/internal/services/engines/dart/rules_test.go +++ b/internal/services/engines/dart/rules_test.go @@ -116,7 +116,7 @@ func TestRulesVulnerableCode(t *testing.T) { CodeSample: "import 'package:flutter_sms/flutter_sms.dart';", SourceLocation: engine.Location{ Filename: filepath.Join(tempDir, "HS-DART-6.test"), - Line: 1, + Line: 2, Column: 28, }, }, 
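Review bot: The `Line: 2` change in TestRulesVulnerableCode follows from SampleVulnerableHSDART6 gaining a leading newline when it was moved in samples.go, not from any change in the HS-DART-6 rule, and nothing in the test records that coupling, so the next edit to the sample will break this expectation again without explanation. Either annotate the changed line, `Line: 2, // SampleVulnerableHSDART6 begins with a newline; the import is on line 2`, or drop the leading newline from the sample so the import stays on line 1 and the expected location stays stable. The test case table this entry belongs to continues outside the hunk.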
@@ -329,7 +329,7 @@ func TestRulesSafeCode(t *testing.T) { { Name: "HS-DART-3", Rule: NewNoUseBiometricsTypeIOS(), - Src: "", + Src: SampleSafeHSDART3, Filename: filepath.Join(tempDir, "HS-DART-3.test"), }, { diff --git a/internal/services/engines/dart/sample.go b/internal/services/engines/dart/samples.go similarity index 98% rename from internal/services/engines/dart/sample.go rename to internal/services/engines/dart/samples.go index 832087ad5..92d358e3e 100644 --- a/internal/services/engines/dart/sample.go +++ b/internal/services/engines/dart/samples.go @@ -15,8 +15,6 @@ package dart const ( - SampleVulnerableHSDART6 = `import 'package:flutter_sms/flutter_sms.dart'; -` SampleVulnerableHSDART1 = ` ... final CpfExposedFromUserInput = ""; @@ -35,6 +33,22 @@ void onButtonClick() async { } ... ` + SampleSafeHSDART1 = ` +... +final CpfExposedFromUserInput = ""; +... +void onButtonClick() async { + try { + // Safe code: Because not log information sensitive and only sent to backend api. + var value = await ValidateCPFPost(CpfExposedFromUserInput) + ... + } on HttpException { + ... + } +} +... +` + SampleVulnerableHSDART2 = ` ... FirebaseMessaging _firebaseMessaging = FirebaseMessaging(); @@ -61,6 +75,25 @@ void onButtonClick() async { } ... ` + SampleSafeHSDART2 = ` +... + FirebaseMessaging _firebaseMessaging = FirebaseMessaging(); + + @override + void initState() { + ... + super.initState(); + // Safe code: Because not log information sensitive and only sent to backend api. + _firebaseMessaging.configure( + onLaunch: (Map response) async { + sendToAPI(response); + ... + }, + ); + } +... +` + SampleVulnerableHSDART3 = ` List availableBiometrics; await auth.getAvailableBiometrics(); 
@@ -73,11 +106,18 @@ if (Platform.isIOS) { } } ` + SampleSafeHSDART3 = `// Don't use biometric mode ` + SampleVulnerableHSDART4 = ` // Possible vulnerable code: user can pass other path in your input and causes attacks in the application. final file = new File(FileFromUserInput); final document = XmlDocument.parse(file.readAsStringSync()); ` + SampleSafeHSDART4 = ` +final file = new File('static-file.xml'); +final document = XmlDocument.parse(file.readAsStringSync()); +` + SampleVulnerableHSDART5 = ` ... static Future SentToApi( @@ -92,6 +132,22 @@ static Future SentToApi( return _HttpServer.bindSecure('http://my-api.com.br', port, context, backlog, v6Only, requestClientCertificate, shared); } ` + SampleSafeHSDART5 = ` +static Future SentToApi( + int port, + SecurityContext context, + {int backlog = 0, + bool v6Only = false, + bool requestClientCertificate = false, + bool shared = false} +) => _HttpServer.bindSecure('https://my-api.com.br', port, context, backlog, v6Only, requestClientCertificate, shared); +` + + SampleVulnerableHSDART6 = ` +import 'package:flutter_sms/flutter_sms.dart'; +` + SampleSafeHSDART6 = `// You can't use flutter_sms library` + SampleVulnerableHSDART7 = ` import 'package:sprintf/sprintf.dart'; import 'dart:html'; @@ -103,6 +159,18 @@ void RenderHTML(String content) { document.body.append(element); } ` + SampleSafeHSDART7 = ` +import 'package:sprintf/sprintf.dart'; +import 'dart:html'; +... + +void RenderHTML(String content) { + var element = new DivElement() + ..textContent = content; + document.body.append(element); +} +` + SampleVulnerableHSDART8 = ` import 'package:sprintf/sprintf.dart'; import 'package:logging/logging.dart'; 
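Review bot: SampleSafeHSDART3 is the bare comment `// Don't use biometric mode`, so the SafeExample this commit wires into the HS-DART-3 rule shows a reader no code at all, and the advice it gives is broader than the rule's own description at the top of this diff, which objects to biometrics being the only factor, not to biometrics as such. A code sample in the spirit of SampleSafeHSDART11 later in this file, biometrics gated behind a second factor, would match the description, provided it does not trip the rule's expressions in TestRulesSafeCode. If a code sample is not practical, at least reword the string to `// Safe code: use biometrics only as a second factor, never as the sole authentication` so the example agrees with the rule text.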
@@ -117,6 +185,19 @@ void ShowUserSensitiveInformation(String identity) { sentToAPIUserIdentity(identity); } ` + SampleSafeHSDART8 = ` +import 'package:logging/logging.dart'; +... +final _logger = Logger('YourClassName'); + +void ShowUserSensitiveInformation(String identity) { + print("send identity of the user to api"); + _logger.info("send identity of the user to api"); + sentToAPIUserIdentity(identity); +} +... +` + SampleVulnerableHSDART9 = ` import 'dart:convert'; import 'package:convert/convert.dart'; @@ -131,6 +212,20 @@ generateMd5(String data) { return hex.encode(digest.bytes); } ` + SampleSafeHSDART9 = ` +import 'dart:convert'; +import 'package:convert/convert.dart'; +import 'package:crypto/crypto.dart' as crypto; + +///Generate sha256 hash +generateSha256(String data) { + var content = new Utf8Encoder().convert(data); + var sha256 = crypto.sha256; + var digest = sha256.convert(content); + return hex.encode(digest.bytes); +} +` + SampleVulnerableHSDART10 = ` final SecurityContext context = SecurityContext(withTrustedRoots: false); // Possible vulnerable code: This code is bad because if you can exposed for MITM attacks @@ -139,6 +234,13 @@ Socket socket = await Socket.connect(serverIp, port); socket = await SecureSocket.secure(socket, host: "server" , context: context, onBadCertificate: (cert) => true); ` + SampleSafeHSDART10 = ` +final SecurityContext context = SecurityContext(withTrustedRoots: false); +Socket socket = await Socket.connect(serverIp, port); +socket = await SecureSocket.secure(socket, host: "server" + , context: context, onBadCertificate: (cert) => true); +` + SampleVulnerableHSDART11 = ` try { // Possible vulnerable code: This code is bad because your authentication can be passed easy form when exists only 1 method to authenticate 
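Review bot: SampleSafeHSDART10 is the HS-DART-10 vulnerable sample with only the explanatory comment removed: it still builds the context with `withTrustedRoots: false` and passes `onBadCertificate: (cert) => true`, so the example presented as the fix accepts any certificate exactly as the flagged code does. A safe sample should keep the platform trust roots and let the handshake reject invalid certificates, e.g. `final SecurityContext context = SecurityContext(withTrustedRoots: true);` followed by `socket = await SecureSocket.secure(socket, host: "server", context: context);` with no onBadCertificate callback. Because the two samples differ only in the comment line, TestRulesSafeCode presumably passes only because the rule's expressions key on that comment text rather than the call itself, which is worth checking at the same time. The text is moved rather than new, but the rename is the right moment to correct it.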
@@ -151,6 +253,18 @@ try { print("error using biometric auth: $e"); } ` + SampleSafeHSDART11 = ` +try { + authenticated = await auth.CheckTwoFactorAuthenticationAndAuthenticateWithBiometrics( + localizedReason: 'Touch your finger on the sensor to login', + useErrorDialogs: true, + stickyAuth: false + ); +} catch (e) { + print("error using biometric auth: $e"); +} +` + SampleVulnerableHSDART12 = ` _getFromClipboard() async { // Possible vulnerable code: Is not good idea read content from clipboard. 
@@ -172,159 +286,6 @@ void sendToAPIToKeepChangesInDatabase() { ... } } -` - SampleVulnerableHSDART13 = ` -Database database = await openDatabase(path, version: 1, - onCreate: (Database db, int version) async { - await db.execute('CREATE TABLE Users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);'); -}); - -getCheckIfUserExists(String username) { - try { - // Possible vulnerable code: User can be pass malicious code and delete all data from your database by example. - List list = await database.rawQuery("SELECT * FROM Users WHERE username = '" + username + "';"); - ... - } on Exception { - ... - } -} -` - SampleVulnerableHSDART14 = ` -// Possible vulnerable code: If You get NSTemporaryDirectory you can get anywhere content from this directory -let temporaryDirectoryURL = URL(fileURLWithPath: NSTemporaryDirectory(), isDirectory: true); -` - SampleVulnerableHSDART15 = ` -// Possible vulnerable code: This code is bad because this type cryptography is easy of to be broken. -final encrypter = Encrypter(AES(key, mode: AESMode.cts)); -` - SampleVulnerableHSDART16 = ` -HttpServer.bind('127.0.0.1', 8080).then((server){ - server.listen((HttpRequest request){ - request.uri.queryParameters.forEach((param,val){ - print(param + '-' + val); - }); - - // Possible vulnerable code: When you allow any origin you can exposed to multiple attacks in your application - request.response.headers.add("Access-Control-Allow-Origin", "*"); - request.response.headers.add("Access-Control-Allow-Methods", "POST,GET,DELETE,PUT,OPTIONS"); - - request.response.statusCode = HttpStatus.OK; - request.response.write("Success!"); - request.response.close(); - }); -}); -` - SampleVulnerableHSDART17 = ` -getIPFromLoggedUser (List UserParams) async { - // Possible vulnerable code: User can be inject malicious code and run others commands after this command - var result = await Process.run("netcfg", [UserParams]); - return result.stdout -} -` -) - -const ( - SampleSafeHSDART1 = ` -... 
-final CpfExposedFromUserInput = ""; -... -void onButtonClick() async { - try { - // Safe code: Because not log information sensitive and only sent to backend api. - var value = await ValidateCPFPost(CpfExposedFromUserInput) - ... - } on HttpException { - ... - } -} -... -` - SampleSafeHSDART2 = ` -... - FirebaseMessaging _firebaseMessaging = FirebaseMessaging(); - - @override - void initState() { - ... - super.initState(); - // Safe code: Because not log information sensitive and only sent to backend api. - _firebaseMessaging.configure( - onLaunch: (Map response) async { - sendToAPI(response); - ... - }, - ); - } -... -` - SampleSafeHSDART4 = ` -final file = new File('static-file.xml'); -final document = XmlDocument.parse(file.readAsStringSync()); -` - - SampleSafeHSDART5 = ` -static Future SentToApi( - int port, - SecurityContext context, - {int backlog = 0, - bool v6Only = false, - bool requestClientCertificate = false, - bool shared = false} -) => _HttpServer.bindSecure('https://my-api.com.br', port, context, backlog, v6Only, requestClientCertificate, shared); -` - SampleSafeHSDART6 = `// You can't use sms library` - SampleSafeHSDART7 = ` -import 'package:sprintf/sprintf.dart'; -import 'dart:html'; -... - -void RenderHTML(String content) { - var element = new DivElement() - ..textContent = content; - document.body.append(element); -} -` - SampleSafeHSDART8 = ` -import 'package:logging/logging.dart'; -... -final _logger = Logger('YourClassName'); - -void ShowUserSensitiveInformation(String identity) { - print("send identity of the user to api"); - _logger.info("send identity of the user to api"); - sentToAPIUserIdentity(identity); -} -... 
-` - SampleSafeHSDART9 = ` -import 'dart:convert'; -import 'package:convert/convert.dart'; -import 'package:crypto/crypto.dart' as crypto; - -///Generate sha256 hash -generateSha256(String data) { - var content = new Utf8Encoder().convert(data); - var sha256 = crypto.sha256; - var digest = sha256.convert(content); - return hex.encode(digest.bytes); -} -` - SampleSafeHSDART10 = ` -final SecurityContext context = SecurityContext(withTrustedRoots: false); -Socket socket = await Socket.connect(serverIp, port); -socket = await SecureSocket.secure(socket, host: "server" - , context: context, onBadCertificate: (cert) => true); -` - SampleSafeHSDART11 = ` -try { - authenticated = await auth.CheckTwoFactorAuthenticationAndAuthenticateWithBiometrics( - localizedReason: 'Touch your finger on the sensor to login', - useErrorDialogs: true, - stickyAuth: false - ); -} catch (e) { - print("error using biometric auth: $e"); -} ` SampleSafeHSDART12 = ` _getFromClipboard() async { @@ -347,6 +308,23 @@ void sendToAPIToKeepChangesInDatabase() { ... } } +` + + SampleVulnerableHSDART13 = ` +Database database = await openDatabase(path, version: 1, + onCreate: (Database db, int version) async { + await db.execute('CREATE TABLE Users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);'); +}); + +getCheckIfUserExists(String username) { + try { + // Possible vulnerable code: User can be pass malicious code and delete all data from your database by example. + List list = await database.rawQuery("SELECT * FROM Users WHERE username = '" + username + "';"); + ... + } on Exception { + ... + } +} ` SampleSafeHSDART13 = ` Database database = await openDatabase(path, version: 1, 
@@ -362,12 +340,40 @@ getCheckIfUserExists(String username) { ... } } +` + + SampleVulnerableHSDART14 = ` +// Possible vulnerable code: If You get NSTemporaryDirectory you can get anywhere content from this directory +let temporaryDirectoryURL = URL(fileURLWithPath: NSTemporaryDirectory(), isDirectory: true); ` SampleSafeHSDART14 = ` let temporaryDirectoryURL = URL(fileURLWithPath: "Some/Other/Path", isDirectory: true) +` + + SampleVulnerableHSDART15 = ` +// Possible vulnerable code: This code is bad because this type cryptography is easy of to be broken. +final encrypter = Encrypter(AES(key, mode: AESMode.cts)); ` SampleSafeHSDART15 = ` final encrypter = Encrypter(AES(key, mode: AESMode.cbc)); +` + + SampleVulnerableHSDART16 = ` +HttpServer.bind('127.0.0.1', 8080).then((server){ + server.listen((HttpRequest request){ + request.uri.queryParameters.forEach((param,val){ + print(param + '-' + val); + }); + + // Possible vulnerable code: When you allow any origin you can exposed to multiple attacks in your application + request.response.headers.add("Access-Control-Allow-Origin", "*"); + request.response.headers.add("Access-Control-Allow-Methods", "POST,GET,DELETE,PUT,OPTIONS"); + + request.response.statusCode = HttpStatus.OK; + request.response.write("Success!"); + request.response.close(); + }); +}); ` SampleSafeHSDART16 = ` HttpServer.bind('127.0.0.1', 8080).then((server){ @@ -384,6 +390,14 @@ HttpServer.bind('127.0.0.1', 8080).then((server){ request.response.close(); }); }); +` + + SampleVulnerableHSDART17 = ` +getIPFromLoggedUser (List UserParams) async { + // Possible vulnerable code: User can be inject malicious code and run others commands after this command + var result = await Process.run("netcfg", [UserParams]); + return result.stdout +} ` SampleSafeHSDART17 = ` // You can get IP using library or interact with your backend application 
diff --git a/internal/services/engines/java/rules.go b/internal/services/engines/java/rules.go index 4814df5b2..58815f554 100644 --- a/internal/services/engines/java/rules.go +++ b/internal/services/engines/java/rules.go @@ -17,6 +17,7 @@ package java import ( + "fmt" "regexp" "github.com/ZupIT/horusec-devkit/pkg/enums/confidence" @@ -28,11 +29,13 @@ import ( func NewXMLParsingVulnerableToXXE() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-1", - Name: "XML parsing vulnerable to XXE", - Description: "XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. For more information checkout the CWE-611 (https://cwe.mitre.org/data/definitions/611.html) advisory.", - Severity: severities.Medium.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-1", + SafeExample: SampleSafeHSJAVA1, + UnsafeExample: SampleVulnerableHSJAVA1, + Name: "XML parsing vulnerable to XXE", + Description: "XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. For more information checkout the CWE-611 (https://cwe.mitre.org/data/definitions/611.html) advisory.", + Severity: severities.Medium.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.AndMatch, Expressions: []*regexp.Regexp{ 
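Review bot: The import hunk adds `"fmt"`, but no use of fmt appears in any of the java rules.go hunks on this page; if it is not consumed by a hunk outside this view, the package stops compiling, since Go rejects unused imports. Worth confirming the consumer exists in this commit rather than relying on a later one.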
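Review bot: SafeExample and UnsafeExample are inserted between ID and Name in every java Metadata literal on this page (HS-JAVA-1 here and the same pattern in each hunk down to HS-JAVA-22), while the dart HS-DART-3 hunk at the top of this diff appends them after Confidence. Both compile, but the two engines now lay out the same struct differently, and the java placement also rewrites five untouched lines per rule for alignment. Pick one placement and apply it to both engines; putting the two fields after Confidence keeps the existing ID/Name/Description/Severity/Confidence order intact and shrinks the diff. Each rule constructor's Expressions block continues outside its hunk.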
@@ -46,11 +49,13 @@ func NewXMLParsingVulnerableToXXE() *text.Rule { func NewXMLParsingVulnerableToXXEWithXMLInputFactory() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-2", - Name: "XML parsing vulnerable to XXE With XMLInputFactory", - Description: "XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. For more information checkout the CWE-611 (https://cwe.mitre.org/data/definitions/611.html) advisory.", - Severity: severities.Medium.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-2", + SafeExample: SampleSafeHSJAVA2, + UnsafeExample: SampleVulnerableHSJAVA2, + Name: "XML parsing vulnerable to XXE With XMLInputFactory", + Description: "XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. For more information checkout the CWE-611 (https://cwe.mitre.org/data/definitions/611.html) advisory.", + Severity: severities.Medium.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.AndMatch, Expressions: []*regexp.Regexp{ 
@@ -63,11 +68,13 @@ func NewXMLParsingVulnerableToXXEWithXMLInputFactory() *text.Rule { func NewXMLParsingVulnerableToXXEWithDocumentBuilder() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-3", - Name: "XML parsing vulnerable to XXE With DocumentBuilder", - Description: "XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. For more information checkout the CWE-611 (https://cwe.mitre.org/data/definitions/611.html) advisory.", - Severity: severities.Medium.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-3", + SafeExample: SampleSafeHSJAVA3, + UnsafeExample: SampleVulnerableHSJAVA3, + Name: "XML parsing vulnerable to XXE With DocumentBuilder", + Description: "XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. For more information checkout the CWE-611 (https://cwe.mitre.org/data/definitions/611.html) advisory.", + Severity: severities.Medium.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.AndMatch, Expressions: []*regexp.Regexp{ 
@@ -81,11 +88,13 @@ func NewXMLParsingVulnerableToXXEWithDocumentBuilder() *text.Rule { func NewXMLParsingVulnerableToXXEWithSAXParserFactory() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-4", - Name: "XML parsing vulnerable to XXE With SAXParserFactory", - Description: "XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. For more information checkout the CWE-611 (https://cwe.mitre.org/data/definitions/611.html) advisory.", - Severity: severities.Medium.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-4", + SafeExample: SampleSafeHSJAVA4, + UnsafeExample: SampleVulnerableHSJAVA4, + Name: "XML parsing vulnerable to XXE With SAXParserFactory", + Description: "XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. For more information checkout the CWE-611 (https://cwe.mitre.org/data/definitions/611.html) advisory.", + Severity: severities.Medium.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.AndMatch, Expressions: []*regexp.Regexp{ 
@@ -99,11 +108,13 @@ func NewXMLParsingVulnerableToXXEWithSAXParserFactory() *text.Rule { func NewXMLParsingVulnerableToXXEWithTransformerFactory() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-5", - Name: "XML parsing vulnerable to XXE With TransformerFactory", - Description: "XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. For more information checkout the CWE-611 (https://cwe.mitre.org/data/definitions/611.html) advisory.", - Severity: severities.Medium.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-5", + SafeExample: SampleSafeHSJAVA5, + UnsafeExample: SampleVulnerableHSJAVA5, + Name: "XML parsing vulnerable to XXE With TransformerFactory", + Description: "XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. For more information checkout the CWE-611 (https://cwe.mitre.org/data/definitions/611.html) advisory.", + Severity: severities.Medium.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.AndMatch, Expressions: []*regexp.Regexp{ 
@@ -135,11 +146,13 @@ func NewXMLParsingVulnerableToXXEWithTransformerFactory() *text.Rule { func NewXMLParsingVulnerableToXXEWithDom4j() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-7", - Name: "XML parsing vulnerable to XXE With Dom4j", - Description: "XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. For more information checkout the CWE-611 (https://cwe.mitre.org/data/definitions/611.html) advisory.", - Severity: severities.Medium.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-7", + SafeExample: SampleSafeHSJAVA7, + UnsafeExample: SampleVulnerableHSJAVA7, + Name: "XML parsing vulnerable to XXE With Dom4j", + Description: "XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. For more information checkout the CWE-611 (https://cwe.mitre.org/data/definitions/611.html) advisory.", + Severity: severities.Medium.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.AndMatch, Expressions: []*regexp.Regexp{ 
@@ -152,11 +165,13 @@ func NewXMLParsingVulnerableToXXEWithDom4j() *text.Rule { func NewXMLParsingVulnerableToXXEWithJdom2() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-8", - Name: "XML parsing vulnerable to XXE With Jdom2", - Description: "XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. For more information checkout the CWE-611 (https://cwe.mitre.org/data/definitions/611.html) advisory.", - Severity: severities.Medium.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-8", + SafeExample: SampleSafeHSJAVA8, + UnsafeExample: SampleVulnerableHSJAVA8, + Name: "XML parsing vulnerable to XXE With Jdom2", + Description: "XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. For more information checkout the CWE-611 (https://cwe.mitre.org/data/definitions/611.html) advisory.", + Severity: severities.Medium.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.AndMatch, Expressions: []*regexp.Regexp{ 
@@ -169,11 +184,13 @@ func NewXMLParsingVulnerableToXXEWithJdom2() *text.Rule { func NewInsecureImplementationOfSSL() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-9", - Name: "Insecure Implementation of SSL", - Description: "Insecure Implementation of SSL. Trusting all the certificates or accepting self signed certificates is a critical Security Hole. This application is vulnerable to MITM attacks. For more information checkout the CWE-295 (https://cwe.mitre.org/data/definitions/295.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.High.ToString(), + ID: "HS-JAVA-9", + SafeExample: SampleSafeHSJAVA9, + UnsafeExample: SampleVulnerableHSJAVA9, + Name: "Insecure Implementation of SSL", + Description: "Insecure Implementation of SSL. Trusting all the certificates or accepting self signed certificates is a critical Security Hole. This application is vulnerable to MITM attacks. For more information checkout the CWE-295 (https://cwe.mitre.org/data/definitions/295.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.High.ToString(), }, Type: text.AndMatch, Expressions: []*regexp.Regexp{ 
@@ -186,11 +203,13 @@ func NewInsecureImplementationOfSSL() *text.Rule { func NewMessageDigestIsCustom() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-10", - Name: "Message digest is custom", - Description: "Implementing a custom MessageDigest is error-prone. NIST recommends the use of SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, or SHA-512/256. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.Medium.ToString(), + ID: "HS-JAVA-10", + SafeExample: SampleSafeHSJAVA10, + UnsafeExample: SampleVulnerableHSJAVA10, + Name: "Message digest is custom", + Description: "Implementing a custom MessageDigest is error-prone. NIST recommends the use of SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, or SHA-512/256. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.Medium.ToString(), }, Type: text.AndMatch, Expressions: []*regexp.Regexp{ 
@@ -204,11 +223,13 @@ func NewMessageDigestIsCustom() *text.Rule { func NewTrustManagerThatAcceptAnyCertificatesClient() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-11", - Name: "TrustManager that accept any certificates Client", - Description: "Empty TrustManager implementations are often used to connect easily to a host that is not signed by a root certificate authority. As a consequence, this is vulnerable to Man-in-the-middle attacks since the client will trust any certificate. For more information checkout the CWE-295 (https://cwe.mitre.org/data/definitions/295.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-11", + SafeExample: SampleSafeHSJAVA11, + UnsafeExample: SampleVulnerableHSJAVA11, + Name: "TrustManager that accept any certificates Client", + Description: "Empty TrustManager implementations are often used to connect easily to a host that is not signed by a root certificate authority. As a consequence, this is vulnerable to Man-in-the-middle attacks since the client will trust any certificate. For more information checkout the CWE-295 (https://cwe.mitre.org/data/definitions/295.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.AndMatch, Expressions: []*regexp.Regexp{ 
@@ -222,11 +243,13 @@ func NewTrustManagerThatAcceptAnyCertificatesClient() *text.Rule { func NewServerHostnamesShouldBeVerifiedDuringSSLTLSConnections() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-12", - Name: "Server hostnames should be verified during SSL/TLS connections", - Description: "To establish a SSL/TLS connection not vulnerable to man-in-the-middle attacks, it's essential to make sure the server presents the right certificate. The certificate's hostname-specific data should match the server hostname. It's not recommended to re-invent the wheel by implementing custom hostname verification. TLS/SSL libraries provide built-in hostname verification functions that should be used. For more information checkout the CWE-295 (https://cwe.mitre.org/data/definitions/295.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-12", + SafeExample: SampleSafeHSJAVA12, + UnsafeExample: SampleVulnerableHSJAVA12, + Name: "Server hostnames should be verified during SSL/TLS connections", + Description: "To establish a SSL/TLS connection not vulnerable to man-in-the-middle attacks, it's essential to make sure the server presents the right certificate. The certificate's hostname-specific data should match the server hostname. It's not recommended to re-invent the wheel by implementing custom hostname verification. TLS/SSL libraries provide built-in hostname verification functions that should be used. For more information checkout the CWE-295 (https://cwe.mitre.org/data/definitions/295.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.AndMatch, Expressions: []*regexp.Regexp{ 
@@ -240,11 +263,13 @@ func NewServerHostnamesShouldBeVerifiedDuringSSLTLSConnections() *text.Rule { func NewServerHostnamesShouldBeVerifiedDuringSSLTLSConnectionsWithSimpleEmail() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-13", - Name: "Server hostnames should be verified during SSL/TLS connections With SimpleEmail", - Description: "To establish a SSL/TLS connection not vulnerable to man-in-the-middle attacks, it's essential to make sure the server presents the right certificate. The certificate's hostname-specific data should match the server hostname. It's not recommended to re-invent the wheel by implementing custom hostname verification. TLS/SSL libraries provide built-in hostname verification functions that should be used. For more information checkout the CWE-295 (https://cwe.mitre.org/data/definitions/295.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-13", + SafeExample: SampleSafeHSJAVA13, + UnsafeExample: SampleVulnerableHSJAVA13, + Name: "Server hostnames should be verified during SSL/TLS connections With SimpleEmail", + Description: "To establish a SSL/TLS connection not vulnerable to man-in-the-middle attacks, it's essential to make sure the server presents the right certificate. The certificate's hostname-specific data should match the server hostname. It's not recommended to re-invent the wheel by implementing custom hostname verification. TLS/SSL libraries provide built-in hostname verification functions that should be used. For more information checkout the CWE-295 (https://cwe.mitre.org/data/definitions/295.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.AndMatch, Expressions: []*regexp.Regexp{ 
@@ -257,11 +282,13 @@ func NewServerHostnamesShouldBeVerifiedDuringSSLTLSConnectionsWithSimpleEmail() func NewServerHostnamesShouldBeVerifiedDuringSSLTLSConnectionsWithMail() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-14", - Name: "Server hostnames should be verified during SSL/TLS connections With Mail's", - Description: "To establish a SSL/TLS connection not vulnerable to man-in-the-middle attacks, it's essential to make sure the server presents the right certificate. The certificate's hostname-specific data should match the server hostname. It's not recommended to re-invent the wheel by implementing custom hostname verification. TLS/SSL libraries provide built-in hostname verification functions that should be used. For more information checkout the CWE-295 (https://cwe.mitre.org/data/definitions/295.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-14", + SafeExample: SampleSafeHSJAVA14, + UnsafeExample: SampleVulnerableHSJAVA14, + Name: "Server hostnames should be verified during SSL/TLS connections With Mail's", + Description: "To establish a SSL/TLS connection not vulnerable to man-in-the-middle attacks, it's essential to make sure the server presents the right certificate. The certificate's hostname-specific data should match the server hostname. It's not recommended to re-invent the wheel by implementing custom hostname verification. TLS/SSL libraries provide built-in hostname verification functions that should be used. For more information checkout the CWE-295 (https://cwe.mitre.org/data/definitions/295.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.AndMatch, Expressions: []*regexp.Regexp{ 
@@ -334,11 +361,13 @@ func NewServerHostnamesShouldBeVerifiedDuringSSLTLSConnectionsWithMail() *text.R
 func NewWebViewLoadFilesFromExternalStorage() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-18",
- Name: "WebView Load Files From External Storage",
- Description: "WebView load files from external storage. Files in external storage can be modified by any application. For more information checkout the CWE-919 (https://cwe.mitre.org/data/definitions/919.html) advisory.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Medium.ToString(),
+ ID: "HS-JAVA-18",
+ SafeExample: SampleSafeHSJAVA18,
+ UnsafeExample: SampleVulnerableHSJAVA18,
+ Name: "WebView Load Files From External Storage",
+ Description: "WebView load files from external storage. Files in external storage can be modified by any application. For more information checkout the CWE-919 (https://cwe.mitre.org/data/definitions/919.html) advisory.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Medium.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -351,11 +380,13 @@ func NewWebViewLoadFilesFromExternalStorage() *text.Rule {
 func NewInsecureWebViewImplementation() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-19",
- Name: "Insecure Web View Implementation",
- Description: "Insecure WebView Implementation. Execution of user controlled code in WebView is a critical Security Hole. For more information checkout the CWE-749 (https://cwe.mitre.org/data/definitions/749.html) advisory.",
- Severity: severities.High.ToString(),
- Confidence: confidence.High.ToString(),
+ ID: "HS-JAVA-19",
+ SafeExample: SampleSafeHSJAVA19,
+ UnsafeExample: SampleVulnerableHSJAVA19,
+ Name: "Insecure Web View Implementation",
+ Description: "Insecure WebView Implementation. Execution of user controlled code in WebView is a critical Security Hole. For more information checkout the CWE-749 (https://cwe.mitre.org/data/definitions/749.html) advisory.",
+ Severity: severities.High.ToString(),
+ Confidence: confidence.High.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -410,11 +441,13 @@ func NewInsecureWebViewImplementation() *text.Rule {
 func NewNoUseWebviewDebuggingEnable() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-22",
- Name: "No Use Webview Debugging Enable",
- Description: "Remote WebView debugging is enabled. For more information checkout the CWE-215 (https://cwe.mitre.org/data/definitions/215.html) advisory.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.High.ToString(),
+ ID: "HS-JAVA-22",
+ SafeExample: SampleSafeHSJAVA22,
+ UnsafeExample: SampleVulnerableHSJAVA22,
+ Name: "No Use Webview Debugging Enable",
+ Description: "Remote WebView debugging is enabled. For more information checkout the CWE-215 (https://cwe.mitre.org/data/definitions/215.html) advisory.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.High.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -427,11 +460,13 @@ func NewNoUseWebviewDebuggingEnable() *text.Rule {
 func NewNoListenToClipboard() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-23",
- Name: "No Listen To Clipboard",
- Description: "ClipboardManager is a system service that allows you to register a listener for when the clipboard changes and some malwares also listen to Clipboard changes.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Medium.ToString(),
+ ID: "HS-JAVA-23",
+ SafeExample: SampleSafeHSJAVA23,
+ UnsafeExample: SampleVulnerableHSJAVA23,
+ Name: "No Listen To Clipboard",
+ Description: "ClipboardManager is a system service that allows you to register a listener for when the clipboard changes and some malwares also listen to Clipboard changes.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Medium.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -444,11 +479,13 @@ func NewNoListenToClipboard() *text.Rule {
 func NewNoCopyContentToClipboard() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-24",
- Name: "No copy content to clipboard",
- Description: "This App copies data to clipboard. Sensitive data should not be copied to clipboard as other applications can access it.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Medium.ToString(),
+ ID: "HS-JAVA-24",
+ SafeExample: SampleSafeHSJAVA24,
+ UnsafeExample: SampleVulnerableHSJAVA24,
+ Name: "No copy content to clipboard",
+ Description: "This App copies data to clipboard. Sensitive data should not be copied to clipboard as other applications can access it.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Medium.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -461,11 +498,13 @@ func NewNoCopyContentToClipboard() *text.Rule {
 func NewNoUseWebviewIgnoringSSL() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-25",
- Name: "No Use Webview Ignoring SSL",
- Description: "Insecure WebView Implementation. WebView ignores SSL Certificate errors and accept any SSL Certificate. This application is vulnerable to MITM attacks. For more information checkout the CWE-295 (https://cwe.mitre.org/data/definitions/295.html) advisory.",
- Severity: severities.High.ToString(),
- Confidence: confidence.Medium.ToString(),
+ ID: "HS-JAVA-25",
+ SafeExample: SampleSafeHSJAVA25,
+ UnsafeExample: SampleVulnerableHSJAVA25,
+ Name: "No Use Webview Ignoring SSL",
+ Description: "Insecure WebView Implementation. WebView ignores SSL Certificate errors and accept any SSL Certificate. This application is vulnerable to MITM attacks. For more information checkout the CWE-295 (https://cwe.mitre.org/data/definitions/295.html) advisory.",
+ Severity: severities.High.ToString(),
+ Confidence: confidence.Medium.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -479,11 +518,13 @@ func NewNoUseWebviewIgnoringSSL() *text.Rule {
 func NewSQLInjectionWithSqlUtil() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-26",
- Name: "SQL Injection With SqlUtil",
- Description: "The method identified is susceptible to injection. The input should be validated and properly escaped. For more information checkout the CWE-89 (https://cwe.mitre.org/data/definitions/89.html) advisory.",
- Severity: severities.High.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-26",
+ SafeExample: SampleSafeHSJAVA26,
+ UnsafeExample: SampleVulnerableHSJAVA26,
+ Name: "SQL Injection With SqlUtil",
+ Description: "The method identified is susceptible to injection. The input should be validated and properly escaped. For more information checkout the CWE-89 (https://cwe.mitre.org/data/definitions/89.html) advisory.",
+ Severity: severities.High.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -496,11 +537,13 @@ func NewSQLInjectionWithSqlUtil() *text.Rule {
 func NewNoUseFridaServer() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-27",
- Name: "No Use Frida Server",
- Description: "This App detects frida server.",
- Severity: severities.High.ToString(),
- Confidence: confidence.High.ToString(),
+ ID: "HS-JAVA-27",
+ SafeExample: SampleSafeHSJAVA27,
+ UnsafeExample: SampleVulnerableHSJAVA27,
+ Name: "No Use Frida Server",
+ Description: "This App detects frida server.",
+ Severity: severities.High.ToString(),
+ Confidence: confidence.High.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
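Review bot: In the HS-JAVA-27 hunk, `Description: "This App detects frida server."` describes a protective anti-instrumentation check, yet the rule keeps `Severity: severities.High.ToString()` and is now paired with a `SafeExample`, which for this rule would presumably be the app without the detection, i.e. the less hardened variant. If the intent is to flag that the app relies on a client-side Frida check that an attacker with instrumentation can hook out, the description should say so, e.g. `Description: "Frida server detection found. Client-side anti-instrumentation checks can be bypassed and must not be the only control protecting sensitive logic.",`; otherwise a High finding reads as penalising a hardening measure. It would also help to document on the sample constants what "safe" means for a rule of this kind. NewNoUseFridaServer continues past the hunk.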
@@ -514,11 +557,13 @@ func NewNoUseFridaServer() *text.Rule {
 func NewNoUseSSLPinningLib() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-28",
- Name: "No Use SSL Pinning Lib",
- Description: "This App uses an SSL Pinning Library (org.thoughtcrime.ssl.pinning) to prevent MITM attacks in secure communication channel.",
- Severity: severities.High.ToString(),
- Confidence: confidence.High.ToString(),
+ ID: "HS-JAVA-28",
+ SafeExample: SampleSafeHSJAVA28,
+ UnsafeExample: SampleVulnerableHSJAVA28,
+ Name: "No Use SSL Pinning Lib",
+ Description: "This App uses an SSL Pinning Library (org.thoughtcrime.ssl.pinning) to prevent MITM attacks in secure communication channel.",
+ Severity: severities.High.ToString(),
+ Confidence: confidence.High.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -531,11 +576,13 @@ func NewNoUseSSLPinningLib() *text.Rule {
 func NewNoUseDexGuardAppDebuggable() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-29",
- Name: "DexGuard Debug Detection",
- Description: "DexGuard Debug Detection code to detect whatever an App is debuggable or not is identified.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.High.ToString(),
+ ID: "HS-JAVA-29",
+ SafeExample: SampleSafeHSJAVA29,
+ UnsafeExample: SampleVulnerableHSJAVA29,
+ Name: "DexGuard Debug Detection",
+ Description: "DexGuard Debug Detection code to detect whatever an App is debuggable or not is identified.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.High.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
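Review bot: The re-added `Description` of HS-JAVA-28 says the app uses org.thoughtcrime.ssl.pinning "to prevent MITM attacks", which is the desired behaviour, yet `Severity: severities.High.ToString()` and `Confidence: confidence.High.ToString()` report it as a high-severity finding, so the name "No Use SSL Pinning Lib" and the description contradict each other. If the rule is meant to flag this particular library (for instance because it is no longer maintained) or to surface pinning so it can be audited for bypasses, the description should state that reason; if it merely reports that pinning is present, Info would match the text. A `SafeExample` for a rule that fires on pinning presumably contains no pinning at all, which is not the safer sample, so the constant deserves a comment explaining what "safe" means here. NewNoUseSSLPinningLib continues past the hunk.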
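Review bot: The re-added `Description` of HS-JAVA-29 reads `detect whatever an App is debuggable`, where `whether` is meant; proposed `Description: "DexGuard Debug Detection code to detect whether an App is debuggable or not is identified.",`. This string is what users see in reports, so the typo is visible output rather than a comment nit. NewNoUseDexGuardAppDebuggable continues past the hunk.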
@@ -548,11 +595,13 @@ func NewNoUseDexGuardAppDebuggable() *text.Rule {
 func NewNoUseDexGuardDebuggerConnected() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-30",
- Name: "No Use DexGuard Debugger Connected",
- Description: "DexGuard Debugger Detection code is identified.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.High.ToString(),
+ ID: "HS-JAVA-30",
+ SafeExample: SampleSafeHSJAVA30,
+ UnsafeExample: SampleVulnerableHSJAVA30,
+ Name: "No Use DexGuard Debugger Connected",
+ Description: "DexGuard Debugger Detection code is identified.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.High.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -565,11 +614,13 @@ func NewNoUseDexGuardDebuggerConnected() *text.Rule {
 func NewNoUseDexGuardEmulatorDetection() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-31",
- Name: "No Use DexGuard Emulator Detection",
- Description: "DexGuard Emulator Detection code is identified.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.High.ToString(),
+ ID: "HS-JAVA-31",
+ SafeExample: SampleSafeHSJAVA31,
+ UnsafeExample: SampleVulnerableHSJAVA31,
+ Name: "No Use DexGuard Emulator Detection",
+ Description: "DexGuard Emulator Detection code is identified.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.High.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -582,11 +633,13 @@ func NewNoUseDexGuardEmulatorDetection() *text.Rule {
 func NewNoUseDexGuardWithDebugKey() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-32",
- Name: "No Use DexGuard With Debug Key",
- Description: "DexGuard code to detect wheather the App is signed with a debug key or not is identified.",
- Severity: severities.High.ToString(),
- Confidence: confidence.High.ToString(),
+ ID: "HS-JAVA-32",
+ SafeExample: SampleSafeHSJAVA32,
+ UnsafeExample: SampleVulnerableHSJAVA32,
+ Name: "No Use DexGuard With Debug Key",
+ Description: "DexGuard code to detect wheather the App is signed with a debug key or not is identified.",
+ Severity: severities.High.ToString(),
+ Confidence: confidence.High.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -599,11 +652,13 @@ func NewNoUseDexGuardWithDebugKey() *text.Rule {
 func NewNoUseDexGuardRoot() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-33",
- Name: "No Use DexGuard Root",
- Description: "DexGuard Root Detection code is identified",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Medium.ToString(),
+ ID: "HS-JAVA-33",
+ SafeExample: SampleSafeHSJAVA33,
+ UnsafeExample: SampleVulnerableHSJAVA33,
+ Name: "No Use DexGuard Root",
+ Description: "DexGuard Root Detection code is identified",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Medium.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
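Review bot: The re-added `Description` of HS-JAVA-32 contains the misspelling `wheather`; proposed `Description: "DexGuard code to detect whether the App is signed with a debug key or not is identified.",`. The same hunk keeps `Severity: severities.High.ToString()` for what the text describes as a detection of debug-key signing, which is a hardening check like the neighbouring DexGuard rules that carry Medium; if High is deliberate because a debug-signed build is itself the finding, the description should say that rather than that the detection code "is identified". NewNoUseDexGuardWithDebugKey continues past the hunk.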
@@ -616,11 +671,13 @@ func NewNoUseDexGuardRoot() *text.Rule {
 func NewNoUseDexGuard() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-34",
- Name: "No Use DexGuard",
- Description: "DexGuard App Tamper Detection code is identified",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Medium.ToString(),
+ ID: "HS-JAVA-34",
+ SafeExample: SampleSafeHSJAVA34,
+ UnsafeExample: SampleVulnerableHSJAVA34,
+ Name: "No Use DexGuard",
+ Description: "DexGuard App Tamper Detection code is identified",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Medium.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -633,11 +690,13 @@ func NewNoUseDexGuard() *text.Rule {
 func NewNoUseDexGuardInSigner() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-35",
- Name: "No Use DexGuard in signer",
- Description: "DexGuard Signer Certificate Tamper Detection code is identified",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-35",
+ SafeExample: SampleSafeHSJAVA35,
+ UnsafeExample: SampleVulnerableHSJAVA35,
+ Name: "No Use DexGuard in signer",
+ Description: "DexGuard Signer Certificate Tamper Detection code is identified",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -650,11 +709,13 @@ func NewNoUseDexGuardInSigner() *text.Rule {
 func NewNoUsePackageWithTamperDetection() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-36",
- Name: "No use package with tamper detection.",
- Description: "The App may use package signature for tamper detection.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Medium.ToString(),
+ ID: "HS-JAVA-36",
+ SafeExample: SampleSafeHSJAVA36,
+ UnsafeExample: SampleVulnerableHSJAVA36,
+ Name: "No use package with tamper detection.",
+ Description: "The App may use package signature for tamper detection.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Medium.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -667,11 +728,13 @@ func NewNoUsePackageWithTamperDetection() *text.Rule {
 func NewLoadAndManipulateDexFiles() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-37",
- Name: "Load and Manipulate Dex Files",
- Description: "Load and Manipulate Dex Files",
- Severity: severities.Low.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-37",
+ SafeExample: SampleSafeHSJAVA37,
+ UnsafeExample: SampleVulnerableHSJAVA37,
+ Name: "Load and Manipulate Dex Files",
+ Description: "Load and Manipulate Dex Files",
+ Severity: severities.Low.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
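Review bot: In the HS-JAVA-37 hunk, `Description: "Load and Manipulate Dex Files"` only repeats `Name`, so a report reader gets no statement of the risk or of what to check, unlike HS-JAVA-18 earlier in this file, which explains that files in external storage can be modified by any application. Dynamically loaded dex code runs with the application's own privileges, so the description should say what makes the load dangerous and where to look, e.g. `Description: "The app loads and manipulates dex files at runtime. Code loaded from a location another app can write to, or fetched over the network, can be replaced by an attacker and runs with the application's privileges; verify the origin and integrity of any dynamically loaded code.",`. NewLoadAndManipulateDexFiles continues past the hunk.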
@@ -684,11 +747,13 @@ func NewLoadAndManipulateDexFiles() *text.Rule {
 func NewObfuscation() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-38",
- Name: "Obfuscation",
- Description: "Obfuscation",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Medium.ToString(),
+ ID: "HS-JAVA-38",
+ SafeExample: SampleSafeHSJAVA38,
+ UnsafeExample: SampleVulnerableHSJAVA38,
+ Name: "Obfuscation",
+ Description: "Obfuscation",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Medium.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -701,11 +766,13 @@ func NewObfuscation() *text.Rule {
 func NewExecuteOSCommand() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-39",
- Name: "Execute OS Command",
- Description: "Execute OS Command. For more information checkout the CWE-78 (https://cwe.mitre.org/data/definitions/78.html) advisory.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.High.ToString(),
+ ID: "HS-JAVA-39",
+ SafeExample: SampleSafeHSJAVA39,
+ UnsafeExample: SampleVulnerableHSJAVA39,
+ Name: "Execute OS Command",
+ Description: "Execute OS Command. For more information checkout the CWE-78 (https://cwe.mitre.org/data/definitions/78.html) advisory.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.High.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
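Review bot: In the HS-JAVA-38 hunk, `Description: "Obfuscation"` is the rule name restated and tells the reader nothing, and `Severity: severities.Medium.ToString()` for detecting obfuscation is hard to justify, since obfuscation is a hardening measure rather than a weakness in itself. Either the description should explain what a match signifies (presumably that the code looks obfuscated and therefore warrants manual review, or that secrets or checks rely on obfuscation for their protection) or the severity should be Info to match a purely informational finding. Proposed: `Description: "Code obfuscation detected. Obfuscation hides but does not protect secrets or security checks; review whether sensitive data or logic relies on it.",`. NewObfuscation continues past the hunk.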
@@ -719,11 +786,13 @@ func NewExecuteOSCommand() *text.Rule {
 func NewTCPServerSocket() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-40",
- Name: "TCP Server Socket",
- Description: "TCP Server Socket",
- Severity: severities.Low.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-40",
+ SafeExample: SampleSafeHSJAVA40,
+ UnsafeExample: SampleVulnerableHSJAVA40,
+ Name: "TCP Server Socket",
+ Description: "TCP Server Socket",
+ Severity: severities.Low.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -736,11 +805,13 @@ func NewTCPServerSocket() *text.Rule {
 func NewTCPSocket() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-41",
- Name: "TCP Socket",
- Description: "TCP Socket",
- Severity: severities.Low.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-41",
+ SafeExample: SampleSafeHSJAVA41,
+ UnsafeExample: SampleVulnerableHSJAVA41,
+ Name: "TCP Socket",
+ Description: "TCP Socket",
+ Severity: severities.Low.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -753,11 +824,13 @@ func NewTCPSocket() *text.Rule {
 func NewUDPDatagramPacket() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-42",
- Name: "UDP Datagram Packet",
- Description: "UDP Datagram Packet",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-42",
+ SafeExample: SampleSafeHSJAVA42,
+ UnsafeExample: SampleVulnerableHSJAVA42,
+ Name: "UDP Datagram Packet",
+ Description: "UDP Datagram Packet",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
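Review bot: In the HS-JAVA-42 hunk, `Severity: severities.Medium.ToString()` on the UDP Datagram Packet rule is one step above the `Low` that the TCP Server Socket and TCP Socket rules in the two preceding hunks carry, and none of the three one-word descriptions explains why a datagram is riskier than a stream socket. Either align the three severities or let the description carry the rationale, e.g. `Description: "UDP Datagram Packet. Datagram traffic is unauthenticated and unencrypted unless the application adds both; verify that no sensitive data is sent over it.",`. A description that merely repeats the name also gives the `SafeExample`/`UnsafeExample` pair nothing to illustrate. All three functions continue past their hunks.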
@@ -770,11 +843,13 @@ func NewUDPDatagramPacket() *text.Rule {
 func NewUDPDatagramSocket() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-43",
- Name: "UDP Datagram Socket",
- Description: "UDP Datagram Socket",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.High.ToString(),
+ ID: "HS-JAVA-43",
+ SafeExample: SampleSafeHSJAVA43,
+ UnsafeExample: SampleVulnerableHSJAVA43,
+ Name: "UDP Datagram Socket",
+ Description: "UDP Datagram Socket",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.High.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -787,11 +862,13 @@ func NewUDPDatagramSocket() *text.Rule {
 func NewWebViewScriptInterface() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-44",
- Name: "WebView Script Interface",
- Description: "WebView Script Interface",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.High.ToString(),
+ ID: "HS-JAVA-44",
+ SafeExample: SampleSafeHSJAVA44,
+ UnsafeExample: SampleVulnerableHSJAVA44,
+ Name: "WebView Script Interface",
+ Description: "WebView Script Interface",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.High.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -804,11 +881,13 @@ func NewWebViewScriptInterface() *text.Rule {
 func NewGetCellInformation() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-45",
- Name: "Get Cell Information",
- Description: "Get Cell Information",
- Severity: severities.Low.ToString(),
- Confidence: confidence.Medium.ToString(),
+ ID: "HS-JAVA-45",
+ SafeExample: SampleSafeHSJAVA45,
+ UnsafeExample: SampleVulnerableHSJAVA45,
+ Name: "Get Cell Information",
+ Description: "Get Cell Information",
+ Severity: severities.Low.ToString(),
+ Confidence: confidence.Medium.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
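Review bot: In the HS-JAVA-44 hunk, `Description: "WebView Script Interface"` says nothing about the risk, while the related HS-JAVA-19 rule earlier in this file explains that executing user-controlled code in a WebView is critical and cites CWE-749. Presumably this rule matches a JavaScript interface being attached to a WebView, which exposes the bound Java methods to whatever page the WebView loads; the description should state that and carry the same CWE-749 reference, e.g. `Description: "A JavaScript interface is exposed to the WebView. Any page the WebView loads can call the exposed methods; restrict the content loaded and the methods exposed. For more information checkout the CWE-749 (https://cwe.mitre.org/data/definitions/749.html) advisory.",`. The matched pattern itself is in the `Expressions` list, which is outside the hunk. NewWebViewScriptInterface continues past the hunk.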
@@ -821,11 +900,13 @@ func NewGetCellInformation() *text.Rule {
 func NewGetCellLocation() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-46",
- Name: "Get Cell Location",
- Description: "Get Cell Location",
- Severity: severities.Low.ToString(),
- Confidence: confidence.Medium.ToString(),
+ ID: "HS-JAVA-46",
+ SafeExample: SampleSafeHSJAVA46,
+ UnsafeExample: SampleVulnerableHSJAVA46,
+ Name: "Get Cell Location",
+ Description: "Get Cell Location",
+ Severity: severities.Low.ToString(),
+ Confidence: confidence.Medium.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -838,11 +919,13 @@ func NewGetCellLocation() *text.Rule {
 func NewGetSubscriberID() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-47",
- Name: "Get Subscriber ID",
- Description: "Get Subscriber ID",
- Severity: severities.Low.ToString(),
- Confidence: confidence.Medium.ToString(),
+ ID: "HS-JAVA-47",
+ SafeExample: SampleSafeHSJAVA47,
+ UnsafeExample: SampleVulnerableHSJAVA47,
+ Name: "Get Subscriber ID",
+ Description: "Get Subscriber ID",
+ Severity: severities.Low.ToString(),
+ Confidence: confidence.Medium.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -855,11 +938,13 @@ func NewGetSubscriberID() *text.Rule {
 func NewGetDeviceID() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-48",
- Name: "Get Device ID",
- Description: "Get Device ID",
- Severity: severities.Low.ToString(),
- Confidence: confidence.Medium.ToString(),
+ ID: "HS-JAVA-48",
+ SafeExample: SampleSafeHSJAVA48,
+ UnsafeExample: SampleVulnerableHSJAVA48,
+ Name: "Get Device ID",
+ Description: "Get Device ID",
+ Severity: severities.Low.ToString(),
+ Confidence: confidence.Medium.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
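Review bot: In the HS-JAVA-47 hunk, `Description: "Get Subscriber ID"` restates the name without saying why reading the subscriber identity is flagged; the concern is privacy and tracking rather than an exploitable bug, and the text should say so, because a report entry consisting only of a name is routinely dismissed. Presumably the matched call returns the SIM subscriber identifier, which is a persistent value that survives reinstalls, so something like `Description: "The app reads the subscriber ID. This is a persistent identifier that can track the user across installs; collect it only when strictly required and never log it or send it in clear.",` would give the reader a reason and an action. The same shortcoming applies to the Cell Location and Device ID hunks on this line. NewGetSubscriberID continues past the hunk.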
@@ -872,11 +957,13 @@ func NewGetDeviceID() *text.Rule {
 func NewGetSoftwareVersion() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-49",
- Name: "Get Software Version, IMEI/SV etc",
- Description: "Get Software Version, IMEI/SV etc",
- Severity: severities.Low.ToString(),
- Confidence: confidence.Medium.ToString(),
+ ID: "HS-JAVA-49",
+ SafeExample: SampleSafeHSJAVA49,
+ UnsafeExample: SampleVulnerableHSJAVA49,
+ Name: "Get Software Version, IMEI/SV etc",
+ Description: "Get Software Version, IMEI/SV etc",
+ Severity: severities.Low.ToString(),
+ Confidence: confidence.Medium.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -889,11 +976,13 @@ func NewGetSoftwareVersion() *text.Rule {
 func NewGetSIMSerialNumber() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-50",
- Name: "Get SIM Serial Number",
- Description: "Get SIM Serial Number",
- Severity: severities.Low.ToString(),
- Confidence: confidence.Medium.ToString(),
+ ID: "HS-JAVA-50",
+ SafeExample: SampleSafeHSJAVA50,
+ UnsafeExample: SampleVulnerableHSJAVA50,
+ Name: "Get SIM Serial Number",
+ Description: "Get SIM Serial Number",
+ Severity: severities.Low.ToString(),
+ Confidence: confidence.Medium.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -906,11 +995,13 @@ func NewGetSIMSerialNumber() *text.Rule {
 func NewGetSIMProviderDetails() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-51",
- Name: "Get SIM Provider Details",
- Description: "Get SIM Provider Details",
- Severity: severities.Low.ToString(),
- Confidence: confidence.Medium.ToString(),
+ ID: "HS-JAVA-51",
+ SafeExample: SampleSafeHSJAVA51,
+ UnsafeExample: SampleVulnerableHSJAVA51,
+ Name: "Get SIM Provider Details",
+ Description: "Get SIM Provider Details",
+ Severity: severities.Low.ToString(),
+ Confidence: confidence.Medium.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -923,11 +1014,13 @@ func NewGetSIMProviderDetails() *text.Rule {
 func NewGetSIMOperatorName() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-52",
- Name: "Get SIM Operator Name",
- Description: "Get SIM Operator Name",
- Severity: severities.Low.ToString(),
- Confidence: confidence.Medium.ToString(),
+ ID: "HS-JAVA-52",
+ SafeExample: SampleSafeHSJAVA52,
+ UnsafeExample: SampleVulnerableHSJAVA52,
+ Name: "Get SIM Operator Name",
+ Description: "Get SIM Operator Name",
+ Severity: severities.Low.ToString(),
+ Confidence: confidence.Medium.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -940,11 +1033,13 @@ func NewGetSIMOperatorName() *text.Rule {
 func NewQueryDatabaseOfSMSContacts() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-53",
- Name: "Query Database of SMS, Contacts etc.",
- Description: "Query Database of SMS, Contacts etc.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-53",
+ SafeExample: SampleSafeHSJAVA53,
+ UnsafeExample: SampleVulnerableHSJAVA53,
+ Name: "Query Database of SMS, Contacts etc.",
+ Description: "Query Database of SMS, Contacts etc.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -958,11 +1053,13 @@ func NewQueryDatabaseOfSMSContacts() *text.Rule {
 func NewPotentialPathTraversal() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-54",
- Name: "Potential Path Traversal (file read)",
- Description: `A file is opened to read its content. The filename comes from an input parameter. If an unfiltered parameter is passed to this file API, files from an arbitrary filesystem location could be read. This rule identifies potential path traversal vulnerabilities. Please consider use this example: "new File("resources/images/", FilenameUtils.getName(value_received_in_params))". For more information checkout the CWE-22 (https://cwe.mitre.org/data/definitions/22.html) advisory.`,
- Severity: severities.High.ToString(),
- Confidence: confidence.High.ToString(),
+ ID: "HS-JAVA-54",
+ SafeExample: SampleSafeHSJAVA54,
+ UnsafeExample: SampleVulnerableHSJAVA54,
+ Name: "Potential Path Traversal (file read)",
+ Description: `A file is opened to read its content. The filename comes from an input parameter. If an unfiltered parameter is passed to this file API, files from an arbitrary filesystem location could be read. This rule identifies potential path traversal vulnerabilities. Please consider use this example: "new File("resources/images/", FilenameUtils.getName(value_received_in_params))". For more information checkout the CWE-22 (https://cwe.mitre.org/data/definitions/22.html) advisory.`,
+ Severity: severities.High.ToString(),
+ Confidence: confidence.High.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -975,11 +1072,13 @@ func NewPotentialPathTraversal() *text.Rule {
 func NewJakartaAndPotentialPathTraversal() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-55",
- Name: "Potential Path Traversal (file read)",
- Description: `A file is opened to read its content. The filename comes from an input parameter. If an unfiltered parameter is passed to this file API, files from an arbitrary filesystem location could be read. This rule identifies potential path traversal vulnerabilities. Please consider use this example: "new File("resources/images/", FilenameUtils.getName(value_received_in_params))". For more information checkout the CWE-22 (https://cwe.mitre.org/data/definitions/22.html) advisory.`,
- Severity: severities.High.ToString(),
- Confidence: confidence.High.ToString(),
+ ID: "HS-JAVA-55",
+ SafeExample: SampleSafeHSJAVA55,
+ UnsafeExample: SampleVulnerableHSJAVA55,
+ Name: "Potential Path Traversal (file read)",
+ Description: `A file is opened to read its content. The filename comes from an input parameter. If an unfiltered parameter is passed to this file API, files from an arbitrary filesystem location could be read. This rule identifies potential path traversal vulnerabilities. Please consider use this example: "new File("resources/images/", FilenameUtils.getName(value_received_in_params))". For more information checkout the CWE-22 (https://cwe.mitre.org/data/definitions/22.html) advisory.`,
+ Severity: severities.High.ToString(),
+ Confidence: confidence.High.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
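Review bot: HS-JAVA-55 keeps `Name: "Potential Path Traversal (file read)"`, byte-identical to HS-JAVA-54's name in the previous hunk, so two rules with different IDs and, judging by the function name `NewJakartaAndPotentialPathTraversal`, different match patterns are indistinguishable by name in a report. Suggest naming the variant, e.g. `Name: "Potential Path Traversal (file read, Jakarta)",`, and adding a sentence to the description saying which API family this rule targets. The description's remediation example relies on `FilenameUtils.getName`, which is not part of the JDK; saying it comes from commons-io (and that it strips directory components, which is why it helps) would save the reader a lookup. The function continues past the hunk.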
@@ -992,11 +1091,13 @@ func NewJakartaAndPotentialPathTraversal() *text.Rule {
 func NewPotentialPathTraversalUsingScalaAPI() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-56",
- Name: "Potential Path Traversal Using scala API (file read)",
- Description: `A file is opened to read its content. The filename comes from an input parameter. If an unfiltered parameter is passed to this file API, files from an arbitrary filesystem location could be read. Please consider use this example: "val result = Source.fromFile("public/lists/" + FilenameUtils.getName(value_received_in_params)).getLines().mkString". For more information checkout the CWE-22 (https://cwe.mitre.org/data/definitions/22.html) advisory.`,
- Severity: severities.Low.ToString(),
- Confidence: confidence.Medium.ToString(),
+ ID: "HS-JAVA-56",
+ SafeExample: SampleSafeHSJAVA56,
+ UnsafeExample: SampleVulnerableHSJAVA56,
+ Name: "Potential Path Traversal Using scala API (file read)",
+ Description: `A file is opened to read its content. The filename comes from an input parameter. If an unfiltered parameter is passed to this file API, files from an arbitrary filesystem location could be read. Please consider use this example: "val result = Source.fromFile("public/lists/" + FilenameUtils.getName(value_received_in_params)).getLines().mkString". For more information checkout the CWE-22 (https://cwe.mitre.org/data/definitions/22.html) advisory.`,
+ Severity: severities.Low.ToString(),
+ Confidence: confidence.Medium.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
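Review bot: `Severity: severities.Low.ToString()` for the Scala path-traversal rule sits against `High` on HS-JAVA-54 and HS-JAVA-55 in the two preceding hunks, all three citing CWE-22 for the same unfiltered-filename-to-file-API pattern; reading an arbitrary file is no less severe because the call is `Source.fromFile`. Unless the lower value reflects a deliberately looser pattern (the `Expressions` list is outside the hunk), align it with the other two, `Severity: severities.High.ToString(),`, and let `Confidence` carry the uncertainty, which is what that field is for. NewPotentialPathTraversalUsingScalaAPI continues past the hunk.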
@@ -1008,11 +1109,13 @@ func NewPotentialPathTraversalUsingScalaAPI() *text.Rule {
 func NewSMTPHeaderInjection() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-57",
- Name: "SMTP Header Injection",
- Description: "If user input is place in a header line, the application should remove or replace new line characters (CR / LF). For more information checkout the CWE-93 (https://cwe.mitre.org/data/definitions/93.html) advisory.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-57",
+ SafeExample: SampleSafeHSJAVA57,
+ UnsafeExample: SampleVulnerableHSJAVA57,
+ Name: "SMTP Header Injection",
+ Description: "If user input is place in a header line, the application should remove or replace new line characters (CR / LF). For more information checkout the CWE-93 (https://cwe.mitre.org/data/definitions/93.html) advisory.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
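Review bot: The re-added `Description` reads `If user input is place in a header line`, which should be `placed`; proposed `Description: "If user input is placed in a header line, the application should remove or replace new line characters (CR / LF). For more information checkout the CWE-93 (https://cwe.mitre.org/data/definitions/93.html) advisory.",`. Since the rule ships with `Confidence: confidence.Low.ToString()`, a short statement of which call is being matched (the function name suggests a mail header setter, but the `Expressions` are outside the hunk) would make triage of the expected false positives easier. NewSMTPHeaderInjection continues past the hunk.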
@@ -1026,11 +1129,13 @@ func NewSMTPHeaderInjection() *text.Rule {
 func NewInsecureSMTPSSLConnection() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-58",
- Name: "Insecure SMTP SSL connection",
- Description: "Some email libraries that enable SSL connections do not verify the server certificate by default. This is equivalent to trusting all certificates. For more information checkout the CWE-297 (https://cwe.mitre.org/data/definitions/297.html) advisory.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.High.ToString(),
+ ID: "HS-JAVA-58",
+ SafeExample: SampleSafeHSJAVA58,
+ UnsafeExample: SampleVulnerableHSJAVA58,
+ Name: "Insecure SMTP SSL connection",
+ Description: "Some email libraries that enable SSL connections do not verify the server certificate by default. This is equivalent to trusting all certificates. For more information checkout the CWE-297 (https://cwe.mitre.org/data/definitions/297.html) advisory.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.High.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -1043,11 +1148,13 @@ func NewInsecureSMTPSSLConnection() *text.Rule {
 func NewPersistentCookieUsage() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-59",
- Name: "Persistent Cookie Usage",
- Description: "Storing sensitive data in a persistent cookie for an extended period can lead to a breach of confidentiality or account compromise. For more information checkout the CWE-539 (https://cwe.mitre.org/data/definitions/539.html) advisory.",
- Severity: severities.Low.ToString(),
- Confidence: confidence.Medium.ToString(),
+ ID: "HS-JAVA-59",
+ SafeExample: SampleSafeHSJAVA59,
+ UnsafeExample: SampleVulnerableHSJAVA59,
+ Name: "Persistent Cookie Usage",
+ Description: "Storing sensitive data in a persistent cookie for an extended period can lead to a breach of confidentiality or account compromise. For more information checkout the CWE-539 (https://cwe.mitre.org/data/definitions/539.html) advisory.",
+ Severity: severities.Low.ToString(),
+ Confidence: confidence.Medium.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -1060,11 +1167,13 @@ func NewPersistentCookieUsage() *text.Rule {
 func NewAnonymousLDAPBind() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-60",
- Name: "Anonymous LDAP bind",
- Description: "All LDAP queries executed against the context will be performed without authentication and access control. For more information checkout the (https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html) advisory.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.High.ToString(),
+ ID: "HS-JAVA-60",
+ SafeExample: SampleSafeHSJAVA60,
+ UnsafeExample: SampleVulnerableHSJAVA60,
+ Name: "Anonymous LDAP bind",
+ Description: "All LDAP queries executed against the context will be performed without authentication and access control. For more information checkout the (https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html) advisory.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.High.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -1077,11 +1186,13 @@ func NewAnonymousLDAPBind() *text.Rule {
 func NewLDAPEntryPoisoning() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-61",
- Name: "LDAP Entry Poisoning",
- Description: "If certain attributes are presented, the deserialization of object will be made in the application querying the directory. Object deserialization should be consider a risky operation that can lead to remote code execution. For more information checkout the (https://blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day-evaded-javas-click-to-play-protection) advisory.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-61",
+ SafeExample: SampleSafeHSJAVA61,
+ UnsafeExample: SampleVulnerableHSJAVA61,
+ Name: "LDAP Entry Poisoning",
+ Description: "If certain attributes are presented, the deserialization of object will be made in the application querying the directory. Object deserialization should be consider a risky operation that can lead to remote code execution. For more information checkout the (https://blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day-evaded-javas-click-to-play-protection) advisory.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -1094,11 +1205,13 @@ func NewLDAPEntryPoisoning() *text.Rule {
 func NewIgnoringXMLCommentsInSAML() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-62",
- Name: "Ignoring XML comments in SAML",
- Description: "Security Assertion Markup Language (SAML) is a single sign-on protocol that that used XML. The SAMLResponse message include statements that describe the authenticated user. If a user manage to place XML comments (), it may caused issue in the way the parser extract literal value. For more information checkout the (https://spring.io/blog/2018/03/01/spring-security-saml-and-this-week-s-saml-vulnerability) advisory.",
- Severity: severities.Low.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-62",
+ SafeExample: SampleSafeHSJAVA62,
+ UnsafeExample: SampleVulnerableHSJAVA62,
+ Name: "Ignoring XML comments in SAML",
+ Description: "Security Assertion Markup Language (SAML) is a single sign-on protocol that that used XML. The SAMLResponse message include statements that describe the authenticated user. If a user manage to place XML comments (), it may caused issue in the way the parser extract literal value. For more information checkout the (https://spring.io/blog/2018/03/01/spring-security-saml-and-this-week-s-saml-vulnerability) advisory.",
+ Severity: severities.Low.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -1111,11 +1224,13 @@ func NewIgnoringXMLCommentsInSAML() *text.Rule {
 func NewInformationExposureThroughAnErrorMessage() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-63",
- Name: "Information Exposure Through An Error Message",
- Description: "The sensitive information may be valuable information on its own (such as a password), or it may be useful for launching other, more deadly attacks. For more information checkout the CWE-209 (https://cwe.mitre.org/data/definitions/209.html) advisory.",
- Severity: severities.High.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-63",
+ SafeExample: SampleSafeHSJAVA63,
+ UnsafeExample: SampleVulnerableHSJAVA63,
+ Name: "Information Exposure Through An Error Message",
+ Description: "The sensitive information may be valuable information on its own (such as a password), or it may be useful for launching other, more deadly attacks. For more information checkout the CWE-209 (https://cwe.mitre.org/data/definitions/209.html) advisory.",
+ Severity: severities.High.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -1128,11 +1243,13 @@ func NewInformationExposureThroughAnErrorMessage() *text.Rule {
 func NewHTTPParameterPollution() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-64",
- Name: "HTTP Parameter Pollution",
- Description: "Concatenating unvalidated user input into a URL can allow an attacker to override the value of a request parameter. For more information checkout the CAPEC-460 (https://capec.mitre.org/data/definitions/460.html) advisory.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Medium.ToString(),
+ ID: "HS-JAVA-64",
+ SafeExample: SampleSafeHSJAVA64,
+ UnsafeExample: SampleVulnerableHSJAVA64,
+ Name: "HTTP Parameter Pollution",
+ Description: "Concatenating unvalidated user input into a URL can allow an attacker to override the value of a request parameter. For more information checkout the CAPEC-460 (https://capec.mitre.org/data/definitions/460.html) advisory.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Medium.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -1145,11 +1262,13 @@ func NewHTTPParameterPollution() *text.Rule {
 func NewAWSQueryInjection() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-65",
- Name: "AWS Query Injection",
- Description: "Constructing SimpleDB queries containing user input can allow an attacker to view unauthorized records. For more information checkout the CWE-943 (https://cwe.mitre.org/data/definitions/943.html) advisory.",
- Severity: severities.High.ToString(),
- Confidence: confidence.High.ToString(),
+ ID: "HS-JAVA-65",
+ SafeExample: SampleSafeHSJAVA65,
+ UnsafeExample: SampleVulnerableHSJAVA65,
+ Name: "AWS Query Injection",
+ Description: "Constructing SimpleDB queries containing user input can allow an attacker to view unauthorized records. For more information checkout the CWE-943 (https://cwe.mitre.org/data/definitions/943.html) advisory.",
+ Severity: severities.High.ToString(),
+ Confidence: confidence.High.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -1164,11 +1283,13 @@ func NewAWSQueryInjection() *text.Rule {
 func NewPotentialTemplateInjectionPebble() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-66",
- Name: "Potential template injection with Pebble ",
- Description: "A malicious user in control of a template can run malicious code on the server-side. Freemarker templates should be seen as scripts. For more information checkout the (https://portswigger.net/research/server-side-template-injection) advisory.",
- Severity: severities.Low.ToString(),
- Confidence: confidence.Medium.ToString(),
+ ID: "HS-JAVA-66",
+ SafeExample: SampleSafeHSJAVA66,
+ UnsafeExample: SampleVulnerableHSJAVA66,
+ Name: "Potential template injection with Pebble ",
+ Description: "A malicious user in control of a template can run malicious code on the server-side. Freemarker templates should be seen as scripts. For more information checkout the (https://portswigger.net/research/server-side-template-injection) advisory.",
+ Severity: severities.Low.ToString(),
+ Confidence: confidence.Medium.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
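Review bot: The HS-JAVA-66 Description on the `+` line still says `Freemarker templates should be seen as scripts.` although this rule is the Pebble one; the sentence appears to have been carried over from HS-JAVA-67 in the next hunk. Suggest `Pebble templates should be seen as scripts.` so the finding text matches the rule Name. The trailing space inside the Name literal `"Potential template injection with Pebble "` (also present in the new Name lines of HS-JAVA-67, 69, 71, 72 and 75) is worth trimming while these lines are being rewritten, since the value ends up verbatim in reports and in any lookup by name.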
@@ -1182,11 +1303,13 @@ func NewPotentialTemplateInjectionPebble() *text.Rule {
 func NewPotentialTemplateInjectionFreemarker() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-67",
- Name: "Potential template injection with Freemarker ",
- Description: "A malicious user in control of a template can run malicious code on the server-side. Freemarker templates should be seen as scripts. For more information checkout the (https://portswigger.net/research/server-side-template-injection) advisory.",
- Severity: severities.Low.ToString(),
- Confidence: confidence.Medium.ToString(),
+ ID: "HS-JAVA-67",
+ SafeExample: SampleSafeHSJAVA67,
+ UnsafeExample: SampleVulnerableHSJAVA67,
+ Name: "Potential template injection with Freemarker ",
+ Description: "A malicious user in control of a template can run malicious code on the server-side. Freemarker templates should be seen as scripts. For more information checkout the (https://portswigger.net/research/server-side-template-injection) advisory.",
+ Severity: severities.Low.ToString(),
+ Confidence: confidence.Medium.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -1200,11 +1323,13 @@ func NewPotentialTemplateInjectionFreemarker() *text.Rule {
 func NewRequestDispatcherFileDisclosure() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-68",
- Name: "Request Dispatcher File Disclosure",
- Description: "Constructing a server-side redirect path with user input could allow an attacker to download application binaries (including application classes or jar files) or view arbitrary files within protected directories. For more information checkout the CWE-552 (https://cwe.mitre.org/data/definitions/552.html) advisory.",
- Severity: severities.High.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-68",
+ SafeExample: SampleSafeHSJAVA68,
+ UnsafeExample: SampleVulnerableHSJAVA68,
+ Name: "Request Dispatcher File Disclosure",
+ Description: "Constructing a server-side redirect path with user input could allow an attacker to download application binaries (including application classes or jar files) or view arbitrary files within protected directories. For more information checkout the CWE-552 (https://cwe.mitre.org/data/definitions/552.html) advisory.",
+ Severity: severities.High.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -1217,11 +1342,13 @@ func NewRequestDispatcherFileDisclosure() *text.Rule {
 func NewSpringFileDisclosure() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-69",
- Name: "Spring File Disclosure ",
- Description: "Constructing a server-side redirect path with user input could allow an attacker to download application binaries (including application classes or jar files) or view arbitrary files within protected directories. For more information checkout the CWE-552 (https://cwe.mitre.org/data/definitions/552.html) advisory.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-69",
+ SafeExample: SampleSafeHSJAVA69,
+ UnsafeExample: SampleVulnerableHSJAVA69,
+ Name: "Spring File Disclosure ",
+ Description: "Constructing a server-side redirect path with user input could allow an attacker to download application binaries (including application classes or jar files) or view arbitrary files within protected directories. For more information checkout the CWE-552 (https://cwe.mitre.org/data/definitions/552.html) advisory.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -1234,11 +1361,13 @@ func NewSpringFileDisclosure() *text.Rule {
 func NewPotentialCodeScriptInjection() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-70",
- Name: "Potential code injection when using Script Engine",
- Description: "Dynamic code is being evaluate. A careful analysis of the code construction should be made. Malicious code execution could lead to data leakage or operating system compromised. For more information checkout the CWE-94 (https://cwe.mitre.org/data/definitions/94.html) advisory and checkout the CWE-95 (https://cwe.mitre.org/data/definitions/95.html) advisory",
- Severity: severities.High.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-70",
+ SafeExample: SampleSafeHSJAVA70,
+ UnsafeExample: SampleVulnerableHSJAVA70,
+ Name: "Potential code injection when using Script Engine",
+ Description: "Dynamic code is being evaluate. A careful analysis of the code construction should be made. Malicious code execution could lead to data leakage or operating system compromised. For more information checkout the CWE-94 (https://cwe.mitre.org/data/definitions/94.html) advisory and checkout the CWE-95 (https://cwe.mitre.org/data/definitions/95.html) advisory",
+ Severity: severities.High.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -1252,11 +1381,13 @@ func NewPotentialCodeScriptInjection() *text.Rule {
 func NewStrutsFileDisclosure() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-71",
- Name: "Struts File Disclosure ",
- Description: "Constructing a server-side redirect path with user input could allow an attacker to download application binaries (including application classes or jar files) or view arbitrary files within protected directories. For more information checkout the CWE-552 (https://cwe.mitre.org/data/definitions/552.html) advisory.",
- Severity: severities.High.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-71",
+ SafeExample: SampleSafeHSJAVA71,
+ UnsafeExample: SampleVulnerableHSJAVA71,
+ Name: "Struts File Disclosure ",
+ Description: "Constructing a server-side redirect path with user input could allow an attacker to download application binaries (including application classes or jar files) or view arbitrary files within protected directories. For more information checkout the CWE-552 (https://cwe.mitre.org/data/definitions/552.html) advisory.",
+ Severity: severities.High.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -1269,11 +1400,13 @@ func NewStrutsFileDisclosure() *text.Rule {
 func NewUnsafeJacksonDeserializationConfiguration() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-72",
- Name: "Unsafe Jackson deserialization configuration ",
- Description: "When the Jackson databind library is used incorrectly the deserialization of untrusted data can lead to remote code execution, if there is a class in classpath that allows the trigger of malicious operation.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Medium.ToString(),
+ ID: "HS-JAVA-72",
+ SafeExample: SampleSafeHSJAVA72,
+ UnsafeExample: SampleVulnerableHSJAVA72,
+ Name: "Unsafe Jackson deserialization configuration ",
+ Description: "When the Jackson databind library is used incorrectly the deserialization of untrusted data can lead to remote code execution, if there is a class in classpath that allows the trigger of malicious operation.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Medium.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -1287,11 +1420,13 @@ func NewUnsafeJacksonDeserializationConfiguration() *text.Rule {
 func NewObjectDeserializationUsed() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-73",
- Name: "Object deserialization is used",
- Description: "Object deserialization of untrusted data can lead to remote code execution, if there is a class in classpath that allows the trigger of malicious operation. For more information checkout the CWE-502 (https://cwe.mitre.org/data/definitions/502.html) advisory.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-73",
+ SafeExample: SampleSafeHSJAVA73,
+ UnsafeExample: SampleVulnerableHSJAVA73,
+ Name: "Object deserialization is used",
+ Description: "Object deserialization of untrusted data can lead to remote code execution, if there is a class in classpath that allows the trigger of malicious operation. For more information checkout the CWE-502 (https://cwe.mitre.org/data/definitions/502.html) advisory.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -1306,11 +1441,13 @@ func NewObjectDeserializationUsed() *text.Rule {
 func NewPotentialCodeScriptInjectionWithSpringExpression() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-74",
- Name: "Potential code injection when using Spring Expression",
- Description: "A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation. For more information checkout the CWE-94 (https://cwe.mitre.org/data/definitions/94.html) advisory and checkout the CWE-95 (https://cwe.mitre.org/data/definitions/95.html) advisory.",
- Severity: severities.Low.ToString(),
- Confidence: confidence.Medium.ToString(),
+ ID: "HS-JAVA-74",
+ SafeExample: SampleSafeHSJAVA74,
+ UnsafeExample: SampleVulnerableHSJAVA74,
+ Name: "Potential code injection when using Spring Expression",
+ Description: "A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation. For more information checkout the CWE-94 (https://cwe.mitre.org/data/definitions/94.html) advisory and checkout the CWE-95 (https://cwe.mitre.org/data/definitions/95.html) advisory.",
+ Severity: severities.Low.ToString(),
+ Confidence: confidence.Medium.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -1323,11 +1460,13 @@ func NewPotentialCodeScriptInjectionWithSpringExpression() *text.Rule {
 func NewCookieWithoutTheHttpOnlyFlag() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-75",
- Name: "Cookie without the HttpOnly flag ",
- Description: "A new cookie is created without the HttpOnly flag set. For more information checkout the (https://owasp.org/www-community/HttpOnly) advisory.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-75",
+ SafeExample: SampleSafeHSJAVA75,
+ UnsafeExample: SampleVulnerableHSJAVA75,
+ Name: "Cookie without the HttpOnly flag ",
+ Description: "A new cookie is created without the HttpOnly flag set. For more information checkout the (https://owasp.org/www-community/HttpOnly) advisory.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -1340,11 +1479,13 @@ func NewCookieWithoutTheHttpOnlyFlag() *text.Rule {
 func NewWebViewWithGeolocationActivated() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-76",
- Name: "WebView with geolocation activated",
- Description: "It is suggested to ask the user for a confirmation about obtaining its geolocation.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-76",
+ SafeExample: SampleSafeHSJAVA76,
+ UnsafeExample: SampleVulnerableHSJAVA76,
+ Name: "WebView with geolocation activated",
+ Description: "It is suggested to ask the user for a confirmation about obtaining its geolocation.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -1358,11 +1499,13 @@ func NewWebViewWithGeolocationActivated() *text.Rule {
 func NewUseOfESAPIEncryptor() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-77",
- Name: "Use of ESAPI Encryptor",
- Description: "The ESAPI has a small history of vulnerabilities within the cryptography component. Here is a quick validation list to make sure the Authenticated Encryption is working as expected. For more information checkout the CWE-310 (https://cwe.mitre.org/data/definitions/310.html) advisory",
- Severity: severities.Critical.ToString(),
- Confidence: confidence.High.ToString(),
+ ID: "HS-JAVA-77",
+ SafeExample: SampleSafeHSJAVA77,
+ UnsafeExample: SampleVulnerableHSJAVA77,
+ Name: "Use of ESAPI Encryptor",
+ Description: "The ESAPI has a small history of vulnerabilities within the cryptography component. Here is a quick validation list to make sure the Authenticated Encryption is working as expected. For more information checkout the CWE-310 (https://cwe.mitre.org/data/definitions/310.html) advisory",
+ Severity: severities.Critical.ToString(),
+ Confidence: confidence.High.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -1377,11 +1520,13 @@ func NewUseOfESAPIEncryptor() *text.Rule {
 func NewStaticIV() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-78",
- Name: "Static IV",
- Description: "Initialization vector must be regenerated for each message to be encrypted. For more information checkout the CWE-329 (https://cwe.mitre.org/data/definitions/329.html) advisory",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Medium.ToString(),
+ ID: "HS-JAVA-78",
+ SafeExample: SampleSafeHSJAVA78,
+ UnsafeExample: SampleVulnerableHSJAVA78,
+ Name: "Static IV",
+ Description: "Initialization vector must be regenerated for each message to be encrypted. For more information checkout the CWE-329 (https://cwe.mitre.org/data/definitions/329.html) advisory",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Medium.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -1394,11 +1539,13 @@ func NewStaticIV() *text.Rule {
 func NewXMLDecoderUsage() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-79",
- Name: "XML Decoder usage",
- Description: "XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. For more information checkout the CWE-20 (https://cwe.mitre.org/data/definitions/20.html) advisory",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-79",
+ SafeExample: SampleSafeHSJAVA79,
+ UnsafeExample: SampleVulnerableHSJAVA79,
+ Name: "XML Decoder usage",
+ Description: "XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. For more information checkout the CWE-20 (https://cwe.mitre.org/data/definitions/20.html) advisory",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
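Review bot: The advisory reference on the HS-JAVA-79 `+ Description:` line points to CWE-20 (Improper Input Validation), but the weakness the sentence itself describes — XMLDecoder deserializing untrusted input into arbitrary code execution — is deserialization of untrusted data, which this same file already cites as CWE-502 for HS-JAVA-73; aligning the reference helps anyone triaging findings by CWE. The same kind of mismatch appears in the hunk for NewClassesShouldNotBeLoadedDynamically (HS-JAVA-85), whose Description cites CWE-326; that entry is Inadequate Encryption Strength and has nothing to do with class loading, and CWE-470 (externally-controlled input selecting classes or code) is the usual mapping, though the intended reference should be confirmed with the rule author. Both are text-only changes to the `Description` strings, e.g. `... checkout the CWE-502 (https://cwe.mitre.org/data/definitions/502.html) advisory` here.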
@@ -1411,11 +1558,13 @@ func NewXMLDecoderUsage() *text.Rule {
 func NewPotentialXSSInServlet() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-80",
- Name: "Potential XSS in Servlet",
- Description: "A potential XSS was found. It could be used to execute unwanted Script in a client's browser. For more information checkout the CWE-79 (https://cwe.mitre.org/data/definitions/79.html) advisory",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Medium.ToString(),
+ ID: "HS-JAVA-80",
+ SafeExample: SampleSafeHSJAVA80,
+ UnsafeExample: SampleVulnerableHSJAVA80,
+ Name: "Potential XSS in Servlet",
+ Description: "A potential XSS was found. It could be used to execute unwanted Script in a client's browser. For more information checkout the CWE-79 (https://cwe.mitre.org/data/definitions/79.html) advisory",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Medium.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -1429,11 +1578,13 @@ func NewPotentialXSSInServlet() *text.Rule {
 func NewEscapingOfSpecialXMLCharactersIsDisabled() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-81",
- Name: "Escaping of special XML characters is disabled",
- Description: "A potential XSS was found. It could be used to execute unwanted Script in a client's browser. For more information checkout the CWE-79 (https://cwe.mitre.org/data/definitions/79.html) advisory",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Medium.ToString(),
+ ID: "HS-JAVA-81",
+ SafeExample: SampleSafeHSJAVA81,
+ UnsafeExample: SampleVulnerableHSJAVA81,
+ Name: "Escaping of special XML characters is disabled",
+ Description: "A potential XSS was found. It could be used to execute unwanted Script in a client's browser. For more information checkout the CWE-79 (https://cwe.mitre.org/data/definitions/79.html) advisory",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Medium.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
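Review bot: The HS-JAVA-81 `+ Description:` line is a verbatim copy of HS-JAVA-80's text (`A potential XSS was found. It could be used to execute unwanted Script in a client's browser.`), so a user who receives this finding is never told that the actual condition is escaping being switched off, which is what the rule Name (and presumably its expressions, which lie outside this hunk) look for. Suggest a description that names the condition, along the lines of `Escaping of special XML/HTML characters has been disabled for this output, so user-controlled data can be rendered as markup and lead to XSS.`, keeping the existing CWE-79 link. While here, `Script` is capitalised mid-sentence in both HS-JAVA-80 and HS-JAVA-81.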
@@ -1446,11 +1597,13 @@ func NewEscapingOfSpecialXMLCharactersIsDisabled() *text.Rule {
 func NewDynamicVariableInSpringExpression() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-82",
- Name: "Dynamic variable in Spring expression",
- Description: "A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation. For more information checkout the CWE-95 (https://cwe.mitre.org/data/definitions/95.html) advisory",
- Severity: severities.Low.ToString(),
- Confidence: confidence.Medium.ToString(),
+ ID: "HS-JAVA-82",
+ SafeExample: SampleSafeHSJAVA82,
+ UnsafeExample: SampleVulnerableHSJAVA82,
+ Name: "Dynamic variable in Spring expression",
+ Description: "A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation. For more information checkout the CWE-95 (https://cwe.mitre.org/data/definitions/95.html) advisory",
+ Severity: severities.Low.ToString(),
+ Confidence: confidence.Medium.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -1463,11 +1616,13 @@ func NewDynamicVariableInSpringExpression() *text.Rule {
 func NewRSAUsageWithShortKey() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-83",
- Name: "RSA usage with short key",
- Description: "The NIST recommends the use of 2048 bits and higher keys for the RSA algorithm. For more information checkout the CWE-326 (https://cwe.mitre.org/data/definitions/326.html) advisory",
- Severity: severities.Critical.ToString(),
- Confidence: confidence.High.ToString(),
+ ID: "HS-JAVA-83",
+ SafeExample: SampleSafeHSJAVA83,
+ UnsafeExample: SampleVulnerableHSJAVA83,
+ Name: "RSA usage with short key",
+ Description: "The NIST recommends the use of 2048 bits and higher keys for the RSA algorithm. For more information checkout the CWE-326 (https://cwe.mitre.org/data/definitions/326.html) advisory",
+ Severity: severities.Critical.ToString(),
+ Confidence: confidence.High.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -1480,11 +1635,13 @@ func NewRSAUsageWithShortKey() *text.Rule {
 func NewBlowfishUsageWithShortKey() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-84",
- Name: "Blowfish usage with short key",
- Description: "The Blowfish cipher supports key sizes from 32 bits to 448 bits. A small key size makes the ciphertext vulnerable to brute force attacks. At least 128 bits of entropy should be used when generating the key if use of Blowfish is required. For more information checkout the CWE-326 (https://cwe.mitre.org/data/definitions/326.html) advisory",
- Severity: severities.Critical.ToString(),
- Confidence: confidence.High.ToString(),
+ ID: "HS-JAVA-84",
+ SafeExample: SampleSafeHSJAVA84,
+ UnsafeExample: SampleVulnerableHSJAVA84,
+ Name: "Blowfish usage with short key",
+ Description: "The Blowfish cipher supports key sizes from 32 bits to 448 bits. A small key size makes the ciphertext vulnerable to brute force attacks. At least 128 bits of entropy should be used when generating the key if use of Blowfish is required. For more information checkout the CWE-326 (https://cwe.mitre.org/data/definitions/326.html) advisory",
+ Severity: severities.Critical.ToString(),
+ Confidence: confidence.High.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -1497,11 +1654,13 @@ func NewBlowfishUsageWithShortKey() *text.Rule {
 func NewClassesShouldNotBeLoadedDynamically() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-85",
- Name: "Classes should not be loaded dynamically",
- Description: "Dynamically loaded classes could contain malicious code executed by a static class initializer. I.E. you wouldn't even have to instantiate or explicitly invoke methods on such classes to be vulnerable to an attack. For more information checkout the CWE-326 (https://cwe.mitre.org/data/definitions/326.html) advisory",
- Severity: severities.High.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-85",
+ SafeExample: SampleSafeHSJAVA85,
+ UnsafeExample: SampleVulnerableHSJAVA85,
+ Name: "Classes should not be loaded dynamically",
+ Description: "Dynamically loaded classes could contain malicious code executed by a static class initializer. I.E. you wouldn't even have to instantiate or explicitly invoke methods on such classes to be vulnerable to an attack. For more information checkout the CWE-326 (https://cwe.mitre.org/data/definitions/326.html) advisory",
+ Severity: severities.High.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -1534,11 +1693,13 @@ func NewClassesShouldNotBeLoadedDynamically() *text.Rule {
 func NewXPathExpressionsShouldNotBeVulnerableToInjectionAttacks() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-87",
- Name: "XPath expressions should not be vulnerable to injection attacks",
- Description: "User provided data, such as URL parameters, should always be considered untrusted and tainted. Constructing XPath expressions directly from tainted data enables attackers to inject specially crafted values that changes the initial meaning of the expression itself. Successful XPath injection attacks can read sensitive information from XML documents. For more information checkout the CWE-643 (https://cwe.mitre.org/data/definitions/643.html) advisory",
- Severity: severities.High.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-87",
+ SafeExample: SampleSafeHSJAVA87,
+ UnsafeExample: SampleVulnerableHSJAVA87,
+ Name: "XPath expressions should not be vulnerable to injection attacks",
+ Description: "User provided data, such as URL parameters, should always be considered untrusted and tainted. Constructing XPath expressions directly from tainted data enables attackers to inject specially crafted values that changes the initial meaning of the expression itself. Successful XPath injection attacks can read sensitive information from XML documents. For more information checkout the CWE-643 (https://cwe.mitre.org/data/definitions/643.html) advisory",
+ Severity: severities.High.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -1551,11 +1712,13 @@ func NewXPathExpressionsShouldNotBeVulnerableToInjectionAttacks() *text.Rule {
 func NewExceptionsShouldNotBeThrownFromServletMethods() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-88",
- Name: "Exceptions should not be thrown from servlet methods",
- Description: "Even though the signatures for methods in a servlet include throws IOException, ServletException, it's a bad idea to let such exceptions be thrown. Failure to catch exceptions in a servlet could leave a system in a vulnerable state. For more information checkout the CWE-600 (https://cwe.mitre.org/data/definitions/600.html) advisory",
- Severity: severities.Low.ToString(),
- Confidence: confidence.High.ToString(),
+ ID: "HS-JAVA-88",
+ SafeExample: SampleSafeHSJAVA88,
+ UnsafeExample: SampleVulnerableHSJAVA88,
+ Name: "Exceptions should not be thrown from servlet methods",
+ Description: "Even though the signatures for methods in a servlet include throws IOException, ServletException, it's a bad idea to let such exceptions be thrown. Failure to catch exceptions in a servlet could leave a system in a vulnerable state. For more information checkout the CWE-600 (https://cwe.mitre.org/data/definitions/600.html) advisory",
+ Severity: severities.Low.ToString(),
+ Confidence: confidence.High.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -1569,8 +1732,10 @@ func NewExceptionsShouldNotBeThrownFromServletMethods() *text.Rule { func NewFunctionCallsShouldNotBeVulnerableToPathInjectionAttacks() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-89", - Name: "I/O function calls should not be vulnerable to path injection attacks", + ID: "HS-JAVA-89", + SafeExample: SampleSafeHSJAVA89, + UnsafeExample: SampleVulnerableHSJAVA89, + Name: "I/O function calls should not be vulnerable to path injection attacks", Description: `User provided data, such as URL parameters, POST data payloads, or cookies, should always be considered untrusted and tainted. Constructing file system paths directly from tainted data could enable an attacker to inject specially crafted values, such as '../', that change the initial path and, when accessed, resolve to a path on the filesystem where the user should normally not have access. A successful attack might give an attacker the ability to read, modify, or delete sensitive information from the file system and sometimes even execute arbitrary operating system commands. This is often referred to as a "path traversal" or "directory traversal" attack. For more information checkout the CWE-99 (https://cwe.mitre.org/data/definitions/99.html) advisory and checkout the (https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A1-Injection)`, 
@@ -1589,11 +1754,13 @@ A successful attack might give an attacker the ability to read, modify, or delet
 func NewActiveMQConnectionFactoryVulnerableToMaliciousCodeDeserialization() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-90",
- Name: "ActiveMQConnectionFactory should not be vulnerable to malicious code deserialization",
- Description: "Internally, ActiveMQ relies on serialization mechanism for marshaling/unmashaling of the message payload. Deserialization based on data supplied by the user could lead to remote code execution attacks, where the structure of the serialized data is changed to modify the behavior of the object being unserialized. For more information checkout the CWE-502 (https://cwe.mitre.org/data/definitions/502.html) advisory",
- Severity: severities.Low.ToString(),
- Confidence: confidence.High.ToString(),
+ ID: "HS-JAVA-90",
+ SafeExample: SampleSafeHSJAVA90,
+ UnsafeExample: SampleVulnerableHSJAVA90,
+ Name: "ActiveMQConnectionFactory should not be vulnerable to malicious code deserialization",
+ Description: "Internally, ActiveMQ relies on serialization mechanism for marshaling/unmashaling of the message payload. Deserialization based on data supplied by the user could lead to remote code execution attacks, where the structure of the serialized data is changed to modify the behavior of the object being unserialized. For more information checkout the CWE-502 (https://cwe.mitre.org/data/definitions/502.html) advisory",
+ Severity: severities.Low.ToString(),
+ Confidence: confidence.High.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
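Review bot: The Description kept on the new side rates a user-reachable deserialization path that the text itself says "could lead to remote code execution" at `Severity: severities.Low.ToString()`, which is inconsistent with the sibling rules in this file that assign High to injection and deserialization-class findings (HS-JAVA-85, HS-JAVA-87). If the low severity is deliberate because the regex only detects the factory's presence rather than untrusted input reaching it, a one-line comment above the literal stating that reasoning would stop the next maintainer from "fixing" it. The typo `unmashaling` in the same string should read `unmarshaling`.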
@@ -1606,11 +1773,13 @@ func NewActiveMQConnectionFactoryVulnerableToMaliciousCodeDeserialization() *tex func NewHTTPResponseHeadersShouldNotBeVulnerableToInjectionAttacks() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-91", - Name: "HTTP response headers should not be vulnerable to injection attacks", - Description: "User provided data, such as URL parameters, POST data payloads, or cookies, should always be considered untrusted and tainted. Applications constructing HTTP response headers based on tainted data could allow attackers to change security sensitive headers like Cross-Origin Resource Sharing headers. This could, for example, enable Cross-Site Scripting (XSS) attacks. Web application frameworks and servers might also allow attackers to inject new line characters in headers to craft malformed HTTP response. In this case the application would be vulnerable to a larger range of attacks like HTTP Response Splitting/Smuggling. Most of the time this type of attack is mitigated by default modern web application frameworks but there might be rare cases where older versions are still vulnerable. As a best practice, applications that use user provided data to construct the response header should always validate the data first. Validation should be based on a whitelist. For more information checkout the CWE-79 (https://cwe.mitre.org/data/definitions/79.html) advisory and checkout (https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS)).", - Severity: severities.High.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-91", + SafeExample: SampleSafeHSJAVA91, + UnsafeExample: SampleVulnerableHSJAVA91, + Name: "HTTP response headers should not be vulnerable to injection attacks", + Description: "User provided data, such as URL parameters, POST data payloads, or cookies, should always be considered untrusted and tainted. 
Applications constructing HTTP response headers based on tainted data could allow attackers to change security sensitive headers like Cross-Origin Resource Sharing headers. This could, for example, enable Cross-Site Scripting (XSS) attacks. Web application frameworks and servers might also allow attackers to inject new line characters in headers to craft malformed HTTP response. In this case the application would be vulnerable to a larger range of attacks like HTTP Response Splitting/Smuggling. Most of the time this type of attack is mitigated by default modern web application frameworks but there might be rare cases where older versions are still vulnerable. As a best practice, applications that use user provided data to construct the response header should always validate the data first. Validation should be based on a whitelist. For more information checkout the CWE-79 (https://cwe.mitre.org/data/definitions/79.html) advisory and checkout (https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS)).", + Severity: severities.High.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.AndMatch, Expressions: []*regexp.Regexp{ 
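Review bot: The Description for HS-JAVA-91 on the new side cites CWE-79 (Cross-Site Scripting) as the only reference, while the text itself describes header injection and HTTP response splitting, for which CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers) is the direct match; the CWE-79 link can stay as the secondary impact. The phrase "Validation should be based on a whitelist" would be clearer as "an allow-list of expected values". This hunk is split across two physical lines here, so the remainder of the literal is not visible as a unit.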
@@ -1624,11 +1793,13 @@ func NewHTTPResponseHeadersShouldNotBeVulnerableToInjectionAttacks() *text.Rule
 func NewOpenSAML2ShouldBeConfiguredToPreventAuthenticationBypass() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-92",
- Name: "OpenSAML2 should be configured to prevent authentication bypass",
- Description: "From a specially crafted file, an attacker having already access to the SAML system with his own account can bypass the authentication mechanism and be authenticated as another user. This is due to the fact that SAML protocol rely on XML format and how the underlying XML parser interprets XML comments. If an attacker manage to change the field identifying the authenticated user with XML comments, he can exploit the vulnerability. For more information checkout the OWASP (https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication) advisory",
- Severity: severities.High.ToString(),
- Confidence: confidence.Medium.ToString(),
+ ID: "HS-JAVA-92",
+ SafeExample: SampleSafeHSJAVA92,
+ UnsafeExample: SampleVulnerableHSJAVA92,
+ Name: "OpenSAML2 should be configured to prevent authentication bypass",
+ Description: "From a specially crafted file, an attacker having already access to the SAML system with his own account can bypass the authentication mechanism and be authenticated as another user. This is due to the fact that SAML protocol rely on XML format and how the underlying XML parser interprets XML comments. If an attacker manage to change the field identifying the authenticated user with XML comments, he can exploit the vulnerability. For more information checkout the OWASP (https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication) advisory",
+ Severity: severities.High.ToString(),
+ Confidence: confidence.Medium.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -1642,11 +1813,13 @@ func NewOpenSAML2ShouldBeConfiguredToPreventAuthenticationBypass() *text.Rule {
 func NewHttpServletRequestGetRequestedSessionIdShouldNotBeUsed() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-93",
- Name: "HttpServletRequest.getRequestedSessionId should not be used",
- Description: "Due to the ability of the end-user to manually change the value, the session ID in the request should only be used by a servlet container (E.G. Tomcat or Jetty) to see if the value matches the ID of an an existing session. If it does not, the user should be considered unauthenticated. Moreover, this session ID should never be logged to prevent hijacking of active sessions. For more information checkout the CWE-807 (https://cwe.mitre.org/data/definitions/807) advisory.",
- Severity: severities.High.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-93",
+ SafeExample: SampleSafeHSJAVA93,
+ UnsafeExample: SampleVulnerableHSJAVA93,
+ Name: "HttpServletRequest.getRequestedSessionId should not be used",
+ Description: "Due to the ability of the end-user to manually change the value, the session ID in the request should only be used by a servlet container (E.G. Tomcat or Jetty) to see if the value matches the ID of an an existing session. If it does not, the user should be considered unauthenticated. Moreover, this session ID should never be logged to prevent hijacking of active sessions. For more information checkout the CWE-807 (https://cwe.mitre.org/data/definitions/807) advisory.",
+ Severity: severities.High.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
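Review bot: The CWE link in the new Description for HS-JAVA-93 is the only one in these hunks without the `.html` suffix, and the same string also contains the doubled word "an an"; the same text is duplicated verbatim in the HS-JAVA-94 hunk that follows. Both should read `...matches the ID of an existing session...` and end with `(https://cwe.mitre.org/data/definitions/807.html)`. Since the two rules share Name and Description and differ only in the (out-of-hunk) expressions, a short comment on each literal saying which servlet package it targets would explain why both exist.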
@@ -1659,11 +1832,13 @@ func NewHttpServletRequestGetRequestedSessionIdShouldNotBeUsed() *text.Rule {
 func NewJakartaAndHttpServletRequestGetRequestedSessionIdShouldNotBeUsed() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-94",
- Name: "HttpServletRequest.getRequestedSessionId should not be used",
- Description: "Due to the ability of the end-user to manually change the value, the session ID in the request should only be used by a servlet container (E.G. Tomcat or Jetty) to see if the value matches the ID of an an existing session. If it does not, the user should be considered unauthenticated. Moreover, this session ID should never be logged to prevent hijacking of active sessions. For more information checkout the CWE-807 (https://cwe.mitre.org/data/definitions/807) advisory.",
- Severity: severities.High.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-94",
+ SafeExample: SampleSafeHSJAVA94,
+ UnsafeExample: SampleVulnerableHSJAVA94,
+ Name: "HttpServletRequest.getRequestedSessionId should not be used",
+ Description: "Due to the ability of the end-user to manually change the value, the session ID in the request should only be used by a servlet container (E.G. Tomcat or Jetty) to see if the value matches the ID of an an existing session. If it does not, the user should be considered unauthenticated. Moreover, this session ID should never be logged to prevent hijacking of active sessions. For more information checkout the CWE-807 (https://cwe.mitre.org/data/definitions/807) advisory.",
+ Severity: severities.High.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -1676,11 +1851,13 @@ func NewJakartaAndHttpServletRequestGetRequestedSessionIdShouldNotBeUsed() *text
 func NewLDAPAuthenticatedAnalyzeYourCode() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-95",
- Name: "LDAP authenticated Analyze your code",
- Description: `An LDAP client authenticates to an LDAP server with a "bind request" which provides, among other, a simple authentication method. Anonymous binds and unauthenticated binds allow access to information in the LDAP directory without providing a password, their use is therefore strongly discouraged. For more information checkout the CWE-521 (https://cwe.mitre.org/data/definitions/521.html) advisory and checkout (https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication).`,
- Severity: severities.High.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-95",
+ SafeExample: SampleSafeHSJAVA95,
+ UnsafeExample: SampleVulnerableHSJAVA95,
+ Name: "LDAP authenticated Analyze your code",
+ Description: `An LDAP client authenticates to an LDAP server with a "bind request" which provides, among other, a simple authentication method. Anonymous binds and unauthenticated binds allow access to information in the LDAP directory without providing a password, their use is therefore strongly discouraged. For more information checkout the CWE-521 (https://cwe.mitre.org/data/definitions/521.html) advisory and checkout (https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication).`,
+ Severity: severities.High.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
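Review bot: The Name carried onto the new side, "LDAP authenticated Analyze your code", does not say what the rule reports, unlike every other Name in this file, which states the weakness; the Description makes clear the subject is anonymous or unauthenticated LDAP binds. A Name such as `Name: "LDAP anonymous or unauthenticated bind",` would match the file's convention and the finding a user sees. The Description's "among other" is missing a noun ("among others").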
@@ -1694,11 +1871,13 @@ func NewLDAPAuthenticatedAnalyzeYourCode() *text.Rule {
 func NewWebApplicationsShouldHotHaveAMainMethod() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-96",
- Name: "Web applications should not have a main method",
- Description: "Having a main method in a web application opens a door to the application logic that an attacker may never be able to reach (but watch out if one does!), but it is a sloppy practice and indicates that other problems may be present. For more information checkout the CWE-489 (https://cwe.mitre.org/data/definitions/489.html) advisory.",
- Severity: severities.High.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-96",
+ SafeExample: SampleSafeHSJAVA96,
+ UnsafeExample: SampleVulnerableHSJAVA96,
+ Name: "Web applications should not have a main method",
+ Description: "Having a main method in a web application opens a door to the application logic that an attacker may never be able to reach (but watch out if one does!), but it is a sloppy practice and indicates that other problems may be present. For more information checkout the CWE-489 (https://cwe.mitre.org/data/definitions/489.html) advisory.",
+ Severity: severities.High.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
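Review bot: The constructor names `NewWebApplicationsShouldHotHaveAMainMethod` and, in the next hunk, `NewJakartaAndWebApplicationsShouldHotHaveAMainMethod` carry a typo ("Hot" for "Not") that the rename touching these literals would have been the natural moment to fix; it is part of the exported API, so renaming needs the registry that lists the rules updated in the same commit. The Description calls the issue "a sloppy practice" yet the literal sets `Severity: severities.High.ToString()`, which is inconsistent with CWE-489's "leftover debug code" framing; a Low or Medium severity, or a comment explaining why High was chosen, would be easier to defend. The same applies to HS-JAVA-97.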
@@ -1711,11 +1890,13 @@ func NewWebApplicationsShouldHotHaveAMainMethod() *text.Rule {
 func NewJakartaAndWebApplicationsShouldHotHaveAMainMethod() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-97",
- Name: "Web applications should not have a main method",
- Description: "Having a main method in a web application opens a door to the application logic that an attacker may never be able to reach (but watch out if one does!), but it is a sloppy practice and indicates that other problems may be present. For more information checkout the CWE-489 (https://cwe.mitre.org/data/definitions/489.html) advisory.",
- Severity: severities.High.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-97",
+ SafeExample: SampleSafeHSJAVA97,
+ UnsafeExample: SampleVulnerableHSJAVA97,
+ Name: "Web applications should not have a main method",
+ Description: "Having a main method in a web application opens a door to the application logic that an attacker may never be able to reach (but watch out if one does!), but it is a sloppy practice and indicates that other problems may be present. For more information checkout the CWE-489 (https://cwe.mitre.org/data/definitions/489.html) advisory.",
+ Severity: severities.High.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -1728,11 +1909,13 @@ func NewJakartaAndWebApplicationsShouldHotHaveAMainMethod() *text.Rule {
 func NewSecureRandomSeedsShouldNotBePredictable() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-98",
- Name: "SecureRandom seeds should not be predictable",
- Description: "The java.security.SecureRandom class provides a strong random number generator (RNG) appropriate for cryptography. However, seeding it with a constant or another predictable value will weaken it significantly. In general, it is much safer to rely on the seed provided by the SecureRandom implementation. For more information checkout the CWE-330 (https://cwe.mitre.org/data/definitions/330.html) advisory and checkout (https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A6-Security_Misconfiguration).",
- Severity: severities.High.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-98",
+ SafeExample: SampleSafeHSJAVA98,
+ UnsafeExample: SampleVulnerableHSJAVA98,
+ Name: "SecureRandom seeds should not be predictable",
+ Description: "The java.security.SecureRandom class provides a strong random number generator (RNG) appropriate for cryptography. However, seeding it with a constant or another predictable value will weaken it significantly. In general, it is much safer to rely on the seed provided by the SecureRandom implementation. For more information checkout the CWE-330 (https://cwe.mitre.org/data/definitions/330.html) advisory and checkout (https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A6-Security_Misconfiguration).",
+ Severity: severities.High.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
@@ -1745,11 +1928,13 @@ func NewSecureRandomSeedsShouldNotBePredictable() *text.Rule {
 func NewFileIsWorldReadable() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-99",
- Name: "File Is World Readable",
- Description: "The file is World Readable. Any App can read from the file. For more information checkout the CWE-276 (https://cwe.mitre.org/data/definitions/276.html) advisory.",
- Severity: severities.High.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-99",
+ SafeExample: SampleSafeHSJAVA99,
+ UnsafeExample: SampleVulnerableHSJAVA99,
+ Name: "File Is World Readable",
+ Description: "The file is World Readable. Any App can read from the file. For more information checkout the CWE-276 (https://cwe.mitre.org/data/definitions/276.html) advisory.",
+ Severity: severities.High.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.OrMatch,
 Expressions: []*regexp.Regexp{
@@ -1762,11 +1947,13 @@ func NewFileIsWorldReadable() *text.Rule {
 func NewFileIsWorldWritable() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-100",
- Name: "File Is World Writable",
- Description: "The file is World Writable. Any App can write to the file. For more information checkout the CWE-276 (https://cwe.mitre.org/data/definitions/276.html) advisory.",
- Severity: severities.High.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-100",
+ SafeExample: SampleSafeHSJAVA100,
+ UnsafeExample: SampleVulnerableHSJAVA100,
+ Name: "File Is World Writable",
+ Description: "The file is World Writable. Any App can write to the file. For more information checkout the CWE-276 (https://cwe.mitre.org/data/definitions/276.html) advisory.",
+ Severity: severities.High.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.OrMatch,
 Expressions: []*regexp.Regexp{
@@ -1779,11 +1966,13 @@ func NewFileIsWorldWritable() *text.Rule {
 func NewNoWriteExternalContent() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-101",
- Name: "No Write External Content",
- Description: "App can read/write to External Storage. Any App can read data written to External Storage. For more information checkout the CWE-276 (https://cwe.mitre.org/data/definitions/276.html) advisory.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-101",
+ SafeExample: SampleSafeHSJAVA101,
+ UnsafeExample: SampleVulnerableHSJAVA101,
+ Name: "No Write External Content",
+ Description: "App can read/write to External Storage. Any App can read data written to External Storage. For more information checkout the CWE-276 (https://cwe.mitre.org/data/definitions/276.html) advisory.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.OrMatch,
 Expressions: []*regexp.Regexp{
@@ -1796,11 +1985,13 @@ func NewNoWriteExternalContent() *text.Rule {
 func NewNoUseIVsWeak() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-102",
- Name: "No use IVs weak",
- Description: `The App may use weak IVs like "0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00" or "0x01,0x02,0x03,0x04,0x05,0x06,0x07". Not using a random IV makes the resulting ciphertext much more predictable and susceptible to a dictionary attack. For more information checkout the CWE-329 (https://cwe.mitre.org/data/definitions/329.html) advisory.`,
- Severity: severities.High.ToString(),
- Confidence: confidence.Medium.ToString(),
+ ID: "HS-JAVA-102",
+ SafeExample: SampleSafeHSJAVA102,
+ UnsafeExample: SampleVulnerableHSJAVA102,
+ Name: "No use IVs weak",
+ Description: `The App may use weak IVs like "0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00" or "0x01,0x02,0x03,0x04,0x05,0x06,0x07". Not using a random IV makes the resulting ciphertext much more predictable and susceptible to a dictionary attack. For more information checkout the CWE-329 (https://cwe.mitre.org/data/definitions/329.html) advisory.`,
+ Severity: severities.High.ToString(),
+ Confidence: confidence.Medium.ToString(),
 },
 Type: text.OrMatch,
 Expressions: []*regexp.Regexp{
@@ -1813,11 +2004,13 @@ func NewNoUseIVsWeak() *text.Rule {
 func NewRootDetectionCapabilities() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-103",
- Name: "This App may have root detection capabilities.",
- Description: "This App may have root detection capabilities.",
- Severity: severities.High.ToString(),
- Confidence: confidence.Medium.ToString(),
+ ID: "HS-JAVA-103",
+ SafeExample: SampleSafeHSJAVA103,
+ UnsafeExample: SampleVulnerableHSJAVA103,
+ Name: "This App may have root detection capabilities.",
+ Description: "This App may have root detection capabilities.",
+ Severity: severities.High.ToString(),
+ Confidence: confidence.Medium.ToString(),
 },
 Type: text.OrMatch,
 Expressions: []*regexp.Regexp{
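Review bot: In the HS-JAVA-103 hunk the Name and Description on the new side are the same sentence, so a report gives the user no rationale and no action, and root detection is a defensive control rather than a weakness, which makes `Severity: severities.High.ToString()` hard to interpret. The Description should state what is actually being flagged; if the intent is that root checks are present but may be trivially bypassable, something like `Description: "Root detection logic was found. Such checks run on an untrusted device and can be bypassed; do not rely on them as the only protection for sensitive operations."` would make the finding actionable. The HS-JAVA-104 hunk that follows has the same Name-equals-Description gap ("JAR URL Connection"). In the HS-JAVA-102 hunk the Name "No use IVs weak" would read better as "Weak or static IV used".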
@@ -1835,11 +2028,13 @@ func NewRootDetectionCapabilities() *text.Rule {
 func NewJARURLConnection() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-104",
- Name: "JAR URL Connection",
- Description: "JAR URL Connection",
- Severity: severities.Low.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-104",
+ SafeExample: SampleSafeHSJAVA104,
+ UnsafeExample: SampleVulnerableHSJAVA104,
+ Name: "JAR URL Connection",
+ Description: "JAR URL Connection",
+ Severity: severities.Low.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.OrMatch,
 Expressions: []*regexp.Regexp{
@@ -1893,11 +2088,13 @@ func NewJARURLConnection() *text.Rule {
 func NewOverlyPermissiveFilePermission() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-107",
- Name: "Overly permissive file permission",
- Description: "It is generally a bad practices to set overly permissive file permission such as read+write+exec for all users. If the file affected is a configuration, a binary, a script or sensitive data, it can lead to privilege escalation or information leakage. For more information checkout the CWE-732 (https://cwe.mitre.org/data/definitions/732.html) advisory.",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-107",
+ SafeExample: SampleSafeHSJAVA107,
+ UnsafeExample: SampleVulnerableHSJAVA107,
+ Name: "Overly permissive file permission",
+ Description: "It is generally a bad practices to set overly permissive file permission such as read+write+exec for all users. If the file affected is a configuration, a binary, a script or sensitive data, it can lead to privilege escalation or information leakage. For more information checkout the CWE-732 (https://cwe.mitre.org/data/definitions/732.html) advisory.",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.OrMatch,
 Expressions: []*regexp.Regexp{
@@ -1912,11 +2109,13 @@ func NewOverlyPermissiveFilePermission() *text.Rule {
 func NewCipherGetInstanceInsecure() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-108",
- Name: "DES, DESede, RSA is insecure",
- Description: "DES is considered strong ciphers for modern applications. Currently, NIST recommends the usage of AES block ciphers instead of DES. For more information checkout the CWE-326 (https://cwe.mitre.org/data/definitions/326.html) advisory",
- Severity: severities.Low.ToString(),
- Confidence: confidence.Medium.ToString(),
+ ID: "HS-JAVA-108",
+ SafeExample: SampleSafeHSJAVA108,
+ UnsafeExample: SampleVulnerableHSJAVA108,
+ Name: "DES, DESede, RSA is insecure",
+ Description: "DES is considered strong ciphers for modern applications. Currently, NIST recommends the usage of AES block ciphers instead of DES. For more information checkout the CWE-326 (https://cwe.mitre.org/data/definitions/326.html) advisory",
+ Severity: severities.Low.ToString(),
+ Confidence: confidence.Medium.ToString(),
 },
 Type: text.OrMatch,
 Expressions: []*regexp.Regexp{
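Review bot: The Description carried onto the new side says the opposite of what the rule means: "DES is considered strong ciphers for modern applications" drops the negation, so a user reading the finding is told the flagged algorithm is fine. It should read `Description: "DES and DESede are not considered strong ciphers for modern applications. Currently, NIST recommends the usage of AES block ciphers instead of DES. For more information checkout the CWE-326 (https://cwe.mitre.org/data/definitions/326.html) advisory",`. The Name also lists RSA as insecure while the Description never mentions it; if the expressions (outside the hunk) match RSA without padding or with short keys, the text should say so, otherwise RSA should be dropped from the Name.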
@@ -1933,11 +2132,13 @@ func NewCipherGetInstanceInsecure() *text.Rule {
 func NewHiddenElements() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-109",
- Name: "Hidden elements",
- Description: "Hidden elements in view can be used to hide data from user. But this data can be leaked. For more information checkout the CWE-919 (https://cwe.mitre.org/data/definitions/919.html) advisory.",
- Severity: severities.Low.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-109",
+ SafeExample: SampleSafeHSJAVA109,
+ UnsafeExample: SampleVulnerableHSJAVA109,
+ Name: "Hidden elements",
+ Description: "Hidden elements in view can be used to hide data from user. But this data can be leaked. For more information checkout the CWE-919 (https://cwe.mitre.org/data/definitions/919.html) advisory.",
+ Severity: severities.Low.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.Regular,
 Expressions: []*regexp.Regexp{
@@ -1949,11 +2150,13 @@ func NewHiddenElements() *text.Rule {
 func NewWeakCypherBlockMode() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-110",
- Name: "Weak block mode for Cryptographic Hash Function",
- Description: "A weak ECB, (a.k.a 'block mode') was found in one of your Ciphers. Always use a strong, high entropy hash, for example the SHA-512 with salt options. For more information check CWE-327 (https://cwe.mitre.org/data/definitions/327.html), CWE-719 (https://cwe.mitre.org/data/definitions/719.html), CWE-326 (https://cwe.mitre.org/data/definitions/326.html) and CWE-780 (https://cwe.mitre.org/data/definitions/780.html) for deeper details on how to fix it.",
- Severity: severities.High.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-110",
+ SafeExample: SampleSafeHSJAVA110,
+ UnsafeExample: SampleVulnerableHSJAVA110,
+ Name: "Weak block mode for Cryptographic Hash Function",
+ Description: "A weak ECB, (a.k.a 'block mode') was found in one of your Ciphers. Always use a strong, high entropy hash, for example the SHA-512 with salt options. For more information check CWE-327 (https://cwe.mitre.org/data/definitions/327.html), CWE-719 (https://cwe.mitre.org/data/definitions/719.html), CWE-326 (https://cwe.mitre.org/data/definitions/326.html) and CWE-780 (https://cwe.mitre.org/data/definitions/780.html) for deeper details on how to fix it.",
+ Severity: severities.High.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.Regular,
 Expressions: []*regexp.Regexp{
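Review bot: The Name and Description now on the new side conflate two unrelated primitives: ECB is a block-cipher mode of operation, not a property of a hash function, and the remediation offered ("use SHA-512 with salt") does not address an ECB finding at all, so a developer following it would hash data instead of fixing the cipher mode. The Name should be `Name: "Weak block cipher mode (ECB)",` and the Description should recommend an authenticated mode such as AES/GCM, or at minimum CBC with a fresh random IV, keeping the CWE-327 link; CWE-719 is an OWASP Top Ten category entry rather than a weakness and adds nothing here. The constructor name `NewWeakCypherBlockMode` also misspells "cipher", which the rest of this file spells correctly.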
@@ -1969,11 +2172,13 @@ func NewWeakCypherBlockMode() *text.Rule {
 func NewWeakHash() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-111",
- Name: "Weak Cryptographic Hash Function used",
- Description: "Using a weak CHF pose a threat to your application security since it can be vulnerable to a number of attacks that could lead to data leaking, improper access of features and resources of your infrastructure and even rogue sessions. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.",
- Severity: severities.High.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-111",
+ SafeExample: SampleSafeHSJAVA111,
+ UnsafeExample: SampleVulnerableHSJAVA111,
+ Name: "Weak Cryptographic Hash Function used",
+ Description: "Using a weak CHF pose a threat to your application security since it can be vulnerable to a number of attacks that could lead to data leaking, improper access of features and resources of your infrastructure and even rogue sessions. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.",
+ Severity: severities.High.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.Regular,
 Expressions: []*regexp.Regexp{
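Review bot: The Description on the new side never says which hash functions the rule treats as weak, so a user cannot tell whether a match on, say, SHA-1 used for a non-security checksum is in scope; naming the algorithms the (out-of-hunk) expressions match, and the contexts where they are still acceptable, would cut false-positive triage. The sentence also has a subject-verb error: `Using a weak CHF poses a threat to your application security...`. The Expressions slice is outside the hunk.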
@@ -1989,11 +2194,13 @@ func NewWeakHash() *text.Rule {
 func NewPossibleFileWithVulnerabilityWhenOpen() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-112",
- Name: "Possible File With Vulnerability When Open",
- Description: "The file is World Readable and Writable. Any App can read/write to the file. For more information checkout the CWE-276 (https://cwe.mitre.org/data/definitions/276.html) advisory.",
- Severity: severities.High.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-112",
+ SafeExample: SampleSafeHSJAVA112,
+ UnsafeExample: SampleVulnerableHSJAVA112,
+ Name: "Possible File With Vulnerability When Open",
+ Description: "The file is World Readable and Writable. Any App can read/write to the file. For more information checkout the CWE-276 (https://cwe.mitre.org/data/definitions/276.html) advisory.",
+ Severity: severities.High.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.Regular,
 Expressions: []*regexp.Regexp{
@@ -2005,11 +2212,13 @@ func NewPossibleFileWithVulnerabilityWhenOpen() *text.Rule {
 func NewSensitiveInformationNotEncrypted() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-113",
- Name: "Sensitive Information Not Encrypted",
- Description: "App can write to App Directory. Sensitive Information should be encrypted. For more information checkout the CWE-276 (https://cwe.mitre.org/data/definitions/276.html) advisory.",
- Severity: severities.High.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-113",
+ SafeExample: SampleSafeHSJAVA113,
+ UnsafeExample: SampleVulnerableHSJAVA113,
+ Name: "Sensitive Information Not Encrypted",
+ Description: "App can write to App Directory. Sensitive Information should be encrypted. For more information checkout the CWE-276 (https://cwe.mitre.org/data/definitions/276.html) advisory.",
+ Severity: severities.High.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.Regular,
 Expressions: []*regexp.Regexp{
@@ -2021,11 +2230,13 @@ func NewSensitiveInformationNotEncrypted() *text.Rule {
 func NewInsecureRandomNumberGenerator() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-114",
- Name: "Insecure Random Number Generator",
- Description: "The App uses an insecure Random Number Generator. For more information checkout the CWE-330 (https://cwe.mitre.org/data/definitions/330.html) advisory.",
- Severity: severities.High.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-114",
+ SafeExample: SampleSafeHSJAVA114,
+ UnsafeExample: SampleVulnerableHSJAVA114,
+ Name: "Insecure Random Number Generator",
+ Description: "The App uses an insecure Random Number Generator. For more information checkout the CWE-330 (https://cwe.mitre.org/data/definitions/330.html) advisory.",
+ Severity: severities.High.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.Regular,
 Expressions: []*regexp.Regexp{
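Review bot: In the HS-JAVA-113 hunk the Name "Sensitive Information Not Encrypted" and the Description "App can write to App Directory" describe two different things, and the CWE-276 reference (Incorrect Default Permissions) matches neither a missing-encryption finding nor the text; CWE-312 (Cleartext Storage of Sensitive Information), which this file already cites for HS-JAVA-117, fits the Name. The Description should say what the pattern detects and why that implies unencrypted sensitive data, for example `Description: "Data is written to the app's private directory without encryption. Sensitive information stored there should be encrypted at rest. For more information checkout the CWE-312 (https://cwe.mitre.org/data/definitions/312.html) advisory.",`. In the HS-JAVA-114 hunk the Description does not name the generator being flagged; stating it (presumably java.util.Random, though the expressions are outside the hunk) and the replacement, java.security.SecureRandom, would make the finding actionable.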
@@ -2038,11 +2249,13 @@ func NewInsecureRandomNumberGenerator() *text.Rule { func NewNoDefaultHash() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-115", - Name: "No Default Hash", - Description: `This App uses Hash Code. It"s a weak hash function and should never be used in Secure Crypto Implementation. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.`, - Severity: severities.High.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-115", + SafeExample: SampleSafeHSJAVA115, + UnsafeExample: SampleVulnerableHSJAVA115, + Name: "No Default Hash", + Description: `This App uses Hash Code. It"s a weak hash function and should never be used in Secure Crypto Implementation. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.`, + Severity: severities.High.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.Regular, Expressions: []*regexp.Regexp{ @@ -2054,11 +2267,13 @@ func NewNoDefaultHash() *text.Rule { func NewLayoutParamsFlagSecure() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-116", - Name: "Layout Params Flag Secure", - Description: "These activities prevent screenshot when they go to background.", - Severity: severities.High.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-116", + SafeExample: SampleSafeHSJAVA116, + UnsafeExample: SampleVulnerableHSJAVA116, + Name: "Layout Params Flag Secure", + Description: "These activities prevent screenshot when they go to background.", + Severity: severities.High.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.Regular, Expressions: []*regexp.Regexp{ 
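Review bot: HS-JAVA-116 is reported at `severities.High` while its Description ("These activities prevent screenshot when they go to background.") describes a protective behaviour, so a user reading the finding cannot tell whether FLAG_SECURE being present is the problem or the remedy. If the rule (regex not visible here) fires on the presence of the flag, it is an informational observation and the Metadata should say so, e.g. `Severity: severities.Info.ToString(),` with a Description along the lines of "Activity sets FLAG_SECURE; confirm every screen showing sensitive data does the same." If it is meant to fire on screens that lack the flag, the Description should state that instead. Separately, the HS-JAVA-115 Description in the first hunk still carries the typo `It"s` inside the backtick string — a one-character fix to `It's` while the line is being re-indented anyway.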
@@ -2070,11 +2285,13 @@ func NewLayoutParamsFlagSecure() *text.Rule { func NewNoUseSQLCipher() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-117", - Name: "No use SQL Cipher", - Description: "This App uses SQL Cipher. But the secret may be hardcoded. For more information checkout the CWE-312 (https://cwe.mitre.org/data/definitions/312.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-117", + SafeExample: SampleSafeHSJAVA117, + UnsafeExample: SampleVulnerableHSJAVA117, + Name: "No use SQL Cipher", + Description: "This App uses SQL Cipher. But the secret may be hardcoded. For more information checkout the CWE-312 (https://cwe.mitre.org/data/definitions/312.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.Regular, Expressions: []*regexp.Regexp{ @@ -2086,11 +2303,13 @@ func NewNoUseSQLCipher() *text.Rule { func NewPreventTapJackingAttacks() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-118", - Name: "Prevent Tap Jacking Attacks", - Description: "This app has capabilities to prevent tapjacking attacks. For more information checkout the CWE-1021 (https://cwe.mitre.org/data/definitions/1021.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-118", + SafeExample: SampleSafeHSJAVA118, + UnsafeExample: SampleVulnerableHSJAVA118, + Name: "Prevent Tap Jacking Attacks", + Description: "This app has capabilities to prevent tapjacking attacks. For more information checkout the CWE-1021 (https://cwe.mitre.org/data/definitions/1021.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.Regular, Expressions: []*regexp.Regexp{ 
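Review bot: HS-JAVA-118 keeps `severities.High` next to a Description that reads "This app has capabilities to prevent tapjacking attacks", which is a positive statement about the code, not a weakness; the severity and text contradict each other the same way the screenshot rules do. Unless the regex (outside the hunk) matches the absence of `filterTouchesWhenObscured`/`setFilterTouchesWhenObscured`, this should be demoted, e.g. `Severity: severities.Info.ToString(),`, and the Description reworded to say what the reviewer should verify ("tapjacking protection is present on this view; confirm all sensitive input views use it"). CWE-1021 is the right reference either way. The SafeExample/UnsafeExample constants are not visible here, so I cannot check that the safe sample really avoids the pattern.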
@@ -2102,11 +2321,13 @@ func NewPreventTapJackingAttacks() *text.Rule { func NewPreventWriteSensitiveInformationInTmpFile() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-119", - Name: "Prevent Write sensitive information in tmp file", - Description: "App creates temp file. Sensitive information should never be written into a temp file. For more information checkout the CWE-276 (https://cwe.mitre.org/data/definitions/276.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-119", + SafeExample: SampleSafeHSJAVA119, + UnsafeExample: SampleVulnerableHSJAVA119, + Name: "Prevent Write sensitive information in tmp file", + Description: "App creates temp file. Sensitive information should never be written into a temp file. For more information checkout the CWE-276 (https://cwe.mitre.org/data/definitions/276.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.Regular, Expressions: []*regexp.Regexp{ @@ -2118,11 +2339,13 @@ func NewPreventWriteSensitiveInformationInTmpFile() *text.Rule { func NewGetWindowFlagSecure() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-120", - Name: "Get Window Flag Secure", - Description: "This App has capabilities to prevent against Screenshots from Recent Task History/Now On Tap etc.", - Severity: severities.Medium.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-120", + SafeExample: SampleSafeHSJAVA120, + UnsafeExample: SampleVulnerableHSJAVA120, + Name: "Get Window Flag Secure", + Description: "This App has capabilities to prevent against Screenshots from Recent Task History/Now On Tap etc.", + Severity: severities.Medium.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.Regular, Expressions: []*regexp.Regexp{ 
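Review bot: The HS-JAVA-119 Description points to CWE-276 (Incorrect Default Permissions) for a finding about sensitive data written to a temp file; the dedicated weakness is CWE-377 (Insecure Temporary File), and a maintainer following the link today lands on unrelated guidance. Suggested line: `Description: "App creates temp file. Sensitive information should never be written into a temp file. For more information checkout the CWE-377 (https://cwe.mitre.org/data/definitions/377.html) advisory.",`. The HS-JAVA-120 hunk on this line has the same severity/description inversion as HS-JAVA-116: "This App has capabilities to prevent against Screenshots" is a protective behaviour reported at Medium. The regex for both rules is outside the hunk, so whether they match presence or absence of the API cannot be confirmed from here.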
@@ -2134,11 +2357,13 @@ func NewGetWindowFlagSecure() *text.Rule { func NewLoadingNativeCode() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-121", - Name: "Loading Native Code", - Description: "Loading Native Code (Shared Library)", - Severity: severities.Low.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-121", + SafeExample: SampleSafeHSJAVA121, + UnsafeExample: SampleVulnerableHSJAVA121, + Name: "Loading Native Code", + Description: "Loading Native Code (Shared Library)", + Severity: severities.Low.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.Regular, Expressions: []*regexp.Regexp{ @@ -2150,11 +2375,13 @@ func NewLoadingNativeCode() *text.Rule { func NewDynamicClassAndDexloading() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-122", - Name: "Dynamic Class and Dexloading", - Description: "Dynamic Class and Dexloading", - Severity: severities.Medium.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-122", + SafeExample: SampleSafeHSJAVA122, + UnsafeExample: SampleVulnerableHSJAVA122, + Name: "Dynamic Class and Dexloading", + Description: "Dynamic Class and Dexloading", + Severity: severities.Medium.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.Regular, Expressions: []*regexp.Regexp{ @@ -2166,11 +2393,13 @@ func NewDynamicClassAndDexloading() *text.Rule { func NewCryptoImport() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-123", - Name: " Crypto import", - Description: " Crypto import", - Severity: severities.High.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-123", + SafeExample: SampleSafeHSJAVA123, + UnsafeExample: SampleVulnerableHSJAVA123, + Name: " Crypto import", + Description: " Crypto import", + Severity: severities.High.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.Regular, Expressions: []*regexp.Regexp{ 
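Review bot: HS-JAVA-123 still has a leading space in both `Name: " Crypto import"` and `Description: " Crypto import"`, and a High severity for what the text describes as merely importing a crypto package; a reader of the report gets no indication of what is actually wrong or what to change. At minimum trim the strings and say what the rule wants checked, e.g. `Name: "Crypto import",` and `Description: "The app imports a cryptography API; review the algorithms, modes and key handling used with it.",`, and consider whether High is defensible for an import alone (Info or Low would match HS-JAVA-121/122 on this line, which are Low/Medium). The regex that decides what "crypto import" means starts at the last hunk line and continues outside the hunk.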
@@ -2182,11 +2411,13 @@ func NewCryptoImport() *text.Rule { func NewStartingService() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-124", - Name: "Starting Service", - Description: "Starting Service", - Severity: severities.Low.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-124", + SafeExample: SampleSafeHSJAVA124, + UnsafeExample: SampleVulnerableHSJAVA124, + Name: "Starting Service", + Description: "Starting Service", + Severity: severities.Low.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.Regular, Expressions: []*regexp.Regexp{ @@ -2198,11 +2429,13 @@ func NewStartingService() *text.Rule { func NewSendingBroadcast() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-125", - Name: "Sending Broadcast", - Description: "Sending Broadcast", - Severity: severities.Low.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-125", + SafeExample: SampleSafeHSJAVA125, + UnsafeExample: SampleVulnerableHSJAVA125, + Name: "Sending Broadcast", + Description: "Sending Broadcast", + Severity: severities.Low.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.Regular, Expressions: []*regexp.Regexp{ @@ -2214,11 +2447,13 @@ func NewSendingBroadcast() *text.Rule { func NewLocalFileOperations() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-126", - Name: "Local File I/O Operations", - Description: "Local File I/O Operations", - Severity: severities.Medium.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-126", + SafeExample: SampleSafeHSJAVA126, + UnsafeExample: SampleVulnerableHSJAVA126, + Name: "Local File I/O Operations", + Description: "Local File I/O Operations", + Severity: severities.Medium.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.Regular, Expressions: []*regexp.Regexp{ 
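Review bot: HS-JAVA-126 (and HS-JAVA-124/125 on the same line) keep a Description that is just the Name repeated ("Local File I/O Operations"), so the now-attached SafeExample/UnsafeExample are the only thing telling a user why a Medium finding was raised and what a "safe" version looks like. A one-sentence Description stating the concern would make the finding actionable, e.g. `Description: "The app performs local file I/O; verify the path is not attacker-controlled and that sensitive data written to disk is protected (see CWE-22, CWE-312).",`. Whether the rule matches specific APIs or any file access is decided by the regex outside the hunk, so the wording may need narrowing once that is checked.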
@@ -2230,11 +2465,13 @@ func NewLocalFileOperations() *text.Rule { func NewInterProcessCommunication() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-127", - Name: "Inter Process Communication", - Description: "Inter Process Communication", - Severity: severities.Medium.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-127", + SafeExample: SampleSafeHSJAVA127, + UnsafeExample: SampleVulnerableHSJAVA127, + Name: "Inter Process Communication", + Description: "Inter Process Communication", + Severity: severities.Medium.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.Regular, Expressions: []*regexp.Regexp{ @@ -2246,11 +2483,13 @@ func NewInterProcessCommunication() *text.Rule { func NewDefaultHttpClient() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-128", - Name: "DefaultHttpClient with default constructor is not compatible with TLS 1.2", - Description: "Upgrade your implementation to use one of the recommended constructs and configure https.protocols JVM option to include TLSv1.2. Use SystemDefaultHttpClient instead. For more information checkout (https://blogs.oracle.com/java-platform-group/diagnosing-tls,-ssl,-and-https)", - Severity: severities.High.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-128", + SafeExample: SampleSafeHSJAVA128, + UnsafeExample: SampleVulnerableHSJAVA128, + Name: "DefaultHttpClient with default constructor is not compatible with TLS 1.2", + Description: "Upgrade your implementation to use one of the recommended constructs and configure https.protocols JVM option to include TLSv1.2. Use SystemDefaultHttpClient instead. For more information checkout (https://blogs.oracle.com/java-platform-group/diagnosing-tls,-ssl,-and-https)", + Severity: severities.High.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.Regular, Expressions: []*regexp.Regexp{ 
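Review bot: The HS-JAVA-128 Description tells users to switch to `SystemDefaultHttpClient`, but that class has been deprecated since Apache HttpClient 4.3 along with `DefaultHttpClient`, so the remediation points at another deprecated API. The current replacement is the builder, e.g. `HttpClients.createSystem()` or `HttpClientBuilder.create().useSystemProperties()`, which also honours the `https.protocols` JVM option the text already mentions. A wording such as "Use HttpClients.createSystem() (or HttpClientBuilder with useSystemProperties()) instead" would keep the advice accurate; the rule's regex is outside the hunk and may already need `SystemDefaultHttpClient` added to what it flags.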
@@ -2262,11 +2501,13 @@ func NewDefaultHttpClient() *text.Rule { func NewWeakSSLContext() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-129", - Name: "Weak SSLContext", - Description: `Upgrade your implementation to the following, and configure https.protocols JVM option to include TLSv1.2:. Use SSLContext.getInstance("TLS"). For more information checkout (https://blogs.oracle.com/java-platform-group/diagnosing-tls,-ssl,-and-https)`, - Severity: severities.High.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-129", + SafeExample: SampleSafeHSJAVA129, + UnsafeExample: SampleVulnerableHSJAVA129, + Name: "Weak SSLContext", + Description: `Upgrade your implementation to the following, and configure https.protocols JVM option to include TLSv1.2:. Use SSLContext.getInstance("TLS"). For more information checkout (https://blogs.oracle.com/java-platform-group/diagnosing-tls,-ssl,-and-https)`, + Severity: severities.High.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.Regular, Expressions: []*regexp.Regexp{ 
@@ -2278,11 +2519,13 @@ func NewWeakSSLContext() *text.Rule { func NewHostnameVerifierThatAcceptAnySignedCertificates() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-130", - Name: "HostnameVerifier that accept any signed certificates", - Description: "A HostnameVerifier that accept any host are often use because of certificate reuse on many hosts. As a consequence, this is vulnerable to Man-in-the-middle attacks since the client will trust any certificate. For more information checkout the CWE-295 (https://cwe.mitre.org/data/definitions/295.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-130", + SafeExample: SampleSafeHSJAVA130, + UnsafeExample: SampleVulnerableHSJAVA130, + Name: "HostnameVerifier that accept any signed certificates", + Description: "A HostnameVerifier that accept any host are often use because of certificate reuse on many hosts. As a consequence, this is vulnerable to Man-in-the-middle attacks since the client will trust any certificate. For more information checkout the CWE-295 (https://cwe.mitre.org/data/definitions/295.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.Regular, Expressions: []*regexp.Regexp{ 
@@ -2294,11 +2537,13 @@ func NewHostnameVerifierThatAcceptAnySignedCertificates() *text.Rule { func NewURLRewritingMethod() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-131", - Name: "URL rewriting method", - Description: "URL rewriting has significant security risks. Since session ID appears in the URL, it may be easily seen by third parties. Session ID in the URL can be disclosed in many ways. For more information checkout the (https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-131", + SafeExample: SampleSafeHSJAVA131, + UnsafeExample: SampleVulnerableHSJAVA131, + Name: "URL rewriting method", + Description: "URL rewriting has significant security risks. Since session ID appears in the URL, it may be easily seen by third parties. Session ID in the URL can be disclosed in many ways. For more information checkout the (https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.Regular, Expressions: []*regexp.Regexp{ 
@@ -2310,11 +2555,13 @@ func NewURLRewritingMethod() *text.Rule { func NewDisablingHTMLEscaping() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-132", - Name: "Disabling HTML escaping", - Description: "Disabling HTML escaping put the application at risk for Cross-Site Scripting (XSS). For more information checkout the CWE-79 (https://cwe.mitre.org/data/definitions/79.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-132", + SafeExample: SampleSafeHSJAVA132, + UnsafeExample: SampleVulnerableHSJAVA132, + Name: "Disabling HTML escaping", + Description: "Disabling HTML escaping put the application at risk for Cross-Site Scripting (XSS). For more information checkout the CWE-79 (https://cwe.mitre.org/data/definitions/79.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.Regular, Expressions: []*regexp.Regexp{ 
@@ -2326,11 +2573,13 @@ func NewDisablingHTMLEscaping() *text.Rule { func NewOverlyPermissiveCORSPolicy() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-133", - Name: "Overly permissive CORS policy", - Description: "A web server defines which other domains are allowed to access its domain using cross-origin requests. However, caution should be taken when defining the header because an overly permissive CORS policy will allow a malicious application to communicate with the victim application in an inappropriate way, leading to spoofing, data theft, relay and other attacks. For more information checkout the (https://fetch.spec.whatwg.org/) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-133", + SafeExample: SampleSafeHSJAVA133, + UnsafeExample: SampleVulnerableHSJAVA133, + Name: "Overly permissive CORS policy", + Description: "A web server defines which other domains are allowed to access its domain using cross-origin requests. However, caution should be taken when defining the header because an overly permissive CORS policy will allow a malicious application to communicate with the victim application in an inappropriate way, leading to spoofing, data theft, relay and other attacks. For more information checkout the (https://fetch.spec.whatwg.org/) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.Regular, Expressions: []*regexp.Regexp{ 
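Review bot: The HS-JAVA-133 Description cites the Fetch spec as an "advisory", which is a protocol definition rather than guidance a user can act on; every other rule in this series links a CWE. CWE-942 (Permissive Cross-domain Policy with Untrusted Domains) is the matching weakness: `For more information checkout the CWE-942 (https://cwe.mitre.org/data/definitions/942.html) advisory.` The text could also state the concrete trigger — presumably `Access-Control-Allow-Origin: *` or a reflected Origin — but that depends on the regex outside the hunk.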
@@ -2342,11 +2591,13 @@ func NewOverlyPermissiveCORSPolicy() *text.Rule { func NewSQLInjection() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-134", - Name: "SQL Injection", - Description: "The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. Alternatively to prepare statements, each parameter can be escaped manually. For more information checkout the CWE-89 (https://cwe.mitre.org/data/definitions/89.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-134", + SafeExample: SampleSafeHSJAVA134, + UnsafeExample: SampleVulnerableHSJAVA134, + Name: "SQL Injection", + Description: "The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. Alternatively to prepare statements, each parameter can be escaped manually. For more information checkout the CWE-89 (https://cwe.mitre.org/data/definitions/89.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.Regular, Expressions: []*regexp.Regexp{ 
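Review bot: The HS-JAVA-134 Description still offers "each parameter can be escaped manually" as an alternative to prepared statements; that is the advice practitioners most want removed, since manual escaping is dialect-dependent and is the usual source of bypasses. Suggested wording: `Use bind variables in prepared statements (PreparedStatement with ? placeholders) rather than string concatenation; manual escaping is not a reliable substitute.` The same phrase is repeated in HS-JAVA-135 and HS-JAVA-136 on the following lines and should be changed there too. The regex starts on the last hunk line and continues outside the hunk.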
@@ -2358,11 +2609,13 @@ func NewSQLInjection() *text.Rule { func NewSQLInjectionWithTurbine() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-135", - Name: "SQL Injection With Turbine", - Description: "The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. Turbine API provide a DSL to build query with code. Alternatively to prepare statements, each parameter can be escaped manually. For more information checkout the CWE-89 (https://cwe.mitre.org/data/definitions/89.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-135", + SafeExample: SampleSafeHSJAVA135, + UnsafeExample: SampleVulnerableHSJAVA135, + Name: "SQL Injection With Turbine", + Description: "The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. Turbine API provide a DSL to build query with code. Alternatively to prepare statements, each parameter can be escaped manually. For more information checkout the CWE-89 (https://cwe.mitre.org/data/definitions/89.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.Regular, Expressions: []*regexp.Regexp{ 
@@ -2374,11 +2627,13 @@ func NewSQLInjectionWithTurbine() *text.Rule { func NewSQLInjectionWithHibernate() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-136", - Name: "SQL Injection With Hibernate", - Description: "The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. Alternatively to prepare statements, Hibernate Criteria can be used. For more information checkout the CWE-89 (https://cwe.mitre.org/data/definitions/89.html) advisory and checkout the CWE-564 (https://cwe.mitre.org/data/definitions/564.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-136", + SafeExample: SampleSafeHSJAVA136, + UnsafeExample: SampleVulnerableHSJAVA136, + Name: "SQL Injection With Hibernate", + Description: "The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. Alternatively to prepare statements, Hibernate Criteria can be used. For more information checkout the CWE-89 (https://cwe.mitre.org/data/definitions/89.html) advisory and checkout the CWE-564 (https://cwe.mitre.org/data/definitions/564.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.Regular, Expressions: []*regexp.Regexp{ 
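Review bot: The HS-JAVA-136 Description recommends "Hibernate Criteria", which has been deprecated since Hibernate 5.2 in favour of the JPA `CriteriaBuilder` API, and like HS-JAVA-134 it still suggests manual escaping as an alternative. Suggested wording: `Use named or positional parameters (setParameter) in HQL/JPQL, or the JPA CriteriaBuilder API; never concatenate input into the query string.` CWE-564 (SQL Injection: Hibernate) is the right specific reference and can stay.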
@@ -2390,11 +2645,13 @@ func NewSQLInjectionWithHibernate() *text.Rule { func NewSQLInjectionWithJDO() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-137", - Name: "SQL Injection With JDO", - Description: "The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. For more information checkout the CWE-89 (https://cwe.mitre.org/data/definitions/89.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-137", + SafeExample: SampleSafeHSJAVA137, + UnsafeExample: SampleVulnerableHSJAVA137, + Name: "SQL Injection With JDO", + Description: "The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. For more information checkout the CWE-89 (https://cwe.mitre.org/data/definitions/89.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.Regular, Expressions: []*regexp.Regexp{ 
@@ -2406,11 +2663,13 @@ func NewSQLInjectionWithJDO() *text.Rule { func NewSQLInjectionWithJPA() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-138", - Name: "SQL Injection With JPA", - Description: "The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. For more information checkout the CWE-89 (https://cwe.mitre.org/data/definitions/89.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-138", + SafeExample: SampleSafeHSJAVA138, + UnsafeExample: SampleVulnerableHSJAVA138, + Name: "SQL Injection With JPA", + Description: "The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. For more information checkout the CWE-89 (https://cwe.mitre.org/data/definitions/89.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.Regular, Expressions: []*regexp.Regexp{ 
@@ -2422,11 +2681,13 @@ func NewSQLInjectionWithJPA() *text.Rule { func NewSQLInjectionWithSpringJDBC() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-139", - Name: "SQL Injection Spring JDBC", - Description: "The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. For more information checkout the CWE-89 (https://cwe.mitre.org/data/definitions/89.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-139", + SafeExample: SampleSafeHSJAVA139, + UnsafeExample: SampleVulnerableHSJAVA139, + Name: "SQL Injection Spring JDBC", + Description: "The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. For more information checkout the CWE-89 (https://cwe.mitre.org/data/definitions/89.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.Regular, Expressions: []*regexp.Regexp{ 
@@ -2438,11 +2699,13 @@ func NewSQLInjectionWithSpringJDBC() *text.Rule { func NewSQLInjectionWithJDBC() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-140", - Name: "SQL Injection JDBC", - Description: "The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. For more information checkout the CWE-89 (https://cwe.mitre.org/data/definitions/89.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-140", + SafeExample: SampleSafeHSJAVA140, + UnsafeExample: SampleVulnerableHSJAVA140, + Name: "SQL Injection JDBC", + Description: "The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. For more information checkout the CWE-89 (https://cwe.mitre.org/data/definitions/89.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.Regular, Expressions: []*regexp.Regexp{ 
@@ -2454,11 +2717,13 @@ func NewSQLInjectionWithJDBC() *text.Rule { func NewLDAPInjection() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-141", - Name: "Potential LDAP Injection", - Description: "Just like SQL, all inputs passed to an LDAP query need to be passed in safely. Unfortunately, LDAP doesn't have prepared statement interfaces like SQL. Therefore, the primary defense against LDAP injection is strong input validation of any untrusted data before including it in an LDAP query. For more information checkout the CWE-90 (https://cwe.mitre.org/data/definitions/90.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-141", + SafeExample: SampleSafeHSJAVA141, + UnsafeExample: SampleVulnerableHSJAVA141, + Name: "Potential LDAP Injection", + Description: "Just like SQL, all inputs passed to an LDAP query need to be passed in safely. Unfortunately, LDAP doesn't have prepared statement interfaces like SQL. Therefore, the primary defense against LDAP injection is strong input validation of any untrusted data before including it in an LDAP query. For more information checkout the CWE-90 (https://cwe.mitre.org/data/definitions/90.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.Regular, Expressions: []*regexp.Regexp{ 
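Review bot: The HS-JAVA-141 Description says LDAP has no prepared-statement interface and that "strong input validation" is the primary defence, but it omits the standard mitigation that does exist: encoding per RFC 4515 for filter values and RFC 4514 for DNs (e.g. OWASP Java Encoder `encodeForLDAP`/`encodeForDN`). Suggested addition: `Encode untrusted values for the LDAP filter (RFC 4515) or DN (RFC 4514) context before building the query, in addition to validating them.` The regex that identifies the injection sink starts on the last hunk line and continues outside the hunk.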
@@ -2470,11 +2735,13 @@ func NewLDAPInjection() *text.Rule { func NewPotentialExternalControl() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-142", - Name: "Potential external control of configuration", - Description: "Allowing external control of system settings can disrupt service or cause an application to behave in unexpected, and potentially malicious ways. An attacker could cause an error by providing a nonexistent catalog name or connect to an unauthorized portion of the database. For more information checkout the CWE-15 (https://cwe.mitre.org/data/definitions/15.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-142", + SafeExample: SampleSafeHSJAVA142, + UnsafeExample: SampleVulnerableHSJAVA142, + Name: "Potential external control of configuration", + Description: "Allowing external control of system settings can disrupt service or cause an application to behave in unexpected, and potentially malicious ways. An attacker could cause an error by providing a nonexistent catalog name or connect to an unauthorized portion of the database. For more information checkout the CWE-15 (https://cwe.mitre.org/data/definitions/15.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.Regular, Expressions: []*regexp.Regexp{ 
@@ -2486,11 +2753,13 @@ func NewPotentialExternalControl() *text.Rule { func NewBadHexadecimalConcatenation() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-143", - Name: "Bad hexadecimal concatenation", - Description: "When converting a byte array containing a hash signature to a human readable string, a conversion mistake can be made if the array is read byte by byte. The following sample illustrates the use of the method Integer.toHexString() which will trim any leading zeroes from each byte of the computed hash value. For more information checkout the CWE-704 (https://cwe.mitre.org/data/definitions/704.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-143", + SafeExample: SampleSafeHSJAVA143, + UnsafeExample: SampleVulnerableHSJAVA143, + Name: "Bad hexadecimal concatenation", + Description: "When converting a byte array containing a hash signature to a human readable string, a conversion mistake can be made if the array is read byte by byte. The following sample illustrates the use of the method Integer.toHexString() which will trim any leading zeroes from each byte of the computed hash value. For more information checkout the CWE-704 (https://cwe.mitre.org/data/definitions/704.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.Regular, Expressions: []*regexp.Regexp{ 
@@ -2502,11 +2771,13 @@ func NewBadHexadecimalConcatenation() *text.Rule { func NewNullCipherInsecure() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-144", - Name: "NullCipher is insecure", - Description: "The NullCipher is rarely used intentionally in production applications. It implements the Cipher interface by returning ciphertext identical to the supplied plaintext. In a few contexts, such as testing, a NullCipher may be appropriate. For more information checkout the CWE-704 (https://cwe.mitre.org/data/definitions/704.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-144", + SafeExample: SampleSafeHSJAVA144, + UnsafeExample: SampleVulnerableHSJAVA144, + Name: "NullCipher is insecure", + Description: "The NullCipher is rarely used intentionally in production applications. It implements the Cipher interface by returning ciphertext identical to the supplied plaintext. In a few contexts, such as testing, a NullCipher may be appropriate. For more information checkout the CWE-704 (https://cwe.mitre.org/data/definitions/704.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.Regular, Expressions: []*regexp.Regexp{ 
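Review bot: The HS-JAVA-144 Description links CWE-704 (Incorrect Type Conversion or Cast) for use of `NullCipher`, which is unrelated; the identity cipher is a broken/risky cryptographic algorithm and belongs under CWE-327. Suggested line end: `For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.` The same CWE-704 mis-citation appears in HS-JAVA-143 and HS-JAVA-145 on the neighbouring lines; it looks like a copy-paste carried across the three rules.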
@@ -2518,11 +2789,13 @@ func NewNullCipherInsecure() *text.Rule { func NewUnsafeHashEquals() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-145", - Name: "Unsafe hash equals", - Description: "An attacker might be able to detect the value of the secret hash due to the exposure of comparison timing. When the functions Arrays.equals() or String.equals() are called, they will exit earlier if fewer bytes are matched. For more information checkout the CWE-704 (https://cwe.mitre.org/data/definitions/704.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JAVA-145", + SafeExample: SampleSafeHSJAVA145, + UnsafeExample: SampleVulnerableHSJAVA145, + Name: "Unsafe hash equals", + Description: "An attacker might be able to detect the value of the secret hash due to the exposure of comparison timing. When the functions Arrays.equals() or String.equals() are called, they will exit earlier if fewer bytes are matched. For more information checkout the CWE-704 (https://cwe.mitre.org/data/definitions/704.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.Low.ToString(), }, Type: text.Regular, Expressions: []*regexp.Regexp{ 
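Review bot: The HS-JAVA-145 Description correctly describes a timing side channel but cites CWE-704 (type conversion), and it names the problem without naming the fix. CWE-208 (Observable Timing Discrepancy) is the matching weakness, and the standard remediation is a constant-time comparison: `Use MessageDigest.isEqual() (or another constant-time compare) to compare hashes/MACs instead of Arrays.equals() or String.equals(). See CWE-208 (https://cwe.mitre.org/data/definitions/208.html).` The regex that decides which `equals` calls are flagged starts on the last hunk line and continues outside the hunk.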
@@ -2534,11 +2807,13 @@ func NewUnsafeHashEquals() *text.Rule {
 func NewUnvalidatedRedirect() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-146",
- Name: "Unvalidated Redirect",
- Description: "Unvalidated redirects occur when an application redirects a user to a destination URL specified by a user supplied parameter that is not validated. Such vulnerabilities can be used to facilitate phishing attacks. For more information checkout the CWE-601 (https://cwe.mitre.org/data/definitions/601.html) advisory.",
- Severity: severities.High.ToString(),
- Confidence: confidence.Medium.ToString(),
+ ID: "HS-JAVA-146",
+ SafeExample: SampleSafeHSJAVA146,
+ UnsafeExample: SampleVulnerableHSJAVA146,
+ Name: "Unvalidated Redirect",
+ Description: "Unvalidated redirects occur when an application redirects a user to a destination URL specified by a user supplied parameter that is not validated. Such vulnerabilities can be used to facilitate phishing attacks. For more information checkout the CWE-601 (https://cwe.mitre.org/data/definitions/601.html) advisory.",
+ Severity: severities.High.ToString(),
+ Confidence: confidence.Medium.ToString(),
 },
 Type: text.Regular,
 Expressions: []*regexp.Regexp{
@@ -2550,11 +2825,13 @@ func NewUnvalidatedRedirect() *text.Rule {
 func NewRequestMappingMethodsNotPublic() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-147",
- Name: "@RequestMapping methods should be public",
- Description: "A method with a @RequestMapping annotation part of a class annotated with @Controller (directly or indirectly through a meta annotation - @RestController from Spring Boot is a good example) will be called to handle matching web requests. That will happen even if the method is private, because Spring invokes such methods via reflection, without checking visibility. For more information checkout the OWASAP:A6 (https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A6-Security_Misconfiguration) advisory",
- Severity: severities.High.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-147",
+ SafeExample: SampleSafeHSJAVA147,
+ UnsafeExample: SampleVulnerableHSJAVA147,
+ Name: "@RequestMapping methods should be public",
+ Description: "A method with a @RequestMapping annotation part of a class annotated with @Controller (directly or indirectly through a meta annotation - @RestController from Spring Boot is a good example) will be called to handle matching web requests. That will happen even if the method is private, because Spring invokes such methods via reflection, without checking visibility. For more information checkout the OWASAP:A6 (https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A6-Security_Misconfiguration) advisory",
+ Severity: severities.High.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.Regular,
 Expressions: []*regexp.Regexp{
@@ -2566,11 +2843,13 @@ func NewRequestMappingMethodsNotPublic() *text.Rule {
 func NewLDAPDeserializationNotDisabled() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-148",
- Name: "LDAP deserialization should be disabled",
- Description: "JNDI supports the deserialization of objects from LDAP directories, which is fundamentally insecure and can lead to remote code execution. This rule raises an issue when an LDAP search query is executed with SearchControls configured to allow deserialization. For more information checkout the CWE-502 (https://cwe.mitre.org/data/definitions/502.html) advisory.",
- Severity: severities.High.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-148",
+ SafeExample: SampleSafeHSJAVA148,
+ UnsafeExample: SampleVulnerableHSJAVA148,
+ Name: "LDAP deserialization should be disabled",
+ Description: "JNDI supports the deserialization of objects from LDAP directories, which is fundamentally insecure and can lead to remote code execution. This rule raises an issue when an LDAP search query is executed with SearchControls configured to allow deserialization. For more information checkout the CWE-502 (https://cwe.mitre.org/data/definitions/502.html) advisory.",
+ Severity: severities.High.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.Regular,
 Expressions: []*regexp.Regexp{
@@ -2582,11 +2861,13 @@ func NewLDAPDeserializationNotDisabled() *text.Rule {
 func NewDatabasesPasswordNotProtected() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JAVA-149",
- Name: "Databases should be password-protected",
- Description: "Databases should always be password protected. The use of a database connection with an empty password is a clear indication of a database that is not protected. For more information checkout the CWE-521 (https://cwe.mitre.org/data/definitions/521.html) advisory.",
- Severity: severities.Critical.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JAVA-149",
+ SafeExample: SampleSafeHSJAVA149,
+ UnsafeExample: SampleVulnerableHSJAVA149,
+ Name: "Databases should be password-protected",
+ Description: "Databases should always be password protected. The use of a database connection with an empty password is a clear indication of a database that is not protected. For more information checkout the CWE-521 (https://cwe.mitre.org/data/definitions/521.html) advisory.",
+ Severity: severities.Critical.ToString(),
+ Confidence: confidence.Low.ToString(),
 },
 Type: text.Regular,
 Expressions: []*regexp.Regexp{
@@ -2598,7 +2879,25 @@ func NewDatabasesPasswordNotProtected() *text.Rule { func NewVulnerableRemoteCodeInjectionApacheLog4j() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JAVA-150", + ID: "HS-JAVA-150", + SafeExample: fmt.Sprintf(`Maven Example: +%s + +Gradle Example: +%s + +Ivy Example: +%s +`, SampleMavenSafeHSJAVA150, Sample2GradleSafeHSJAVA150, Sample4IvySafeHSJAVA150), + UnsafeExample: fmt.Sprintf(`Maven Example: +%s + +Gradle Example: +%s + +Ivy Example: +%s +`, SampleMavenVulnerableHSJAVA150, Sample2GradleVulnerableHSJAVA150, Sample4IvyVulnerableHSJAVA150), Name: "Remote code injection Apache Log4j", Description: "Log4j versions prior to 2.17.1 are subject to a remote code execution vulnerability via the ldap JNDI parser, uncontrolled recursion from self-referential lookups and some other vulnerabilities. For more information checkout the CVE-2021-44228 (https://nvd.nist.gov/vuln/detail/CVE-2021-44228), CVE-2021-45046 (https://nvd.nist.gov/vuln/detail/CVE-2021-45046), CVE-2021-45105 (https://nvd.nist.gov/vuln/detail/CVE-2021-45105) and CVE-2021-44832 (https://nvd.nist.gov/vuln/detail/CVE-2021-44832) advisories.", Severity: severities.Critical.ToString(), diff --git a/internal/services/engines/java/rules_test.go b/internal/services/engines/java/rules_test.go index afcc2f465..b50119657 100644 --- a/internal/services/engines/java/rules_test.go +++ b/internal/services/engines/java/rules_test.go @@ -917,6 +917,12 @@ func TestRulesSafeCode(t *testing.T) { Src: SampleSafeHSJAVA134, Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-134", ".test")), }, + { + Name: "HS-JAVA-144", + Rule: NewNullCipherInsecure(), + Src: SampleSafeHSJAVA144, + Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-134", ".test")), + }, { Name: "HS-JAVA-145", Rule: NewUnsafeHashEquals(), 
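Review bot: The two `fmt.Sprintf` calls in the HS-JAVA-150 metadata run on every `NewVulnerableRemoteCodeInjectionApacheLog4j()` call and duplicate the same three-section template, and the operands `Sample2GradleSafeHSJAVA150`/`Sample4IvySafeHSJAVA150` break the `Sample<Kind>HS<ENGINE><N>` naming every other constant in this commit follows. Since all inputs are untyped string constants, the composed text can itself be a constant in samples.go, which keeps the rule constructor allocation-free and drops the `fmt` dependency from this file; the rule literal then reads `SafeExample: SampleSafeHSJAVA150,` / `UnsafeExample: SampleVulnerableHSJAVA150,` like every other rule. The rest of the function continues outside the hunk.
```go
// samples.go — composed at compile time; same bytes the Sprintf template produced.
SampleSafeHSJAVA150 = "Maven Example:\n" + SampleMavenSafeHSJAVA150 +
	"\n\nGradle Example:\n" + Sample2GradleSafeHSJAVA150 +
	"\n\nIvy Example:\n" + Sample4IvySafeHSJAVA150 + "\n"
SampleVulnerableHSJAVA150 = "Maven Example:\n" + SampleMavenVulnerableHSJAVA150 +
	"\n\nGradle Example:\n" + Sample2GradleVulnerableHSJAVA150 +
	"\n\nIvy Example:\n" + Sample4IvyVulnerableHSJAVA150 + "\n"
```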
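Review bot: The new HS-JAVA-144 safe-code case writes its sample to `HS-JAVA-134.test`, the same filename the preceding HS-JAVA-134 case uses, so the test's file and its `Name` disagree and, depending on how the harness writes samples, one case may read the other's content. Change the line to `Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-144", ".test")),`, matching the pattern used by its neighbours.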
diff --git a/internal/services/engines/java/sample_test.go b/internal/services/engines/java/samples.go similarity index 82% rename from internal/services/engines/java/sample_test.go rename to internal/services/engines/java/samples.go index 2b6005ab3..1305f2f87 100644 --- a/internal/services/engines/java/sample_test.go +++ b/internal/services/engines/java/samples.go @@ -22,8 +22,7 @@ public class Foo { reader.parse(input) } } - ` - +` SampleSafeHSJAVA1 = ` public class Foo { void bar() { @@ -47,7 +46,6 @@ public class Foo { } } ` - SampleVulnerableHSJAVA2 = ` public class Foo { public void parseXML(InputStream input) throws XMLStreamException { @@ -56,7 +54,6 @@ public class Foo { } } ` - SampleSafeHSJAVA2 = ` public class Foo { public void parseXML(InputStream input) throws XMLStreamException { @@ -185,6 +182,9 @@ public class Foo { } ` + SampleVulnerableHSJAVA6 = `` + SampleSafeHSJAVA6 = `` + SampleVulnerableHSJAVA7 = ` public class Foo { public void Bar() { @@ -413,6 +413,17 @@ public class Foo { } ` + // Deprecated: Repeated vulnerability, same as HS-JAVA-14 + // + //SampleVulnerableHSJAVA15 = `` + //SampleSafeHSJAVA15 = `` + // + //SampleVulnerableHSJAVA16 = `` + //SampleSafeHSJAVA16 = `` + // + //SampleVulnerableHSJAVA17 = `` + //SampleSafeHSJAVA17 = `` + SampleVulnerableHSJAVA18 = ` import android.webkit.WebView; 
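Review bot: With the rename from `sample_test.go` to `samples.go` these constants now ship in the production binary and are surfaced to users as rule metadata, so the empty pairs added here (`SampleVulnerableHSJAVA6 = ``` ``` ``` and `SampleSafeHSJAVA6 = ``` ``` ```, and the same pattern through the later samples.go hunks up to HS-JAVA-143) mean a finding for those rules shows blank safe/unsafe examples, and any test case wired to an empty `Src` passes vacuously for the safe side while the vulnerable side cannot match. Either leave those rules' example fields unset until a real snippet exists, or mark each placeholder so it is easy to find, e.g. `SampleVulnerableHSJAVA6 = ``` ``` ``` // TODO: add example before wiring into the rule`. The commented-out "Deprecated" constants could be dropped entirely, since the `// Deprecated:` note on the rule itself already records the reason.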
@@ -478,6 +489,20 @@ public class MainActivity extends AppCompatActivity { } ` + // Deprecated: Simply using SQL Cipher does not appear to be a vulnerability, to this becomes a vulnerability will + // depend on what is stored, how it was stored and the sql cipher version, removed to avoid false positives. + // reference: https://www.zetetic.net/blog/2019/08/14/defcon-sqlite-attacks/ + // + //SampleVulnerableHSJAVA20 = `` + //SampleSafeHSJAVA20 = `` + + // Deprecated: This vulnerability should search for a hardcoded secret, the actual implemented way + // will only lead to false positives, leaks engine already does a search for hardcoded credentials. + // reference: https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-6301?search=realm + // + //SampleVulnerableHSJAVA21 = `` + //SampleSafeHSJAVA21 = `` + SampleVulnerableHSJAVA22 = ` public class Foo { Java.perform(function() { @@ -606,6 +631,9 @@ public void findUser() { } ` + SampleVulnerableHSJAVA27 = `` + SampleSafeHSJAVA27 = `` + SampleVulnerableHSJAVA28 = ` package org.thoughtcrime.ssl.pinning; 
@@ -656,6 +684,258 @@ package org.thoughtcrime.ssl.pinning; } ` + SampleVulnerableHSJAVA29 = `` + SampleSafeHSJAVA29 = `` + + SampleVulnerableHSJAVA30 = `` + SampleSafeHSJAVA30 = `` + + SampleVulnerableHSJAVA31 = `` + SampleSafeHSJAVA31 = `` + + SampleVulnerableHSJAVA32 = `` + SampleSafeHSJAVA32 = `` + + SampleVulnerableHSJAVA33 = `` + SampleSafeHSJAVA33 = `` + + SampleVulnerableHSJAVA34 = `` + SampleSafeHSJAVA34 = `` + + SampleVulnerableHSJAVA35 = `` + SampleSafeHSJAVA35 = `` + + SampleVulnerableHSJAVA36 = `` + SampleSafeHSJAVA36 = `` + + SampleVulnerableHSJAVA37 = `` + SampleSafeHSJAVA37 = `` + + SampleVulnerableHSJAVA38 = `` + SampleSafeHSJAVA38 = `` + + SampleVulnerableHSJAVA39 = `` + SampleSafeHSJAVA39 = `` + + SampleVulnerableHSJAVA40 = `` + SampleSafeHSJAVA40 = `` + + SampleVulnerableHSJAVA41 = `` + SampleSafeHSJAVA41 = `` + + SampleVulnerableHSJAVA42 = `` + SampleSafeHSJAVA42 = `` + + SampleVulnerableHSJAVA43 = `` + SampleSafeHSJAVA43 = `` + + SampleVulnerableHSJAVA44 = `` + SampleSafeHSJAVA44 = `` + + SampleVulnerableHSJAVA45 = `` + SampleSafeHSJAVA45 = `` + + SampleVulnerableHSJAVA46 = `` + SampleSafeHSJAVA46 = `` + + SampleVulnerableHSJAVA47 = `` + SampleSafeHSJAVA47 = `` + + SampleVulnerableHSJAVA48 = `` + SampleSafeHSJAVA48 = `` + + SampleVulnerableHSJAVA49 = `` + SampleSafeHSJAVA49 = `` + + SampleVulnerableHSJAVA50 = `` + SampleSafeHSJAVA50 = `` + + SampleVulnerableHSJAVA51 = `` + SampleSafeHSJAVA51 = `` + + SampleVulnerableHSJAVA52 = `` + SampleSafeHSJAVA52 = `` + + SampleVulnerableHSJAVA53 = `` + SampleSafeHSJAVA53 = `` + + SampleVulnerableHSJAVA54 = `` + SampleSafeHSJAVA54 = `` + + SampleVulnerableHSJAVA55 = `` + SampleSafeHSJAVA55 = `` + + SampleVulnerableHSJAVA56 = `` + SampleSafeHSJAVA56 = `` + + SampleVulnerableHSJAVA57 = `` + SampleSafeHSJAVA57 = `` + + SampleVulnerableHSJAVA58 = `` + SampleSafeHSJAVA58 = `` + + SampleVulnerableHSJAVA59 = `` + SampleSafeHSJAVA59 = `` + + SampleVulnerableHSJAVA60 = `` + SampleSafeHSJAVA60 = `` + + 
SampleVulnerableHSJAVA61 = `` + SampleSafeHSJAVA61 = `` + + SampleVulnerableHSJAVA62 = `` + SampleSafeHSJAVA62 = `` + + SampleVulnerableHSJAVA63 = `` + SampleSafeHSJAVA63 = `` + + SampleVulnerableHSJAVA64 = `` + SampleSafeHSJAVA64 = `` + + SampleVulnerableHSJAVA65 = `` + SampleSafeHSJAVA65 = `` + + SampleVulnerableHSJAVA66 = `` + SampleSafeHSJAVA66 = `` + + SampleVulnerableHSJAVA67 = `` + SampleSafeHSJAVA67 = `` + + SampleVulnerableHSJAVA68 = `` + SampleSafeHSJAVA68 = `` + + SampleVulnerableHSJAVA69 = `` + SampleSafeHSJAVA69 = `` + + SampleVulnerableHSJAVA70 = `` + SampleSafeHSJAVA70 = `` + + SampleVulnerableHSJAVA71 = `` + SampleSafeHSJAVA71 = `` + + SampleVulnerableHSJAVA72 = `` + SampleSafeHSJAVA72 = `` + + SampleVulnerableHSJAVA73 = `` + SampleSafeHSJAVA73 = `` + + SampleVulnerableHSJAVA74 = `` + SampleSafeHSJAVA74 = `` + + SampleVulnerableHSJAVA75 = `` + SampleSafeHSJAVA75 = `` + + SampleVulnerableHSJAVA76 = `` + SampleSafeHSJAVA76 = `` + + SampleVulnerableHSJAVA77 = `` + SampleSafeHSJAVA77 = `` + + SampleVulnerableHSJAVA78 = `` + SampleSafeHSJAVA78 = `` + + SampleVulnerableHSJAVA79 = `` + SampleSafeHSJAVA79 = `` + + SampleVulnerableHSJAVA80 = `` + SampleSafeHSJAVA80 = `` + + SampleVulnerableHSJAVA81 = `` + SampleSafeHSJAVA81 = `` + + SampleVulnerableHSJAVA82 = `` + SampleSafeHSJAVA82 = `` + + SampleVulnerableHSJAVA83 = `` + SampleSafeHSJAVA83 = `` + + SampleVulnerableHSJAVA84 = `` + SampleSafeHSJAVA84 = `` + + SampleVulnerableHSJAVA85 = `` + SampleSafeHSJAVA85 = `` + + // Deprecated: Repeated vulnerability, same as HS-JAVA-12 + // + //SampleVulnerableHSJAVA86 = `` + //SampleSafeHSJAVA86 = `` + + SampleVulnerableHSJAVA87 = `` + SampleSafeHSJAVA87 = `` + + SampleVulnerableHSJAVA88 = `` + SampleSafeHSJAVA88 = `` + + SampleVulnerableHSJAVA89 = `` + SampleSafeHSJAVA89 = `` + + SampleVulnerableHSJAVA90 = `` + SampleSafeHSJAVA90 = `` + + SampleVulnerableHSJAVA91 = `` + SampleSafeHSJAVA91 = `` + + SampleVulnerableHSJAVA92 = `` + SampleSafeHSJAVA92 = `` + + 
SampleVulnerableHSJAVA93 = `` + SampleSafeHSJAVA93 = `` + + SampleVulnerableHSJAVA94 = `` + SampleSafeHSJAVA94 = `` + + SampleVulnerableHSJAVA95 = `` + SampleSafeHSJAVA95 = `` + + SampleVulnerableHSJAVA96 = `` + SampleSafeHSJAVA96 = `` + + SampleVulnerableHSJAVA97 = `` + SampleSafeHSJAVA97 = `` + + SampleVulnerableHSJAVA98 = `` + SampleSafeHSJAVA98 = `` + + SampleVulnerableHSJAVA99 = `` + SampleSafeHSJAVA99 = `` + + SampleVulnerableHSJAVA100 = `` + SampleSafeHSJAVA100 = `` + + SampleVulnerableHSJAVA101 = `` + SampleSafeHSJAVA101 = `` + + SampleVulnerableHSJAVA102 = `` + SampleSafeHSJAVA102 = `` + + SampleVulnerableHSJAVA103 = `` + SampleSafeHSJAVA103 = `` + + SampleVulnerableHSJAVA104 = `` + SampleSafeHSJAVA104 = `` + + // Deprecated: Repeated vulnerability, same as HS-JAVA-23 + // + //SampleVulnerableHSJAVA105 = `` + //SampleSafeHSJAVA105 = `` + + // Deprecated: Repeated vulnerability, same as HS-JAVA-111 + // + //SampleVulnerableHSJAVA106 = `` + //SampleSafeHSJAVA106 = `` + + SampleVulnerableHSJAVA107 = `` + SampleSafeHSJAVA107 = `` + + SampleVulnerableHSJAVA108 = `` + SampleSafeHSJAVA108 = `` + + SampleVulnerableHSJAVA109 = `` + SampleSafeHSJAVA109 = `` + + SampleVulnerableHSJAVA110 = `` + SampleSafeHSJAVA110 = `` + SampleVulnerableHSJAVA111 = ` public class Foo { public void Bar() { 
@@ -732,6 +1012,72 @@ public class Foo { } ` + SampleVulnerableHSJAVA112 = `` + SampleSafeHSJAVA112 = `` + + SampleVulnerableHSJAVA113 = `` + SampleSafeHSJAVA113 = `` + + SampleVulnerableHSJAVA114 = `` + SampleSafeHSJAVA114 = `` + + SampleVulnerableHSJAVA115 = `` + SampleSafeHSJAVA115 = `` + + SampleVulnerableHSJAVA116 = `` + SampleSafeHSJAVA116 = `` + + SampleVulnerableHSJAVA117 = `` + SampleSafeHSJAVA117 = `` + + SampleVulnerableHSJAVA118 = `` + SampleSafeHSJAVA118 = `` + + SampleVulnerableHSJAVA119 = `` + SampleSafeHSJAVA119 = `` + + SampleVulnerableHSJAVA120 = `` + SampleSafeHSJAVA120 = `` + + SampleVulnerableHSJAVA121 = `` + SampleSafeHSJAVA121 = `` + + SampleVulnerableHSJAVA122 = `` + SampleSafeHSJAVA122 = `` + + SampleVulnerableHSJAVA123 = `` + SampleSafeHSJAVA123 = `` + + SampleVulnerableHSJAVA124 = `` + SampleSafeHSJAVA124 = `` + + SampleVulnerableHSJAVA125 = `` + SampleSafeHSJAVA125 = `` + + SampleVulnerableHSJAVA126 = `` + SampleSafeHSJAVA126 = `` + + SampleVulnerableHSJAVA127 = `` + SampleSafeHSJAVA127 = `` + + SampleVulnerableHSJAVA128 = `` + SampleSafeHSJAVA128 = `` + + SampleVulnerableHSJAVA129 = `` + SampleSafeHSJAVA129 = `` + + SampleVulnerableHSJAVA130 = `` + SampleSafeHSJAVA130 = `` + + SampleVulnerableHSJAVA131 = `` + SampleSafeHSJAVA131 = `` + + SampleVulnerableHSJAVA132 = `` + SampleSafeHSJAVA132 = `` + + SampleVulnerableHSJAVA133 = `` + SampleSafeHSJAVA133 = `` + SampleVulnerableHSJAVA134 = ` import java.sql.Connection; import java.sql.PreparedStatement; 
@@ -779,6 +1125,33 @@ public class VulnerableCodeSQLInjection134 { } ` + SampleVulnerableHSJAVA135 = `` + SampleSafeHSJAVA135 = `` + + SampleVulnerableHSJAVA136 = `` + SampleSafeHSJAVA136 = `` + + SampleVulnerableHSJAVA137 = `` + SampleSafeHSJAVA137 = `` + + SampleVulnerableHSJAVA138 = `` + SampleSafeHSJAVA138 = `` + + SampleVulnerableHSJAVA139 = `` + SampleSafeHSJAVA139 = `` + + SampleVulnerableHSJAVA140 = `` + SampleSafeHSJAVA140 = `` + + SampleVulnerableHSJAVA141 = `` + SampleSafeHSJAVA141 = `` + + SampleVulnerableHSJAVA142 = `` + SampleSafeHSJAVA142 = `` + + SampleVulnerableHSJAVA143 = `` + SampleSafeHSJAVA143 = `` + SampleVulnerableHSJAVA144 = ` public class Foo { public void Bar() { @@ -788,6 +1161,7 @@ public class Foo { } } ` + SampleSafeHSJAVA144 = `// Don't use NullCipher in its code` SampleVulnerableHSJAVA145 = ` public class Foo { diff --git a/internal/services/engines/jvm/rules.go b/internal/services/engines/jvm/rules.go index 536685249..dc0d90252 100644 --- a/internal/services/engines/jvm/rules.go +++ b/internal/services/engines/jvm/rules.go @@ -53,7 +53,7 @@ func Rules() []engine.Rule { NewBase64Decode(), NewPotentialAndroidSQLInjection(), NewKeychainAccess(), - NewWebViewLoadRequest(), + // NewWebViewLoadRequest(), NewCookieStorage(), NewSetReadClipboard(), NewUsingLoadHTMLStringCanResultInject(), 
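Review bot: `SampleSafeHSJAVA144` is a Java comment (`// Don't use NullCipher in its code`) rather than code, so the safe-code test for the NullCipher regex only shows that text that never mentions a cipher is not flagged; it does not show that a legitimate `Cipher` use passes. A snippet that exercises the negative case, for example a method that calls `Cipher.getInstance("AES/GCM/NoPadding")` and uses it, would make `TestRulesSafeCode` meaningful for HS-JAVA-144 and matches the style of the other non-empty safe samples in this file.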
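Review bot: `NewWebViewLoadRequest()` is removed from `Rules()` by commenting it out, with no reason recorded, while the other rules this commit retires carry a `// Deprecated: <reason>` note on their sample constants. Readers of this list will not know whether the rule is broken, duplicated or intentionally dropped; either delete the line and document the retirement on the constructor (`// Deprecated: <reason>, removed from Rules() to avoid false positives`) or keep the call. If the constructor is still exported and tested elsewhere, the test should also note that the rule is no longer registered.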
@@ -76,11 +76,13 @@ func Rules() []engine.Rule {
 func NewNoLogSensitiveInformation() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JVM-1",
- Name: "No Log Sensitive Information",
- Description: "The App logs information. Sensitive information should never be logged. For more information checkout the CWE-532 (https://cwe.mitre.org/data/definitions/532.html) advisory.",
- Severity: severities.Info.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JVM-1",
+ Name: "No Log Sensitive Information",
+ Description: "The App logs information. Sensitive information should never be logged. For more information checkout the CWE-532 (https://cwe.mitre.org/data/definitions/532.html) advisory.",
+ Severity: severities.Info.ToString(),
+ Confidence: confidence.Low.ToString(),
+ SafeExample: SampleSafeHSJVM1,
+ UnsafeExample: SampleVulnerableHSJVM1,
 },
 Type: text.Regular,
 Expressions: []*regexp.Regexp{
@@ -92,11 +94,13 @@ func NewNoLogSensitiveInformation() *text.Rule {
 func NewHTTPRequestsConnectionsAndSessions() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JVM-2",
- Name: "HTTP Requests, Connections and Sessions",
- Description: "HTTP Requests, Connections and Sessions",
- Severity: severities.Low.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JVM-2",
+ Name: "HTTP Requests, Connections and Sessions",
+ Description: "For more information checkout the CWE-CVE-2020-13956 (https://www.cvedetails.com/cve/CVE-2020-13956)",
+ Severity: severities.Low.ToString(),
+ Confidence: confidence.Low.ToString(),
+ SafeExample: SampleSafeHSJVM2,
+ UnsafeExample: SampleVulnerableHSJVM2,
 },
 Type: text.Regular,
 Expressions: []*regexp.Regexp{
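Review bot: The new HS-JVM-2 `Description` reads "CWE-CVE-2020-13956", which fuses two different identifier schemes: CVE-2020-13956 is a CVE record, not a CWE entry, and the text no longer says what the rule flags, so a finding will show nothing but a link. Keep a one-line statement of the detection and fix the reference, e.g. `Description: "The application opens HTTP requests, connections or sessions; make sure the transport is TLS and responses are validated. For more information checkout the CVE-2020-13956 (https://nvd.nist.gov/vuln/detail/CVE-2020-13956) advisory.",`. The HS-JVM-19 hunk later in this file has the same problem (its description is now only a CWE-532 link with no statement of what is detected).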
@@ -108,11 +112,13 @@ func NewHTTPRequestsConnectionsAndSessions() *text.Rule {
 func NewNoUsesSafetyNetAPI() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JVM-3",
- Name: "No uses safety api",
- Description: "This App uses SafetyNet API",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JVM-3",
+ Name: "No uses safety api",
+ Description: "This App uses SafetyNet API",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Low.ToString(),
+ SafeExample: SampleSafeHSJVM3,
+ UnsafeExample: SampleVulnerableHSJVM3,
 },
 Type: text.Regular,
 Expressions: []*regexp.Regexp{
@@ -124,11 +130,13 @@ func NewNoUsesSafetyNetAPI() *text.Rule {
 func NewNoUsesContentProvider() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JVM-4",
- Name: "No uses Content Provider",
- Description: "No uses Content Provider",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JVM-4",
+ Name: "No uses Content Provider",
+ Description: "No uses Content Provider",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.Low.ToString(),
+ SafeExample: SampleSafeHSJVM4,
+ UnsafeExample: SampleVulnerableHSJVM4,
 },
 Type: text.Regular,
 Expressions: []*regexp.Regexp{
@@ -140,11 +148,13 @@ func NewNoUsesContentProvider() *text.Rule {
 func NewNoUseWithUnsafeBytes() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JVM-5",
- Name: "No Use With Unsafe Bytes",
- Description: "Using this implementation of '.withUnsafeBytes' can lead to the compiler's decision to use unsafe APIs, such as _malloc and _strcpy, as the method calls closing with an UnsafeRawBufferPointer. For more information checkout the CWE-789 (https://cwe.mitre.org/data/definitions/789.html) advisory.",
- Severity: severities.Low.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JVM-5",
+ Name: "No Use With Unsafe Bytes",
+ Description: "Using this implementation of '.withUnsafeBytes' can lead to the compiler's decision to use unsafe APIs, such as _malloc and _strcpy, as the method calls closing with an UnsafeRawBufferPointer. For more information checkout the CWE-789 (https://cwe.mitre.org/data/definitions/789.html) advisory.",
+ Severity: severities.Low.ToString(),
+ Confidence: confidence.Low.ToString(),
+ SafeExample: SampleSafeHSJVM5,
+ UnsafeExample: SampleVulnerableHSJVM5,
 },
 Type: text.Regular,
 Expressions: []*regexp.Regexp{
@@ -156,11 +166,13 @@ func NewNoUseWithUnsafeBytes() *text.Rule {
 func NewNoUseLocalFileIOOperations() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JVM-6",
- Name: "Local File I/O Operations",
- Description: "Local File I/O Operations",
- Severity: severities.Info.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JVM-6",
+ Name: "Local File I/O Operations",
+ Description: "Local File I/O Operations. See more details in https://support.apple.com/guide/security/keychain-data-protection-secb0694df1a/web",
+ Severity: severities.Info.ToString(),
+ Confidence: confidence.Low.ToString(),
+ SafeExample: SampleSafeHSJVM6,
+ UnsafeExample: SampleVulnerableHSJVM6,
 },
 Type: text.Regular,
 Expressions: []*regexp.Regexp{
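Review bot: The reference added to the HS-JVM-6 description points at Apple's iOS keychain data-protection guide, which has nothing to do with file I/O in a JVM (Java/Kotlin, Android) codebase; it looks copied from the Swift engine's equivalent rule. Either drop the sentence or replace it with a reference that explains why unguarded local file I/O on Android matters (world-readable storage, sensitive data at rest), so that a developer following the link gets guidance applicable to the flagged code. The neighbouring HS-JVM-5 text about `.withUnsafeBytes`/`UnsafeRawBufferPointer` is also Swift-specific, though that wording predates this commit.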
@@ -172,11 +184,13 @@ func NewNoUseLocalFileIOOperations() *text.Rule {
 func NewWebViewComponent() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JVM-7",
- Name: "WebView Component",
- Description: "WebView Component",
- Severity: severities.Info.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JVM-7",
+ Name: "WebView Component",
+ Description: "UIWebview is available since iOS 1 and deprecated in iOS 8. It has many security issues: You can NOT disable Javascript. You can NOT disable Access to files. You can NOT implement the same origin policy for file access. Native application has access to all the requests/response, which is not ideal for sensitive data and external authentication. The rendered content, and the native application shares the same process",
+ Severity: severities.Info.ToString(),
+ Confidence: confidence.Low.ToString(),
+ SafeExample: SampleSafeHSJVM7,
+ UnsafeExample: SampleVulnerableHSJVM7,
 },
 Type: text.Regular,
 Expressions: []*regexp.Regexp{
@@ -188,11 +202,13 @@ func NewWebViewComponent() *text.Rule {
 func NewEncryptionAPI() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JVM-8",
- Name: "Encryption API",
- Description: "Encryption API",
- Severity: severities.Info.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JVM-8",
+ Name: "Encryption API",
+ Description: "Encryption API. For more information checkout the CWE-789 (https://cwe.mitre.org/data/definitions/789.html) advisory",
+ Severity: severities.Info.ToString(),
+ Confidence: confidence.Low.ToString(),
+ SafeExample: SampleSafeHSJVM8,
+ UnsafeExample: SampleVulnerableHSJVM8,
 },
 Type: text.Regular,
 Expressions: []*regexp.Regexp{
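Review bot: The new HS-JVM-7 description is entirely about iOS `UIWebView` ("available since iOS 1 and deprecated in iOS 8", file-access same-origin policy), but this is the JVM engine whose findings land on Android `WebView` code, so the explanation a user reads will not match the flagged line. The HS-JVM-8 hunk has a related issue: "Encryption API" now cites CWE-789 (memory allocation with excessive size value), which does not describe an encryption-API finding. Replace the HS-JVM-7 text with Android `WebView` hardening guidance (JavaScript and file access enabled only when required, no untrusted content loaded) and pick a CWE for HS-JVM-8 that actually matches the risk the rule is meant to surface, or cite none rather than a wrong one.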
@@ -204,11 +220,13 @@ func NewEncryptionAPI() *text.Rule {
 func NewKeychainAccess() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JVM-9",
- Name: "Keychain Access",
- Description: "Keychain Access",
- Severity: severities.Info.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JVM-9",
+ Name: "Keychain Access",
+ Description: "Keychain Access",
+ Severity: severities.Info.ToString(),
+ Confidence: confidence.Low.ToString(),
+ SafeExample: SampleSafeHSJVM9,
+ UnsafeExample: SampleVulnerableHSJVM9,
 },
 Type: text.Regular,
 Expressions: []*regexp.Regexp{
@@ -220,11 +238,13 @@ func NewKeychainAccess() *text.Rule {
 func NewNoUseProhibitedAPIs() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JVM-10",
- Name: "No Use Prohibited APIs",
- Description: "The application may contain prohibited APIs. These APIs are insecure and should not be used. For more information checkout the CWE-676 (https://cwe.mitre.org/data/definitions/676.html) advisory.",
- Severity: severities.Critical.ToString(),
- Confidence: confidence.High.ToString(),
+ ID: "HS-JVM-10",
+ Name: "No Use Prohibited APIs",
+ Description: "The application may contain prohibited APIs. These APIs are insecure and should not be used. For more information checkout the CWE-676 (https://cwe.mitre.org/data/definitions/676.html) advisory.",
+ Severity: severities.Critical.ToString(),
+ Confidence: confidence.High.ToString(),
+ SafeExample: SampleSafeHSJVM10,
+ UnsafeExample: SampleVulnerableHSJVM10,
 },
 Type: text.Regular,
 Expressions: []*regexp.Regexp{
@@ -236,11 +256,13 @@ func NewNoUseProhibitedAPIs() *text.Rule {
 func NewApplicationAllowMITMAttacks() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JVM-11",
- Name: "Application allow MITM attacks",
- Description: "The application allows self-signed or invalid SSL certificates. The application is vulnerable to MITM (Man-In-The-Middle) attacks. For more information checkout the CWE-295 (https://cwe.mitre.org/data/definitions/295.html) advisory.",
- Severity: severities.Critical.ToString(),
- Confidence: confidence.High.ToString(),
+ ID: "HS-JVM-11",
+ Name: "Application allow MITM attacks",
+ Description: "The application allows self-signed or invalid SSL certificates. The application is vulnerable to MITM (Man-In-The-Middle) attacks. For more information checkout the CWE-295 (https://cwe.mitre.org/data/definitions/295.html) advisory.",
+ Severity: severities.Critical.ToString(),
+ Confidence: confidence.High.ToString(),
+ SafeExample: SampleSafeHSJVM11,
+ UnsafeExample: SampleVulnerableHSJVM11,
 },
 Type: text.Regular,
 Expressions: []*regexp.Regexp{
@@ -252,11 +274,13 @@ func NewApplicationAllowMITMAttacks() *text.Rule {
 func NewUIWebViewInApplicationIgnoringErrorsSSL() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JVM-12",
- Name: "UIWebView in application ignoring errors SSL",
- Description: "The in-app UIWebView ignores SSL errors and accepts any SSL certificate. The application is vulnerable to attacks from MITM (Man-In-The-Middle). For more information checkout the CWE-295 (https://cwe.mitre.org/data/definitions/295.html) advisory.",
- Severity: severities.High.ToString(),
- Confidence: confidence.High.ToString(),
+ ID: "HS-JVM-12",
+ Name: "UIWebView in application ignoring errors SSL",
+ Description: "The in-app UIWebView ignores SSL errors and accepts any SSL certificate. The application is vulnerable to attacks from MITM (Man-In-The-Middle). For more information checkout the CWE-295 (https://cwe.mitre.org/data/definitions/295.html) advisory.",
+ Severity: severities.High.ToString(),
+ Confidence: confidence.High.ToString(),
+ SafeExample: SampleSafeHSJVM12,
+ UnsafeExample: SampleVulnerableHSJVM12,
 },
 Type: text.Regular,
 Expressions: []*regexp.Regexp{
@@ -268,11 +292,13 @@ func NewUIWebViewInApplicationIgnoringErrorsSSL() *text.Rule {
 func NewNoListClipboardChanges() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JVM-13",
- Name: "No List changes on the clipboard",
- Description: "The application allows you to list the changes on the Clipboard. Some malware also lists changes to the Clipboard.",
- Severity: severities.Info.ToString(),
- Confidence: confidence.High.ToString(),
+ ID: "HS-JVM-13",
+ Name: "No List changes on the clipboard",
+ Description: "The application allows you to list the changes on the Clipboard. Some malware also lists changes to the Clipboard.",
+ Severity: severities.Info.ToString(),
+ Confidence: confidence.High.ToString(),
+ SafeExample: SampleSafeHSJVM13,
+ UnsafeExample: SampleVulnerableHSJVM13,
 },
 Type: text.Regular,
 Expressions: []*regexp.Regexp{
@@ -284,11 +310,13 @@ func NewNoListClipboardChanges() *text.Rule {
 func NewApplicationUsingSQLite() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JVM-14",
- Name: "The application is using SQLite. Confidential information must be encrypted.",
- Description: "The application is using SQLite. Confidential information must be encrypted.",
- Severity: severities.Info.ToString(),
- Confidence: confidence.High.ToString(),
+ ID: "HS-JVM-14",
+ Name: "The application is using SQLite. Confidential information must be encrypted.",
+ Description: "The application is using SQLite. Confidential information must be encrypted.",
+ Severity: severities.Info.ToString(),
+ Confidence: confidence.High.ToString(),
+ SafeExample: SampleSafeHSJVM14,
+ UnsafeExample: SampleVulnerableHSJVM14,
 },
 Type: text.Regular,
 Expressions: []*regexp.Regexp{
@@ -300,15 +328,17 @@ func NewApplicationUsingSQLite() *text.Rule {
 func NewNoUseNSTemporaryDirectory() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JVM-15",
- Name: "No use NSTemporaryDirectory",
- Description: "User use in \"NSTemporaryDirectory ()\" is unreliable, it can result in vulnerabilities in the directory. For more information checkout the CWE-22 (https://cwe.mitre.org/data/definitions/22.html) advisory.",
- Severity: severities.Info.ToString(),
- Confidence: confidence.High.ToString(),
+ ID: "HS-JVM-15",
+ Name: "No use NSTemporaryDirectory",
+ Description: "User use in \"NSTemporaryDirectory ()\" is unreliable, it can result in vulnerabilities in the directory. For more information checkout the CWE-22 (https://cwe.mitre.org/data/definitions/22.html) advisory.",
+ Severity: severities.Info.ToString(),
+ Confidence: confidence.High.ToString(),
+ SafeExample: SampleSafeHSJVM15,
+ UnsafeExample: SampleVulnerableHSJVM15,
 },
 Type: text.Regular,
 Expressions: []*regexp.Regexp{
- regexp.MustCompile(`NSTemporaryDirectory\(\),`),
+ regexp.MustCompile(`NSTemporaryDirectory\(\)`),
 },
 }
 }
@@ -316,11 +346,13 @@ func NewNoUseNSTemporaryDirectory() *text.Rule {
 func NewNoCopiesDataToTheClipboard() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JVM-16",
- Name: "No copies data to the Clipboard",
- Description: "The application copies data to the Clipboard. Confidential data must not be copied to the Clipboard, as other applications can access it. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.",
- Severity: severities.Info.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JVM-16",
+ Name: "No copies data to the Clipboard",
+ Description: "The application copies data to the Clipboard. Confidential data must not be copied to the Clipboard, as other applications can access it. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.",
+ Severity: severities.Info.ToString(),
+ Confidence: confidence.Low.ToString(),
+ SafeExample: SampleSafeHSJVM16,
+ UnsafeExample: SampleVulnerableHSJVM16,
 },
 Type: text.Regular,
 Expressions: []*regexp.Regexp{
@@ -332,16 +364,18 @@ func NewNoCopiesDataToTheClipboard() *text.Rule {
 func NewNoDownloadFileUsingAndroidDownloadManager() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JVM-17",
- Name: "No Download File Using Android Download Manager",
- Description: "This App downloads files using Android Download Manager",
- Severity: severities.Medium.ToString(),
- Confidence: confidence.High.ToString(),
+ ID: "HS-JVM-17",
+ Name: "No Download File Using Android Download Manager",
+ Description: "This App downloads files using Android Download Manager",
+ Severity: severities.Medium.ToString(),
+ Confidence: confidence.High.ToString(),
+ SafeExample: SampleSafeHSJVM17,
+ UnsafeExample: SampleVulnerableHSJVM17,
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
+ regexp.MustCompile(`getSystemService\(.*DOWNLOAD_SERVICE.*\)`),
 regexp.MustCompile(`android.app.DownloadManager`),
- regexp.MustCompile(`getSystemService\(DOWNLOAD_SERVICE\)`),
 },
 }
 }
@@ -349,16 +383,18 @@ func NewNoDownloadFileUsingAndroidDownloadManager() *text.Rule {
 func NewAndroidKeystore() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JVM-18",
- Name: "Android Keystore",
- Description: "Android Keystore",
- Severity: severities.Critical.ToString(),
- Confidence: confidence.Medium.ToString(),
+ ID: "HS-JVM-18",
+ Name: "Android Keystore",
+ Description: "Android Keystore",
+ Severity: severities.Critical.ToString(),
+ Confidence: confidence.Medium.ToString(),
+ SafeExample: SampleSafeHSJVM18,
+ UnsafeExample: SampleVulnerableHSJVM18,
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
- regexp.MustCompile(`security.KeyStore`),
- regexp.MustCompile(`Keystore.getInstance\(`),
+ regexp.MustCompile(`(?i)security.KeyStore`),
+ regexp.MustCompile(`(?i)Keystore.getInstance\(`),
 },
 }
 }
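Review bot: The new-side Description of HS-JVM-18 still only repeats its Name ("Android Keystore"), so a Critical-severity finding is reported with no statement of what is wrong; using the platform keystore via `KeyStore.getInstance(` is in itself the recommended way to hold key material on Android, so the text should say which usage the rule is actually after, or the severity looks unjustified. The new `(?i)security.KeyStore` and the kept `android.app.DownloadManager` leave their dots unescaped and therefore match any character in those positions; `(?i)security\.KeyStore` and `android\.app\.DownloadManager` express the intent. The added `getSystemService\(.*DOWNLOAD_SERVICE.*\)` is a sensible relaxation of the old exact-argument form, but its two `.*` will also swallow anything else on the same line up to the last `)`, which is harmless for matching but worth knowing when reading the reported column. Both hunks on this line are complete.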
@@ -366,11 +402,13 @@ func NewAndroidKeystore() *text.Rule {
 func NewAndroidNotifications() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JVM-19",
- Name: "Android Notifications",
- Description: "Android Notifications",
- Severity: severities.Low.ToString(),
- Confidence: confidence.Medium.ToString(),
+ ID: "HS-JVM-19",
+ Name: "Android Notifications",
+ Description: "For more information checkout the CWE-532 (https://cwe.mitre.org/data/definitions/532.html) advisory.",
+ Severity: severities.Low.ToString(),
+ Confidence: confidence.Medium.ToString(),
+ SafeExample: SampleSafeHSJVM19,
+ UnsafeExample: SampleVulnerableHSJVM19,
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
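Review bot: The new Description for HS-JVM-19 is nothing but the CWE-532 pointer; the old text was already only the rule name, and the replacement drops even that, so a user who receives this finding is told no risk at all. CWE-532 is the insertion-of-sensitive-information-into-logs entry, so if the rule is about sensitive data ending up in notification text the sentence should say so, e.g. `Description: "Content placed in Android notifications can be read outside the application and should not contain sensitive data. For more information checkout the CWE-532 (https://cwe.mitre.org/data/definitions/532.html) advisory.",`. The Expressions list is outside the hunk, so I could not confirm what the rule actually matches; adjust the wording to it.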
@@ -383,15 +421,17 @@ func NewAndroidNotifications() *text.Rule {
 func NewPotentialAndroidSQLInjection() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JVM-20",
- Name: "Potential Android SQL Injection",
- Description: "The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. For more information checkout the CWE-89 (https://cwe.mitre.org/data/definitions/89.html) advisory.",
- Severity: severities.High.ToString(),
- Confidence: confidence.High.ToString(),
+ ID: "HS-JVM-20",
+ Name: "Potential Android SQL Injection",
+ Description: "The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. For more information checkout the CWE-89 (https://cwe.mitre.org/data/definitions/89.html) advisory.",
+ Severity: severities.High.ToString(),
+ Confidence: confidence.High.ToString(),
+ SafeExample: SampleSafeHSJVM20,
+ UnsafeExample: SampleVulnerableHSJVM20,
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
- regexp.MustCompile(`((select|SELECT)|(update|UPDATE)|(insert|INSERT)|(delete|DELETE))((.*|\n)*)?((=(\s?)(["|']*)(\s?)(\+))|(=(\s?)\%.(["|']*)(.*?|\n?)(\,?)))`),
+ regexp.MustCompile(`(?i)(select|update|insert|delete)((.*|\n)*)?((=(\s?)(["|']*)(\s?)(\+))|(=(\s?)\%.(["|']*)(.*?|\n?)(\,?)))`),
 regexp.MustCompile(`rawQuery\(\w+\,null\)`),
 },
 }
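Review bot: The kept second expression `rawQuery\(\w+\,null\)` only matches when the identifier and `null` have no whitespace around the comma, so the usual `rawQuery(query, null)` spelling fails the AndMatch and HS-JVM-20 is silently skipped; `rawQuery\(\s*\w+\s*,\s*null\s*\)` covers both forms. The new first expression is byte-identical to the one added to HS-JVM-21 in the next hunk (L140); declare it once at package level (`var sqlStringConcatRegexp = regexp.MustCompile(...)`) and reference it from both rules so they cannot drift apart. Because `(?i)(select|update|insert|delete)` followed by `((.*|\n)*)?` spans the rest of the file, a method name such as `updateView` anywhere above an `=` that is followed by a quote and a `+` satisfies that expression on its own, so the High Confidence rests almost entirely on the rawQuery expression. Note also that a file which triggers HS-JVM-20 and imports `android.database.sqlite` now produces a second High finding from HS-JVM-21 for the same statement; if that double report is not intended, one of the two rules should exclude the other's pattern.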
@@ -400,16 +440,19 @@ func NewPotentialAndroidSQLInjection() *text.Rule {
 func NewSQLInjectionWithSQLite() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JVM-21",
- Name: "SQL Injection With SQLite",
- Description: "App uses SQLite Database and execute raw SQL query. Untrusted user input in raw SQL queries can cause SQL Injection. Also sensitive information should be encrypted and written to the database. For more information checkout the CWE-89 (https://cwe.mitre.org/data/definitions/89.html) advisory.",
- Severity: severities.High.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JVM-21",
+ Name: "SQL Injection With SQLite",
+ Description: "App uses SQLite Database and execute raw SQL query. Untrusted user input in raw SQL queries can cause SQL Injection. Also sensitive information should be encrypted and written to the database. For more information checkout the CWE-89 (https://cwe.mitre.org/data/definitions/89.html) advisory.",
+ Severity: severities.High.ToString(),
+ Confidence: confidence.Low.ToString(),
+ SafeExample: SampleSafeHSJVM21,
+ UnsafeExample: SampleVulnerableHSJVM21,
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
- regexp.MustCompile(`android\.database\.sqlite`),
+ regexp.MustCompile(`(?i)(select|update|insert|delete)((.*|\n)*)?((=(\s?)(["|']*)(\s?)(\+))|(=(\s?)\%.(["|']*)(.*?|\n?)(\,?)))`),
 regexp.MustCompile(`execSQL\(|rawQuery\(`),
+ regexp.MustCompile(`android\.database\.sqlite`),
 },
 }
 }
@@ -417,11 +460,13 @@ func NewSQLInjectionWithSQLite() *text.Rule { func NewWebViewGETRequest() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JVM-22", - Name: "WebView GET Request", - Description: "WebView GET Request", - Severity: severities.Medium.ToString(), - Confidence: confidence.High.ToString(), + ID: "HS-JVM-22", + Name: "WebView GET Request", + Description: "WebView GET Request", + Severity: severities.Medium.ToString(), + Confidence: confidence.High.ToString(), + SafeExample: SampleSafeHSJVM22, + UnsafeExample: SampleVulnerableHSJVM22, }, Type: text.AndMatch, Expressions: []*regexp.Regexp{ @@ -435,11 +480,13 @@ func NewWebViewGETRequest() *text.Rule { func NewWebViewPOSTRequest() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JVM-23", - Name: "WebView POST Request", - Description: "WebView POST Request", - Severity: severities.Medium.ToString(), - Confidence: confidence.High.ToString(), + ID: "HS-JVM-23", + Name: "WebView POST Request", + Description: "WebView POST Request", + Severity: severities.Medium.ToString(), + Confidence: confidence.High.ToString(), + SafeExample: SampleSafeHSJVM23, + UnsafeExample: SampleVulnerableHSJVM23, }, Type: text.AndMatch, Expressions: []*regexp.Regexp{ @@ -453,11 +500,13 @@ func NewWebViewPOSTRequest() *text.Rule { func NewBase64Decode() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JVM-24", - Name: "Base64 Decode", - Description: "Base64 Decode", - Severity: severities.Low.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JVM-24", + Name: "Base64 Decode", + Description: "Base64 Decode", + Severity: severities.Low.ToString(), + Confidence: confidence.Low.ToString(), + SafeExample: SampleSafeHSJVM24, + UnsafeExample: SampleVulnerableHSJVM24, }, Type: text.OrMatch, Expressions: []*regexp.Regexp{ 
@@ -470,11 +519,13 @@ func NewBase64Decode() *text.Rule {
 func NewKeychainAccessAndMatch() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JVM-25",
- Name: "WebView Load Request",
- Description: "WebView Load Request",
- Severity: severities.Info.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JVM-25",
+ Name: "WebView Load Request",
+ Description: "WebView Load Request",
+ Severity: severities.Info.ToString(),
+ Confidence: confidence.Low.ToString(),
+ SafeExample: SampleSafeHSJVM25,
+ UnsafeExample: SampleVulnerableHSJVM25,
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
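Review bot: The constructor is named `NewKeychainAccessAndMatch` while the new-side Name and Description of HS-JVM-25 both say "WebView Load Request"; one of the two is wrong, and the mismatch is exactly what makes the next hunk's claim that HS-JVM-26 (the WebView Load Request rule) duplicates this one impossible to verify from the diff. If this rule really is the WebView check, rename the constructor to `NewWebViewLoadRequest` (and its registration wherever the rule list is built); if it is a keychain check, the metadata needs a keychain Name, Description and CWE reference instead. The Expressions list is outside the hunk, so I could not tell from here which of the two it is.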
@@ -484,31 +535,36 @@ func NewKeychainAccessAndMatch() *text.Rule {
 }
 }
 
-func NewWebViewLoadRequest() *text.Rule {
- return &text.Rule{
- Metadata: engine.Metadata{
- ID: "HS-JVM-26",
- Name: "WebView Load Request",
- Description: "WebView Load Request",
- Severity: severities.Info.ToString(),
- Confidence: confidence.Low.ToString(),
- },
- Type: text.AndMatch,
- Expressions: []*regexp.Regexp{
- regexp.MustCompile(`webView`),
- regexp.MustCompile(`loadRequest`),
- },
- }
-}
+// Deprecated: Repeated vulnerability, same as HS-JVM-25
+//func NewWebViewLoadRequest() *text.Rule {
+// return &text.Rule{
+// Metadata: engine.Metadata{
+// ID: "HS-JVM-26",
+// Name: "WebView Load Request",
+// Description: "WebView Load Request",
+// Severity: severities.Info.ToString(),
+// Confidence: confidence.Low.ToString(),
+// SafeExample: SampleSafeHSJVM26,
+// UnsafeExample: SampleVulnerableHSJVM26,
+// },
+// Type: text.AndMatch,
+// Expressions: []*regexp.Regexp{
+// regexp.MustCompile(`webView`),
+// regexp.MustCompile(`loadRequest`),
+// },
+// }
+//}
 
 func NewCookieStorage() *text.Rule {
 return &text.Rule{
 Metadata: engine.Metadata{
- ID: "HS-JVM-27",
- Name: "Cookie Storage",
- Description: "Cookie Storage",
- Severity: severities.Info.ToString(),
- Confidence: confidence.Low.ToString(),
+ ID: "HS-JVM-27",
+ Name: "Cookie Storage",
+ Description: "Cookie Storage",
+ Severity: severities.Info.ToString(),
+ Confidence: confidence.Low.ToString(),
+ SafeExample: SampleSafeHSJVM27,
+ UnsafeExample: SampleVulnerableHSJVM27,
 },
 Type: text.AndMatch,
 Expressions: []*regexp.Regexp{
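Review bot: Commenting out `NewWebViewLoadRequest` leaves nineteen lines of dead code in the file, including references to `SampleSafeHSJVM26`/`SampleVulnerableHSJVM26` that nothing else needs, and version history already preserves the old rule. Delete the block and keep only a one-line marker so the ID is not reused, e.g. `// HS-JVM-26 was removed: it duplicated HS-JVM-25 (WebView Load Request).`. Also, `// Deprecated:` is a Go doc-comment convention that tools act on only when it precedes a declaration, so on a commented-out function it has no effect and reads as if a live API were being deprecated. The removed rule's expressions were `webView` and `loadRequest`, whereas HS-JVM-25's constructor is named `NewKeychainAccessAndMatch` and its expressions are not in this diff, so the "same as HS-JVM-25" claim should be confirmed against that rule's actual patterns before the code is dropped.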
@@ -521,11 +577,13 @@ func NewCookieStorage() *text.Rule { func NewSetReadClipboard() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JVM-28", - Name: "Set or Read Clipboard", - Description: "Set or Read Clipboard", - Severity: severities.Info.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JVM-28", + Name: "Set or Read Clipboard", + Description: "Set or Read Clipboard", + Severity: severities.Info.ToString(), + Confidence: confidence.Low.ToString(), + SafeExample: SampleSafeHSJVM28, + UnsafeExample: SampleVulnerableHSJVM28, }, Type: text.AndMatch, Expressions: []*regexp.Regexp{ @@ -538,11 +596,13 @@ func NewSetReadClipboard() *text.Rule { func NewUsingLoadHTMLStringCanResultInject() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JVM-29", - Name: "Using LoadHTMLString can result Inject", - Description: "User input not sanitized in 'loadHTMLString' can result in an injection of JavaScript in the context of your application, allowing access to private data. For more information checkout the CWE-95 (https://cwe.mitre.org/data/definitions/95.html) advisory.", - Severity: severities.Info.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JVM-29", + Name: "Using LoadHTMLString can result Inject", + Description: "User input not sanitized in 'loadHTMLString' can result in an injection of JavaScript in the context of your application, allowing access to private data. For more information checkout the CWE-95 (https://cwe.mitre.org/data/definitions/95.html) advisory.", + Severity: severities.Info.ToString(), + Confidence: confidence.Low.ToString(), + SafeExample: SampleSafeHSJVM29, + UnsafeExample: SampleVulnerableHSJVM29, }, Type: text.AndMatch, Expressions: []*regexp.Regexp{ 
@@ -555,11 +615,13 @@ func NewUsingLoadHTMLStringCanResultInject() *text.Rule { func NewNoUseSFAntiPiracyJailbreak() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JVM-30", - Name: "No Use SFAntiPiracy Jailbreak", - Description: "Verifications found of type SFAntiPiracy Jailbreak", - Severity: severities.Info.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JVM-30", + Name: "No Use SFAntiPiracy Jailbreak", + Description: "Verifications found of type SFAntiPiracy Jailbreak", + Severity: severities.Info.ToString(), + Confidence: confidence.Low.ToString(), + SafeExample: SampleSafeHSJVM30, + UnsafeExample: SampleVulnerableHSJVM30, }, Type: text.AndMatch, Expressions: []*regexp.Regexp{ @@ -573,11 +635,13 @@ func NewNoUseSFAntiPiracyJailbreak() *text.Rule { func NewNoUseSFAntiPiracyIsPirated() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JVM-31", - Name: "No Use SFAntiPiracy IsPirated", - Description: "Verifications found of type SFAntiPiracy isPirated", - Severity: severities.Info.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JVM-31", + Name: "No Use SFAntiPiracy IsPirated", + Description: "Verifications found of type SFAntiPiracy isPirated", + Severity: severities.Info.ToString(), + Confidence: confidence.Low.ToString(), + SafeExample: SampleSafeHSJVM31, + UnsafeExample: SampleVulnerableHSJVM31, }, Type: text.AndMatch, Expressions: []*regexp.Regexp{ 
@@ -591,11 +655,13 @@ func NewNoUseSFAntiPiracyIsPirated() *text.Rule { func NewWeakMd5HashUsing() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JVM-32", - Name: "Weak md5 hash using", - Description: "MD5 is a weak hash, which can generate repeated hashes. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JVM-32", + Name: "Weak md5 hash using", + Description: "MD5 is a weak hash, which can generate repeated hashes. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.Low.ToString(), + SafeExample: SampleSafeHSJVM32, + UnsafeExample: SampleVulnerableHSJVM32, }, Type: text.AndMatch, Expressions: []*regexp.Regexp{ @@ -608,11 +674,13 @@ func NewWeakMd5HashUsing() *text.Rule { func NewWeakSha1HashUsing() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JVM-33", - Name: "Weak sha1 hash using", - Description: "SHA1 is a weak hash, which can generate repeated hashes. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JVM-33", + Name: "Weak sha1 hash using", + Description: "SHA1 is a weak hash, which can generate repeated hashes. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.Low.ToString(), + SafeExample: SampleSafeHSJVM33, + UnsafeExample: SampleVulnerableHSJVM33, }, Type: text.AndMatch, Expressions: []*regexp.Regexp{ 
@@ -625,11 +693,13 @@ func NewWeakSha1HashUsing() *text.Rule { func NewWeakECBEncryptionAlgorithmUsing() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JVM-34", - Name: "Weak ECB encryption algorithm using", - Description: "The application uses ECB mode in the encryption algorithm. It is known that the ECB mode is weak, as it results in the same ciphertext for identical blocks of plain text. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.", - Severity: severities.Info.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JVM-34", + Name: "Weak ECB encryption algorithm using", + Description: "The application uses ECB mode in the encryption algorithm. It is known that the ECB mode is weak, as it results in the same ciphertext for identical blocks of plain text. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.", + Severity: severities.Info.ToString(), + Confidence: confidence.Low.ToString(), + SafeExample: SampleSafeHSJVM34, + UnsafeExample: SampleVulnerableHSJVM34, }, Type: text.AndMatch, Expressions: []*regexp.Regexp{ @@ -642,11 +712,13 @@ func NewWeakECBEncryptionAlgorithmUsing() *text.Rule { func NewUsingPtrace() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JVM-35", - Name: "The application has anti-debugger using ptrace()", - Description: "The application has anti-debugger using ptrace()", - Severity: severities.Info.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JVM-35", + Name: "The application has anti-debugger using ptrace()", + Description: "The application has anti-debugger using ptrace()", + Severity: severities.Info.ToString(), + Confidence: confidence.Low.ToString(), + SafeExample: SampleSafeHSJVM35, + UnsafeExample: SampleVulnerableHSJVM35, }, Type: text.AndMatch, Expressions: []*regexp.Regexp{ 
@@ -659,11 +731,13 @@ func NewUsingPtrace() *text.Rule { func NewSuperUserPrivileges() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JVM-36", - Name: "Super User Privileges", - Description: "This App may request root (Super User) privileges. For more information checkout the CWE-250 (https://cwe.mitre.org/data/definitions/250.html) advisory.", - Severity: severities.High.ToString(), - Confidence: confidence.Medium.ToString(), + ID: "HS-JVM-36", + Name: "Super User Privileges", + Description: "This App may request root (Super User) privileges. For more information checkout the CWE-250 (https://cwe.mitre.org/data/definitions/250.html) advisory.", + Severity: severities.High.ToString(), + Confidence: confidence.Medium.ToString(), + SafeExample: SampleSafeHSJVM36, + UnsafeExample: SampleVulnerableHSJVM36, }, Type: text.OrMatch, Expressions: []*regexp.Regexp{ @@ -679,11 +753,13 @@ func NewSuperUserPrivileges() *text.Rule { func NewSendSMS() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JVM-37", - Name: "Send SMS", - Description: "Send SMS. For more information checkout the OWASP-M3 (https://owasp.org/www-project-mobile-top-10/2016-risks/m3-insecure-communication) advisory", - Severity: severities.Low.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JVM-37", + Name: "Send SMS", + Description: "Send SMS. For more information checkout the OWASP-M3 (https://owasp.org/www-project-mobile-top-10/2016-risks/m3-insecure-communication) advisory", + Severity: severities.Low.ToString(), + Confidence: confidence.Low.ToString(), + SafeExample: SampleSafeHSJVM37, + UnsafeExample: SampleVulnerableHSJVM37, }, Type: text.OrMatch, Expressions: []*regexp.Regexp{ 
@@ -698,11 +774,13 @@ func NewSendSMS() *text.Rule { func NewBase64Encode() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JVM-38", - Name: "Base64 Encode", - Description: "Basic authentication's only means of obfuscation is Base64 encoding. Since Base64 encoding is easily recognized and reversed, it offers only the thinnest veil of protection to your users, and should not be used.", - Severity: severities.Medium.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JVM-38", + Name: "Base64 Encode", + Description: "Basic authentication's only means of obfuscation is Base64 encoding. Since Base64 encoding is easily recognized and reversed, it offers only the thinnest veil of protection to your users, and should not be used.", + Severity: severities.Medium.ToString(), + Confidence: confidence.Low.ToString(), + SafeExample: SampleSafeHSJVM38, + UnsafeExample: SampleVulnerableHSJVM38, }, Type: text.OrMatch, Expressions: []*regexp.Regexp{ @@ -716,11 +794,13 @@ func NewBase64Encode() *text.Rule { func NewGpsLocation() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JVM-39", - Name: "GPS Location", - Description: "GPS Location", - Severity: severities.Medium.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JVM-39", + Name: "GPS Location", + Description: "GPS Location", + Severity: severities.Medium.ToString(), + Confidence: confidence.Low.ToString(), + SafeExample: SampleSafeHSJVM39, + UnsafeExample: SampleVulnerableHSJVM39, }, Type: text.OrMatch, Expressions: []*regexp.Regexp{ 
@@ -736,11 +816,13 @@ func NewGpsLocation() *text.Rule { func NewApplicationMayContainJailbreakDetectionMechanisms() *text.Rule { return &text.Rule{ Metadata: engine.Metadata{ - ID: "HS-JVM-40", - Name: "The application may contain Jailbreak detection mechanisms", - Description: "The application may contain Jailbreak detection mechanisms.", - Severity: severities.Info.ToString(), - Confidence: confidence.Low.ToString(), + ID: "HS-JVM-40", + Name: "The application may contain Jailbreak detection mechanisms", + Description: "The application may contain Jailbreak detection mechanisms.", + Severity: severities.Info.ToString(), + Confidence: confidence.Low.ToString(), + SafeExample: SampleSafeHSJVM40, + UnsafeExample: SampleVulnerableHSJVM40, }, Type: text.OrMatch, Expressions: []*regexp.Regexp{ diff --git a/internal/services/engines/jvm/rules_test.go b/internal/services/engines/jvm/rules_test.go index 80e4cbf0c..7cddc3114 100644 --- a/internal/services/engines/jvm/rules_test.go +++ b/internal/services/engines/jvm/rules_test.go 
@@ -27,6 +27,494 @@ func TestRulesVulnerableCode(t *testing.T) { tempDir := t.TempDir() testcases := []*testutil.RuleTestCase{ + { + Name: "HS-JVM-1", + Rule: NewNoLogSensitiveInformation(), + Src: SampleVulnerableHSJVM1, + Filename: filepath.Join(tempDir, "HS-JVM-1.test"), + Findings: []engine.Finding{ + { + CodeSample: "log.info(\"the user requested is: \" + user);", + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-1.test"), + Line: 7, + Column: 8, + }, + }, + }, + }, + { + Name: "HS-JVM-2", + Rule: NewHTTPRequestsConnectionsAndSessions(), + Src: SampleVulnerableHSJVM2, + Filename: filepath.Join(tempDir, "HS-JVM-2.test"), + Findings: []engine.Finding{ + { + CodeSample: `import http.client.HttpClient;`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-2.test"), + Line: 2, + Column: 7, + }, + }, + }, + }, + { + Name: "HS-JVM-3", + Rule: NewNoUsesSafetyNetAPI(), + Src: SampleVulnerableHSJVM3, + Filename: filepath.Join(tempDir, "HS-JVM-3.test"), + Findings: []engine.Finding{ + { + CodeSample: "compile 'com.google.android.gms.safetynet.SafetyNetApi:11.0.4'", + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-3.test"), + Line: 3, + Column: 13, + }, + }, + }, + }, + { + Name: "HS-JVM-4", + Rule: NewNoUsesContentProvider(), + Src: SampleVulnerableHSJVM4, + Filename: filepath.Join(tempDir, "HS-JVM-4.test"), + Findings: []engine.Finding{ + { + CodeSample: `import android.content.ContentProvider;`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-4.test"), + Line: 2, + Column: 7, + }, + }, + }, + }, + { + Name: "HS-JVM-5", + Rule: NewNoUseWithUnsafeBytes(), + Src: SampleVulnerableHSJVM5, + Filename: filepath.Join(tempDir, "HS-JVM-5.test"), + Findings: []engine.Finding{ + { + CodeSample: `messageData.withUnsafeBytes {messageBytes in`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-5.test"), + Line: 3, + Column: 4, + }, + }, + }, + 
}, + { + Name: "HS-JVM-6", + Rule: NewNoUseLocalFileIOOperations(), + Src: SampleVulnerableHSJVM6, + Filename: filepath.Join(tempDir, "HS-JVM-6.test"), + Findings: []engine.Finding{ + { + CodeSample: `Keychain`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-6.test"), + Line: 3, + Column: 0, + }, + }, + { + CodeSample: `kSecAttrAccessibleWhenUnlocked`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-6.test"), + Line: 5, + Column: 0, + }, + }, + { + CodeSample: `kSecAttrAccessibleAfterFirstUnlock`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-6.test"), + Line: 7, + Column: 0, + }, + }, + { + CodeSample: `SecItemAdd`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-6.test"), + Line: 9, + Column: 0, + }, + }, + { + CodeSample: `SecItemUpdate`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-6.test"), + Line: 11, + Column: 0, + }, + }, + { + CodeSample: `NSDataWritingFileProtectionComplete`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-6.test"), + Line: 13, + Column: 0, + }, + }, + }, + }, + { + Name: "HS-JVM-7", + Rule: NewWebViewComponent(), + Src: SampleVulnerableHSJVM7, + Filename: filepath.Join(tempDir, "HS-JVM-7.test"), + Findings: []engine.Finding{ + { + CodeSample: `UIWebView`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-7.test"), + Line: 2, + Column: 0, + }, + }, + }, + }, + { + Name: "HS-JVM-8", + Rule: NewEncryptionAPI(), + Src: SampleVulnerableHSJVM8, + Filename: filepath.Join(tempDir, "HS-JVM-8.test"), + Findings: []engine.Finding{ + { + CodeSample: `return AESCrypt.encrypt(passPhrase, value);`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-8.test"), + Line: 4, + Column: 9, + }, + }, + }, + }, + { + Name: "HS-JVM-9", + Rule: NewKeychainAccess(), + Src: SampleVulnerableHSJVM9, + Filename: 
filepath.Join(tempDir, "HS-JVM-9.test"), + Findings: []engine.Finding{ + { + CodeSample: `PDKeychainBindings`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-9.test"), + Line: 2, + Column: 0, + }, + }, + }, + }, + { + Name: "HS-JVM-10", + Rule: NewNoUseProhibitedAPIs(), + Src: SampleVulnerableHSJVM10, + Filename: filepath.Join(tempDir, "HS-JVM-10.test"), + Findings: []engine.Finding{ + { + CodeSample: `strncat(dest, src, strlen(dest));`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-10.test"), + Line: 3, + Column: 0, + }, + }, + }, + }, + { + Name: "HS-JVM-11", + Rule: NewApplicationAllowMITMAttacks(), + Src: SampleVulnerableHSJVM11, + Filename: filepath.Join(tempDir, "HS-JVM-11.test"), + Findings: []engine.Finding{ + { + CodeSample: `request.validatesSecureCertificate = NO;`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-11.test"), + Line: 2, + Column: 8, + }, + }, + { + CodeSample: `allowInvalidCertificates = YES;`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-11.test"), + Line: 4, + Column: 0, + }, + }, + { + CodeSample: `canAuthenticateAgainstProtectionSpace`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-11.test"), + Line: 6, + Column: 0, + }, + }, + { + CodeSample: `continueWithoutCredentialForAuthenticationChallenge`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-11.test"), + Line: 8, + Column: 0, + }, + }, + { + CodeSample: `kCFStreamSSLAllowsExpiredCertificates`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-11.test"), + Line: 10, + Column: 0, + }, + }, + { + CodeSample: `kCFStreamSSLAllowsAnyRoot`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-11.test"), + Line: 12, + Column: 0, + }, + }, + { + CodeSample: `kCFStreamSSLAllowsExpiredRoots`, + SourceLocation: engine.Location{ + Filename: 
filepath.Join(tempDir, "HS-JVM-11.test"), + Line: 14, + Column: 0, + }, + }, + }, + }, + { + Name: "HS-JVM-12", + Rule: NewUIWebViewInApplicationIgnoringErrorsSSL(), + Src: SampleVulnerableHSJVM12, + Filename: filepath.Join(tempDir, "HS-JVM-12.test"), + Findings: []engine.Finding{ + { + CodeSample: `setAllowsAnyHTTPSCertificate: YES`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-12.test"), + Line: 2, + Column: 0, + }, + }, + { + CodeSample: `allowsAnyHTTPSCertificateForHost`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-12.test"), + Line: 4, + Column: 0, + }, + }, + { + CodeSample: `loadingUnvalidatedHTTPSPage = yes`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-12.test"), + Line: 6, + Column: 0, + }, + }, + }, + }, + { + Name: "HS-JVM-13", + Rule: NewNoListClipboardChanges(), + Src: SampleVulnerableHSJVM13, + Filename: filepath.Join(tempDir, "HS-JVM-13.test"), + Findings: []engine.Finding{ + { + CodeSample: `[[NSNotificationCenter defaultCenter] postNotificationName:UIPasteboardChangedNotification object:[UIPasteboard generalPasteboard]];`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-13.test"), + Line: 2, + Column: 59, + }, + }, + { + CodeSample: `[UIPasteboard generalPasteboard].string = @"your string";`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-13.test"), + Line: 4, + Column: 14, + }, + }, + { + CodeSample: `NSString *str = [UIPasteboard generalPasteboard].string];`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-13.test"), + Line: 5, + Column: 31, + }, + }, + }, + }, + { + Name: "HS-JVM-14", + Rule: NewApplicationUsingSQLite(), + Src: SampleVulnerableHSJVM14, + Filename: filepath.Join(tempDir, "HS-JVM-14.test"), + Findings: []engine.Finding{ + { + CodeSample: `sqlite3_exec(...)`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, 
"HS-JVM-14.test"), + Line: 2, + Column: 0, + }, + }, + }, + }, + { + Name: "HS-JVM-15", + Rule: NewNoUseNSTemporaryDirectory(), + Src: SampleVulnerableHSJVM15, + Filename: filepath.Join(tempDir, "HS-JVM-15.test"), + Findings: []engine.Finding{ + { + CodeSample: `const tempDirectory NSTemporaryDirectory = new NSTemporaryDirectory()`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-15.test"), + Line: 2, + Column: 47, + }, + }, + }, + }, + { + Name: "HS-JVM-16", + Rule: NewNoCopiesDataToTheClipboard(), + Src: SampleVulnerableHSJVM16, + Filename: filepath.Join(tempDir, "HS-JVM-16.test"), + Findings: []engine.Finding{ + { + CodeSample: `var clipboard = UIPasteboard()`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-16.test"), + Line: 2, + Column: 4, + }, + }, + }, + }, + { + Name: "HS-JVM-17", + Rule: NewNoDownloadFileUsingAndroidDownloadManager(), + Src: SampleVulnerableHSJVM17, + Filename: filepath.Join(tempDir, "HS-JVM-17.test"), + Findings: []engine.Finding{ + { + CodeSample: `var foo = mContext.getSystemService(Context.DOWNLOAD_SERVICE);`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-17.test"), + Line: 5, + Column: 19, + }, + }, + }, + }, + { + Name: "HS-JVM-18", + Rule: NewAndroidKeystore(), + Src: SampleVulnerableHSJVM18, + Filename: filepath.Join(tempDir, "HS-JVM-18.test"), + Findings: []engine.Finding{ + { + CodeSample: `import security.KeyStore`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-18.test"), + Line: 2, + Column: 7, + }, + }, + }, + }, + { + Name: "HS-JVM-19", + Rule: NewAndroidNotifications(), + Src: SampleVulnerableHSJVM19, + Filename: filepath.Join(tempDir, "HS-JVM-19.test"), + Findings: []engine.Finding{ + { + CodeSample: `import android.app.NotificationManager`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-19.test"), + Line: 2, + Column: 15, + }, + }, + }, + }, + { + Name: "HS-JVM-20", + 
Rule: NewPotentialAndroidSQLInjection(), + Src: SampleVulnerableHSJVM20, + Filename: filepath.Join(tempDir, "HS-JVM-20.test"), + Findings: []engine.Finding{ + { + CodeSample: "String query = \"SELECT * FROM messages WHERE uid= '\"+userInput+\"'\" ;", + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-20.test"), + Line: 2, + Column: 16, + }, + }, + }, + }, + { + Name: "HS-JVM-21", + Rule: NewSQLInjectionWithSQLite(), + Src: SampleVulnerableHSJVM21, + Filename: filepath.Join(tempDir, "HS-JVM-21.test"), + Findings: []engine.Finding{ + { + CodeSample: "String query = \"SELECT * FROM messages WHERE uid= '\"+userInput+\"'\" ;", + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-21.test"), + Line: 5, + Column: 16, + }, + }, + }, + }, + { + Name: "HS-JVM-22", + Rule: NewWebViewGETRequest(), + Src: SampleVulnerableHSJVM22, + Filename: filepath.Join(tempDir, "HS-JVM-22.test"), + Findings: []engine.Finding{ + { + CodeSample: `byte[] decodedValue = Base64.getDecoder().decode(value);`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-22.test"), + Line: 4, + Column: 43, + }, + }, + }, + }, + { + Name: "HS-JVM-23", + Rule: NewWebViewPOSTRequest(), + Src: SampleVulnerableHSJVM23, + Filename: filepath.Join(tempDir, "HS-JVM-23.test"), + Findings: []engine.Finding{ + { + CodeSample: `byte[] decodedValue = Base64.getDecoder().decode(value);`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-23.test"), + Line: 4, + Column: 43, + }, + }, + }, + }, { Name: "HS-JVM-24", Rule: NewBase64Decode(), 
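Review bot: The expected finding for HS-JVM-22 and HS-JVM-23 (WebView GET/POST Request) is the Base64 line `byte[] decodedValue = Base64.getDecoder().decode(value);` at Line 4, Column 43 — the same expectation used for HS-JVM-24 (Base64 Decode) — and the continuation of the next hunk repeats it verbatim for HS-JVM-25 and HS-JVM-27 through HS-JVM-35 (cookie storage, clipboard, weak hashes, ptrace). Either the `SampleVulnerableHSJVM*` constants for those rules are copies of the Base64 sample or those rules' expressions are identical to the Base64 rule's; in both cases the test does not demonstrate that each rule matches the code it is meant to find. Give each rule a sample that exercises its own expressions and assert the line that sample is expected to trigger. The HS-JVM-6 case (`NewNoUseLocalFileIOOperations`) expects `Keychain`, `kSecAttrAccessible*`, `SecItemAdd` and `NSDataWritingFileProtectionComplete` findings, which are iOS keychain and data-protection symbols rather than local file I/O, so the rule name and its sample deserve a second look too. `TestRulesVulnerableCode` starts before this hunk.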
@@ -43,6 +531,198 @@ func TestRulesVulnerableCode(t *testing.T) { }, }, }, + { + Name: "HS-JVM-25", + Rule: NewKeychainAccessAndMatch(), + Src: SampleVulnerableHSJVM25, + Filename: filepath.Join(tempDir, "HS-JVM-25.test"), + Findings: []engine.Finding{ + { + CodeSample: `byte[] decodedValue = Base64.getDecoder().decode(value);`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-25.test"), + Line: 4, + Column: 43, + }, + }, + }, + }, + { + Name: "HS-JVM-27", + Rule: NewCookieStorage(), + Src: SampleVulnerableHSJVM27, + Filename: filepath.Join(tempDir, "HS-JVM-27.test"), + Findings: []engine.Finding{ + { + CodeSample: `byte[] decodedValue = Base64.getDecoder().decode(value);`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-27.test"), + Line: 4, + Column: 43, + }, + }, + }, + }, + { + Name: "HS-JVM-28", + Rule: NewSetReadClipboard(), + Src: SampleVulnerableHSJVM28, + Filename: filepath.Join(tempDir, "HS-JVM-28.test"), + Findings: []engine.Finding{ + { + CodeSample: `byte[] decodedValue = Base64.getDecoder().decode(value);`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-28.test"), + Line: 4, + Column: 43, + }, + }, + }, + }, + { + Name: "HS-JVM-29", + Rule: NewUsingLoadHTMLStringCanResultInject(), + Src: SampleVulnerableHSJVM29, + Filename: filepath.Join(tempDir, "HS-JVM-29.test"), + Findings: []engine.Finding{ + { + CodeSample: `byte[] decodedValue = Base64.getDecoder().decode(value);`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-29.test"), + Line: 4, + Column: 43, + }, + }, + }, + }, + { + Name: "HS-JVM-30", + Rule: NewNoUseSFAntiPiracyJailbreak(), + Src: SampleVulnerableHSJVM30, + Filename: filepath.Join(tempDir, "HS-JVM-30.test"), + Findings: []engine.Finding{ + { + CodeSample: `byte[] decodedValue = Base64.getDecoder().decode(value);`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-30.test"), + Line: 4, + 
Column: 43, + }, + }, + }, + }, + { + Name: "HS-JVM-31", + Rule: NewNoUseSFAntiPiracyIsPirated(), + Src: SampleVulnerableHSJVM31, + Filename: filepath.Join(tempDir, "HS-JVM-31.test"), + Findings: []engine.Finding{ + { + CodeSample: `byte[] decodedValue = Base64.getDecoder().decode(value);`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-31.test"), + Line: 4, + Column: 43, + }, + }, + }, + }, + { + Name: "HS-JVM-32", + Rule: NewWeakMd5HashUsing(), + Src: SampleVulnerableHSJVM32, + Filename: filepath.Join(tempDir, "HS-JVM-32.test"), + Findings: []engine.Finding{ + { + CodeSample: `byte[] decodedValue = Base64.getDecoder().decode(value);`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-32.test"), + Line: 4, + Column: 43, + }, + }, + }, + }, + { + Name: "HS-JVM-33", + Rule: NewWeakSha1HashUsing(), + Src: SampleVulnerableHSJVM33, + Filename: filepath.Join(tempDir, "HS-JVM-33.test"), + Findings: []engine.Finding{ + { + CodeSample: `byte[] decodedValue = Base64.getDecoder().decode(value);`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-33.test"), + Line: 4, + Column: 43, + }, + }, + }, + }, + { + Name: "HS-JVM-34", + Rule: NewWeakECBEncryptionAlgorithmUsing(), + Src: SampleVulnerableHSJVM34, + Filename: filepath.Join(tempDir, "HS-JVM-34.test"), + Findings: []engine.Finding{ + { + CodeSample: `byte[] decodedValue = Base64.getDecoder().decode(value);`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-34.test"), + Line: 4, + Column: 43, + }, + }, + }, + }, + { + Name: "HS-JVM-35", + Rule: NewUsingPtrace(), + Src: SampleVulnerableHSJVM35, + Filename: filepath.Join(tempDir, "HS-JVM-35.test"), + Findings: []engine.Finding{ + { + CodeSample: `byte[] decodedValue = Base64.getDecoder().decode(value);`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-35.test"), + Line: 4, + Column: 43, + }, + }, + }, + }, + { + Name: "HS-JVM-36", + 
Rule: NewSuperUserPrivileges(), + Src: SampleVulnerableHSJVM36, + Filename: filepath.Join(tempDir, "HS-JVM-36.test"), + Findings: []engine.Finding{ + { + CodeSample: `byte[] decodedValue = Base64.getDecoder().decode(value);`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-36.test"), + Line: 4, + Column: 43, + }, + }, + }, + }, + { + Name: "HS-JVM-37", + Rule: NewSendSMS(), + Src: SampleVulnerableHSJVM37, + Filename: filepath.Join(tempDir, "HS-JVM-37.test"), + Findings: []engine.Finding{ + { + CodeSample: `byte[] decodedValue = Base64.getDecoder().decode(value);`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-37.test"), + Line: 4, + Column: 43, + }, + }, + }, + }, { Name: "HS-JVM-38", Rule: NewBase64Encode(), @@ -67,6 +747,38 @@ func TestRulesVulnerableCode(t *testing.T) { }, }, }, + { + Name: "HS-JVM-39", + Rule: NewGpsLocation(), + Src: SampleVulnerableHSJVM39, + Filename: filepath.Join(tempDir, "HS-JVM-39.test"), + Findings: []engine.Finding{ + { + CodeSample: `byte[] decodedValue = Base64.getDecoder().decode(value);`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-39.test"), + Line: 4, + Column: 43, + }, + }, + }, + }, + { + Name: "HS-JVM-40", + Rule: NewApplicationMayContainJailbreakDetectionMechanisms(), + Src: SampleVulnerableHSJVM40, + Filename: filepath.Join(tempDir, "HS-JVM-40.test"), + Findings: []engine.Finding{ + { + CodeSample: `byte[] decodedValue = Base64.getDecoder().decode(value);`, + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, "HS-JVM-40.test"), + Line: 4, + Column: 43, + }, + }, + }, + }, } testutil.TestVulnerableCode(t, testcases) 
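Review bot: The HS-JVM-25 through HS-JVM-37 cases added here each expect a finding with CodeSample `byte[] decodedValue = Base64.getDecoder().decode(value);` at line 4, column 43, which is the HS-JVM-24 expectation copied verbatim, while the samples.go hunk in this same diff defines `SampleVulnerableHSJVM25` through `SampleVulnerableHSJVM37` as empty strings, so no rule has anything to match and these subtests look set to fail. The HS-JVM-39 and HS-JVM-40 cases in the next hunk (`@@ -67,6 +747,38 @@`) carry the same placeholder finding over empty `SampleVulnerableHSJVM39`/`SampleVulnerableHSJVM40`, and the safe-code hunks (`@@ -75,6 +787,222 @@`, `@@ -88,10 +1016,16 @@`) bind the matching empty `SampleSafe…` constants, which the new `assert.NotEmpty(t, tt.Src)` in TestSafeCode will reject. Each case needs a sample that actually exercises its rule, with a CodeSample and location taken from that sample, or the case should be left out until the sample exists. The enclosing `testcases` literal and TestRulesVulnerableCode start before this hunk.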
@@ -75,6 +787,222 @@ func TestRulesVulnerableCode(t *testing.T) {
 func TestRulesSafeCode(t *testing.T) {
 tempDir := t.TempDir()
 testcases := []*testutil.RuleTestCase{
+ {
+ Name: "HS-JVM-1",
+ Rule: NewNoLogSensitiveInformation(),
+ Src: SampleSafeHSJVM1,
+ Filename: filepath.Join(tempDir, "HS-JVM-1.test"),
+ },
+ {
+ Name: "HS-JVM-2",
+ Rule: NewHTTPRequestsConnectionsAndSessions(),
+ Src: SampleSafeHSJVM2,
+ Filename: filepath.Join(tempDir, "HS-JVM-2.test"),
+ },
+ {
+ Name: "HS-JVM-3",
+ Rule: NewNoUsesSafetyNetAPI(),
+ Src: SampleSafeHSJVM3,
+ Filename: filepath.Join(tempDir, "HS-JVM-3.test"),
+ },
+ {
+ Name: "HS-JVM-4",
+ Rule: NewNoUsesContentProvider(),
+ Src: SampleSafeHSJVM4,
+ Filename: filepath.Join(tempDir, "HS-JVM-4.test"),
+ },
+ {
+ Name: "HS-JVM-5",
+ Rule: NewNoUseWithUnsafeBytes(),
+ Src: SampleSafeHSJVM5,
+ Filename: filepath.Join(tempDir, "HS-JVM-5.test"),
+ },
+ {
+ Name: "HS-JVM-6",
+ Rule: NewNoUseLocalFileIOOperations(),
+ Src: SampleSafeHSJVM6,
+ Filename: filepath.Join(tempDir, "HS-JVM-6.test"),
+ },
+ {
+ Name: "HS-JVM-7",
+ Rule: NewWebViewComponent(),
+ Src: SampleSafeHSJVM7,
+ Filename: filepath.Join(tempDir, "HS-JVM-7.test"),
+ },
+ {
+ Name: "HS-JVM-8",
+ Rule: NewEncryptionAPI(),
+ Src: SampleSafeHSJVM8,
+ Filename: filepath.Join(tempDir, "HS-JVM-8.test"),
+ },
+ {
+ Name: "HS-JVM-9",
+ Rule: NewKeychainAccess(),
+ Src: SampleSafeHSJVM9,
+ Filename: filepath.Join(tempDir, "HS-JVM-9.test"),
+ },
+ {
+ Name: "HS-JVM-10",
+ Rule: NewNoUseProhibitedAPIs(),
+ Src: SampleSafeHSJVM10,
+ Filename: filepath.Join(tempDir, "HS-JVM-10.test"),
+ },
+ {
+ Name: "HS-JVM-11",
+ Rule: NewApplicationAllowMITMAttacks(),
+ Src: SampleSafeHSJVM11,
+ Filename: filepath.Join(tempDir, "HS-JVM-11.test"),
+ },
+ {
+ Name: "HS-JVM-12",
+ Rule: NewUIWebViewInApplicationIgnoringErrorsSSL(),
+ Src: SampleSafeHSJVM12,
+ Filename: filepath.Join(tempDir, "HS-JVM-12.test"),
+ },
+ {
+ Name: "HS-JVM-13",
+ Rule: NewNoListClipboardChanges(),
+ Src: SampleSafeHSJVM13,
+ Filename: filepath.Join(tempDir, "HS-JVM-13.test"),
+ },
+ {
+ Name: "HS-JVM-14",
+ Rule: NewApplicationUsingSQLite(),
+ Src: SampleSafeHSJVM14,
+ Filename: filepath.Join(tempDir, "HS-JVM-14.test"),
+ },
+ {
+ Name: "HS-JVM-15",
+ Rule: NewNoUseNSTemporaryDirectory(),
+ Src: SampleSafeHSJVM15,
+ Filename: filepath.Join(tempDir, "HS-JVM-15.test"),
+ },
+ {
+ Name: "HS-JVM-16",
+ Rule: NewNoCopiesDataToTheClipboard(),
+ Src: SampleSafeHSJVM16,
+ Filename: filepath.Join(tempDir, "HS-JVM-16.test"),
+ },
+ {
+ Name: "HS-JVM-17",
+ Rule: NewNoDownloadFileUsingAndroidDownloadManager(),
+ Src: SampleSafeHSJVM17,
+ Filename: filepath.Join(tempDir, "HS-JVM-17.test"),
+ },
+ {
+ Name: "HS-JVM-18",
+ Rule: NewAndroidKeystore(),
+ Src: SampleSafeHSJVM18,
+ Filename: filepath.Join(tempDir, "HS-JVM-18.test"),
+ },
+ {
+ Name: "HS-JVM-19",
+ Rule: NewAndroidNotifications(),
+ Src: SampleSafeHSJVM19,
+ Filename: filepath.Join(tempDir, "HS-JVM-19.test"),
+ },
+ {
+ Name: "HS-JVM-20",
+ Rule: NewPotentialAndroidSQLInjection(),
+ Src: SampleSafeHSJVM20,
+ Filename: filepath.Join(tempDir, "HS-JVM-20.test"),
+ },
+ {
+ Name: "HS-JVM-21",
+ Rule: NewSQLInjectionWithSQLite(),
+ Src: SampleSafeHSJVM21,
+ Filename: filepath.Join(tempDir, "HS-JVM-21.test"),
+ },
+ {
+ Name: "HS-JVM-22",
+ Rule: NewWebViewGETRequest(),
+ Src: SampleSafeHSJVM22,
+ Filename: filepath.Join(tempDir, "HS-JVM-22.test"),
+ },
+ {
+ Name: "HS-JVM-23",
+ Rule: NewWebViewPOSTRequest(),
+ Src: SampleSafeHSJVM23,
+ Filename: filepath.Join(tempDir, "HS-JVM-23.test"),
+ },
+ {
+ Name: "HS-JVM-24",
+ Rule: NewBase64Decode(),
+ Src: SampleSafeHSJVM24,
+ Filename: filepath.Join(tempDir, "HS-JVM-24.test"),
+ },
+ {
+ Name: "HS-JVM-25",
+ Rule: NewKeychainAccessAndMatch(),
+ Src: SampleSafeHSJVM25,
+ Filename: filepath.Join(tempDir, "HS-JVM-25.test"),
+ },
+ {
+ Name: "HS-JVM-27",
+ Rule: NewCookieStorage(),
+ Src: SampleSafeHSJVM27,
+ Filename: filepath.Join(tempDir, "HS-JVM-27.test"),
+ },
+ {
+ Name: "HS-JVM-28",
+ Rule: 
NewSetReadClipboard(),
+ Src: SampleSafeHSJVM28,
+ Filename: filepath.Join(tempDir, "HS-JVM-28.test"),
+ },
+ {
+ Name: "HS-JVM-29",
+ Rule: NewUsingLoadHTMLStringCanResultInject(),
+ Src: SampleSafeHSJVM29,
+ Filename: filepath.Join(tempDir, "HS-JVM-29.test"),
+ },
+ {
+ Name: "HS-JVM-30",
+ Rule: NewNoUseSFAntiPiracyJailbreak(),
+ Src: SampleSafeHSJVM30,
+ Filename: filepath.Join(tempDir, "HS-JVM-30.test"),
+ },
+ {
+ Name: "HS-JVM-31",
+ Rule: NewNoUseSFAntiPiracyIsPirated(),
+ Src: SampleSafeHSJVM31,
+ Filename: filepath.Join(tempDir, "HS-JVM-31.test"),
+ },
+ {
+ Name: "HS-JVM-32",
+ Rule: NewWeakMd5HashUsing(),
+ Src: SampleSafeHSJVM32,
+ Filename: filepath.Join(tempDir, "HS-JVM-32.test"),
+ },
+ {
+ Name: "HS-JVM-33",
+ Rule: NewWeakSha1HashUsing(),
+ Src: SampleSafeHSJVM33,
+ Filename: filepath.Join(tempDir, "HS-JVM-33.test"),
+ },
+ {
+ Name: "HS-JVM-34",
+ Rule: NewWeakECBEncryptionAlgorithmUsing(),
+ Src: SampleSafeHSJVM34,
+ Filename: filepath.Join(tempDir, "HS-JVM-34.test"),
+ },
+ {
+ Name: "HS-JVM-35",
+ Rule: NewUsingPtrace(),
+ Src: SampleSafeHSJVM35,
+ Filename: filepath.Join(tempDir, "HS-JVM-35.test"),
+ },
+ {
+ Name: "HS-JVM-36",
+ Rule: NewSuperUserPrivileges(),
+ Src: SampleSafeHSJVM36,
+ Filename: filepath.Join(tempDir, "HS-JVM-36.test"),
+ },
+ {
+ Name: "HS-JVM-37",
+ Rule: NewSendSMS(),
+ Src: SampleSafeHSJVM37,
+ Filename: filepath.Join(tempDir, "HS-JVM-37.test"),
+ },
 {
 Name: "HS-JVM-38",
 Rule: NewBase64Encode(),
@@ -88,10 +1016,16 @@ func TestRulesSafeCode(t *testing.T) {
 Filename: filepath.Join(tempDir, "HS-JVM-38.test"),
 },
 {
- Name: "HS-JVM-24",
- Rule: NewBase64Decode(),
- Src: SampleSafeHSJVM24,
- Filename: filepath.Join(tempDir, "HS-JVM-24.test"),
+ Name: "HS-JVM-39",
+ Rule: NewGpsLocation(),
+ Src: SampleSafeHSJVM39,
+ Filename: filepath.Join(tempDir, "HS-JVM-39.test"),
+ },
+ {
+ Name: "HS-JVM-40",
+ Rule: NewApplicationMayContainJailbreakDetectionMechanisms(),
+ Src: SampleSafeHSJVM40,
+ Filename: filepath.Join(tempDir, "HS-JVM-40.test"),
 },
 }
diff --git a/internal/services/engines/jvm/samples.go b/internal/services/engines/jvm/samples.go
new file mode 100644
index 000000000..87fb872c3
--- /dev/null
+++ b/internal/services/engines/jvm/samples.go
@@ -0,0 +1,375 @@ +// Copyright 2021 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package jvm + +const ( + SampleVulnerableHSJVM1 = ` +public class SomeClass { + public static User getUser(string id) + { + Logger log = Logger.getLogger("com.api.jar"); + User user = _repository.getUser(id); + log.info("the user requested is: " + user); + } +} +` + SampleSafeHSJVM1 = ` +public class SomeClass { + public static User getUser(string id) + { + // Don't use log in your system + return _repository.getUser(id); + } +} +` + + SampleVulnerableHSJVM2 = ` +import http.client.HttpClient; + +public class Foo { + ... +} +` + SampleSafeHSJVM2 = ` +// Don't use http client without tls +public class Foo { + ... +} +` + + SampleVulnerableHSJVM3 = ` +dependencies { + compile 'com.google.android.gms.safetynet.SafetyNetApi:11.0.4' +} +` + SampleSafeHSJVM3 = ` +dependencies { + // don't use SafetyNetApi +} +` + + SampleVulnerableHSJVM4 = ` +import android.content.ContentProvider; + +public class Foo { + ... +} +` + SampleSafeHSJVM4 = ` +// Don't use ContentProvider library + +public class Foo { + ... 
+} +` + + SampleVulnerableHSJVM5 = ` +_ = digestData.withUnsafeMutableBytes {digestBytes in + messageData.withUnsafeBytes {messageBytes in + CC_MD5(messageBytes, CC_LONG(messageData.count), digestBytes) + } + } +` + SampleSafeHSJVM5 = ` +// Use sha256 and with safe bytes generations +MessageDigest digest = MessageDigest.getInstance("SHA-256"); +byte[] hash = digest.digest(text.getBytes(StandardCharsets.UTF_8)); +` + + SampleVulnerableHSJVM6 = ` +// Vulnerable mode is: +Keychain +or +kSecAttrAccessibleWhenUnlocked +or +kSecAttrAccessibleAfterFirstUnlock +or +SecItemAdd +or +SecItemUpdate +or +NSDataWritingFileProtectionComplete +` + SampleSafeHSJVM6 = ` +// safe mode is: +kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly +` + + SampleVulnerableHSJVM7 = ` +UIWebView +` + SampleSafeHSJVM7 = ` +// Don't use web view component.` + + SampleVulnerableHSJVM8 = ` +@Override +public String encrypt(String value) throws Exception{ + return AESCrypt.encrypt(passPhrase, value); +} +` + SampleSafeHSJVM8 = ` +// Use sha256 and with safe bytes generations +MessageDigest digest = MessageDigest.getInstance("SHA-256"); +byte[] hash = digest.digest(text.getBytes(StandardCharsets.UTF_8)); +} +` + + SampleVulnerableHSJVM9 = ` +PDKeychainBindings +` + SampleSafeHSJVM9 = ` +// Don't use this method of keychain access +` + + SampleVulnerableHSJVM10 = ` +//wrong: should use remaining size of dest +strncat(dest, src, strlen(dest)); +` + SampleSafeHSJVM10 = ` +// Don't use this method of keychain access +` + + SampleVulnerableHSJVM11 = ` +request.validatesSecureCertificate = NO; +or +allowInvalidCertificates = YES; +or +canAuthenticateAgainstProtectionSpace +or +continueWithoutCredentialForAuthenticationChallenge +or +kCFStreamSSLAllowsExpiredCertificates +or +kCFStreamSSLAllowsAnyRoot +or +kCFStreamSSLAllowsExpiredRoots +` + SampleSafeHSJVM11 = ` +request.validatesSecureCertificate = YES; +or +request.allowInvalidCertificates = NO; +` + + SampleVulnerableHSJVM12 = ` 
+setAllowsAnyHTTPSCertificate: YES +or +allowsAnyHTTPSCertificateForHost +or +loadingUnvalidatedHTTPSPage = yes +` + SampleSafeHSJVM12 = ` +setAllowsAnyHTTPSCertificate: no +or +loadingUnvalidatedHTTPSPage = no +` + + SampleVulnerableHSJVM13 = ` +[[NSNotificationCenter defaultCenter] postNotificationName:UIPasteboardChangedNotification object:[UIPasteboard generalPasteboard]]; +or +[UIPasteboard generalPasteboard].string = @"your string"; +NSString *str = [UIPasteboard generalPasteboard].string]; +` + SampleSafeHSJVM13 = ` +// Don't get content from clipboard +` + + SampleVulnerableHSJVM14 = ` +sqlite3_exec(...) +` + SampleSafeHSJVM14 = ` +// Dont't use sqlite executable directly +` + + SampleVulnerableHSJVM15 = ` +const tempDirectory NSTemporaryDirectory = new NSTemporaryDirectory() +` + SampleSafeHSJVM15 = ` +// Don't use temporary directory ` + + SampleVulnerableHSJVM16 = ` +var clipboard = UIPasteboard() +` + SampleSafeHSJVM16 = ` +// Don't past content from clipboard +` + + SampleVulnerableHSJVM17 = ` +import android.app.DownloadManager + +... +var foo = mContext.getSystemService(Context.DOWNLOAD_SERVICE); +` + SampleSafeHSJVM17 = ` +import android.app.DownloadManager + +... +var foo = mContext.getSystemService(); +` + + SampleVulnerableHSJVM18 = ` +import security.KeyStore + +... +KeyStore keyStore = KeyStore.getInstance("JKS"); +String fileName = System.getProperty("java.home") + + "/lib/security/myKeyStore.jks"; + +FileInputStream stream = new FileInputStream(new File(fileName)); +keyStore.load( stream, "storeit".toCharArray()); +` + SampleSafeHSJVM18 = ` +String fileName = System.getProperty("java.home") + + "/lib/security/myKeyStore.jks"; + +FileInputStream stream = new FileInputStream(new File(fileName)); +` + + SampleVulnerableHSJVM19 = ` +import android.app.NotificationManager + +... 
+NotificationManager notificationManager = (NotificationManager) context.getSystemService(Context.NOTIFICATION_SERVICE); + +Uri soundUri = RingtoneManager.getDefaultUri(RingtoneManager.TYPE_NOTIFICATION); + +NotificationCompat.Builder mBuilder = new NotificationCompat.Builder(getApplicationContext()) + .setSmallIcon(icon) + .setContentTitle(title) + .setContentText(message) + .setSound(soundUri); +notificationManager.notify(0, mBuilder.build());` + SampleSafeHSJVM19 = ` +// Don't send notification for not expose sensitive content.` + + SampleVulnerableHSJVM20 = ` +String query = "SELECT * FROM messages WHERE uid= '"+userInput+"'" ; +Cursor cursor = this.getReadableDatabase().rawQuery(query,null); +` + SampleSafeHSJVM20 = ` +String query = "SELECT * FROM messages WHERE uid= ?" ; +Cursor cursor = this.getReadableDatabase().rawQuery(query,new String[] {userInput}); +` + + SampleVulnerableHSJVM21 = ` +import android.database.sqlite; + +... +String query = "SELECT * FROM messages WHERE uid= '"+userInput+"'" ; +Cursor cursor = conn.rawQuery(query,null); +` + SampleSafeHSJVM21 = ` +import android.database.sqlite; + +... +String query = "SELECT * FROM messages WHERE uid= ?" 
; +Cursor cursor = conn.rawQuery(query,new String[] {userInput}); +` + + SampleVulnerableHSJVM22 = `` + SampleSafeHSJVM22 = `` + + SampleVulnerableHSJVM23 = `` + SampleSafeHSJVM23 = `` + + SampleVulnerableHSJVM24 = ` +class T { + void f(String value) { + byte[] decodedValue = Base64.getDecoder().decode(value); + } +} +` + SampleSafeHSJVM24 = ` +class T { + void f() { + this.decodeSomeRandomValue("value); + console.log.println("foo.decode"); + } + + void decodeSomeRandomValue(String value) {} +} +` + + SampleVulnerableHSJVM25 = `` + SampleSafeHSJVM25 = `` + + // Deprecated: Repeated vulnerability, same as HS-JVM-25 + //SampleVulnerableHSJVM26 = `` + //SampleSafeHSJVM26 = `` + + SampleVulnerableHSJVM27 = `` + SampleSafeHSJVM27 = `` + + SampleVulnerableHSJVM28 = `` + SampleSafeHSJVM28 = `` + + SampleVulnerableHSJVM29 = `` + SampleSafeHSJVM29 = `` + + SampleVulnerableHSJVM30 = `` + SampleSafeHSJVM30 = `` + + SampleVulnerableHSJVM31 = `` + SampleSafeHSJVM31 = `` + + SampleVulnerableHSJVM32 = `` + SampleSafeHSJVM32 = `` + + SampleVulnerableHSJVM33 = `` + SampleSafeHSJVM33 = `` + + SampleVulnerableHSJVM34 = `` + SampleSafeHSJVM34 = `` + + SampleVulnerableHSJVM35 = `` + SampleSafeHSJVM35 = `` + + SampleVulnerableHSJVM36 = `` + SampleSafeHSJVM36 = `` + + SampleVulnerableHSJVM37 = `` + SampleSafeHSJVM37 = `` + + SampleVulnerableHSJVM38 = ` +class T { + void f() { + String input = "test input"; + Base64.getEncoder().encodeToString(input.getBytes()); + + Base64 base64 = new Base64(); + String encodedString = new String(base64.encode(input.getBytes())); + } +} + ` + SampleSafeHSJVM38 = ` +class T { + void f() { + obj.addContentType("application/x-www-form-urlencoded") + } +} + ` + Sample2SafeHSJVM38 = ` +" + + + + +` + + SampleVulnerableHSJVM39 = `` + SampleSafeHSJVM39 = `` + + SampleVulnerableHSJVM40 = `` + SampleSafeHSJVM40 = `` +) 
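Review bot: `SampleSafeHSJVM8` (and `SampleSafeHSJVM5`) offers a SHA-256 `MessageDigest` as the safe counterpart of the `AESCrypt.encrypt(passPhrase, value)` vulnerable snippet, but a digest is not a substitute for encryption, so the pair does not show readers what correct use of an encryption API looks like; the HS-JVM-8 safe sample also ends in a stray `}` that leaves the snippet unbalanced. `SampleSafeHSJVM10` repeats the keychain comment from `SampleSafeHSJVM9` even though HS-JVM-10's vulnerable sample is the `strncat` misuse, so the safe example says nothing about its own rule. Sixteen pairs (`SampleVulnerableHSJVM22`/`SampleSafeHSJVM22`, 23, 25, 27 through 37, 39 and 40) are empty backtick strings that the rules_test.go hunks in this diff already bind to test cases, so those cases run the rule over no input. A doc comment on the const block would make the contract explicit for contributors filling these in, e.g. `// SampleVulnerableHSJVM<n> / SampleSafeHSJVM<n> are the snippets fed to the HS-JVM-<n> rule tests: the vulnerable one must yield exactly the findings listed in rules_test.go, the safe one none.`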
diff --git a/internal/services/engines/jvm/samples_test.go b/internal/services/engines/jvm/samples_test.go deleted file mode 100644 index c073dd0b1..000000000 --- a/internal/services/engines/jvm/samples_test.go +++ /dev/null @@ -1,65 +0,0 @@ -// Copyright 2021 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package jvm - -const ( - SampleVulnerableHSJVM38 = ` -class T { - void f() { - String input = "test input"; - Base64.getEncoder().encodeToString(input.getBytes()); - - Base64 base64 = new Base64(); - String encodedString = new String(base64.encode(input.getBytes())); - } -} - ` - - SampleVulnerableHSJVM24 = ` -class T { - void f(String value) { - byte[] decodedValue = Base64.getDecoder().decode(value); - } -} - ` -) - -const ( - SampleSafeHSJVM38 = ` -class T { - void f() { - obj.addContentType("application/x-www-form-urlencoded") - } -} - ` - Sample2SafeHSJVM38 = ` -" - - - - -` - - SampleSafeHSJVM24 = ` -class T { - void f() { - this.decodeSomeRandomValue("value); - console.log.println("foo.decode"); - } - - void decodeSomeRandomValue(String value) {} -} -` -) diff --git a/internal/utils/testutil/rules_test_generic.go b/internal/utils/testutil/rules_test_generic.go index 32c186e9d..f90e90130 100644 --- a/internal/utils/testutil/rules_test_generic.go +++ b/internal/utils/testutil/rules_test_generic.go 
@@ -52,6 +52,7 @@ func assertExpectedFindingAndRuleCase(t *testing.T, findings []engine.Finding, t
 func TestSafeCode(t *testing.T, testcases []*RuleTestCase) {
 for _, tt := range testcases {
 t.Run(tt.Name, func(t *testing.T) {
+ assert.NotEmpty(t, tt.Src)
 Findings := executeRule(t, tt)
 assert.Empty(t, Findings, "Expected not issues on safe code to Rule %s", tt.Name)
 assert.Equal(t, tt.Name, tt.Rule.ID)
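Review bot: `assert.NotEmpty(t, tt.Src)` records a failure but does not stop the subtest, so an empty safe sample still reaches `executeRule` and the following `assert.Empty` passes vacuously on zero findings; returning on failure, `if !assert.NotEmpty(t, tt.Src) { return }`, keeps the subtest to the one meaningful message. The same guard is missing from the vulnerable-code path (`testutil.TestVulnerableCode`, called from the rules_test.go hunks earlier in this diff), where an empty `Src` can only surface later as a finding-count mismatch that does not name the real cause. TestSafeCode's body continues past the end of this hunk.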